Third-party cookies are going away. What’s next?
Earlier this year, Google announced plans to kill third-party cookies in Chrome by 2022. This came on the heels of tightening privacy regulations, growing user discontent about the intrusiveness of online ads, and competing browsers taking the lead on tracking prevention.
With Chrome’s 64.67% market share across devices (according to GlobalStats), Google’s decision is the final nail in the coffin of the third-party cookie. For publishers, lack of third-party data translates to reduced behavioral targeting abilities, and as a consequence, a decline in revenue.
In this post, we’ll look at how third-party cookies are different from first-party cookies, how different browsers treat them, their function and value in online advertising, and finally, some of the solutions that are being proposed as an alternative to third-party data.
In a nutshell, cookies are what make the internet stateful instead of stateless.
Each time you return to a website and it remembers your login details, content preferences, the items in your shopping cart—it’s because that information was previously written and saved in a browser cookie as a text file. Apart from this core functionality, cookies are also used for behavioral targeting, which forms the backbone of the ad-supported model of the web.
Cookies are broadly categorized based on who created them:
First-party cookies are created directly by the website (domain) that a user is presently visiting. These cookies allow website owners to preserve user login status, save content preferences, collect analytics data, and perform other useful functions needed to keep the website operations running smoothly.
Third-party cookies are created by websites (domains) other than the ones that a user is visiting directly, hence the name “third-party”. These cookies are used for cross-site user tracking, retargeting, behavioral targeting, and a few other things.
Second-party cookies are not created like first-party or third-party cookies and technically don’t exist, but when a company transfers its first-party cookies to another company via a data exchange or a direct data partnership, they get classified as second-party cookies.
Third-party cookies came under scrutiny due to user privacy concerns linked to their use. Regulations like GDPR and CCPA have mandated publishers to give users control over the decision to accept or reject cookies, which has in turn given rise to a new breed of software called consent management platforms. While this was happening, privacy-focused browsers also released tracking prevention updates to limit the functionality of or block third-party cookies.
Beyond behavioral targeting, third-party cookies are currently being used to perform a number of tasks online, some examples of these include:
Retargeting: Retargeting involves Tracking visitors who have previously visited a website and showing them ads about products and services that they might have interacted with. Webmasters place a 1×1 transparent pixel on their site, which when triggered during page load, will send a request to the retargeting company’s server. Finally, the ad server drops a cookie on the visitor’s browser.
Live chat: A lot of websites use live chat to offer sales assistance or customer support. In order to remember user details such as name and chat history, live chat tools drop a third-party cookie on the user’s browser. This data is removed when users clear their cookies or when they expire.
Social buttons: Most social media websites that offer site or app login functionality, and sharing and like buttons for content, use third-party cookies to track users across websites. This cookie data can then be used to serve users ads when they visit those social media websites.
Safari was one of the first browsers to start blocking third-party cookies with its Intelligent Tracking Prevention (ITP) release. With its latest update, ITP 2.3, Safari has not only blocked all third-party cookies, but is also plugging loopholes and workarounds that companies used to continue identifying users using other means, such as link decoration and device fingerprinting.
Firefox has been following Safari’s lead by launching its own tracking prevention feature called Enhanced Tracking Prevention (ETP). In September last year, Mozilla announced that it was now blocking all third-party cookies by default, in addition to protection against cryptominers. Users have the option to enable third-party cookies from privacy settings if they want to.
Chrome has the largest market share in the browser space, but Google’s ad business depends heavily on advertisers and publishers being able to use behavioral targeting. This is why Chrome is lagging Safari and Mozilla when it comes to tracking prevention. At this time, Chrome users have the option to block third-party cookies, with default blocking coming in two years.
Browsers are not the only gatekeepers of cookies on the internet. Apart from the big three above, there are also privacy-focussed browsers and apps that block third-party cookies and cross-site tracking by default, this includes Tor, Brave, Ghostery, and Privacy Badger.
Since tracking prevention gained steam, CPMs achieved by publishers on browsers restricting or blocking third-party cookies have lagged Chrome. According to data published by OKO, Safari and Firefox return 23% and 36% lower CPMs compared to the average, while Chrome is just 2% lower.
According to a Digiday report, the initial ITP 2.x update saw publishers lose 40% of their revenue on the open exchange against their users on Safari, while Rubicon reported that prices for ads targeting Safari users plummeted 60% because of tracking prevention.
In addition to data released by ad tech vendors, multiple academic and industry reports have also been published on the revenue impact linked to the loss of third-party targeting data. Here’s a summary of the value they associate to cookies based on findings.
Study | Sample | Measure | Loss in value |
Goldfarb & Tucker (2011) | 9,596 ad campaigns | User purchase intent survey | 65% |
Beales & Eisenach (2014) | 2 ad exchanges | Exchange/publisher price | >66% |
Johnson, Shriver, and Du (2020) | Ad exchanges (10K+ advertisers and publishers) | Exchange price | 52% |
Marotta, Abhishek, and Acquisti (2019) | Large, multi-site US publisher | Publisher revenue | 4% |
Google (2019) | Top 500 publishers using Google’s tech | Publisher revenue | 52% |
UK CMA Report (2020) | Google study’s UK users | Publisher revenue | 70% |
With loss estimates ranging from 4% to 70% between studies, the jury’s still out on precisely how much value third-party targeting really adds to online advertising, making it an ongoing issue of contention.
However, given the clear trend of browsers with tracking prevention underperforming Chrome when it comes to CPM, when Google finally flips the switch and starts blocking third-party cookies by default, a revenue decline of at least 10-20% can be expected.
It doesn’t have to be that way though, as multiple alternatives have been proposed to replace third-party cookie data in ad tech and are under various stages of development.
Proposed alternatives to third-party data
Shift to contextual ads
Before behavioral targeting was commonplace, ads were contextually targeted. Contextual ads are served to match the content of the page on which they are served.
For example, you might see a contextual ad for Nike shoes on a blog about shoe reviews. Unlike behavioral targeting, it does not rely on third-party data or tracking users across sites.
Even now, contextual ads are being used by many publishers in cases where users refuse to provide cookie consent under GDPR and CCPA. The downside to using contextual ads is that they historically return lower CPMs compared to behaviorally targeted ads.
Google Privacy Sandbox
In the cookie-less future, Google wants ad targeting, measurement, and fraud prevention to be handled by the Privacy Sandbox. The data currently received from cookies will be replaced by five different application programming interfaces (APIs) that are part of the Privacy Sandbox.
Instead of tracking users at an individual level, the Privacy Sandbox uses FLoC, a.k.a, “federated learning of cohorts”—a combination of data aggregation and the use of machine learning to club users based on common browsing behaviors, while maintaining anonymity.
During early tests, FLoCs generated a nearly 350% improvement in recall and 70% improvement in precision over a random assignment of users to cohorts.
Project Rearc
An initiative launched by the Interactive Advertising Bureau (IAB) earlier this year, Project Rearc (short for “re-architecture”) is an industry coalition working to develop a set of agreed-upon principles, which will eventually turn into tech standards that companies can use in the future for targeting without using cookies or mobile IDs.
The core idea revolves around using hashed, encrypted emails or phone numbers as a unique identifier that can be passed between publishers, SSPs, DSPs, and advertisers.
So far, sixteen ad tech companies have pledged their support to the project, including GroupM, GumGum, Index Exchange, LiveRamp, MediaMath, and Oracle. However, the big browser makers, Google and Apple, are not at the table.
Third-party identity solutions
Several companies and consortiums have been working to develop universal ID solutions that could be shared between members of the ad tech supply chain. Originally, some ID solutions were cookie-based and intended to improve the match rate of cookie syncing.
However, of late, many of these solutions have pivoted to other forms of privacy-first identification such as encrypted single sign-on (SSO) data and email addresses. Some of the entities working on universal ID solutions with Prebid support include The Trade Desk, LiveRamp, ID5, and PubCommonID.
The most popular ID solution, The Trade Desk’s Unified ID, now in its second iteration Unified ID 2.0, is open source, independently governed, secure, and user-friendly.
Conclusion
As crucial as third-party cookies may have been as the foundational basis for the ad-supported model of the web for the last two decades, they are now at the end of their lifecycle. Revenue decline in audiences using Safari and Firefox as their browser have provided some early indication of the impact that lack of third-party targeting data might have on the publishing business.
Some larger publishers such a New York Times, Vox Media, The Washington Post, and Telegraph have already experimented with ad targeting based on first-party data and witnessed varying degrees of success. Now it’s time for others to follow. Thankfully, the one year of heads-up gives publishers enough time to test various strategies and finalize their approach to monetization in a cookie-less environment.