Third-party cookies received an ultimatum. Browsers are currently phasing them out, which means they won’t be allowed anymore if you use any modern browser, like Safari, Firefox, or Chrome. This decision is not recent, but since the deadline is near, it’s time to understand what’s up with these changes and how they affect us. Despite this being a good thing for user’s privacy, it is something that may hit hard on some businesses. This is a brief overview of what’s happening and what you can do about it.
What is a cookie anyway?
A cookie is a piece of data stored by a website on your computer. It consists of a text file with a key-value relation followed by some configuration, and it is used to remember some parameters about the user and the usage of a website. For example, it stores a session token, a locale preference, or even the fact that you were on that page before. Without them, you probably would have to log in or authenticate at every page change or every action taken. Those cookies can be trivially set by the website you’re visiting, usually after clicking "Accept" on a cookie consent banner. Yes, those you often see blocking content and sometimes they have no "Decline" option.
They can live for a predetermined timespan or until you close your browser, ending your session. Differently from the local storage, a tool used to store the state between sessions and requests, cookies are sent to the server on every request you make to websites (if they’re set to do so). Without them, all states you have set on your browser during your stay on that page would be lost. Everything will be refreshed when you refresh a page, directly write a URL at the navigation bar, or click a link.
Next time you are asked to consent with website cookies, notice the kinds they’re offering you. When you see the consent banner, try to find a "choose your preferences" button and take some time to read the options. You may find that cookies are classified as:
- Strictly necessary cookies – These don’t even need the user’s consent to be set and are used to keep basic functionalities working, like keeping your session alive or remembering your cart items on an e-commerce website.
- Functional cookies – Those are used to remember the user’s preferences, like language, location, theme, or other settings.
- Performance cookies – Those track user’s behavior on the website, like how long they were on a page, which links they clicked, and other parameters that help the website owner improve the user’s experience.
- Marketing cookies – Those are used to track users’ behavior across the web and serve more targeted ads.
Cookies are not essentially bad, as they make the experience of using a website better. Or at least they should.
Following specifications to instruct your browser on how to handle them, they hold properties like an expiration date (Expires
), a website address it belongs to (Domain
and Path
), if it should be sent to the same site that emitted it (SameSite
) or how strict it should be shared, if it is supposed to be transmitted through a Secure
connection and if it should be accessible by JavaScript or if it is used as HttpOnly
. [1]
Those properties are quite interesting to go deeper into, but especially the SameSite
one had an important change in its default value and behavior starting from Google Chrome 80. When no setting for SameSite was specified, it defaulted to ‘None’. This means the cookie would be sent to any requests made to third-party domains from your website. Since the change, it defaulted to ‘Lax’, blocking the cookie from being sent to third parties by default unless the user followed a link from your website to the other website, like in the form of a referral. To have cookies sent to third parties, the cookie has to be explicitly set to ‘None’ and to be sent through a Secure
connection. [2] [3]
Cookies that are set directly by the domain you’re accessing or by JavaScript, are called first-party cookies, but they can also be generated by secondary calls to third-party domains the website uses to render its content; those are called third-party cookies.
First-party cookies
First-party cookies are set after your browser receives the response from the website server at your browser’s URL bar when you hit a URL. They come along with this response or are generated by JavaScript scripts running in your browser, those you received when you loaded the page and can contain information about your session, your preferences, and other parameters, making your experience smoother. JavaScript-generated cookies cannot be set to be HttpOnly
, which means if a script generated it, other scripts may as well see it.
Especially after you log in, your browser will receive an instruction to store tokens of some sort, like a JSON Web Token (JWT). Your browser will send the cookie back to the server on every request, so the server knows who you are and what you’re allowed to do; providing you Authentication and Authorization, respectively.
Furthermore, developers usually keep track of some actions you took on the website, like links clicked, how long you were on that page, and other parameters useful to improve your experience using that website. So it is good for both parts that you keep using it. First-party cookies are a very useful tool for everyone and they are not going away.
Third-party cookies
Third-party cookies are set by a website other than the one you’re accessing, either by scripts inserted in the page or by a request made by the website to another one to fetch extra resources like a payment method, an advertising section, or a simple embedded image. They are not essentially bad either, but they have been used for a long time to track users across the web and serve more targeted ads.
Unregulated use of those cookies led to privacy concerns, as they could hold sensitive data about your behavior and they were shared under the hood with people you didn’t agree to share your data with. Notice, that these cookies can be classified as any of those said above: necessary, functional, statistics, or marketing. This means some good functionalities that rely on third-party cookies may stop working.
A useful functionality that may be affected is if your website relies on a third-party authentication service. If you use a service like Google, Facebook, or Twitter to authenticate your users, you’re using third-party cookies. If you use a service like Stripe to process payments, you’re using third-party cookies. If you use a service like Google Analytics to track your user’s behavior, you’re using third-party cookies.
A Brief history of how it was
Selling things on the Internet has huge potential since its reach is global. That means one can sell a product or a service to people who wouldn’t normally know one’s business.
So advertising sections appeared on websites, some niched from the nature of that website, some more generic as its public was broader. Long story short, it doesn’t take long for advertisers to realize that the more targeted the ads were, the better the conversion rate was.
Publicity has a cost, and if you announce it in the right place to the right public, you’re more likely to increase sales. These days we still see static ads on podcasts, streets, radio, or television. Each of those communication channels has subchannels that have a public with some profile determined through polls and market research, usually molded by the kind of content they present, and the advertisers need to make sure their ads are being shown to the right public.
Knowing that, having dynamic advertising sections on the internet was a game changer. Having the means to know individuals instead of a probable public was the trick. That’s when third-party cookies came into play.
Imagine you owned a website that could hold a piece of code that would collect data about your users and send it straight to your ad-box provider. Your ad provider could respond with the right ad to show to that specific user who just entered your homepage.
That thought on a scale, there was a network of websites providing data to a central place that could organize which user would see a specific ad. Third-party cookies were used to track users across the web and build profiles and analytics of them. Companies like Google and Meta (formerly known as Facebook) made trillions of dollars with this feature, as they built databases that held more information about a person than the person knew about themselves. Those companies are essentially data companies as their main businesses would be to profile people and sell that data to advertisers. You may also recall the following two words: Cambridge Analytica.
Was it bad, anyway? Well, if you think for a bit, advertising sections were the only way websites could make money to keep running. If you are used to reading a blog or find it funny to see cute cat videos on someone’s tube, it certainly is annoying to see stuff you are not interested in at all shown to you. People are already used to skipping ads even if they’re a good fit to see those, imagine if not.
You don’t need to buy anything, but let’s face the truth: you were walking in a mall once and you saw something you liked and bought it. That’s how advertising works. So that’s why I advocate that seeing ads is not a bad thing, but seeing ads that are not interesting to you is.
On the other hand, which information are you willing to share with advertising companies so they can show what they have for you? Do you know what they know about you? Regulations make it clear that a person’s data belongs to that person, and it should be used only with that person’s consent, to the means that person agreed to.
Why are they going away?
Third-party cookies are being phased out because of privacy concerns. There was much abuse of this feature as it was not clear to users that their data was being shared with websites other than the one they were visiting at that moment. You probably have navigated to a certain website or searched for a specific subject or product and then started seeing ads about that everywhere you went. In some cases it was even more aggressive: you started receiving emails. Who told them your email? Well, you did when you signed up for that newsletter, but you didn’t know they would share your email with other companies.
If you look at GDPR definitions [4], you’ll see that it demands website owners to ask for consent to store cookies in the user’s browser. More granularly, it should ask for consent for each type of cookie and a website should not prevent you from using it if you do not consent with their cookies.
Many users do not know what they’re consenting to, as they lack this technical knowledge or they just don’t understand the terms of service. With that, many users just click "Accept" and move on. They’re selling their data for free, and they don’t even know it.
Also, you or a friend of yours may have already told you that they use ad-blocker extensions, virtual private network services (VPN), or a browser that prevents tracking. Apple and Mozilla have already blocked third-party cookies within their platforms, and Google is phasing them out in Chrome here in 1Q2024. This is a big deal, as Chrome is the most used browser in the world. Users don’t like being tracked, and they’re using tools to prevent it. This is a clear sign that the market is demanding more privacy.
As a user, what does this mean for me?
As a user, you may expect to have more privacy while you navigate through the internet. Ads you see will be less meaningful, but you’ll be less creeped out. Some websites you use may break but eventually, they’ll adjust their service to keep running. Everyone must understand that everything has a cost, so the "free" services you use must still profit somehow.
But don’t expect to not be tracked at all, since first-party cookies will be still there and websites may share your data with partners in other ways. Read the terms of service and privacy policy of the websites you use, and if you don’t agree with them, don’t use them. I know, some services you use may not have a good alternative and you’ll need to consent against your will. That’s the price of using a free service.
As a business, what does this mean for me?
As a business, you’ll need to take better care of your user’s data. If your business is based on serving ads, you’ll need to find new ways to track users and target ads. If your business relies on being advertised, conversions may decrease initially as ads will be less precise.
First-party cookies are still allowed, so you can still track users on your website, for your own purposes, collecting data internally for your business. You’ll need to think about privacy more, and you’ll need to be transparent about what you’re doing with user data. You’ll need to do analytics on your side, and tracking will be more difficult and probably done mostly on your server side. There are already server-to-server solutions that can help you with that. For example, if you own an e-commerce website you can emit events like ‘user viewed a product’ or ‘user bought a product’ and send them through your server to the tracking aggregator of your choice. Meta’s Conversion API (CAPI) and Google Analytics 4. [3] [4]
As a developer, what does this mean for me?
Your regular analytics won’t change much if you’re collecting data with first-party cookies. You’ll still be able to send and receive first-party cookies. After collecting user’s consent to share their data with partners, here I am not talking about third-party cookies, you’ll be allowed to collect data, send it to your server, and then to a third-party service. Thinking about privacy, user’s data should preferably be depersonalized before sending it to a third-party service.
Companies that rely heavily on data collection like Google and Meta already provide server-to-server solutions that can help you with that. Google Analytics 4 and Meta’s Conversion API (CAPI) are examples of that. [5] [6]
It will demand a bit more work since you’ll need to implement tracking points yourself, but now you’ll be responsible to handle and respect your user’s data. Be careful.
Conclusion
Although third-party cookies were useful once, they are probably better gone. The internet is an important resource of everyone’s lives and transparency is desirable, even more to people who have less technical knowledge about its internals. These changes are indeed a huge punch into abusers’ stomachs, but it may be a good measure for everyone else. We all have heard about data that was badly handled, being leaked and sold in shady alleys, and we are kind of used to being tracked. We expect the amount and the specificity of data roaming around to decrease, aiming to have a bit more privacy, if that is even a thing.
References:
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
[2] https://web.dev/articles/samesite-cookies-explained
[3] https://web.dev/articles/samesite-cookie-recipes
[4] https://gdpr.eu/cookies/
[5] https://developers.google.com/analytics
[6] https://developers.facebook.com/docs/marketing-api/conversions-api/
We want to work with you. Check out our "What We Do" section!