Everyone loves cookies. Or do they? Just like oatmeal raisin, people either love or hate third-party web cookies. Now, major players like Google are trying to phase them out altogether.
This emerging shift away from third-party cookies has become known as the “cookieless future.” Though experts say that a cookieless future bodes well for privacy and security, it undoubtedly presents many challenges and obstacles for marketers, businesses, and site owners. Even consumers will have a few things to work around.
With the cookieless future just over the horizon, now’s the best time to prepare. In this article, we’ll learn more about the cookieless future, its impacts, and how we can all make the most of it.
Read on to learn more and start saying goodbye to cookies — or at least to the digital ones.
What Is a “Cookieless” Future?
As the name suggests, the cookieless future refers to a recent shift away from using third-party cookies for various purposes.
But what’s so significant about this? While you probably already know what a cookie is, you may not know just how frequently they’re used — or the privacy concerns they’ve presented.
As user privacy and security become increasingly important on the web, Google, Firefox, and other big web players are starting to transition away from certain cookies altogether.
Though it’s perhaps a win for user privacy, it also presents a lot of uncertainty for site owners and marketers who use third-party cookies for tracking individual users and displaying relevant advertising. As a result, many people are scrambling for equally tasty alternatives as major players continue to transition to a cookieless future.
But before we dive into that, let’s have a brief refresher on what exactly cookies are and how they can do harm.
What Are Cookies?
On the web, cookies are small files containing user data that help identify you and your computer. This user data might include your username, password, or email address.
Since their main purpose is identification, cookies are largely used for exactly that: telling websites who you are. As you might imagine, this makes cookies useful for many applications, from maintaining login sessions to delivering ads through contextual targeting.
Just like their confectionary namesake, cookies also come in several different flavors — and some are more palatable than others.
In any case, cookies are served to you by the web server of the sites you visit. You’re usually served either one of two main “flavors” if the site you visit hasn’t opted out of serving cookies.
- First-party cookies: Cookies served directly from the site you’re visiting. These are usually used to maintain sessions, so you’ll stay logged in the next time you visit. In most cases, first-party data is safe as long as the website you’re visiting hasn’t been compromised.
- Third-party cookies: Cookies served from third parties that aren’t on the site you’re visiting. These cookies are usually linked to third parties through ads or other features. As a result, even the most well-intentioned site owner can be a channel for third-party cookies if, for example, they list ads from third parties with less-than-reputable practices.
It isn’t hard to imagine that third-party cookies are the more controversial of our two flavors. In the next section, we’ll explore why they cause so much concern and why they’re so widely used despite it.
The Third-Party Cookie Controversy
Where first-party data is usually pretty benign (essentially the “chocolate chip” of flavors), third-party cookies aren’t quite so innocent, and the controversy behind them is one of the primary reasons for the cookieless future.
But what makes them so controversial?
For one, third-party cookies are often delivered without consumer consent. That means that as you browse, ads you visit may be sneaking third-party cookies into your computer, allowing these third parties to track where you go online.
At their best, third-party cookies use this tracking capability to deliver personalized experiences (mostly personalized ads) on other websites you visit. You can follow along in the image to see how a user gets a third-party cookie, which changes how they’re served ads.
So what’s the big deal? Sure, targeted ads can be a bit creepy, but they aren’t that bad — right?
Yes and no. Cookies themselves aren’t inherently bad or harmful, third party or otherwise. However, many users are simply uncomfortable with being tracked.
Furthermore, though cookies are safe on their own, they can sometimes be vectors for security threats such as cross-site request forgery attacks (CSRF) and cross-site scripting (XSS). While we’ll dive into these more later, know for now that both of these (and other) threats make it possible for malicious third parties to commit cyber attacks on perfectly innocent websites.
These privacy and security concerns have been enough for many major search engine tech platforms to go cookieless. But what exactly does being “cookieless” look like?
What Does “Cookieless” Mean?
Being “cookieless” means not using or accepting third-party cookies.
Since many of our web experiences rely on cookies for personalization, it can be hard to imagine a cookieless existence. How are we supposed to stay logged in, have personalized experiences, or deliver targeted ads without some means of identification?
Thankfully, there are many alternatives that allow us to have all the functions of cookies without the cookies themselves. Though many websites and browsers are still transitioning, these transitions are all adding up to one common goal: a cookieless future.
Why Have a Cookieless Future?
There are many benefits to a cookieless future, especially when it comes to security.
However, these benefits can seem more like inconveniences to site owners and marketers, especially with 97% of advertisers using third-party data and cookies. As a result, many are questioning why a cookieless future is necessary in the first place.
Thankfully, site owners and marketers will still be able to personalize experiences and target users — just without the inherent privacy and security concerns of cookies. To do this, they’ll have to take advantage of cookie alternatives, such as first-party data like permanent web IDs and tools like Google’s Privacy Sandbox.
Plus, a cookieless future may not be entirely cookieless after all. Since third-party cookies are the primary concern, many sites may still be able to continue using first-party cookies (ones they serve themselves) without worry.
But even with the privacy and security benefits, a cookieless future can still feel like a big hassle. Thankfully, as we’ll see next, there are many more reasons to adopt cookie restrictions — some of which may even present cost savings.
Why Are Cookies Being Phased Out?
Privacy and security concerns are the biggest reasons behind the cookie phase-out. As a result, most buyers and sellers think the phase-out will actually benefit digital advertising in the long term.
While that’s probably enough to go on, there are other reasons why a cookieless future is a good idea. Let’s dive a little deeper into some of these important factors.
Privacy is perhaps the biggest concern surrounding third-party cookies — and the biggest reason many brands and companies are getting rid of them.
As we’ve covered a bit already, third-party cookies come with a slew of privacy problems. For most people, the biggest problem is tracking user behavior without knowing. Here, advertisers and other third parties (malicious or not) have long been able to store cookies in users’ browsers.
Though laws like the General Data Protection Regulation (GDPR) now require users to consent to cookies, many users simply click through these prompts (such as the one below) out of habit or convenience.
As a result, third-party cookies remain a widespread problem regardless of GDPR compliance.
Plus, cookies can help third parties build detailed — and potentially invasive — user profiles beyond just tracking user whereabouts and posting ads. Though some social media platforms are making some of this profile data available to their users, most people are shocked to find just how much their platforms know about them.
In any case, it can all seem a bit creepy and invasive. As brands place more value in consumer trust and privacy, they’re also beginning to embrace a cookieless (read: less invasive) future so they can build better customer experiences.
As if invading your privacy wasn’t enough, cookies can also pose several security risks. Talk about having unwanted guests!
Here are just a few major security concerns that cookies can present.
- Session Fixation: As we’ve seen, cookies are commonly used to keep you logged in between site visits. This is done through session cookies, which store a unique session ID for as long as your browser is open. Unfortunately, it’s possible for hackers to hijack your login credentials by specifying their own session ID in a URL they send you. If you log in through one of these URLs, a hacker can gain access to your account on a particular website.
- Cookie Tossing: Though most cookies are associated with a path or domain name, not all of them are. When a site encounters several of these cookies, it will often choose one at random without regard for anything else. To take advantage of this, many hackers “toss” a cookie into a user’s browser in hopes it might get picked up by an unsuspecting website. If it does, then the website is at the cookie’s (read: hacker’s) whim to fulfill any requests, such as forking over login information.
- Cookie Capturing: In the best-case scenario, session cookies and other types used for authentication are sent over secure SSL or TLS channels. However, since this is up to the website, it isn’t always done. Where cookies sent over secure channels carry a “secure” flag and can’t be read, cookies sent insecurely can. As a result, many hackers listen in to these unsecured connections in an attempt to capture valuable user data.
These security threats don’t just affect users — they also affect the sites they visit. As a result, many site owners are embracing a cookieless future just for the security benefits!
Ad Fraud (or Affiliate Fraud)
Cookies can also be used to create fraudulent purchases and page activity. While that may not sound like a big deal, it’s allowed many fraudsters to commit millions of dollars in fake sales.
Here’s how it works. Many businesses launch affiliate programs that allow third parties to promote their products. When a customer buys through one of these affiliates, the affiliate gets a cut of the sale. These sales are usually tracked by associating the affiliate’s cookie with customer sales. Sounds like a reliable way to keep track, right?
Not really. While most legitimate affiliate programs and their affiliates have no problem using this system, some fraudulent affiliates have taken advantage of it. This usually comes in the form of cookie stuffing, where malicious third parties place malicious cookies on a breached website. When unsuspecting users visit this website, they get the cookies, which discretely communicate with the affiliate page and make fraudulent sales.
As a result, advertisers and affiliate programs alike are keen to embrace a cookieless (and less fraudulent) future.
By now, you can probably imagine that consumer privacy, security, and fraud take a lot to monitor and mitigate. Unfortunately, the reality isn’t very far off.
Though cookies pose many advantages to advertisers, marketers, and site owners, their inherent risk poses massive costs to anyone worried about security. Though the finer details of our cookieless future remain uncertain, eliminating cookies will likely eliminate many of these risks and the costs associated with them.
Cookies or not, it’s always important for site owners and users to monitor their security. However, it may be easier and less expensive without having to worry about the cookie-related threats we’ve covered.
Potential Impacts of a Cookieless Future
Though a cookieless future presents many benefits for privacy and security, it won’t be easy for everyone.
Here’s how the cookieless future will impact some of the biggest key players on the web.
For users, the cookieless future is mostly beneficial. With many browsers and websites dropping cookies altogether, users can browse with the peace of mind that their cookies and sessions aren’t being used for malicious activity.
For Site Owners
For site owners, the cookieless future is very promising and challenging.
Though site owners won’t have to worry as much about cookie-related security issues, they will have to start changing how they interact with users and ensure a consistent user experience.
For example, where most sites use session cookies to maintain login sessions, doing so will become increasingly insecure — and increasingly discouraged — in the cookieless future. As an alternative, site owners should start to adopt first-party data strategies to take advantage of other (and more secure) personal identifiers.
Since advertisers mainly use third-party cookies to deliver targeted ads, digital marketing will see some of the biggest impacts from a cookieless future.
That’s not necessarily a bad thing, however — if anything, it’s a benefit. But how can it be when a cookieless future virtually eliminates much of the data collected for marketing purposes?
The answer lies in staying on top of cookieless trends and cookie alternatives. Though cookies have been a reliable standby for a long time, they aren’t the only reliable (or even the most secure) means of collecting user data. As we’ll see later, many marketers will need to adopt first-party data strategies to maintain targeted ads, especially in the face of advanced ad blockers.
Of course, the impacts go deeper than embracing alternatives. With cookie phase-outs challenging many longstanding marketing strategies, marketing teams will also need to find ways to build their own data, build better relationships with exclusive advertisers (aka “walled gardens”), and better educate their organizations about cookieless practices.
How To Prepare for a Cookieless Future
Ready or not, the cookieless future is already here.
Even as some major platforms like Google Chrome continue to delay third-party cookie depreciation, we’re already well into the transition phase. As a result, now is the best time for site owners, marketers, and businesses to prepare for the cookieless future.
Follow these tips to adapt and come out on top.
Stay Aware of Emerging Privacy Threats
Though the cookieless future will help eliminate many privacy threats, it won’t eliminate them entirely. As companies begin to adopt alternative tracking methods, it’s only a matter of time before hackers, and other malicious parties find some way to take advantage of them.
Even if first-party data doesn’t become the next big attack vector, companies should still stay aware of emerging trends in privacy and security. As the past two decades have shown, even the most promising technologies may be phased out if they pose a risk.
Use Alternative Identifiers
Cookies are a very effective way to track and identify users. But how can companies and marketers continue to do so in a cookieless future?
The answer is using alternative identifiers and tracking signals. Here are just a few that successful companies are already using.
- Universal IDs. As the tech world moves away from cookies, many tech platforms are turning to universal identifiers. Though Google Chrome doesn’t plan to support them, many other platforms are embracing them as a convenient means of identifying users without the security risks. These IDs are usually offered through security platforms that offer interoperable, secure means of tracking users across the web.
- Cohorts. Similar to contextual targeting, using cohorts — or grouping users together based on similar interests — remains a simple but effective means of tracking. Again, instead of worrying about individual identification, platforms can use activity information to deliver consistent, targeted experiences to groups of people who display similar characteristics, interests, or hobbies.
- On-device solutions. Device data also has the potential to further improve cohorts. Here, instead of marketing to individuals based on their device data, devices can instead reveal only as much information as a third party needs to classify their users into a certain cohort. In doing so, users maintain their anonymity while marketers can still deliver targeted experiences based on proven user activity.
If the cookieless future will teach us anything, it’s that there’s nothing more important than user privacy.
With the cookieless future already upon us, there’s never been a better time for marketers and site owners to make the transition.