Digital marketers and advertisers recently noticed significant changes in the way they place ads online—especially around third-party cookies.
The changes began with extraterritorial privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR), which strictly regulate the way advertisers collect and use personal data. And today, major players in the digital ecosystem are prohibiting third-party cookies in ad tracking or planning to do so. Apple’s Safari has already removed third-party cookies, and Google is currently in a two-year transition period.
While many marketers and advertisers are starting to think about weaning themselves from cookies, the truth is that the removal of cookies changes the game for the entire industry. And many are left wondering, “Where do we go from here?”
With that in mind, here’s everything you need to know about third-party cookies and consent as a marketing or advertising professional.
Cookies are pieces of data, normally stored in text files, that websites place on visitors’ computers to store a range of information. They are usually specific to that visitor, or rather the device they are using to view the site, like the browser or mobile phone.
First-party cookies are set by the domain of the site you’re visiting. These cookies’ primary focus is to deliver you an optimal user experience. This means the site remembers your login information, language preferences, and ore. Only the host domain can retrieve and read the contents of the cookie once it has been set.
Third-party cookies are set by a domain that isn’t the one you’re visiting right now. These cookies are typically used for online advertising purposes. For example, have you ever searched online for a pair of shoes, and then the next time you read a news article, there’s an ad for those exact shoes?
That isn’t magic. It’s third-party cookie tracking.
Third-party cookies, while creating a more personalized user experience, also track a lot of consumers’ personal information. And in a world where 81% of people believe the risk of their data being collected by companies outweighs the benefits, some sort of regulation was bound to be put into place to protect people.
These are the major laws and companies that impacted the use of third-party cookie use:
General Data Protection Regulation (GDPR): Though the GDPR doesn’t go in-depth with respect to cookies, it states that cookies are online identifiers that as personal data, and therefore, subject to the law. Cookies used to uniquely identify the device and/or the individual associated with using the device, should be treated as personal data.
Privacy and Electronic Communications Directive (ePrivacy Directive): Current requirements for cookies in Europe are derived from the ePrivacy Directive; the current version was effective as of 2011. Unlike regulations, Directives are not directly applicable in Member States. They must be transposed into domestic legislation. The ePrivacy Directive, often referred to as the Cookie Directive, initially instigated the proliferation of cookie consent pop-ups.
As marketers targeting individuals in the EU, you’re required to comply with these two regulations following these five standards:
Obtain user consent before you drop any cookies, except strictly necessary cookies
Provide accurate and specific information about the data each cookie tracks and its purpose clearly and comprehensively
Document and store user consent
Allow users to access your service even if they refuse to consent to the use of certain cookies (i.e., no cookie walls)
Enable users to withdraw their consent as easily as it was for them to give their consent
Coming Soon? The ePrivacy Regulation: The drafted ePrivacy Regulation will replace the ePrivacy Directive. Originally proposed in 2017, the latest draft of the ePrivacy Regulation was released by the Presidency of Council of the European Union in November 2020 (but was voted down a few days later). For third-party cookies, the revised rules call for all third-party storage and processing to be blocked by default, severely limiting the use of third-party cookies and tracking. Negotiations are ongoing.
California Consumer Privacy Act (CCPA): The CCPA classifies cookies as personal information. While the CCPA doesn’t require businesses to obtain opt-in consent for cookies, it does require them to disclose what information they collect and the purposes of collection.
Moreover, where businesses sell the personal data collected via cookies, they must inform users of such sales and give them the opportunity to opt-out of the sale of their personal information. The CCPA defines ‘sale’ pretty broadly, but there are three main elements:
A sale must involve personal Information as defined in CCPA. If the operation in question involves de-identified information, publicly available information, or aggregate consumer information said operation would not involve personal Information.
Movement or transfer of personal Information from one business to another, or to a third- party. For example, making a cookie ID available to a third-party through real-time bidding–when this cookie relates to a consumer, a device or a household.
Consideration is defined in California case-law as a California Consumer Privacy Act Cookie Handbook for Privacy Professionals–42 “bargained-for exchange”, whereby the exchange of (e.g.) Personal Information in return for something of value is the main intention. If the transfer of personal information is just an incidental consideration, said transfer would not constitute a sale.
As an advertiser targeting California consumers, you may continue to do cookie matching as long as the user hasn’t opted out.
Not only is the government getting involved, but now major tech companies are taking cookie tracking into their own hands. And it’s actually making a bigger impact than legislation.
Firefox (Mozilla): In February of 2019, Firefox blocked all third-party tracking cookies.
The future of advertising: Consent
Using third-party cookies tracking was simpler. It gave you intel that was as good as gold–and it needs to be protected as such. This means giving consumers the right to opt-in and out of third-party cookie tracking.
However, eliminating the third-party cookie tracking process has two key upsides:
Fewer prospects, but more relevant ones
If potential customers are willing to opt-in to cookie tracking, that could mean they’re likely interested in content on a particular webpage.
Personalization will evolve
Most marketers would agree that personalization has a strong impact on advancing customer relationships. And many marketers feel removing third-party cookie tracking severely hindered personalization efforts. But the wonderful thing about marketers is that they’re resilient, and they always evolve.
Not having the third-party cookie tracking available gives advertisers the opportunity to improve the usefulness of data collected and personalization for users for whom they have. And those consumers may have more of an intent to buy.
Dabbling into the unknown is scary for anyone, but marketers and advertisers should never be afraid of a little challenge. In order to progress forward, here are the things they should begin telling their clients or their executives about targeting beyond cookie tracking:
Make first-party cookies a core part of the marketing strategy.
Start testing strategies that reach beyond cookie tracking.
Begin trying new targeting models like contextual targeting or keyword targeting.
Open up to the idea of a safe, honest, and transparent internet ecosystem. If you can’t beat it, join it.
Test preference centers to give users power over their personalization and data choices.
Track performance. Sales and conversions should still be the primary objective of advertisers and ad tech companies.
The most valuable component to your work is building trust with the customer through a better understanding of what they want. Including preference management in your strategy expands options available to customers, enhance the user experience, and reduce opt-outs/unsubscribes. You can show customers that you’re listening to what they want, while also respecting and protecting their privacy.