The Full Privacy Guide to Third Party Cookies
What are internet cookies?
Cookies are, more or less, pieces of code used by websites that exist to improve user experience, collect data about that website visit, and track other metrics.
Internet cookies take many forms, including short-term vs long-term cookies, but arguably the most relevant split is between first-party cookies and third-party cookies. It’s important to note cookies are not inherently bad or risky, as their very existence is integral to the way the internet currently works, but they can certainly be abused.
First-party cookies are code that’s generated and stored on visitors’ computers when they visit your site, but are entirely contained to the information within that site visit. That means they follow how the user interacts with your site, saving things like logins and keeping track of how long the user stays on the site, but they don’t know, for example, what other sites the user visits.
Third-party cookies have fewer boundaries. They track the same information about user behavior on a website, but follow users around the internet, absorbing data about an individual's entire array of online activity.
When third-party cookies originate from advertisers or sites looking to sell that user data, a problem arises. This leads to situations where you’re browsing new shoes online and end up with shoe ads on half the sites you visit for the next several weeks.
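As an added illustration (not code from the original article), the script below applies the first-party/third-party distinction to a captured page load: it parses each Set-Cookie header and labels the cookie by comparing the responding host's site with the site of the page being visited. The hosts, cookie names, and the two-label approximation of a "site" are assumptions made for the example.

```javascript
// Approximate a host's "site" as its last two labels (assumption for this example;
// browsers use the Public Suffix List, which matters for suffixes like co.uk).
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into its name and the attributes audited here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq),
                   sameSite: null, secure: false, persistent: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'max-age' || key === 'expires') cookie.persistent = true;
  }
  return cookie;
}

// Label every cookie set while loading pageUrl. A cookie is third-party when the
// responding host belongs to a different site than the page the user is visiting.
function auditPageLoad(pageUrl, responses) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return responses.flatMap(({ url, setCookie }) => {
    const host = new URL(url).hostname;
    const party = siteOf(host) === pageSite ? 'first' : 'third';
    return setCookie.map((header) => {
      const c = parseSetCookie(header);
      // Browsers that default to SameSite=Lax attach a cookie to cross-site
      // subresource requests only when it is marked SameSite=None and Secure.
      const crossSite = party === 'third' && c.sameSite === 'none' && c.secure;
      return { host, name: c.name, party, persistent: c.persistent, crossSite };
    });
  });
}

// Constructed sample capture: hosts and cookie names are made up for illustration.
const sampleLoad = [
  { url: 'https://shop.example/', setCookie: ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'] },
  { url: 'https://cdn.shop.example/app.js', setCookie: ['prefs=dark; Max-Age=86400'] },
  { url: 'https://pixel.adnetwork.test/p.gif', setCookie: ['uid=7f3e9; Max-Age=31536000; Secure; SameSite=None'] },
];
const report = auditPageLoad('https://shop.example/shoes', sampleLoad);
console.log(report);
```

Running the same audit against your own site's page loads shows which hosts are setting long-lived, cross-site cookies for your visitors.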
Third-party cookies and internet browsers
Internet browsers act as a go-between for cookies and users. It’s why clearing your cache will temporarily end the omnipresence of targeted ads and things that seem eerily specific to you.
The public caught on to this long ago, and generally wasn’t happy about it. In response, major internet browsers like Safari and Firefox eliminated third-party cookies years ago, but Google Chrome has been a holdout due to the complexity of the situation.
This is not to say Google has been wholly inactive on the privacy front. The company began the slow phaseout of third-party cookies in early 2020, and put out a statement in March 2021 that noted, above all else,
“We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.”
However, actions speak louder than words, and the inevitable removal of third-party cookies has been delayed multiple times, with Google now targeting the end of 2024 as the time of death. Google has not yet figured out a one-for-one replacement, and most of its proposals have garnered skepticism.
Why is how Google handles third-party cookies so important? Chrome is the most popular web browser in the world, by far, with nearly 66% of people using it to surf the web.
Third-party cookies: constant or capricious?
Even though the end of the cookie has remained a strong possibility for years, many advertisers and marketers have long fretted over when that day will eventually come.
Part of that anxiety is due to the nature of Google ads themselves, one of the largest money makers on the planet and a constant in nearly every company’s marketing plan.
Even if Google and Chrome will continue using some kind of trackers and even if first-party cookies will continue to play a vital role in everyone’s internet experience, third-party cookies have been tremendously profitable.
If one data privacy feature can affect so much financially, were third-party cookies ever a real solution, or did they only exist because data privacy regulation and public perception had lagged behind on privacy issues until recent years?
Are third-party cookies dangerous?
On their own, third-party cookies, or any internet cookies, are not dangerous. They don’t carry malware or viruses and are not trying to trick users.
However, their presence and the fact that they have historically been sold to and used by advertisers for profit leaves many people with a bad taste in their mouths, as if their presence online is being monetized in an over-the-top way.
Likewise, if companies use third-party cookies for targeted advertising–a practice some global data privacy regulations have begun to outlaw–how can we be sure they have the cybersecurity measures in place to protect that data? If they don’t, mountains of sensitive personal information are sitting around, vulnerable to data breaches and hacks.
Due to their very nature, third-party cookies are contradictory to data minimization, which is a data privacy principle that states organizations should seek to limit their data collection policies only to what is strictly relevant and necessary to their operations.
Cookie banners and consent: enough for data privacy?
When the EU passed the GDPR in 2016, some of the basic tenets of the regulation were data minimization, explicit user consent, and transparency about data collection and processing.
Technically, these cookie banners comply with the GDPR’s explicit consent requirement, as well as Brazil’s LGPD and California’s CPRA consent requirements. But, due to how unclearly many cookie banners are worded and their constant presence across the internet, that element of data privacy regulations has not been as effective as intended.
This phenomenon even has its own name: cookie fatigue.
What this means is that cookie banners have not done enough to inform people about their data rights, nor to curtail user tracking online. As we get closer and closer to the death of the third-party cookie, failing to find a solution to the matter of consent poses a significant problem.
Any replacement for third-party cookies will be set up to fail in protecting people and limiting tracking across the web if data protection authorities don’t compel sites to have more direct and honest conversations with users about data processing and collection.
That is why so much hoopla is made over third-party cookies. Not their somewhat exploitative use in certain circumstances, but the fact that the internet has not found a safe alternative in all the years third-party cookies have been on the chopping block.
What your business can do
Complying with data regulations is not enough when those regulations have underachieved in their goal of empowering people’s data rights.
Any good company needs to ensure its cookie consent banners are easy to read, understand, and navigate. Cookie banners must present a clear opt-out, so that users don’t have to actively search for a button other than the one that accepts all cookies by default.
That’s the starting point for proper consent management, and getting a good platform to put that in place is essential as we shift away from third-party cookies and brace for what comes next, hoping it’s an improvement.