Google says no more cookies

spareproj
Jul 30, 2023


Cookies

First let’s define what a cookie is.

A cookie is not a website, a company, or an organisation.

A cookie is a piece of data (a small text file) about your browsing activity: for example, the pages you browsed, the time spent on each page, your IP address, or the items added to your cart.

First-party cookies are created by the website you are currently visiting and stored in your browser. They can only be read by that website.

For example, when you visit flowers.com and set your cart currency to USD, flowers.com may save first-party cookies on your browser so that the next time you visit flowers.com, they will remember to display their prices in USD. First-party cookies usually hold ‘necessary, functional’ information used for operational purposes, to improve the user experience of the website.

Third-party cookies are created by third-party websites, such as advertising companies, and stored in your browser. They can be read by the website you’re visiting and the third-party website that created them. These cookies track your behaviour across websites.

For example, after visiting flowers.com, you visit bees.com. If both of those websites store third-party cookies, the third-party website would know that you spent 25 mins looking at daisies on flowers.com, then 10 mins on bees.com checking out a certain brand of honey.

These third-party cookies are usually set when the browser requests a third-party service (e.g. Facebook login or a live chat service): the service responds with its script and, at the same time, places some cookies in the browser.

From then on, those third-party services can begin collecting third-party cookies when you visit those websites.

domain=grapes.com
path=/
expires=2023-07-30
name=sessionid
value=1234567890

This is an example of a cookie text file. A first-party cookie’s domain value is the domain of the website that created the cookie. A third-party cookie’s domain value is that of the third-party advertiser, not the website you are currently on.

Example of a snapchat third-party cookie when browsing Nike shoes

For example, I visited Nike.com and opened my cookies tab to see the list of first- and third-party cookies being set on my browser.

How are third party cookies used?

Examples of companies that use third-party cookies: Google Analytics, Facebook Pixel, AdRoll, Criteo. These are platforms that work with advertisers to help businesses publish ads to consumers.

Before third-party cookies, advertisers had to rely on random or contextual advertisements.

They can launch ads (new bar, sofa, plumbing services) on TV, social media, magazines or Google Ads, and pay for them based on the size of the advertisement and the actual number of click-throughs. They can also pay for their website to be displayed as a top search engine result when the user searches for something specific (i.e. SEO ranking).

With these cookies, advertisers can hyper-target ads at individuals based on their online activity. Third-party cookies can even collect information such as your age and gender, if you have keyed in that information on websites before.

Instead of leaving it to chance that the ad platform they chose hits the right target audience at the right time, advertisers can rely on data collected from third-party cookies to target ads to a specific demographic, or to specific behaviour displayed by certain users.

Don’t eat too much of them

So… it turns out that most people don’t appreciate being targeted based on their online behaviour. Even if it means getting more personalised wedding band recommendations.

Unlike first-party cookies that can only be viewed and used by that specific site (stored locally on your device), third-party cookies are harvested (usually without the user’s consent) and shared with other websites, for the benefit of third-party organisations.

Unlike first-party cookies that store more ‘essential’ data primarily for the benefit of the user, third-party cookies hold ‘non-essential’ data that lets external parties monitor your online behaviour, thereafter lining their pockets with ad monies.

Data about this online behaviour can be considered personal data in certain circumstances. Of course, the term ‘personal data’ will trigger GDPR alarm bells. In late 2019, GDPR stepped in to require websites to collect explicit consent from users to opt in to cookies. Since then, you may have noticed more websites popping up annoying banners to request your consent.

But is it enough?

Google says no more cookies

In Jan 2020, Google announced that they will phase out third-party cookies in Chrome by 2024.

This is a huge deal, as third-party cookies are an important driver of its advertising cash cow. Without third-party cookies, advertisers may need to revert to random or contextual advertisements. This, as we all know, is less efficient and less lucrative.

But Google is doing this because they have to.

The tech giant is already under heavy scrutiny for many privacy-invasive data-tracking practices, and can no longer afford to defend or react passively to these concerns.

Its brand and mission have always been to lead the industry and community, and to innovate. In keeping with this history, it needs to take a more proactive approach to managing the elephant in the room, or risk losing more of its ardent (tech-savvy) supporters.

If those intrinsic motivations haven’t been strong enough, perhaps competition has been. Alternatives are plenty for those who wish to protect their data, with Apple being a big one.

Eat Apples instead?

Apple has been blocking third-party cookies in Safari since 2017. More recently, in 2021, Apple introduced the Apple Tracking Transparency (ATT) privacy framework to protect users from unsolicited tracking by advertisers.

This move severely hit the revenues of advertising giants like Meta, which reported that its YoY revenue in 4Q 2021 was down 8%, attributing part of it to ATT. Meta’s CFO said that the company anticipates losing more than $10 billion in revenue from these changes made by Apple. Needless to say, this was popular news with the general public.

Apple’s ad in 2023 is focused on data privacy

While Google may still be a tech giant today, there’s no guarantee of what may happen in the future. If users’ concerns about data tracking and potential malware become increasingly heated, many might choose to abandon Google’s search engine and Chrome browser altogether, which would be a double blow to its cash cow.

It’s a tough decision: Google can choose to hit its advertising cash cow and incur the wrath of advertisers today, or wait for its users to migrate to other platforms and lose its main business (along with a slow rotting of its brand) tomorrow.

The advantage of choosing the former is control. Google can choose when and how to modify its advertising business according to those changes. With the latter, it may be kicked out of the game without much of a choice.

If so, how might Google seek to address users’ privacy concerns while not completely squashing the advertising business that their existence was built around?

Can there be another way? A way to protect individual anonymity, yet still deliver results for their advertisers?

Privacy Sandbox — how does it work?

Whether it was pressure from the legislators, lobbyists, competition, or internal initiatives, Google saw the removal of third party cookies as an inevitable future.

Google introduced the Privacy Sandbox initiative — which is a bunch of APIs (‘privacy sandbox APIs’) to collect data in a ‘privacy preserving way’.

Here are some of them:

Interest-Based Advertising (IBA) — these APIs seek to allow advertisers to address groups of people with similar interests, instead of hyper-targeting individually. Google needs to prove that this cohort-based targeting can be as effective as individual-based targeting.

  1. Topics API — retrieve the top topics that a page visitor might be interested in, based on sites they’ve visited in the past, to supplement contextual signals from current page being visited.
  2. Protected Audience API — on-device auctions by the browser, to choose relevant ads from websites the user has previously visited.

Strengthen cross-site privacy boundaries

  1. First-Party Sets API — businesses can declare relationships among sites so that browsers can allow limited third-party cookie access across different domains (i.e. related brands under different domains).
  2. CHIPS API — Cookies Having Independent Partitioned State. These cookies can be set by advertisers, but only read within the context of the top-level site where they were initially set. See illustration below.
  3. Shared Storage API — preserve the use of unpartitioned data storage where data can only be read in a restricted environment (e.g. measuring the number of users who have seen an ad).
  4. Fenced Frames — introduces a new HTML element <fencedframe> for embedded content that restricts communication between the embedded content and the rest of the page. Useful when we need to display data from a different top-level site on the same page.
  5. Federated Credential Management API — a new identity/login service without sharing personal information with the site.

Comments on Privacy Sandbox

It seems like cookies are here to stay.

Contrary to the headline buzz of removing cookies once and for all, Google is still holding on to the use and storage of cookies.

For example, the CHIPS API, Shared Storage API, and First-Party Sets API allow or enable the continued storage of third-party cookies. What these APIs change is that cookies are partitioned by the top-level site on which they are generated, preventing cross-site ‘contamination’.

Illustrating partitioned vs unpartitioned storage

Unpartitioned storage — embedded site C can join information from across unrelated top-level sites A,B.

Currently, Chrome does not partition cookies. Site C can compile a user’s browsing activity across sites A, B and every other site it is embedded on.

Partitioned storage — user behaviour on site A/C is stored in its own jar, and cannot be used to join with behaviours on site B/C

With the CHIPS API, third-party cookies set by embedded site C on site A are stored in their own jar, while those set on site B are stored in a separate jar. Cookies from separate jars cannot be mixed. User behaviour is ‘isolated’ by the top-level site.
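The two jars described above can be modelled in a few lines. This is an added example, not code from the original post or from Chrome: the `CookieJar` class, the `simulate` function, the `uid` cookie name and the `a.example`/`b.example`/`c.example` sites are all constructed for illustration, while the `Partitioned` attribute and its requirement for `Secure` come from CHIPS.

```javascript
// Toy model of a browser cookie jar (added illustration, not Chrome's code).
// a.example / b.example are top-level sites; c.example is the embedded third party.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Pull out the name, value and the two attributes this model cares about.
  static parse(setCookie) {
    const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
    const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
    const eq = pair.indexOf("=");
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1),
             partitioned: flags.has("partitioned"), secure: flags.has("secure") };
  }

  // Store a cookie set by `embed` while it is loaded under `topSite`.
  set(topSite, embed, setCookie) {
    const c = CookieJar.parse(setCookie);
    if (c.partitioned && !c.secure) return false; // CHIPS requires Secure
    // Partitioned cookies get the top-level site as an extra key component.
    const partition = c.partitioned ? topSite : "*";
    this.store.set(`${partition}|${embed}|${c.name}`, c.value);
    return true;
  }

  // Cookies that `embed` receives when it is loaded under `topSite`.
  get(topSite, embed) {
    const out = {};
    for (const [key, value] of this.store) {
      const [partition, host, name] = key.split("|");
      if (host === embed && (partition === "*" || partition === topSite)) out[name] = value;
    }
    return out;
  }
}

// The tracker on c.example reuses its uid cookie if the browser sends one,
// otherwise it mints a new id. Returns the sites it can link under each id.
function simulate(attrs, visits = ["a.example", "b.example", "a.example"]) {
  const jar = new CookieJar();
  const linked = new Map(); // tracker-side log: uid -> top-level sites seen
  let nextId = 1;
  for (const top of visits) {
    let id = jar.get(top, "c.example").uid;
    if (id === undefined) {
      id = String(nextId++);
      jar.set(top, "c.example", `uid=${id}; ${attrs}`);
    }
    if (!linked.has(id)) linked.set(id, new Set());
    linked.get(id).add(top);
  }
  return [...linked.values()].map((s) => [...s].sort());
}
```

Calling `simulate("Secure; SameSite=None; Path=/")` yields one identifier linked to both top-level sites, while adding `Partitioned` to the attributes yields one identifier per top-level site, so a return visit to the first site is still recognised but cannot be joined with the second.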

Another big bet in the Privacy Sandbox is the move towards interest-based cohort targeting. Two of the sandbox APIs allow advertisers to do ‘targeted advertising’ via interest groups.

How does this work?

Instead of using third-party cookies that collect online behaviour within and across websites, the browser only uses your browsing history.

The browser trains a cohort model based on this browsing history, and sends this model to the Topics API. The Topics API aggregates models from all browsers and creates a global model. Using the global model, the API assigns each user a set of topics, and displays ads accordingly.

For example, if I consistently visit vancleefarpels.com and acquadiparma.com, the Topics API would eventually classify me as someone who’s interested in jewellery and perfume. If there is sufficient data to show that someone who visits these 2 websites also visits bottegaveneta.com, then I’m also expecting the Topics API to add ‘luxury bags’ to my set of interest topics.

The difference between the use of third-party cookies and the Topics API is that there isn’t any storing and joining of information about which sites I have visited and what I have done there; the Topics API simply knows that I am interested in jewellery and perfume, and potentially luxury bags.

In all, it seems like the Privacy Sandbox initiative is a move to keep the use of cookies through partitioned storage by top-level sites, and replace individual behaviour targeting with cohort-interest topics targeting.

Will they succeed?

Apologies for the misleading title. But I kept it because that was how I understood the situation initially, before studying it a little deeper.

Google is solving a difficult problem: balancing user privacy against advertisers’ interests. This is a personal existential problem for Google, as its ad business relies on collecting data about users.

It has taken a step to signal the move towards user privacy, and to acknowledge that it can no longer behave so brazenly in these matters, no matter how big a monopoly it is today in the adtech space. The strategy it is taking seems to be a slow and cautious one with advertisers in mind: removing some features but not without replacing them, and working closely with regulators like IMDA in Singapore.

Google has mapped out a timeline to phase out third-party cookies in Chrome by Q3 2024, together with the launch of new Privacy Sandbox APIs. They’ve made this information transparent online; this welcoming of public scrutiny shows their commitment to the initiative, though some would say it is overdue.

If they are successful, they will yet again lead the industry’s thinking about online advertising.
