We’ve been warned and warning for years now, the “Cookieless Future” is coming. It is a big topic, so buckle up. In this article, I’ve tried to lay out for you what will be changing, why it is changing, and what it means for you as a digital marketer.
What are cookies and which types are there?
Cookies are a technology that has been used in browsers for a long time. They are small Text files that your browser saves on your computer that contain a small piece of information about you.
A big division is made based on the website domain that is issuing the cookie. When the website domain dropping the cookie in your browser is also the domain you are actually visiting, then that is called a first-party cookie.
When the domain is different (e.g. a Facebook pixel is on the website and that pixel is dropping a cookie on your browser) it is called a third-party cookie. This allows for communication between different domains on the internet.
It is a technology that serves a clear purpose to identify certain preferences that you have when browsing websites. For example, not having to log in every time you visit a website, is based on cookies.
Why are we heading towards ‘The Cookieless Future’?
There are 3 big threats to the heavy reliance of the marketing and advertising industry on cookies. (Just because I call them ‘threats’ doesn’t mean they aren’t justified or that I disagree with them. The threat is to the ecosystem and the parties in it. Also, it feels really arbitrary to separate them into 3 bullet points because they influence each other.)
- Increased Privacy Awareness & Browser Choice: People are growing more and more concerned with big tech companies tracking them across the internet. For some of those users, this leads to choosing a specific browser based on Privacy features (e.g. Brave, Avast, Firefox, Safari, …) but as you’ll see, this is quite limited. Next to that, HootSuite reported that 42,7% of internet users worldwide, use an Ad Blocker, which in some cases also block trackers.
- Legal Action (GDPR, etc.) to Protect Privacy: All over the world this increase in privacy awareness has led to legal action. Most notable (at least in the EU) is the GDPR (General Data Protection Regulation) which is trying to protect individuals’ personal data. Long story short, it is keeping you from unnecessarily processing or sharing personal Personally Identifiable Information (PII) or tracking people without prior consent (through a ‘cookie banner’).
- Big Tech parties taking action to Protect Privacy: I don’t want to go into the reasoning behind why or any differences in their public and private motives here, as it would lead us to far, but let’s take a look at the facts:
- Apple releasing Intelligent Tracking Prevention (ITP) for web browser Safari:
Released in 2017, ITP was Apple’s way to limit the usage of (third-party) cookies and cross-site tracking, trying to get cookies back to their original purpose, mostly by limiting their expiry date based on first- versus third-party domain partitioning.
- Apple releasing App Privacy and AppTrackingTransparency with iOS 14.5:
With the launch of iOS 14.5, Apple continued their mobile Privacy charge by forcing transparency and prior consent to tracking within mobile apps. Not directly about cookies, but you get the relevance.
- Google Chrome promising to remove Third-Party Cookies by the end of
Most notably the most used browser (Google Chrome) promised to get rid of third-party cookies first by the end of 2022, but delayed that deadline to end of 2023.
- Apple releasing Intelligent Tracking Prevention (ITP) for web browser Safari:
Which browsers are being used the most?
You’ll notice throughout the blog post, that a lot of focus is on Google Chrome. That’s because, at the time of writing, this is still the most used browser worldwide with 64,06% of users. Way below is Apple Safari (19,22%) in second place and then both Microsoft Edge and Mozilla Firefox around 4%.
The below charts are embedded which means they will be kept up to date by the data provider, so you can do your own critical thinking after reading this. 😉
If we look at the purely Desktop Browsers, we see here as well that Chrome (66,35%) is dominating, Safari and Edge are first followers with about 9,5% and then Firefox at about 8,5%. The next browsers is already below 3% of users.
What does this mean for digital marketing and advertising?
If you are reading this, it is very likely that you have a digital marketing profession. You might or might not be interested in the technical stuff, but will most definitely be impacted by this decrease in the usefulness of cookies.
Actually, I’ve polled my LinkedIn network and saw these results:
There are a few domains that indeed are being impacted:
Diminishing Performance of 3rd Party Audiences
You probably are very used to being able to pick an audience in your media-buying based on their interest. Unfortunately, a lot of those are built through cross-domain tracking, being enabled by cookies.
Using the example of Facebook, you could ask yourself how they are building those audience segments that you’re using. The short answer is that they use your engagement with content on their platform (linked to your account), but they also have a lot of websites serving their pixel or SDK, allowing them to follow your behavior on other websites, creating a profile of your interests.
I’m using them as an example because of their importance within the advertising market and the because it is easy to relate to. But imagine the crazy amount of Ad Tech companies that are purely using that second tactic to make behavioral targeting a possibility within your media-buying process. This cross-domain tracking will be greatly impacted by the trends outlined above, diminishing the volume and accuracy of the third-party audiences you’re probably using now.
Less Trustworthy Attribution Data
If you are working in any mature eCommerce or Lead Generation marketing team, you are very likely trying to measure the channels and campaigns that are driving your revenue. You’ll have an attribution model set up to measure where precisely a certain conversion comes from.
Imagine simple conversion tracking: A few years back, that was easy. You put up the Facebook campaign, the pixel on your website, trigger an event when the form is filled or the payment is done and bada-bing, bada-boom, the conversion is tracked in both your and Facebook’s measurement system.
Even this simple one-step conversion tracking has become harder today, because of GDPR and the need for prior consent before you can actually drop the cookie that will connect the Facebook ad click to the conversion. Suddenly ±40% of the conversions happen without the Facebook pixel noticing it. Problem.
And then there’s the fact that you probably want to have a view on the multi-touch attribution to understand the impact of all your marketing efforts and not just the very linear last-touch conversion measurement. This challenges you to connect all previous sessions, even cross-device, to one person, using cookies. The longer this journey is, and the later you can actually connect it to a logged-in account (which gives you a more trustworthy identifier), the harder it will get to tie everything together.
Campaign Measurement & Frequency Capping
When buying media based on an audience, you will want to make sure the distribution of your ad over that audience happens in a somewhat balanced way. You definitely want the person most likely to convert, to see your ad. But you also don’t want this person to see 20 ads per hour every day and other people in your audience to see none.
That is why frequency capping is put in place, limiting the number of times you can see an ad within a certain amount of times. (e.g. limited to 3 impressions per day). For walled garden advertising spaces like Facebook, LinkedIn, … where you are logged in to an account, it’s not a real problem to still provide this feature as they can tie those impressions to your account ID.
For most other advertising tough, this all depends on their effectiveness in determining if you are the same person and how many times you’ve already seen this ad. It will be harder for those advertising partners to be able to offer accurate frequency capping, if not impossible.
Ad Fraud Prevention
A similar problem arises for identifying when a browser user is an actual human being. Traffic sourcing in which bots are set out to generate traffic, ad impressions, and clicks thus stealing your media budget, is one of the biggest forms of ad fraud. And it’s only one of many. To learn more about it, I suggest you read this post from interceptd on the yearly cost of ad fraud.
This huge fraudulent business (which is estimated to cost $50B in 2021) has also triggered a counter-business of detecting fraudulent traffic and excluding them from seeing your marketing campaigns, improving your bottom-line performance, and battling ad fraud. By now, you probably understand how identifying a bot across different websites, will be harder to do.
Which technical solutions are coming up?
Pretty uncomfortable picture, right? With both the reasons and impact being clear, let’s look at some technical solutions that are coming up. Digital marketing is a huge ecosystem that just cannot change overnight, so lots of stuff is going on simultaneously
Google Chrome Privacy Sandbox
As we’ve described at the beginning of this blog post, Google Chrome is one of the most important playing fields at this time. Google is channeling its activities towards a more Private Web in their Privacy Sandbox initiative.
With this initiative, they are trying to reach a new balance between a few parties:
- The Internet User who has a right to privacy and doesn’t want to be tracked all over the internet. On the other hand, there is a preference for the open web, which means access to information is free.
- Publishers that need to somehow monetise their content in order to continue their operations. Roughly speaking, it’s either the user, a government or third party that is paying for the created content.
- Advertisers that want to effectively reach their target audience and find new customers.
This new balance has led to a few separate technology initiatives that might or might (not) become the future ‘standard technology’. A lot is still moving and being debated in this space, so don’t take those as a given. I’ll list some initiatives that, in my opinion, summarise the approach Google wants to take which is focussed on anonymity in numbers and on-device processing.
Removing third-party tracking with FLoC
First of all, there is the much-debated FLoC (Federated Learning of Cohorts): As an alternative to third-party tracking, Google wants to replace any unique identifier that can be used by third parties with a Cohort ID.
It uses the principles of differential privacy and k-anonymity which means that instead of communicating a unique ID they will put internet users in groups of ‘k’ people (probably a few ten-thousands). The Cohort ID will be based on machine learning that clusters you with people that have shown similar behavior. This provides what is called ‘safety in numbers’.
To further increase the privacy in this technology, the calculation of this Cohort ID will happen on-device, in the browser so it does not get communicated with servers.
So what you actually end up with, is a bunch of Cohort IDs of which you know people are behaving in a similar way, you just don’t know what that behavior is. This will probably trigger a new industry to emerge that reverse-engineers the actual clustering of behavior and gives an ‘understandable categorization’ to Cohort IDs.
Google claims that the current technology would be at least 95% as effective as cookie-based advertising. How it will actually work is very well explained in this blogpost and image:
Still allowing for Remarketing with FLEDGE
This one is very hard to explain in short. 😅 It comes from the critique that Google would create a monopoly in Cohort IDs with FLoC, with no other parties being able to create them. Also, solely relying on Cohort IDs from FLoC would not allow advertisers to successfully retarget people that have visited their website which is a very common practice today.
FLEDGE is an attempt to open up the creation of ‘interest groups’ to other parties like advertisers (for remarketing), publishers, or ad-tech companies (audience creation). The information on interest groups, creatives that could be shown, etc. would all be on-device which allows for an auction that is happening locally on your device instead of through a server. These interest groups will also have to pass the k-anonymity test.
Blocking Fingerprinting with Gnatcatcher
Another technique that is often used to identify or recognize a certain user is fingerprinting, which combines device information (device IP, type, screen size) that is shared with the server. With the proposal of Gnatcatcher, Google wants to limit the use of this device information with a ‘privacy budget’ and possibly even mask the actual IP Address.
Although this is only a proposal, it’s clearly a threat to the current IP-to-company technology used in B2B marketing. This technology is used by parties such as Leadfeeder and Albacross to identify the company your website visitors are working for.
Solving Ad Fraud with Trust Tokens
In order to separate human users from bots, Google wants to ‘reward’ real humans with Trust Tokens when they perform an action that a bot wouldn’t be able to do, like making a purchase with an e-mail address or completing a CAPTCHA. This builds a profile of humanness while not conveying any personal information about this person.
It’s very well explained in this video:
Server-to-Server Communication & Offline Conversion Tracking
Another way to do conversion tracking without the need for cookies is by using postback URLs. This relies on the advertising channel adding a unique click ID to the link that is being clicked. The information about the conversion is then being sent server-to-server back to the advertiser, leaving the browser or cookies out of the equation.
So for example, an advertising partner could put a link on their website towards this article appended with a unique clickID (e.g. ‘15768’)
My systems record that clickID and keep it stored in my server. When this person converts, I can then POST that information back to the API of the advertiser.
This Server-to-Server communication is the way the Conversion APIs from Facebook and Google work. You’ll notice they’ll always add a fbclid (Facebook Click ID) or gclid (Google Click ID) to links that are being clicked from their platform. This allows you to post back conversion data for that identifier.
If on your server, you store this Click ID with another identifier you have after the conversion (e.g. an e-mail address), you can keep sending later conversions back to the advertising platform. This is what the Offline Conversion Tracking by Google is all about. In Lead Gen Marketing this comes in very handy when for example an MQL turns into an SQL in your marketing & sales process, and you want to report back which campaign led to this SQL.
What’s interesting with this technology is that it’s also beneficial for the user itself as it removes the need for a lot of client-side tracking being loaded. By removing this and relying on server-to-server communication for tracking, websites will load faster in their browser.
First Party Data & Walled Garden Cluster Targeting
The decline of performance for interest-based audiences has been most noticeable for Facebook as they were heavily reliant on cross-site tracking to create those audiences. You might have noticed this by a decreasing reach of those audiences. They are now more and more limited by the behavior that happens on their platform to train their clustering algorithm.
You will notice Facebook will push you towards using ‘Similar Audiences’ based on the information you’ve sent to them (customer lists or conversion events) rather than hand-picking interests as well as expanding that interest selection ‘if it increases performance’.
This is indicative of the decreasing importance and volume of audiences that Facebook is able to create and the increasing importance and reliance on the capability of the algorithm to predict who is more likely to convert on your website, based on the information they have on your current converters.
A big part of this technology relies on sharing first-party data with the platform, in order to do some matching within the accounts on the platform. In the end, this most often comes down to sharing a hashed version of the e-mail address of your customer. I have to join Simo Ahava in his skepticism for this approach as it is not exactly increasing the users’ privacy:
As you might have interpreted from my previous newsletters discussing all these third-party cookies replacements, I remain skeptical. The idea of “first-party data” means most often that the user’s email address is hashed and used as the identifier. This is, and will always be, an invasive and sticky identifier, because users can’t be expected to change their email address whenever they want to “unlink” from these systems.
So “first-party data” as a technology is very interesting and definitely the way an engineer would approach the deprecation of third-party cookies, but from a privacy and data security point-of-view it remains problematic, hashing or no hashing, partitioning or no partitioning.Simo Ahava
How should you change your marketing approach?
All those changes in technology can be very daunting, so I’d love to give some final thoughts on what I would personally focus on towards the “Cookieless Future”. In the end, technology is just one part of this change, a big part of this will also be the mindset change within digital marketing and the determination to keep moving forward in the face of uncertainty.
Embrace and prepare for the new technical solutions
Despite the numerous warning signs about third-party cookies, I still see a lot of companies being totally reliable on this technology with no plan in mind to make any changes. This leaves you vulnerable to the decreasing performance of this technology as well as a sudden huge transformation that will have to happen over a short period when this technology has reached the end of its life. It will take unplanned resources and delay your initial roadmap by months.
Yes, Google Chrome has postponed the deadline to 2023 but this has a very specific reason, being the fact that getting this technology tested, implemented, and used all over the ecosystem will take a lot of time. So make sure that you don’t get surprised by ‘the brute force change’ that will come by 2023.
Start educating yourself and your team on the changes that will most likely occur by then (reading this blog post was an excellent start 😉). Start running experiments with the new technologies and discover how you can use them so you can assess if your current infrastructure is sufficiently supporting the new approach you will have to take.
Build 1st party data and centralise it
As you’ll be less able to rely on third-party audiences in the future, make sure to build your own audience while you can still use them to help you out. This can be done by building out your owned channels like your social media profiles, your email list, and with that your brand. Just like with an investment portfolio, make sure to diversify.
Building an owned audience will also involve an assessment of your CRM / CDP and your current collection of data on your prospects and customers. In the light of the upcoming changes, it will be important to have a single source of truth on your prospects and customers. Next to that, this CRM / CDP should easily allow you to sync your data with other channels.
Stop chasing perfect attribution and evaluate holistically
The one thing that separates us, digital marketers, from normal human beings, is that perfect attribution excites us, but scares others. Wouldn’t we love to see every ad impression or radio commercial exposure that has in the end led to a sale? That would end all of the discussion in your marketing team, right? Think again.
While we were getting relatively close in a cookie-full world to make digital marketing efforts 100% measurable, it was also setting us up with a false belief that only what is measurable should be done. Short-term reporting and flawed KPI-setting often lead to very focused efforts on all the wrong things.
Now, with internet users gradually regaining their privacy, this marketers’ dream is (at least temporarily) becoming unattainable. So let’s face this new reality, stop chasing the mirage, empathize with our buyers again, and learn how they make buying decisions. Maybe start by working on your dark funnel?
Closing thoughts and notes
If you’ve just read this whole article through, well first eh, congrats! 😅
With a topic this broad and technical implications so deep, it’s hard to select the subtopics to educate yourself on. There is a lot of switching between the macro-level of running an effective marketing approach and the micro-level of marketing technologies.
But even if you would understand all those new technical solutions that are coming up, beware! Most of them are still just proposals that will be tweaked, changed, killed, or delayed. But it won’t hurt to at least get a sense of the direction they move in.
Just don’t stick to your old ways, because change is inevitable.
Be water, my friend.Bruce Lee