Understanding why cookies are going away… and why they should not simply be ‘replaced’

June 17, 2020  |   Christian Carlsson

At this point, we’ve heard it a hundred times. “The third-party cookie is going away;” “The ‘cookiepocalypse’ is upon us;” “Digital marketing will never be the same.” While these statements are true to some degree and the industry as a whole has embraced the fact that change is coming, have we fundamentally understood why this change is happening?

Why is this shift really happening?

The deprecation of third-party cookies is a response to increased consumer awareness and privacy regulation, which strives to place transparency, control, and choice in the hands of readers and viewers on the open web to protect consumer privacy. 

In other words, the issue with the current ecosystem isn’t data collection, re-targeting, or personalisation of websites, but the lack of understanding from the end user about what data is being collected, how their data is being used, and which parties are handling that data.

As a way to combat this lack of transparency, EU regulators instated the General Data Privacy Regulation (GDPR) in 2018, which aims to give individuals an understanding of what happens with their data and how it is used. However, this only addressed data collection at its source, i.e., it forced any company that handles personal data of any kind to explain why data is being collected, what it will be used for, and allow that person to object to these terms. GDPR also classified what data is considered personal data, and thus which data GDPR must apply to. 

In the case of cookies, this became rather complicated, as the cookie itself was not classified as personal data, but as an ‘online identifier.’ However, if the cookie was being used to identify an individual in any way, for example, to facilitate a login on a website or to create a profile of a user, then it would be considered personal data.

Today, one of the primary use cases of a cookie is to pseudonymously identify an individual across the web, and thus GDPR had to apply to cookies as well as any other method of data collection. But cookies were not primarily designed to identify users across domains or to be transparent to the user.

They were designed, initially, to enhance the user experience—to work in the background and help users by remembering passwords for websites, storing the contents of a shopping cart, etc. so that users didn’t have to re-enter information every time they came to the website.

To summarise, the end of the third-party cookie is first and foremost an effort to bring consumer transparency to the digital advertising ecosystem—one that allows individuals to have more control over what happens with their data. With that in mind, how do we, as an industry, continue to enable digital marketing activities while ensuring consumer transparency and choice?

The real solution: rebuild not replace

There are a few different ways we can accomplish this with one common denominator: regardless of the solution, we must be able to consistently and accurately honor an individual’s preferences and ensure that the individual has full control over how their data is being used. Any solution that isn’t able to do this will have the same fundamental issues as the cookie and is therefore likely to meet the same criticisms and, ultimately, regulation as the third-party cookie. 

The best way to do this is to connect the individual to a pseudonymous, consented identifier that is based on personal information that the individual has willingly given. For example, when I go to my favorite news website and am prompted to enter my email address, I can choose to do so with the understanding that I’m entering into an agreement that exchanges my email address for content I consider valuable. Before I enter my email address, I am prompted to read and accept the policies of the news site, which state exactly how my data would be used if I choose to share it. Therefore, when I provide them with my information, I am given the opportunity to understand that the data can be used by the website to personalise my content and/or show me ads that are relevant to me—ultimately resulting in my ability to better support my favorite source of news. 

Conversely, if I choose not to share my email address with this news website, I would expect that the ads I receive are not based on a known profile, but likely based on the content I’m reading.

Authentications form the basis of a value exchange rooted in transparency and choice, and more importantly, makes sense to the individual. It is easy to understand that, in exchange for being able to consume the content I want and value, I support opportunities for the publisher to increase revenue. 

Isn’t there another way around this?

There are other ways to identify an individual online without that individual willingly sharing a piece of identifiable data with a publisher, even without using a third-party cookie; however, each alternative comes with some risk. In one scenario, a combination of parameters from the user’s device, such as the browser they are on, their screen resolution, the version of their operating system, etc., would be analysed when the user lands on the publisher website. Those parameters would be combined into an identifier and checked for uniqueness against hundreds of millions of other identifiers from other individuals. If this identifier turned out to be unique—or at least unique enough—it may be sufficient to use as a proxy to identify that individual or, more specifically, that individual’s device throughout the web. This practice is commonly known as fingerprinting and can be an accurate way of consistently identifying a device, yet is done unbeknownst to the individual browsing the site. It is also difficult to block since websites need to be able to read this information for web pages to display correctly on a specific device.

However, the problem with fingerprinting is that it doesn’t actually solve the fundamental problem of protecting consumer privacy. All it does is replace one device-based people proxy with a worse device-based people proxy. So, while fingerprinting may be a technically viable option to replace third-party cookies, it does nothing to increase consumer privacy and transparency, and is widely considered a poor alternative. All three major browsers, Google Chrome, Apple Safari, and Mozilla Firefox, have condemned fingerprinting as a violation of user privacy, and are independently taking action to restrict it. 

Given this alternative, there is only one option that seems viable, only one that is truly people-based and transparent to the consumer—namely one based on authentications and trust. This option:

  • Requires a value exchange that is focused on creating a trusted, direct relationship with individuals
  • Provides individuals with transparency and choice that makes sense to the them
  • Enables publishers to offer true, people-based marketing to advertisers and brands

Truly people-based marketing

As an industry, we want to limit people-based marketing to inventory that is truly people-based, and move away from opaque identifiers that attempt to represent a person by profiling their device. That said, by using a people-based identifier that is the same across both the demand- and supply-sides, the efficiency throughout the chain is dramatically improved as there is no need to translate between various ID spaces. This means that 100% of the overlapping users between advertisers and publishers are matched, something that cannot be said for today’s cookie-based ecosystem. The key benefit is the ability to measure across 100% of those users.

Ultimately, true, people-based inventory will be more valuable for publishers, more attractive to advertisers, and more privacy-friendly and transparent. It’s a win for everyone, especially individuals.


To find out more about identity and addressability post-cookie, register for our webinar, taking place on Thursday 25th June at 11am: Addressability post-cookie: How is it going to work?