We Need to Think Again About Why We Don’t Allow Third-Party Cookies

We Need to Think Again About Why We Don't Allow Third-Party Cookies
by

There has been a constant drumbeat that websites should switch to first-party data, which many say is better anyway, ever since Google said it would get rid of third-party cookies. It is important to collect first-party data, but third-party cookies were made for a reason, and website owners should not ignore them even though they are becoming less popular and reliable.

What are cookies, and why do we have them?

Sites can put a cookie, which is a small text file, on your machine. Most of the time, it has a unique ID for each user, or internet browser, like Chrome or Safari.

This is how it works. An internet browser lets you go to a website. For that reason, the website checks your computer for the cookie to see if you’ve been there before. If the cookie is there, it tells the server that you have been here before. It gives you an ID and writes it to a new cookie in your browser if the cookie doesn’t exist. This way, the site can recognize you when you request the next page.

Because the internet was built on links that don’t need to be connected to a specific server, cookies are needed. When you use your web browser to ask for a page, the server sees that as a new, anonymous user. If there isn’t a cookie, the web server doesn’t know if the reader is new or has been 100 times before.

Because every page view was a new, anonymous request, this stateless, anonymous setting made it impossible to log in (until cookies were added). The website needs to be able to “identify” the visitor in order to “maintain state,” or keep track of that visitor as the same person who sees different pages. That’s what the cookie does.

There are probably hundreds of websites’ cookies on your computer right now. On some sites, like Amazon or Gmail, those cookies may keep you logged in. If you delete your cookies, you’ll have to log in again the next time you go to any of those sites.

Cookies from first- and third-parties

The site you’re on right now puts a first-party cookie on your computer. A third-party cookie is made by a different website.

I will get a first-party cookie from nationalgeographic.com that only the National Geographic computers can read if I visit the site. A Doubleclick cookie will also be sent to me. That’s a third-party cookie that Doubleclick can use to find me on any site that uses Doubleclick for ads, even NatGeo. If I look at some pages on the National Geographic website, the first-party cookie on that website will let National Geographic follow me around the website.

Then I go to llbean.com, and the L.L. Bean first-party cookie will let them follow me around their site. I’ve never been to Doubleclick, but their third-party cookie is used on both National Geographic and L.L. Bean, so they can follow me across both sites.

Well, the third-party cookie does “follow you around,” but it does so for a good reason. Doubleclick can make a profile of a person by keeping track of what they do on different sites. In this case, it will know that he reads about Appalachia and looks at ads for campaign gear. That lets Doubleclick show that person the right ads on any site that uses Doubleclick for ads.

Limits on first-party cookies

Cookies from the first party don’t follow you around. This site is the only one that can read a first-party cookie because it was made by that site. That makes things hard for businesses with more than one page.

Take a look at ACME Dog Food Company. There are 20 websites that ACME owns, such as feedthedogforgodsake.com (site No. 1) and wouldyoupleasefeedthedog.com (site No. 2). Every time someone views one of those sites, it leaves a first-party cookie on their browser and collects first-party information about them.

The CEO of ACME Dog Food Co. asks the IT manager to make a report that shows how many people who visit site No. 1 also visit site No. 2.

The IT manager scratched his head and thought for a moment. Then he realized that the only way he could do that was if the users of both sites shared some info.

For instance, if I go to site No. 1, it will put a site No. 1 first-party cookie in my computer. This lets site No. 1 keep track of the pages I’ve visited. Once I go to site No. 2, it will also put a first-party cookie in my browser and gather information. Most of the time, though, neither of those user records shows that it’s the same person—that is, that it’s me both times.

In some cases, this kind of material does exist and can be used to make a connection. If I buy something on both sites, the shopping carts will have saved my email address, so the IT boss would be able to connect the two records.

Without a record like this, our confused IT boss has no choice but to give up. He is unable to link information from one site to the other.

Hold on, there must be other choices.

I understand what you mean. Don’t we hear all the time that everyone is following us around and has all this information on us? There must be a way for a business to find a user who logs in to two different sites.

It’s too bad that they are not the same thing. Big companies like Google and Facebook keep track of most of what we do because they use third-party cookies that most people have on their computers. When you use Chrome, your Google account follows you around the web.

(Did you ever wonder why Google didn’t get rid of third-party cookies? (Maybe it’s since they like them too much.)

That’s not the same thing as what another business can get from its own website.

That being said, yes, there are choices.

Remember that the issue we’re trying to fix is that the records are separate on the two sites. We need to find some kind of key that will match those records and let us join them. That can be done in a number of ways.

Set up site registration on both of them. When someone logs in, probably with the same username or email address on both sites, that gives you a point of contact that lets you combine the records. Another problem is that not all of your visitors will sign up, and this method will only work for those who do.

Use tracking for browsers. Some of the things that a web browser gives to a site when it visits are its IP address, screen size, which browser is being used, and so on. You can pretty much be sure that a person who visits one site and then visits another site is the same person. It’s not perfect, but sometimes it works well enough.

Take a third-party cookie from someone else. It is sometimes possible to match two records if you use Google Analytics on both sites and get the visitor’s GA ID.

Send a unique ID from one site to another. You can use an ID as a query field in links between the two sites and use that ID to combine the records. People who click on those links are the only ones who can use this.

You could also use cookies from a third party.

Here’s an alternative answer. What would happen if ACME Dog Food Company made its own third-party cookie and put it on all of its websites? The cookie would give each user a unique ID that would follow them from one site to the next. That ID would be the one record that ACME could use to combine customer information from all of its websites.

You say, “Hold on.” “That’s too easy and good to be true.”

There are, in fact, some problems and restrictions.

While Google hasn’t done away with third-party cookies yet, some sites have, so this method might not work for everyone. Google is also said to be going to let users turn off third-party cookies.

Based on all of that, let’s be pessimistic and say that this third-party cookie work will only be able to match half of your users who are on different domains.

I think fifty percent is better than nothing, and you should be able to do pretty well if you use some of the other tips I gave you above.


Leave a Reply

Your email address will not be published. Required fields are marked *