Editor’s Note: This blog post was originally published in September 2021, courtesy of the Association of National Advertisers. It is repurposed with permission.

— PART I —

Overview of the Five-Part Series

In a time of constant change in digital advertising, there is one consistent question that persists in advertisers’ minds: What do we do after third-party cookies are gone? The digital marketing ecosystem was built on the ability to track and target consumers as they surf across websites, apps, and online platforms. This is facilitated by third-party cookies – the small digital files that websites download to a user’s device to help identify the user as they interact with a website and traverse the Internet. In two years, the third-party cookie will likely be obsolete, and with it, the third-party consumer behavior-based digital advertising model that relies on it.

Due to a confluence of new data privacy laws and advertising technology standards, the cookie, specifically the third-party cookie, is scheduled to be phased out by the end of 2023. The questions advertisers are correctly asking themselves now are: What will replace the third-party cookie, and how should they best position themselves to market brands in the post-third-party cookie world? The good news is that alternative data solutions are already being developed, and the picture of what the digital advertising post-“cookie-pocalypse” landscape may look like is starting to come into focus.

This Five-Part series kicks off below with a brief overview of cookies before homing in on the third-party cookie in particular, including its many use cases and its role in the current digital advertising ecosystem. Part Two examines the many foreign and U.S. privacy laws and regulations that govern – and to a certain extent limit – businesses’ ability to leverage third-party cookies to collect, track, and share consumers’ personal information for advertising purposes. Part Three provides a summary of the big tech phase-out of the third-party cookie; updates on Google’s Privacy Sandbox, a protected test environment used to determine how to run ad targeting, measurement and fraud prevention without third-party cookies and Apple’s SKAd Network, the company’s alternative for advertisers to attribute impressions and clicks to installs on iOS apps launched in connection with its new iOS 14.5 App Tracking Transparency (ATT) privacy feature. Part Four will take a deep dive into the industry-wide post-cookie trends, focusing on the shift toward developing and cultivating first-party consumer data strategies, the various emerging alternate identifier solutions, and contextual advertising-based models. Finally, Part Five will close with key takeaways and best practices advertisers should consider sooner rather than later to start preparing for the inevitable transition from a consumer tracking and targeting-based framework to what may come next.

What Are Third-Party Cookies and Why they are Important

Cookies are small text files stored on a user’s computer or mobile device generated by a website through users’ browsers when they visit a website. Websites use cookies for many purposes. At the most basic level, cookies help improve or simplify a user’s web experience by allowing web servers to track user activity on the site. For example, websites use cookies to identify users, remember user language preferences and passwords, and store user information from one page to another when browsing. Cookies can also be used by a third party, i.e., a website other than the one visited by the user, to enable online behavioral or interest-based advertising.

There are a wide variety of cookies, and they can be broken down and defined along many different lines. But for the purposes of this primer, OneTrust provides a helpful cookie breakdown in three general categories – lifespan, purpose, and domain:

• Lifespan: As the name suggests, these cookies turn on their temporal use. Session or temporary cookies are only active while the browser is open and disappear when the user closes the browser, whereas persistent cookies remain on the user’s device for a defined period and are used to remember information like settings, preferences, and login information.
• Purpose: There are four basic categories of use case cookies:
• Strictly necessary or essential, which are used to provide basic functions on the website and without which the website would not work as intended.
• Performance or static, which collect information about how users navigate a website, such as pages visited and clicks. Think analytics cookies, which are usually aggregated and do not identify individuals.
• Functional or preference, which allow websites to track and “remember” a user’s past preferences and choices on the website to provide a more personalized experience, e.g., username, password or login, region, and language.
• Targeting or tracking, which are used to manage the performance and display of advertisements and to build user profiles.
• Domain: first-party v. third-party cookies, i.e., the entity storing the cookie on the device:
• First-party cookies are set by the web server of the visited page and share the same domain.
• Third-party cookies are set by a domain other than the website being visited.

First-party cookies allow websites collecting analytics data to, among other things, provide a deeper understanding of user habits while also helping to provide a better user experience. These cookies cannot be used to track user activity anywhere but the original website that set the cookie. Third-party cookies, on the other hand, are employed by social media platforms, advertisers and adtech companies to track users’ online behavior and deliver personalized or targeted ads. Types of third-party cookies include advertising, tracking, and targeting cookies, which are specifically made to build user profiles for website visitors. Tracking cookies collect data ranging from geographic location to browsing history and purchase trends and can follow a user across multiple websites or platforms.

Third-party cookies have been a mainstay of digital marketing for over 20 years, and over time, advertisers have developed a variety of ways to leverage them in ad campaigns. It is important to recap these use cases to understand the functionalities brands may lose when they can no longer rely on third-party cookies to power their online advertising strategies. For instance, it is the third-party cookie – after assignment to a user’s browser – that enables a number of key programmatic advertising tools, such as the use of software and algorithms to automate the buy/sell of ads and fuel real-time bidding. Third-party cookies’ use cases for digital advertising can be categorized into the following buckets:

• Identification: This is one of the most popular uses of third-party cookies. Adtech platforms like supply side and demand side platforms use third-party cookies to identify users across the web. The cookies are then used for behavioral targeting and retargeting once an adtech platform can identify users, showing them personalized ads based on their behavior and interest.
• Frequency capping: This practice helps identify whether a user a company is trying to reach has seen a given ad a specific number of times so it can limit the number of times the user is shown the same ad.
• Measuring performance and attribution: Third-party cookies can also help measure the performance of a campaign and run attribution, allowing advertisers to understand which action was responsible for the conversion and which ads were clicked, were viewed, and led to the purchase.
• Audience activation: This use case enables advertisers to use data management platforms (DMPs) to leverage cookie syncing (see below), to create audiences and target them across different websites.
• Cookie syncing (aka cookie matching): This use case underlies many of the above use cases, e.g., audience activation, and essentially means matching cookies that have been created by different players in the digital advertising ecosystem, such as DSPs, SSPs and DMPs, into one cookie ID to theoretically identify the same user (“theoretically” because the cookie syncing and tables have their limitations and are far from a perfect match).

Many of these use cases are part of most digital advertising campaigns today. This is probably why the end of third-party cookies, and what to do after they are gone, has become such a big deal for digital advertising. Brands may still be able to run a combination of targeting, measurement, and attribution without third-party cookies, particularly with some of the potential solutions we will discuss in detail later in this series, but the key difference will be one of scale. Simply put, advertisers may not achieve the same scale in terms of targeting ads and measuring their performance across different websites without third-party cookies, and that likely reality should inform every brand’s post-cookie strategy.

Stay tuned for our next post, in which we will discuss the privacy laws and regulations, such as the GDPR and the CCPA, that govern and limit businesses’ ability to collect, track, and share consumers’ personal information for advertising purposes. These laws not only are relevant to how businesses should be conducting their digital advertising campaigns now but are ultimately part of the driving force pushing the industry away from a third-party cookie-centric model.