What are cookies?
Cookies within the context of law are not the ones that crumble, but small text files that websites place on your device as you are browsing. They are processed and stored by your web browser and serve crucial functions for websites. Cookies are harmless and can generally be viewed and deleted easily.
However, cookies store a wealth of data, enough to potentially identify you without your consent. Cookies are the primary tool that advertisers use to track your online activity so that they may target you with highly specific ads. Given the amount of data that cookies may contain, such data may be considered personal data in certain circumstances and is therefore subject to the EU’s General Data Protection Regulation (GDPR) as well as the e-Privacy Directive (EPD), which is also known as the “cookie law”.
In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their provenance. There are also cookies that do not fit neatly into these categories or that qualify for multiple categories. Classified by purpose, strictly necessary cookies are essential for browsing websites and using their features; consent is not required for them, but it is necessary to explain in clear language what such cookies do and why. By duration, cookies are either session cookies or persistent cookies. Session cookies are temporary and expire once the browser is closed, while persistent cookies remain on the hard drive until you erase them manually or your browser does, depending on the cookie’s expiration date. Provenance refers to whether cookies are first-party or third-party. First-party cookies are put on a device directly by the website, while third-party cookies are placed on a device by advertisers or analytics systems.
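The classification above, applied to raw `Set-Cookie` headers in an added JavaScript example that is not part of the original article. The allowlist `ESSENTIAL_NAMES`, the sample headers and the host names are constructed, and comparing the last two DNS labels is a simplifying assumption; a real audit would use the Public Suffix List.

```javascript
// Hypothetical allowlist: purpose cannot be read from a header, the site owner must declare it.
const ESSENTIAL_NAMES = new Set(["session_id", "csrf_token"]);

// Assumption: "site" = last two DNS labels. Real audits need the Public Suffix List.
function naiveSite(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Split "name=value; Attr=val; Flag" into a name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Max-Age takes precedence over Expires; with neither, the cookie ends with the session.
function durationOf(attrs) {
  if ("max-age" in attrs) return Number(attrs["max-age"]) > 0 ? "persistent" : "expired";
  if ("expires" in attrs) return Date.parse(attrs.expires) > Date.now() ? "persistent" : "expired";
  return "session";
}

// pageHost: site the user is visiting; settingHost: host whose response carried the header.
function classifyCookie(header, pageHost, settingHost) {
  const { name, attrs } = parseSetCookie(header);
  const cookieHost = typeof attrs.domain === "string" ? attrs.domain : settingHost;
  const firstParty = naiveSite(cookieHost) === naiveSite(pageHost);
  const essential = firstParty && ESSENTIAL_NAMES.has(name);
  return {
    name,
    duration: durationOf(attrs),
    provenance: firstParty ? "first-party" : "third-party",
    consentRequired: !essential,
  };
}

// Constructed sample headers, not captured from any real site.
const report = [
  classifyCookie("session_id=abc123; Path=/; HttpOnly; Secure", "shop.example.com", "shop.example.com"),
  classifyCookie("uid=77f1; Domain=.adtracker.test; Max-Age=31536000; SameSite=None; Secure", "shop.example.com", "px.adtracker.test"),
  classifyCookie("prefs=dark; Max-Age=2592000", "shop.example.com", "www.example.com"),
];
console.log(report);
```

A cookie counts as strictly necessary here only if it is both first-party and on the declared allowlist; everything else is reported as needing consent.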
Cookies under the GDPR and EPD
The GDPR is the most comprehensive data protection legislation and has been applicable since May 25th, 2018 in all EU Member States. The Regulation aims to harmonize data privacy laws across the EU. Recital 30 of the GDPR is the only reference to cookies, and it states that cookies used to identify users qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or have a legitimate interest.
The EPD, or the “cookie law”, was passed in 2002 in order to address crucial aspects of the confidentiality of electronic communications (e-communications) and the tracking of internet users more broadly. It supplements the GDPR, although it sometimes might override the GDPR with regard to e-communications. The EPD’s eventual replacement, the ePrivacy Regulation (EPR), will build upon the directive and expand its definition. The EPR was supposed to be passed in 2018, at the same time as the GDPR came into force; however, the EU has missed the goal by far. The EPR is to be finalized sometime in 2024, even though there is still no date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and consider new methods of communication.
To comply with the legislation governing cookies, obtaining users’ consent before deploying any cookies on a website is absolutely necessary. An exception is made for strictly necessary cookies, on which websites depend. Even before obtaining consent, providing accurate and specific information in plain language about the data each cookie tracks and its purpose is crucial.
Additionally, users should be able to use websites or services without being forced to accept non-essential cookies, as denying access for not consenting to cookies is not compliant with the GDPR and EPD. If a user decides to withdraw their consent to cookies, the process should be straightforward and easily accessible, similar to how the consent was initially given.
Google ban on cookies
On January 4th, 2024, Google began testing its new privacy features and stopped the use of third-party cookies in the Google Chrome browser for 1% of users, joining Safari and Mozilla Firefox in dropping such tracking technologies. Chrome currently holds a significant majority of the web browser market globally, and Google plans to end the use of third-party tracking cookies for all users, though the deadline for completion has been pushed back.
Third-party cookies not only serve the website they are placed on, but also serve their providers, and the AdTech industry at large revolves around mass data harvesting, profiling and real-time bidding. In return for optimization services on websites, a lot of third-party cookies will amass enormous amounts of personal data from end-users, sometimes even without their consent or even their knowledge. Such data is then sent, traded, and sold in digital markets. The problem does not lie in the amount of data collected or in the sensitivity of the data, but in the processing of that data to create extensive profiles of end-users. Google’s initiative to exterminate third-party cookies in Chrome has naturally been met with resistance from the AdTech industry.
Google’s decision to remove Chrome’s third-party cookies is part of a larger series of initiatives called “Privacy Sandbox”, which was launched back in August 2019. The initiative is an alternative to all forms of cross-site and cross-app tracking and functions similarly to third-party cookies.
Future of the cookies
The end of third-party cookies doesn’t mean the end of the need for user consent. Consent is still an integral requirement of many of the world’s major data protection laws. Nor does discontinuing support for third-party cookies mean the end of tracking users, as tracking technologies can also be nested in the services used on websites and apps in multiple other ways.
The Privacy Sandbox solution for ad targeting is the “Topics” application programming interface (API), which creates recognizable categories that the browser infers based on the pages a user visits. With Topics, the specific sites a user visited are no longer shared across the web as they have been with third-party cookies. Another Privacy Sandbox solution is the “Protected Audience” API, which is designed to serve remarketing and custom audience use cases without allowing third parties to track user browsing behavior across sites. It enables on-device auctions by the browser to select relevant ads from websites previously visited by a user.
Additionally, one of the fears that marketers have, besides the end of third-party data and the shift to privacy-friendly AdTech, is the reduction of detailed and accurate advertisement measurements. Privacy Sandbox addresses this concern with its “Attribution Reporting” API, which enables advertisers to place relevant ads and analyze their effectiveness without third-party cookies, ensuring privacy by preventing cross-site user tracking.
The cookieless world is almost here, and marketers are shaking in their boots. However, after certain setbacks and recovery from them, advertisers might look into leveraging first-party data. Such information (email addresses, purchase history etc.) is more credible and richer since it’s provided by users willingly or it can be monitored without trackers. To enhance the first-party database, marketers may offer a newsletter subscription, launch loyalty programs, analyze customer feedback, or create polls and quizzes. Gaining such exclusive access to first-party data means a definite competitive advantage.
Nevertheless, the EU’s GDPR and EPD will govern EU data. The same principles of processing personal data will persist long after third-party cookies are gone. Third-party cookies have supplied the raw and privacy-infringing data to a nearly trillion US dollar AdTech industry that has relied for years on the inferences to predict the behavior of users and on the real-time bidding auctions that have made up the mechanics of how personalized ads are shown to users on websites.