Resisting the hype about the cookiepocalypse

Last updated: 23 May 2024 // Reading time: 8 minutes
Digital AdvertisingDigital AnalyticsWebsite
[Image credit]

Resisting the hype about the cookiepocalypse

Published: Last Updated: 23 May 2024 // Reading time: 8 minutes

    • If you’ve done any digital marketing over the last 3 years you’ll have seen a constant set of opinions, suggestions and “are you ready?” guides about the deprecation of 3rd party cookies. There’s a lot of info out there but when we talk to clients and website owners they usually tell us they’re still confused.

    While not a comprehensive guide, this will hopefully clarify and help you work out what actions if any you should take.

    What is the timeline?

    • Firefox and Safari have already phased out 3rd party cookies years ago and their share of the Australian market is about 31%, so you’re already living in that world.
    • Microsoft Edge (9% AU market share) plans to phase out this year.
    • Chrome (56% AU market share) was going to phase out this year, but this has been pushed yet again. They’re still ironing out the technical and regulatory details for some of their mitigation efforts (see below) and since they own one of the largest ad networks they won’t pull the plug until that’s secured. There’s definitely a bit of boy who cried wolf with the constantly moving rollout time.

    What is changing?

    This image shows the difference between 1st and 3rd party cookies.

    If I visit carsguide.com.au and drive.com.au, they can both set 1st party cookies which are only read by that domain. So if my anonymous visitor ID is 123 on carsguide.com.au, it might be 456 on drive.com.au.

    3rd party cookies are those set on a domain different to what the user is actually visiting. So if both websites ping an ad tech domain like googleads.com, it gets to set its own anonymous ID, in this case 789. The reason this enables things like remarketing or cross-site tracking is even though the googleads.com pixel is being fired by 2 completely different car sites, googleads.com knows that the user ID is 789 in both cases. It knows it’s the same person. And if you identify yourself on a site that this ad tech domain is affiliated with (eg. google.com) it can then associate the anonymous ID 789 with your actual login.

    Basically 3rd party cookies allow websites to ping other websites (like ad servers) and it’s as if you visited those domains too, even though you didn’t choose to. This is what’s changing.

    What will this impact in digital marketing?

    This depends on the specific setup.

    Case 1: the user stays only on the website(s) of the ad network

    In this case there’s no change at all. Facebook knows who the user is, there is no 3rd party. So audiences and measurement that depend only on on-network touchpoints will not be affected. There’s a similar case for (say) users who stay on Google-owned properties like YouTube, Maps, Search etc except logged-out activity will be much harder for Google to associate with logged-in activity.

    Note that ad networks have been trying to let advertisers run more campaigns that don’t send the user anywhere. This is what lead forms hosted on Google, Instagram, LinkedIn and Facebook are about. A campaign with on-platform lead forms will generally not be impacted by 3rd party cookies.

    Case 2: the user only visits website(s) that are NOT the ad network

    Here, the user started on SMH then went to Cars Guide, completed a conversion and then at some point visited SMH again. In this case the 2 domains will store their own 1st party cookies with different IDs. If both domains ping (say) Facebook, their pings will have 2 completely different IDs. Which means:

    • Facebook won’t be able to serve a remarketing ad on SMH based on the person visiting Cars Guide (it doesn’t know it’s the same person).
    • Facebook won’t be able to attribute a conversion to a Facebook ads campaign (it doesn’t know which Facebook user the ping was for).

    This is the biggest impact but this is mainly a problem for ad networks, not website owners! And ad networks have been working on mitigation strategies for years.

    Case 3: the user starts on the ad network then visits the website

    Here, a Facebook user clicks on an ad. Facebook generates a click ID unique to that user and appends it to the URL the user visits. Pretty much all ad platforms do this.

    In this case, if the website has Facebook pixel, it will store a 1st party cookie for that website with the click ID. Meaning every user action sent back to Facebook will contain that click ID, and since Facebook knows which user matches this ID, it knows the identity of the user and can add them to audiences and attribute ad campaign conversions to them. This is what it means for ad networks to have moved identification to a 1st party context: you are storing their ID in a cookie that your website owns.

    Some browsers are already starting to disrupt these click IDs but we think ad networks are likely to overcome this.

    Note that the user had to have clicked from Facebook in this case, if they just saw the ad and navigated to your website (or encountered it later), your website will not know the click ID. So the smallest impact will be on direct response and the biggest impact will be on branding and longer-term campaigns (which even when every browser had 3rd party cookies have never been tracked that well).

    Case 4: the website just tells the ad network who the user is

    Here, it doesn’t matter how the user got to your website or conversion page. Once the user has converted, you usually know who they are and so can tell the ad networks directly. There are lots of ways to do this, and here the main considerations are:

    • Implementation – some methods are more complex than others
    • Privacy – are you actually allowed to do this in your country/industry and if so what consent do you need from the user?

    There are also some limitations:

    • You can’t do this for micro-conversions or user actions before they have identified themselves to your website
    • While this is easy for marketing measurement and optimisation, it won’t overcome the 3rd party cookie challenges for remarketing and interest based advertising. Just because Google knows that a Jane Doe completed a conversion on your website doesn’t necessarily mean it can show your remarketing ad to Jane Doe on say SMH. Because when Jane Doe is on SMH, Google still won’t know that this user is in fact Jane Doe.

    What are Google’s new technologies to mitigate this?

    Google has been working on a number of mitigations in their Privacy Sandbox project. This is what they want to fully resolve before they phase out 3rd party cookies in Chrome. Most of these are new methods of achieving similar goals but without 3rd party cookies and without tracking users granularly. For marketers the most interesting for now are:

    • Topics API – Chrome determines for the user which topics they are interested in, out of a list of pre-defined topics (currently 469 but set to expand). Chrome is doing this automatically so no website owner action is needed. Expect these to be available for targeting in major ad platforms (including non-Google ones).
    • Protected Audience API – This lets website owners define their own audiences for remarketing and bidding purposes. So rather than tracking the users, you attach labels to the user’s browser (like saving a non-personalised cookie) and then you can remarket to those audiences. These are available now so you could in theory start implementing them. However the advertising side is not yet running, and we’d expect marketing tools like Google Tag Manager to allow websites to do this more easily soon so it’s not clear whether implementing this now is a huge advantage.

    So, what should I do now?

    If you asked 10 years ago what most websites should do given the uncertainty of tracking we would suggest:

    • Don’t forget micro-conversions – set your websites up to ask for them and track them. Most people are not ready to complete the final big conversion
    • Give people a reason to provide their email address – that’s a great micro-conversion that lets you market to them directly.
    • Give people a reason to create an account/log in – an even better reason.

    For everything that’s happened in the last 10 years, we don’t think this has changed, we’d give the exact same advice now!

    A lot of tracking and remarketing mitigation focuses on complex tech (including server-side tracking, APIs etc). This can be part of the solution but we think for most websites, 80% of the benefit and the ROI will come from the above 3 points. If you convince more people to identify themselves earlier on in the customer cycle, you don’t need to worry as much about long-term measurement. You should still be able to track those conversions and optimise for them pretty well.

    If your product or service has a very long sales cycle, where users may visit dozens of times before they do anything else, you will be most impacted. However, the “good” news is you have already been impacted for decades, since attribution measurement for such long life cycles has never been very accurate anyway, even with 3rd party cookies.

    Save page to PDF

    Got a question?

    Contact us
    NEWSLETTER

    SEARCH THE KNOWLEDGE BASE

    , ,