
Preparing Your Privacy Posture for the Death of the Cookie

By CyberData Pros
July 10, 2024

By now you’ve likely heard many doomsayers such as myself warning of the “death” or gradual deprecation of third-party cookies. Many blog posts and announcements from major browsers have portended this fate, even if the dates have been pushed back many times over by now. Currently the major phase-out is planned for 2025, and although there’s potential for it to move later again, the delays will hardly continue forever. In fact, cookie deprecation has already begun in a few browsers such as Safari and Firefox, and Chrome (where most eyes are, since as the most heavily used browser it is the nail in the coffin for cookies) is already testing the first waves of fully restricted default cookie blocking for users. It’s fairly safe to assume that this full deprecation of third-party cookies will happen within the next few years, so it’s wise to start considering how to adapt your own data collection strategies and build out your privacy program to account for it. This post aims to serve as a brief guide to this adaptation: what might be lost with third-party cookies, what options are appearing to compensate, what to keep an eye out for, and finally a couple of strong first steps to take going forward.


To begin with, let’s quickly recap what exactly we mean by third-party cookie deprecation. A cookie is a small file that’s stored in a user’s web browser upon loading or interacting with a site, and it can contain many little bits of information about what the user is doing. This information can be about what buttons a user has clicked, what’s stored in their e-store shopping cart, or what color theme a user chose for a site. Some of these selections can disclose sensitive information about users, though (like IP addresses, names, etc.), which makes them a concern for regulatory bodies. Third-party cookies are cookies deployed on a site by an entity other than the one hosting the site itself. They are the primary target of privacy concern, and thus the cookies these web browsers are deprecating. Deprecation means that they will either be disabled by default for users or entirely non-functional; in either case, they’ll hardly be productive anymore for their original purpose.


So what exactly will be lost with this cookie deprecation? Well, that all depends on how your sites are presently using these third-party cookies. Generally, the cookies absolutely required for your site to function properly (think of performing login services or tracking a user’s shopping cart) are categorized as first-party or necessary cookies, and so will likely still work fine. If the focus of the cookies is generally to collect data to or via a third-party system or company, however, there’s a good chance those will lose their use entirely. This can create some holes in a company’s ability to collect information on users (at least via vendors), share/sell user information, deliver targeted advertisements, and personalize site experiences. And of course, there’s no strict guarantee that your site’s baseline functionality won’t be affected either if there are some minor third-party dependencies, so it’s worth testing your site without third-party cookies now to ensure that any critical breakages can be accounted for.
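One way to start the inventory described above, as an added example that is not part of the original post: a short Python audit that takes the `Set-Cookie` headers seen while loading a page and sorts them into first-party cookies and third-party cookies that depend on cross-site delivery. The sample data, the `shop.example` site domain and all function names are constructed for illustration; the "restricted" category relies on Chrome treating cookies without `SameSite=None; Secure` as not sendable cross-site.

```python
from urllib.parse import urlsplit

# Constructed sample: (request URL, Set-Cookie header) pairs, as pulled from a HAR export.
OBSERVED = [
    ("https://shop.example/api/cart", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://cdn.shop.example/theme.css", "theme=dark; Domain=shop.example; Max-Age=31536000"),
    ("https://ads.tracker.example/pixel.gif", "uid=9f8e7d; Domain=tracker.example; Secure; SameSite=None"),
    ("https://widgets.chat.example/embed.js", "chat_sid=77aa; Path=/; SameSite=None; Secure"),
    ("https://metrics.example/collect", "mid=42; Path=/"),
    ("https://othershop.example/t.js", "x=1; Secure; SameSite=None"),
]

def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.partition("=")[0].strip(), attrs

def is_first_party(host, site_domain):
    """True if host is the site's registrable domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == site_domain or host.endswith("." + site_domain)

def audit(observed, site_domain):
    """Classify each observed cookie by how third-party cookie blocking affects it."""
    findings = []
    for request_url, header in observed:
        host = urlsplit(request_url).hostname or ""
        name, attrs = parse_set_cookie(header)
        if is_first_party(host, site_domain):
            category = "first_party"   # set by the site itself: keeps working
        elif attrs.get("samesite", "").lower() == "none" and "secure" in attrs:
            category = "at_risk"       # usable cross-site today, lost once blocked
        else:
            category = "restricted"    # Chrome's SameSite=Lax default already withholds it
        findings.append({"cookie": name, "host": host, "category": category})
    return findings

def vendors_at_risk(findings):
    """Third-party hosts whose cookies stop working once third-party cookies are blocked."""
    return sorted({f["host"] for f in findings if f["category"] == "at_risk"})

if __name__ == "__main__":
    for finding in audit(OBSERVED, "shop.example"):
        print(finding)
```

The site domain is passed in explicitly rather than derived from the URL, because working out a registrable domain correctly requires the Public Suffix List.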


With the potential breakages from third-party cookie loss established, let’s take a look at some of the means available to compensate. We’re going to focus primarily on recovering the ability to collect user information, deliver targeted advertisements, and personalize experiences. Those will be the activities most universally harmed by the cookie loss, and other areas of concern might best be tackled on a case-by-case basis. The first strategy we’d suggest is considering what types of data collection and targeting might best be accomplished via first-party cookies instead. Rather than collecting data automatically from users, you might ask them to fill out a first-party form, or rather than tagging a user to specific ads, you might have an ad-personalization preference page available upon account creation. It’s true that this process is often much more easily said than done, as it might require new site/server architecture. Still, as you audit what types of cookies you’re using, it is at least worth considering how easily you might be able to accomplish a similar effect directly with your customers. In the cases where you can migrate a third-party functionality to an internal process, it can greatly simplify longer-term regulatory compliance and earn some trust from consumers, so now is a great time to give it a try.


Beyond just taking your data collection and ad-targeting fully first-party, there are some emerging options to keep an eye out for that maintain that utility in a relatively hands-off way. One such technology is Unified ID 2.0, which is an open-source identity management software that uses user email addresses to create unique and anonymized user IDs. Different attributes and marketing signals can be attached to these IDs to help still personalize experiences for users while evading much of the privacy concern with handling their personal information directly. If this sounds interesting, you can begin by partnering with a Unified ID 2.0 Provider. Alternatively, Google itself has long been developing its own solution to its deprecation of cookies, now titled the “Privacy Sandbox”, which offers some options to replace some of the functionality that will be lost with full third-party cookie deprecation. The infrastructure that underlies this is complex and still in development, but in basic terms it works by allowing the browser to group users into different cohorts based on topics they appear interested in (e.g. sports, fashion, hiking, etc.) and then allowing websites to advertise to and draw analytics from these cohorts. Since Chrome is acting as a sort of impartial middleman in this user-to-website targeting dynamic, by design a great deal of third-party cookie functionality should be preserved without the sacrifices to individual privacy rights. Again, this Privacy Sandbox is still in fairly active development and is subject to significant change, but as the frontrunning solution for the critical Chrome browser it’s very much worth keeping an eye on and considering how a topics-based approach might work for your business, especially if you make heavy use of Google services already.


Whether you run with the services above, one of their alternatives, switch to first-party collection, or something else entirely, we have a couple of general yet highly recommended steps for adapting your privacy program as you move away from these cookies. First, it’s smart to begin this process by having a privacy audit conducted on your privacy program, reviewing things like your data collection, use, storage, mappings, and the like. This is an important stage to figure out what elements of your site will lose function when third-party cookies go away, and to establish solutions with time to spare to implement them effectively. And if there’s not much of a privacy program or organization thereof in place currently, this switch makes a great time to establish one. Second, it’ll be wise to review your privacy policy in the context of your upcoming changes to cookie usage (and ideally, in the context of any changes you make as a result of your privacy audit). For companies that have cookie sections in their policies already it’s worth paring them down appropriately, but keep in mind that any new solutions you onboard and transition duties to will need to be outlined, especially if they have to do with sensitive data collection, sharing, transfers, or sales.


If you’re able to see those couple of steps above to completion, then you can consider yourself far more prepared for the shift ahead and, relative to many companies, ahead of the curve. This is not to undersell the challenges involved with tackling those steps. Like so many important things, reviewing and establishing privacy systems can seem extremely daunting and intricate and, at least for now, attractive to procrastinate on. We can sympathize with those concerns. It is far better to have this head start on unraveling these problems, however, and wherever it seems like too much there’s always the option of consulting with data privacy expert groups for guidance. Whichever route you go, keep in mind that these challenges are faced across the whole business world, and with major changes those who adapt best tend to do best!