You’ve probably heard that web cookies are dying. Or that they are already dead.
And if you work in online marketing, you’ve probably been swamped with emails and LinkedIn messages about ‘cookieless’ tracking or ‘fingerprinting’ as the new best thing.
I’m here to tell you that’s wrong. Cookies – or similar browser storage – are essential to modern web tracking. Some cookies (the bad kind) are being killed, but good first-party cookies are alive and well. Cookies are essential to what Littledata does, along with almost every web analytics tool.
Third-party cookies are dead. Long live the first-party cookie!
What are web cookies?
Cookies are tiny text files, stored on an internet browser, designed to pass state or identifiers across multiple web pages or visits. Without storing a cookie, the internet servers which send content or track visitors would have no way of knowing if a ‘hit’ is from the same browser as the previous hit.
As Mozilla explains, there are three main purposes for HTTP cookies:
- Session management (logins, shopping carts, etc.)
Cookies don’t last forever; they can be deleted by the browser, deleted by the user or just expire. Broadly there are two durations of cookies: short-expiry session cookies, which link together the hits in one web session, and long-expiry user cookies, which link together multiple sessions.
Cookies are essential to the functioning of ecommerce stores. Many apps your store uses will save some settings to a cookie so the user doesn’t have to re-enter information on each page.
Ironically, cookies are also used to save consent granted in a cookie banner – so that once the user opts into cookies on the site, they don’t see the cookie consent banner again.
The problem with cookies
The first use of a cookie was for ecommerce. Netscape developed a way to store a virtual shopping cart on the browser – something Shopify now does server-side (more on that later).
But over the following 25 years tracking scripts proliferated which accessed ‘third-party’ cookies from any web page – allowing ad platforms to track the same user’s visits across most of the websites they visited.
Privacy campaigners objected to this concentration of data as hugely intrusive. A common example they gave was that an ad network could work out someone was pregnant by linking their visits to an online pharmacy with browsing for popular baby names, and start serving ads for baby clothes on another site.
And so the cookie crack-down began.
The death of third-party cookies
Third-party cookies will be the first to meet their demise. These cookies – mainly used by ad networks – can be stored on one website (web domain) and accessed by a script on another site. These are called ‘third-party cookies’ because neither the current website nor the current tracking script sets them.
Support for third-party cookies varies by browser but was dropped by Safari and then Firefox in 2019. The holdouts have been Chrome (owned by Google) and Edge (owned by Microsoft).
With Chrome holding 63% of the global browser market, only Google sticking the knife in will finally kill third-party cookies.
Littledata has never used third-party cookies, and I would welcome their demise.
Are first-party cookies affected?
The death of third-party cookies does NOT affect web analytics or marketing attribution, which need to track an anonymous user across their visits on a single website or domain.
This requires a ‘first-party cookie’, which is only accessible on the same domain (e.g. yoursite.com) and can’t be used for ad targeting on other sites.
But with every war there is collateral damage, and Apple – with no internet ad network of its own – decided to go further by limiting even first-party cookies that were set for tracking.
Apple’s war on trackers
Starting from 2019, and ratcheted up in every iOS release since, Apple’s Intelligent Tracking Prevention (ITP) aims to limit – but not kill – first party cookies used for tracking or analytics.
What ITP targets is those long-expiry user cookies, linking visitors over many web sessions for up to 2 years. ITP forces all tracking cookies to expire within 7 days.
Note: this is not called Intelligent Cookie Prevention because it blocks any kind of browser storage which might be used instead of cookies. I’ve written previously about ways to extend cookie expiry but all the technical workarounds have now been closed.
Firefox now does something similar with Enhanced Tracking Protection.
Apple is making it very hard for tools like Littledata to link web visits that happen more than 7 days apart, and the iPhone’s dominance means up to 40% of visits to the average North America’s ecommerce store are affected by ITP.
CNAME cloaking doesn’t help
For a while analytics tools thought they could avoid these restrictions by pretending to be a cookie set by the website itself.
‘Cloaking’ sounds like something from Star Trek, but it’s really just a redirect. The theory is that if the cookie is set by a subdomain on yoursite.com (e.g. tracker.yoursite.com) rather than by tracker.com then the browser will see the cookie as an essential part of how yoursite.com functions – and not part of a third party tracker.
If you are asked by a vendor to set up a DNS redirect (a CNAME record) to redirect tracker.yoursite.com (or equivalent) to their domain, then this is cloaking. But it won’t work any more.
Starting from 2021, Apple applies the same rules to cookies set from the same domain but a different IP address range as it does to cookies from a different domain.
And there’s a security risk with CNAME cloaking: if the DNS record is not deleted after use, a hacker could take over that subdomain.
Fingerprinting isn’t a magic bullet
Ah, fingerprinting – the supposed saviour of web tracking.
Fingerprinting works by the browser requesting as much information about the local environment (operating system, plugins, screen size, etc.) and comparing that to previous browsers it has seen. The theory is that one browser’s fingerprint is so unique that it can be linked to previous sessions no matter what IP address or cookie blocking the user has.
You can use AmIUnique.com to check if fingerprinting is possible from your browser. I checked it on Safari, Chrome and Firefox (which all supposedly block fingerprinting) and my browser profile was unique out of 1.9M others.
Many attribution tools for ecommerce – including Rockerbox, Northbeam and Triple Whale – use fingerprinting to improve the attribution of orders to marketing spend. But ad blockers and privacy extensions (e.g. Disconnect) can block fingerprinting by blocking a list of known tracking scripts from running and collecting the fingerprint.
So just because a tracking script uses fingerprinting does not ensure it works in 100% of browsers. There’s no magic bullet for 100% marketing attribution.
Littledata doesn’t use fingerprinting because it is:
- Borderline unethical: the user has not consented to be tracked, and we want to ensure our customers are GDPR and CCPA compliant
- Of limited incremental value: ~90% of orders can be attributed with cookies only, and maybe 95% with fingerprinting
- Extremely costly
Try Littledata free for 30 days
Respecting cookie consent
The ePrivacy Directive in Europe (and similar regulation sprouting up across US states) requires users to be allowed to opt out being tracked, typically via a cookie banner.
Many stores have the cookie banner but don’t respect the user’s decision when it comes to tracking cookies. It’s hard to be fully legally compliant. And complying with the right to not be tracked when using a fingerprinting tool is doubly hard – as the setting of cookies cannot just be blocked. I wonder how many of the tools using fingerprinting are in fact allowing users to opt out?
Littledata supports cookie banners using Shopify’s customer privacy API (along with integrations for TrustArc and OneTrust) to ensure that the users’ legal right to opt out is respected in the tracking, while ensuring maximum data accuracy for those tchat opt in.
Why Littledata isn’t cookieless
I believe more browsers will limit fingerprinting in future (e.g. by blocking canvas fingerprinting) as it’s in their users’ interests, so it’s likely a temporary fix at best.
As I mentioned earlier, Littledata provides accurate marketing attribution by piggy-backing on the shopping cart and checkout.
Shopify has built a very robust way to persist the contents of the cart on their servers, and that allows Littledata to persist cookie identifiers across many different user journeys and checkout scenarios.
This tracking is the best of both worlds – extending the life of the first party Google (_ga) cookie or Facebook (fbp) cookies to ensure that attribution is not broken at the bottom of the funnel. It’s not cookieless – but it’s pretty smart!
Littledata can make sure you have the best tracking set up for your ecommerce store, but beware of vendors overpromising their solution for a ‘lifetime identifier’ or similar. Lifetime identifiers are just not possible, and somewhat creepy.
Long live the first-party cookie!