You’ve heard us say “cut out the cookies” in our How to Become a Track Star white paper. That’s because cookies are bad for your health — your tracking health, that is. In the context of performance marketing, what this really means is third-party tracking cookies will compromise your campaigns. First-party tracking cookies aren’t great for them, either, but there are important differences between the two.
Recently, we’ve heard that some of you have questions about these cookies, so we’re answering them. In this post, we’re crumbling the tracking cookie to show you what it’s really made of, addressing the differences between first- and third-party cookies, and reviewing why it’s a bad idea to depend solely on cookie-based tracking for your campaigns.
Browser cookies: a bite-sized history
While the internet has been around in some form since the 1960s, it didn’t evolve into the World Wide Web we know today until 1991. The first websites were basic, clunky, and far from user friendly, but their commercial potential was obvious.
However, unlike brick and mortar businesses, websites had no way of knowing who was walking in the door, so to speak. Every user was anonymous, so websites offered every user the same experience — a poor one.
That all changed in 1994, when Lou Montulli invented the HTTP cookie.
An employee of Netscape, Montulli had been tasked to find a way to store incomplete transaction information in a user’s computer, rather than a business’s servers. His solution was a browser-based “cookie,” or a piece of data that could be stored by a web browser on a user’s computer. (He borrowed the term from “magic cookie,” a data file used in programming.)
Suddenly, cookies made it relatively easy for a website to collect, store, and monetize visitor data. So, naturally, every website started using them.
Different types of cookies
Cookies improve user experience. They make it possible for websites to remember user preferences, store items in shopping carts, and do a thousand other useful things. Cookies also perform essential functions on the web, such as authentication. Some of these jobs are more sensitive than others, or require specialized functionality, so different “types” of cookies exist to handle different tasks.
(We say “types” in quotation marks because, technically, every cookie is the same type of file. They can contain the same information and functionality. What’s different is how they are created and used.)
Some types of cookies include:
- Session cookies
- Persistent cookies
- Secure cookies
- HTTP-only cookies
- SameSite cookies (of Google Chrome 80 fame)
- First-party cookies
- Third-party cookies
If you’re a digital marketer, you’ll recognize the persistent cookie, just maybe not by name.
A persistent cookie is simply a cookie that expires after a specific date or time frame. Until it expires, a persistent cookie will share its information every time the user interacts with the domain it belongs to. This interaction can be on the website where the cookie was created, or via a resource belonging to the original website that is hosted by a different publisher, like a banner ad.
For this reason, persistent cookies are also called tracking cookies.
Tracking cookies: first-party vs third-party
Tracking cookies come in two flavours: first-party and third-party. The “party” in both terms refers to the website that sets the cookie.
First-party cookies
First-party cookies are set directly by the website you’re on, either by the publisher’s web server or JavaScript loaded on the website, and only the same domain can access them. The domain of a first-party cookie will be the same as the domain in your browser’s address bar.
As first-party cookies come from a trusted source — the website you’re actively visiting — browsers allow them by default. That’s generally a good thing, because these cookies enable much of the functionality you’re used to when browsing the web.
If first-party cookies were blocked, you would have to log in to your favourite website every time you visited. You wouldn’t be able to purchase multiple items while shopping online, because your cart would reset with every item you add to it. And so on.
You can still choose to disable first-party cookies in any browser, or delete them at will — just don’t say we didn’t warn you.
Third-party cookies
Third-party cookies are not set by the website you’re on. Instead, they are set by an external server (e.g., a tracking platform) via a piece of code loaded on the website you are visiting. These cookies can then be accessed on any website that loads the code from the same third-party server. Since they share information across websites, third-party cookies are also known as cross-site cookies.
Third-party cookies are used in online advertising because they make it easy for marketers to collect data about consumers and use it to serve relevant ads across the internet. Unfortunately, many websites use third-party cookies to collect this data without the consumer’s knowledge, mine unnecessary personal and behavioral information, and track users wherever they go online. These practices have led to increased global scrutiny and mistrust of the digital advertising industry and driven new legislation to protect consumer privacy and data security.
Browser support for third-party tracking cookies is rapidly declining. Many major browsers now block them by default, and others have announced plans to phase them out entirely:
- In Safari and iOS, Apple’s Intelligent Tracking Prevention blocks all third-party tracking cookies by default.
- In Firefox, Mozilla’s Enhanced Tracking Protection blocks all third-party tracking cookies by default.
- Google announced in January 2020 plans to phase out support for third-party cookies in Chrome within two years, while Chrome’s Incognito mode now blocks all third-party cookies by default.
Should you use cookies in performance marketing?
We admit it — not all cookies are bad. The internet as we know it couldn’t work without first-party cookies. Tracking cookies, however, are a different story.
When we tell you to cut out the cookies in our white paper, we mean tracking cookies in general, and third-party tracking cookies in particular. But even first-party cookies, when used for digital tracking purposes, have limitations and drawbacks.
Third-party cookies and pixel tracking
Third-party cookies and web browsers power pixel tracking, also called client-side tracking or cookie-based tracking. Cookies are simple, and web browsers do all the work of storing and sending information in pixel tracking, so it’s easy to implement and use. Unfortunately, cookies are also easy for browsers to block, users to delete, and bad actors to leverage, leaving marketers and their campaigns at risk. Not to mention, pixel tracking works only on desktop web.
Pros: Easy to set up and share data.
Cons: Inaccurate, unreliable, prone to fraud, doesn’t work on mobile, doesn’t work in browsers where third-party tracking cookies are blocked (i.e. Apple’s Safari, Mozilla’s Firefox, and soon Google’s Chrome).
First-party cookies and JavaScript SDK tracking
First-party cookies can be used as third-party tracking cookies in certain situations. This can bypass some browser restrictions, but it’s not a panacea for pixel tracking.
TUNE’s version of this tracking method is called JavaScript SDK tracking. It uses a JavaScript code snippet and first-party cookies and still makes the browser do all the work. Therefore, it’s still susceptible to some of the same risks and limitations as pixel tracking. For example, Safari deletes all first-party cookies (and other script-writable storage) after 7 days without user interaction. If you use this tracking method, then your conversion windows on any Apple device are capped at one week. We go into more detail here.
Pros: Works on desktop web and mobile web, more reliable than pixel tracking, less sensitive to browser restrictions.
Cons: Implementation is more complex than pixel tracking, browser and cookie restrictions still apply, cannot track cross-channel, difficult to troubleshoot.
Conclusion: Cut out the cookies, pivot to postbacks
We stand by our point: All tracking cookies, whether first-party or third-party, will hurt your tracking health in the end. When superior solutions like postbacks are available, there’s no need to risk your campaign health with either one.
Postback tracking, unlike pixel and JavaScript SDK tracking, does not rely on web browsers to work. Also called server-side tracking or server-to-server tracking, postback tracking uses direct server communication instead. This frees marketers from cookie-based browser restrictions and provides complete control over campaign tracking. Even better? It works cross-channel on desktop web, mobile web, and mobile apps.
For the short list of pros and cons, plus how postbacks compare to cookie-based tracking, read “Pixels vs. Postbacks: Which Tracking Method Should You Be Using?”
For a more in-depth (and entertaining) look at all of these tracking methods, download our new white paper: “How to Become a Track Star: Your Guide to Tracking for Performance Marketing Campaigns.”
Performance marketers who continue to rely on the dying third-party cookie do so at their own risk. Whether the same fate awaits first-party tracking cookies is unknown, but we don’t suggest waiting around to find out.
Questions about cookies, postbacks, or other tracking topics? Reach out to our sales team at sales@tune.com.