We recently created a video (above) where we talked about the role of third-party cookies in programmatic advertising and what impact their demise would have on the industry.
Below you can find a consolidated and polished version of the discussion between:
- Michael Sweeney, Head of Marketing at Clearcode
- Piotr Banaszczyk, CEO of Clearcode
- Grzegorz Łukaszewicz, Head of Engineering at Clearcode
Michael Sweeney: Over the past few years, we’ve seen a lot of media reports about various things connected with third-party cookies.
More recently, we’ve seen a lot of news about Google Chrome.
In January last year, Chrome announced it would be shutting off support for third-party cookies, but prior to that we saw a number of changes implemented in Safari and Firefox. Both of those browsers have ultimately turned off support for third-party cookies over the past couple of years.
In today’s interview, we are going to dive into this whole third-party cookies topic and address a number of questions, including what third-party cookies are, what role they play in programmatic advertising, and what impact there will be for programmatic advertising in a world without third-party cookies.
So I will head over to you Banan (Piotr) and ask you to talk to us about what cookies are, because a lot of people may not actually understand what cookies are. So maybe you can just tell us what they are and what roles they have in a general sense.
Piotr Banaszczyk: Seeing as I’m not the technical one here, I will try to simplify it a lot. So think of cookies as small files that are being created in a given domain (e.g. website) to improve or simplify your web experience.
The information stored in those files can be related to the language you have chosen and the products you have viewed. All those activity-related pieces of information can improve your experience when you return to the website, so you won’t need to select the language the second time and because of your browsing history, you may see additional products recommended to you.
I think Greg can provide a bit more of a technical overview of them.
Grzegorz Łukaszewicz: So there is not really much difference between a first-party cookie and third-party cookie in the technical sense. They are both the same.
The difference is in how they are created and the main point here is that first-party cookies are created by the domain that you have requested, so whenever you enter a URL into your browser, the website can create a cookie for you. And that’s a first-party cookie.
A third-party cookie is created for the domain that you never intended to visit. So, whenever there is a piece of code that is loaded from another domain that you are requesting, it can create a cookie as well. And that’s called a third-party cookie.
Source: Clearcode.
Source: Clearcode.
In this case, when we are talking about cookies, the main goal of third-cookies within the AdTech environment is to assign you an ID.
We can then recognize you later on and personalize advertisements for you by recognizing that it is you who visited some other domain (i.e. website).
When it comes to actually creating cookies, there are two main ways to do it.
We can create them server-side and front-end-side (aka client-side).
With the front-end side, we can use Javascript or some other scripting language. The server-side method works by calling a third-party server.
Michael Sweeney: As you just said Grzegorz, there is really no difference from the technical side between a first and third-party cookie, but it all has to do with the context.
So, first-party cookies are created by the website that someone is visiting and third-party cookies are essentially all cookies created by domains other than that website the user is visiting.
I think that a lot of people have no doubt heard about third-party cookies being referred to as tracking cookies or third-party trackers, they are essentially the same thing, right?
So when a website adds an AdTech platform’s code or script to their web page and then each time the web page loads, those requests are sent out to the AdTech platform’s server and the third-party cookies are created that way, correct?
Grzegorz Łukaszewicz: Yes, that’s correct. The cookies are holding an ID that’s used to recognize you on that specific system.
So let’s imagine you are visiting an e-commerce website. An AdTech company that’s being used by the e-commerce website would assign you an ID.
That ID would be used to recognize you, allowing the AdTech company to build up a history of what you have done on this website. From there, the AdTech company can get a pretty good idea of how you interact with websites, what you are looking for, how long you are on the websites, and then it can assess what you are interested in and what you’re not interested in.
So that is how the histories and profiles of people are built in AdTech.
Piotr Banaszczyk: The problem is deciding whether this is a good thing that external companies are aware of what we are doing and whether there is a reasonable way of controlling who has access to the data and history.
Michael Sweeney: Agreed. So Grzegorz, staying on this topic of third-party cookies, you mentioned a moment ago that the key role of third-party cookies is identification.
As you said, companies store an ID within a third-party cookie and then it can be used to identify the same person across multiple different websites, collect data and match the data with those cookies.
But, when we are talking about some media-buying processes such as real-time bidding where there are multiple AdTech platforms involved in the process, for example, demand-side platforms (DSPs), DMPs, and ad exchangers, all of those platforms will need to identify the same user.
But as we’ve just mentioned, one of main limitations of both first-party and third-party cookies is that they can only be read by the domain that created them. So if a DSP creates a cookie for one particular user and if an SSP creates its own cookie for that user, then both of those two different platforms are going to have different cookie IDs.
So there needs to be a way to match those cookies together and that’s why we use the cookie-syncing process. Maybe you could just talk about what cookie syncing is and explain what the problem is and also how it is carried out.
Grzegorz Łukaszewicz: Sure. Just one thing to note: Both the domain that created the cookie and the user can access the cookies. This is an important distinction because most modern browsers allow you to look through and delete the cookies that were created for you.
Regarding cookie syncing, it is something that is very simple in its nature but it’s very, very hard to describe in simple terms.
The main goal of cookie syncing is to have a greater pool of cookie IDs to have a better chance of serving someone with an ad who would be interested in our product or service.
When it comes to how it’s done, you’ll remember earlier we explained that you can create a cookie and store an ID inside it by sending a request from the web browser to a server and then back again.
But we can also send another request to another server and carry over this cookie ID as well.
And at that point, the second server will know the cookie ID that the first platform created. The second server can also create a third-party cookie and share that ID with the first server. This is how the cookie IDs from two different platforms are matched, or synced, together.
Source: Clearcode
Those two servers can now store those cookie IDs in a cookie-matching table, which is essentially a database, and identify each other’s identifiers that they’ve assigned to the same person.
And that’s how cookie syncing between different AdTech platforms is done. As I said, the goal is to recognize as many users as possible to make the campaigns as optimal as possible from an advertising point of view.
Piotr Banaszczyk: When we are talking about cookie syncing, you’ll often hear the term profile merging.
Often, the same person may have two separate identities across a set of websites. For example, I could have one set of web-browsing history on website A and another web-browsing history on another set of websites.
By carrying out cookie syncing, all those platforms involved in the process are able to identify me and also learn more about my web-browsing history so that my profile becomes enriched.
Grzegorz Łukaszewicz: I think that one more thing that is worth mentioning here is that when we’re talking about profile merging in context of cookie syncing, that process can be done independently of the device.
So we can match profiles from you as a visitor on your mobile phone and your PC, and this is done through recognizing a common identifier.
Let’s say you log into your email on two different platforms, e.g. from your smartphone and PC. With pretty good accuracy, we can identify that you are the same person because your email acts as the common identifier.
Michael Sweeney: I will go back to you Banan, so now that we know how third-party cookies work and that cookie syncing is a very key process for media buying and other programmatic advertising processes, maybe you can talk to us about some of the main use cases of third-party cookies.
For example, what are they actually used for in programmatic advertising?
Because we know that the key thing is identity, but once you’ve got identity, what can you do next?
Piotr Banaszczyk: So the main goal for advertisers is to minimize their spend and maximize their return on investment.
To achieve it, they basically need to target their campaigns to some specific sets of people, which are called audiences.
Let’s imagine I have a travel agency. It would be beneficial for me to target summer holiday offers in Ibiza to some specific groups of people based on their demographic, e.g. people between 18 and 35 years of age who live in Europe.
But it would probably be even better if I can target those ads to people who have recently seen similar holiday offers or visited my website.
So third-party cookies allow us to identify those people and show those personalized ads to them.
Targeting and retargeting are basic use cases, but of course they’re not the only ones.
Apart from displaying those ads to my audience on multiple websites, I can also run frequency capping, which involves identifying whether a person I am trying to reach has seen a given ad a specific number of times so I know not to show that person the ad anymore, because I can assume that after the fifteenth time the ad may not be effective anymore.
Third-party cookies also help us measure the performance of our campaign and run attribution, which allows us to understand which action was responsible for the conversion. For example, it may have been the first ad or the last one.
So, just to summarize, third-party cookies allow us to identify and track those people across multiple sites, understand what they were doing and, based on that, display certain ads to them.
Grzegorz Łukaszewicz: Yes, and by conversion we mean the end goal of the campaign, which could be visiting a website, buying a product, or filling in a form.
Michael Sweeney: All the things you have just mentioned are key processes that are part of every single digital advertising campaign and are underpinned by third-party cookies, so I suppose that in many ways, that’s why this whole end of third-party cookies topic is such a big deal for programmatic advertising because certainly you will still be able to run some kind of targeting, maybe even frequency capping, measurement, and attribution without third-party cookies, particularly with some of the other solutions that are being proposed, but the key difference is that scale.
You won’t be able to get the same scale across multiple different websites without third-party cookies.
So, I think the main thing that is going to impact programmatic advertising is just the fact that the scale as far as targeting, frequency capping, measurement attribution is going to be severely impacted.
Piotr Banaszczyk: That’s true, and that’s why we’re having this whole discussion about what the AdTech ecosystem will look like after the death of third-party cookies.
I think it’s also worth talking about the good and bad sides of third-party cookies. As we just mentioned, they are used to show targeted ads to people. Advertising is a very popular way to monetize a website, so if I’m going to see ads, then I’d rather see something that I’m interested in rather than a totally random one. So in this sense, third-party cookies are a somewhat good thing.
But they also create a number of privacy problems.
As I mentioned earlier, the fact that an AdTech platform can create a cookie on a user’s web browser and even share those IDs with other companies has created a situation where some studies suggest that 90% of your web-browsing history is known by more than 90 companies and that more than 600 companies have access to 50% of your web-browsing history.
The worrying thing here is that this data is being created and sharing and it’s really hard to control it and keep it safe.
Because of this, popular web browsers like Apple’s Safari and Mozilla’s Firefox now block third-party cookies.
Google recently announced that it would also be blocking third-party cookies by default in its Chrome browser.
However, because a large majority of Google’s revenue comes from advertising and because its advertising tools are used by most advertisers and publishers, it couldn’t simply shut off third-party cookies and not provide some kind of alternative.
Especially seeing as Google did some research and found that when it turned off third-party cookies for a small group of its Ad Manager customers, ad revenue dropped by 52%.
This led to two observations:
- Although third-party cookies are not great for privacy, they do allow publishers to earn more ad revenue, compared to advertising that doesn’t identify individuals.
- There needs to be a way to run targeted or interested-based advertising, but do it in a more privacy-friendly way.
And this is the whole story behind today’s discussion, i.e. why do we have third-party cookies and what will happen now?
As I mentioned, Google Chrome will shut off support for third-party cookies, but it will introduce a solution that will allow advertisers and publishers to maintain many of these programmatic advertising processes, such as audience targeting, measurement, and attribution.
This solution is called Privacy Sandbox.
Privacy Sandbox is being discussed in a W3C business group between Google Chrome, Google’s Ads teams, independent AdTech companies, ad agencies, advertisers, and publishers.
The APIs and proposals in Privacy Sandbox, like FLoC and TURTLEDOVE, are designed to replace the processes carried out by third-party cookies.
The goal of these APIs is to run those programmatic advertising processes, whereas third-party cookies are used as a kind of hack. Third-party cookies were never specifically designed for programmatic advertising, instead, AdTech companies started using third-party cookies as a way to identify people across different websites.
To summarize, we need to be able to show targeted advertising, however, do it in a way that protects user privacy.
Grzegorz Łukaszewicz: Also, many people are probably asking themselves: Why don’t we just remove third-party cookies completely and then the problem will be solved, right?
But the thing is that millions of dollars flow through these AdTech platforms, so the economic impact of shutting off third-party cookies and not introducing some kind of alternative would be devastating for pretty much every AdTech company.
Also, many publishers rely on ad revenue to monetize their content and most see the biggest ad revenue comes from target advertising where advertisers are able to identify their target audience on a given publisher.
Piotr Banaszczyk: That’s true. A company like Mozilla can take a strong stance on user privacy and introduce a number of privacy settings in its Firefox web browser because it doesn’t have a stake in the digital advertising industry.
But because Google is in many ways an AdTech company at heart, they need to provide some kind of solution that will keep the programmatic advertising industry alive.
And also Greg is right because if you think about the big publishers like The New York Times or Zee5, or really any publisher that has a large audience, they can build their own world gardens and allow advertisers to show ads to their audiences and maintain their ad revenue, however, those small and medium publishers that rely on programmatic advertising but don’t have the same scale in terms of viewers will be hit the hardest.
Grzegorz Łukaszewicz: Yes, and we have also seen many advertisers move towards the walled gardens of Google and Facebook, even to those large publishers, because of those reasons.
Michael Sweeney: You guys have raised some really fantastic points and I think we could probably produce another interview solely on those topics you have mentioned, but I think that we leave it here for now.
In the next interview, we’ll talk in more detail about Google Chrome’s Privacy Sandbox because this is one of the main alternatives or solutions out there in regard to the whole end of third-party-cookies topic.
Did either of you want to add anything before we finish up?
Piotr Banaszczyk: We are excited that these changes are coming and we’re looking forward to seeing what will happen in the next couple of years. They will definitely be exciting years for sure.
Michael Sweeney: I absolutely agree. When we look at the main issues with privacy at the moment they are technical challenges and the only way to solve them is through technical solutions.
And as a development company, that’s obviously quite a positive thing for us as we get to work on things that haven’t really been built yet or even explored.
I definitely agree the future is quite interesting, no doubt there are a lot of challenges but as an industry, there have been many challenges in the past and a lot of innovations all over the years and I think this is just another challenge we will have to deal with. And as you said, very exciting.
Piotr Banaszczyk: Exactly.
Michael Sweeney: Well, thank you both so much for your time and, as I said, there will be a follow-up interview where we’ll talk about Chrome’s Privacy Sandbox in more detail, so keep your eye out for that one.
