About the Upcoming Changes to Third-party Cookies

As you may have already read, #Google announced in January that they are planning to phase out support for third-party #cookies in 2022. There seems to be some misunderstanding about this topic, so, hoping you will find it useful, I am writing this article to help clarify a few things.

The Basics

Let's start with the basics, so the rest can be understood easily. You may have read about the evil cookies, and you may be sick and tired or seeing how websites request your permission to use cookies almost every time you visit their sites; but truth is that cookies are crucial for the web. They allow interactivity with websites! Before we had cookies, in the early 1990s, the web was a passive media. You could only read (and see the images) that other person published. There was no way for a web server (or its owner) to know that two web page views were related to one another. Every web page you saw was treated as a new web page visit from scratch.

Cookies solved this problem by allowing a website to store some information in the visitors computer, and to read its content before taking the next step. It works this way:

• You visit a log in screen on a website.
• You input your user name and password.
• If your credentials are correct, the server places a cookie on your computer that reads "User X connected".
• From there on, every time you request a new web page on that site, the server will fetch the content "User X connected" from your computer, and give you only the web pages that are specifically prepared for "User X" to see.
• When you log out, the web server edits the content of the cookie file from "User X connected" to "null", so anybody else can see content that was prepared just for "User X" until the cookie value changes to "User X connected" again (after entering the correct credentials, of course).

Simple but effective. Now you can log in, purchase products online and save your preferences. Without cookies, the web as you know it today would not be possible.

How Cookies Became a Problem —Part One

Now that you know that cookies are an important part of the web, you are probably curious about when and why they became a problem. This happened because cookies were abused. Let me show you how:

Let's imagine you want to visit your favourite blog. To do that, you open a web browser, type its URL (or find it among our bookmarks), press enter and wait a few seconds. Voilà!, the blog appears on the screen.

What most people are not very aware of is what happens under the hood. It works something like this:

• First, you enter your blog's URL on your browser and press enter.
• Then, your browser sends a request to your Internet Service Provider (ISP), asking for the information contained in that URL.
• Your ISP forwards the request to other servers until finding the web page you asked for. When it finds it, the web server responds by sending you the all information contained in that web page you requested:

• First, the HTML file with the instructions, and then,
• All of its parts (images, audio, video, etc.)

• Lastly, your web browser then gathers all that information and use it to build the web page on your browser, according to the instructions in the HTML file.

Simple, again, but this time the devil is in the details (in "all of its parts", to be exact):

• If the owner of a website included a web counter script on his site, you download it and execute it.
• If this script orders the creation of a new cookie with certain values, your computer obeys.
• If there are other scripts, and they order the creation of other cookies, your computer obeys them too.

At the end, when the web page finishes loading in your browser, you have the HTML page you requested plus all the images, audio, video (or others) you see on the screen plus all the parts that you do not see but were loaded anyway because the programming of some of "all of its parts" asked it to —and you must know they can really add up sometimes.

If cookies are a problem today it is because so many websites install so many cookies that it has become very easy for their creators to assign a unique ID to each visitor, and follow him around the web. It was not the original idea for cookies, though.

How Cookies Became a Problem —Part Two

If cookies are this troublesome, you may be wondering why website owners do this. Truth is only very few web owners are aware of this situation and do it on purpose. The majority do not even know. You see, most web owners do not design websites. They hire people to do them for them. Likewise, most web designers are knowledgeable about building websites, yet they are not experts in online privacy. They just know there are resources out there that make their lives easier, and they use them. Why reinvent the wheel if you can use free resources and get the job done faster?

Here a few samples of those free resources:

• The world's most popular web content manager: WordPress
• The world's most popular visitor counter: Google Analytics
• The world's most popular advertising network for website owners: Google Adsense
• Facebook's "like" button and Twitter's "tweet" button.
• AddThis article-sharing script.
• Disqus comments box.

These services market themselves as offering a nice benefit to website owners for free. They do not mention that, to allow the service to work, website owners need to accept that the service will place cookies on their visitors' computers (and track those users). They slyly hide that part of the deal within the lines of their long and boring terms and conditions, so most web designers just jump on the bandwagon, accept the terms and use the code.

Now, to be fair with web designers, the alternative would be to create all those features from scratch, or at least without third-party services. It is doable, but it would raise costs a lot. So let us all add to the to-do list that we need to find a balance for this situation in a reasonable future.

How Cookies Became a Problem —Part Three

Needless to say, service owners want to make money for what they offer, so they charge advertisers a fee for accessing their user base. To get advertisers to spend money, they need to show them an attractive offer; and the best way to give them that is to gather the most complete set of users. There is a huge difference for an advertiser between being able to display an ad on example.com (a very generic offer), being able to display it on 254873 websites that are seen by women between 25 and 45 (a more specific offer) and being able to display it on 32495 websites that are seen by divorced women between 25 and 45, with at least two children each. The last offer will make them more money because it is more specific, so they use cookies to gather as much information as possible from users to build the most attractive set of profiles they can.

So "tracking cookies" have become a problem because there is a financial motivation to use them. There is a lot of money in specific databases, and very little money in generic databases. That is, for example, what made Facebook a multimillion company in so little time. They have a really specific database of users.

We need to add to that the fact that gathering these databases have become so precise it scares. Companies have gathered (and sold) so much information behind our backs that we did not learn the level of detail data brokers can handle until the Cambridge Analytica data scandal of the late 2010s. In one sentence, they have just too much information, and this is why in recent years governments have approved privacy laws and regulations to try, at least, to require users' permission before they start using them to collect information.

What is Going to Happen in 2022 and its Consequences

The most accepted theory is that Google's Chrome browser will just ignore third-party cookies (the ones that are included by scripts from websites you are not visiting right now) and not let them work. Time will tell if this is correct.

Yet this does not mean Google will kill third-party cookies, as some people have stated in a variety of blog posts. The change they announced will only affect Chrome. All other browsers will still give users the option to accept third-party cookies, although most of them will keep blocking them by default.

This has been big news over the last few weeks because it affects a lot of people… and because of irony: Google is one of the companies that uses third-party cookies like there was no tomorrow.

Does this mean online tracking is going to end? No, it just means it is going to continue without cookies.

Can online tracking work without cookies? Yes, there are a few ways. One is already in use, and it is called canvas fingerprinting. JavaScript has become very powerful, so that is definitely a second option. (Take a look at clickclickclick.click to see with your own eyes how far JavaScript can go.) A third option would be making third-party cookies work as first-party cookies using some kind of redirection inside a web page's code. There are a few experiments with favicon tracking too. But let's not get too technical, shall we? Keep an eye on the news, and I am sure that you will find both programmers creatively creating new ways to track people and programmers creating way to stop those new ways to track people alike. It has been a mouse and cat race for decades.

What is interesting is the way Google will move its tracking to the browser. As Google is the only company that can control Chrome, it has full control on how it can gather information from that software. Today, we know that Google has already published a new tracking proposal model —named FLoC, an acronym for "Federated Learning of Cohorts"— and that it is testing it with a set of Chrome users (without notifying them, as usual). In a short future, it will allow a group of advertisers to place ads on those new "cohorts of users" to see how it works.

The idea of FLoC is creative, but it does not appear to be less invasive. As they state, the browser will use the user's browsing information to add him in a cohort. Then, it will allow advertisers to publish ads on those cohorts. Cohorts will be dynamic, which means the software will automatically be moved to a different cohort as his browsing history continues being analysed.

This means that, the first few times you browse web pages using Chrome, your cohort might be very generic. For example, "man". But, as you continue browsing the web and Chrome learns more about your user behaviour, your cohort may become more specific. "Single man in his early 40s, fighting against alopecia".

I do not have information yet on how specific cohorts may become, but I do know that advertisers want specific sets of users when they advertise online. If I wanted to advertise razors, for example, I would like to place my ads in the eyes of men from teenage years up. It does not need to be too specific. If I wanted to advertise tampons, conversely, I would like to place my ads in the eyes of women from teenage years up to the average menopause age (around 50) who are not pregnant. That is way more specific. Will there be a cohort for that? If yes, that would certainly be too specific and somewhat invasive. It is correct to feel concerned.

Can online marketing be specific to the point of knowing what women are pregnant today? Yes! Pregnant women tend to visit maternity websites a lot more than single women with no children. It is not too hard to notice a change if you have been following Sandra for a while and you see a switch in her browsing behaviour.

Now, Google claims that users will be protected both because the cohort ID will not leave the browser and because there will be thousands of users in each cohort. I do not agree very much. Every online marketer with enough experience know that you can always create a web page with an irresistible offer, advertise it to just one very specific cohort, and harvest those users' names and emails. Extracting people's personal information will not be very hard with their new model.

I will finish this section with a comment about what could have motivated Google to make this change. I certainly cannot speak for them, but I believe the rise in the use of ad blocking extensions is one of the strongest reasons. After all, it is hard for tracking companies to gather information about people if there are more than 200 million people using ad blockers in their computers.

That said, let's move on to the final part of my article.

What All This Means for You, as a User

There are many ways to understand and interpret this news from a user's point of view:

When Chrome finally "phases out" its support for third-party cookies, it will be just catching up with the browsers that currently block third-party cookies by default. Third-party cookies should continue working on other browsers.

This also means that, if the web drastically reduces its use of third-party cookies, all web pages will transmit less information and load slightly faster, which is good.

This also means that companies will need to adapt to the change. That will force them to make changes, so get ready to see a few updates here and there in almost every website you visit.

During the search for an alternative, we should all expect a raise in other means of software tracking in the upcoming months —that is, less cookies but more #canvas #fingerprinting and JavaScript tracking. Those are reliable techniques that have worked for years, so it is the easiest path to take (for them). Web #browsers do not block canvas or #JavaScript by default, which means that those who are concerned about this we need to take additional steps to prevent that kind of tracking in our computers. Other companies may feel creative and try new things.

As I mentioned above, Google's FLoC is an interesting proposal, but it means that the more you use Chrome the more precisely segmented your browser (or, in other words, YOU) are going to be, even if Google keeps its word and that information never leaves your computer. Would you like to be "FLoCked"? If not, then it is time to seriously consider switching to another, more privacy-aware, web browser, such as Mozilla Firefox.

What All This Means for You, as a Website Owner

For website owners, there are three additional things to think about:

First, for those among you who have not noticed it yet, I mentioned earlier in this article that most web browsers have been blocking third-party cookies for a few years already. This means that if you are using Google #Analytics, Statcounter or some other third-party software to gather statistics and analyse how many people visit your site, you are not receiving a share of your traffic information, and you are not receiving it today (because its trackers are being blocked by the browser's privacy protection settings). It may be a good moment to start thinking about switching to a self-hosted statistics solution, such as Matomo. As a Matomo installation runs on your own web server, its statistics software uses first-party cookies. Those are slightly less likely to be blocked, giving you more reliable information.

Next, if you count on affiliate marketers to bring you clients, and your affiliate marketing software still uses third-party cookies to track sales and commissions (it should not be doing that in the third decade of the twenty-first century, but it does not hurt to remind you), you may also need to think about switching to a different solution that uses first-party cookies or server-side recording of commissions. If not, your affiliates will receive less money than they should, and they may not be as interested in working for you as they were in the past, affecting your business. Add to your to-do list talking with your webmaster to double-check your affiliate program will not be affected.

The last one is sort of a moral question: Will you allow Google to "FLoCk" your users? If your answer is "yes" or "I don't mind", no problem, you do not need to change anything. If your answer is "no", then you need to take an extra step to opt out your website from Chrome's FLoC calculations. It is reasonably easy to do…

If your website works in an Nginx server, then you need to add…
add_header Permissions-Policy "interest-cohort=()";
…to your nginx.conf or website's configuration file.

If your website works in an Apache server, then you need to add…
Header always set Permissions-Policy "interest-cohort=()"
…to your .htaccess file.

…but I am afraid I cannot tell if Google will respect that signal in the future.

Anyway, your webmaster should be able to add those lines in five minutes. If he cannot, drop me a line and I will help you. Honestly, I would have preferred an opt-in rather than an opt-out mechanism for FLoC, but that has always been too much to ask for certain companies. At least, we should be happy to know we did not lose full control on what happens on our own websites.

What All This Means for You, as an Online Marketer

Lastly, if you are an online marketing, it is time to think about a few (new, but not that new) scenarios:

You have users who use Chrome and users who use other browsers. That has not changed. Yet soon the first set will be able to be targeted using the FLoC system, while the second cannot. This will have consequences in the way you control your clients' online advertising expenses.

You will also need to schedule some time so both your team of programmers and you can learn how to use the FLoC API for your campaigns.

If you are an affiliate marketer, you will need to keep an eye on how your affiliate marketing networks adapt to this change. If they do not update away from the use of third-party cookies, then you will need to start looking for a network that did.

Social media marketers are not affected by this change. You rely more on recommendations, popularity and reputation management; BUT tracking pixels will quite likely stop working altogether. Pay attention to news about that.

Search engine and conversion optimization marketers are already being affected by those browsers that block "tracking cookies", such as Google Analytics. I already suggested Matomo as an alternative, although it is safe to expect a future update to statistics software to see if updating is necessary.

Retargetting advertising will quite likely fall, which means you will need to start capturing e-mail addresses (again) to be able to nurture your potential clients.

Finally, this means you will need to schedule updates on all the sites you manage in a reasonably short future. All optimization and #marketing automation software that you use (and relies on third-party cookies to work) will stop working for Chrome users during 2022.