This blog post gives a brief overview of what is happening in the digital media and advertising world and how it will impact your business.

What exactly is the difference between a 1st and 3rd party cookie?

Cookies are bits of data that are stored by the browser about the user’s behaviour.  They might be used to allow a website to function, track how you use the website, improve the experience of the website based on your behaviour or for advertising optimisation purposes.

The main difference between 1st and 3rd party cookies relates to how data can be shared across domains.  A 1st party cookie can only be accessed on the website domain it is set on and as such presents less of a concern/risk of data being shared without you knowing about it (in theory).  3rd party cookies are typically set by a different domain to the one you are on and that data could then be used across any other website as long as the domain that initially set that cookie is also referenced on that other website.

[Figure: illustration of 1st and 3rd party cookies]

Why are they on the decline?

Some of the main reasons are the ePrivacy Regulations & GDPR, meaning explicit consent is required from the consumer when their data is being collected. Then there are the technology providers themselves (mainly Google & Apple) moving towards an alleged ‘privacy-first’ model in order to give control back to the users over their data.

Exploring these a little further:

  1. ePrivacy Regulations + GDPR – both of these regulations make it very clear that if personally identifiable data (that includes IDs such as IP address and cookies) is being collected for a function that is not essential to the operation of a website then the website owner must have explicit consent (opt-in… not opt-out) to be able to do this. A 3rd party cookie would very rarely fall into this category.
  2. Technology providers (mainly Apple and Google) – in many cases these tech providers are trying to give their customers more control over their data. One could argue they’re doing it in such a way as to also make it hard for each other, but that’s an article for another day. In some cases this is done by providing functionality to block 3rd party cookies in the browser (or all cookies) and in more extreme cases by actually altering how cookies are handled in the browser without explicitly giving the user of that browser the choice of changing that… ironic, right!

As a result of these factors, 3rd party cookies have been put under the microscope and found to be unnecessary and in some cases even invasive.

Do I need to actually do anything then?

Here are the main things we recommend you should be doing off the back of all these changes:

  1. Auditing every data point you’re collecting about your customer. This is not fun but you’ll never be able to take control of your data without doing it and from what we’ve seen, this is something always absent from companies who have received fines from the ICO.
  2. Reviewing how much of this is actually required to run your business profitably – do you really need to be setting 16 3rd party cookies to support that advertising campaign delivering 3 sales a month?
  3. Classifying all the remaining required data points into two primary categories:
    1. LEVEL 1 – high-level identification of the purpose of the data.
      1. Necessary – Absolutely essential data collection for the platform/service to work. If a user were able to opt-out of this then they would not be able to use the platform/service.
      2. Performance – Key/critical information to understand how the platform/service performs. If the user were to opt-out of this then it would cause a significant detriment to how the service/platform is delivered to the user.
      3. Functional – Information that allows you to optimise the experience for the user in a personalised way. If they opt-in to this then they would not have their data shared with any external parties but it would be used to alter the experience in various different ways.
      4. Advertising – Information that allows you to share their data with advertising networks. While this might be to improve the overall experience the main differentiator with the above is that data will be shared. If data is to also be sold then this is a subclass within here.
    2. LEVEL 2 – detailed classification of each individual data point to determine whether it is personally identifiable and what sensitivity level it is.

    DMPG – primarily acting as data processors – has taken legal advice on this and as such we normally recommend the above categories. However, you – as data controllers – need to seek your own independent legal advice on this subject.

    The reason for doing the above is to ensure that you understand how each data point needs to be handled from a consent and management point of view. Don’t forget that even if someone does opt-in to having their data collected they could at any time request this data from you and also ask for it to be deleted. To avoid a massively complicated data management process when this happens you will need to be able to understand what needs to be shown to an individual, from what system and how to delete it if required.
  4. Implement consent management – there should be two sides to this:
    1. Consent to capture/store/process data
    2. Consent management to see/delete data
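
To make the audit, classification and consent steps above concrete, here is an added example (not DMPG's code or any vendor's tool) that labels each cookie in an inventory as 1st or 3rd party and checks it against the LEVEL 1 categories and the user's opt-ins. The hosts, cookie names, the short suffix list and the rule that only "necessary" is exempt from consent are assumptions made for illustration.

```javascript
// Added example. Hosts, cookie names and the suffix list are constructed sample data.
// Assumption: tiny stand-in for the Public Suffix List; a real audit uses the full list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au"]);

// Registrable domain ("site") of a host: www.shop.example.co.uk -> example.co.uk
function siteOf(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// 3rd party = the host that set the cookie belongs to a different site than the page.
function partyOf(pageHost, cookieHost) {
  return siteOf(pageHost) === siteOf(cookieHost) ? "1st" : "3rd";
}

const CATEGORIES = ["necessary", "performance", "functional", "advertising"];

// consent maps category -> true once the user has opted in; a missing key means
// no consent (opt-in, not opt-out). Only "necessary" is exempt (assumption).
function auditCookies(pageHost, inventory, consent) {
  return inventory.map((c) => {
    let verdict = "needs-consent";
    if (!CATEGORIES.includes(c.category)) verdict = "unclassified";
    else if (c.category === "necessary" || consent[c.category] === true) verdict = "allowed";
    return { name: c.name, party: partyOf(pageHost, c.setBy), verdict };
  });
}

// Cookies that should not be set yet, as readable findings.
function blocked(pageHost, inventory, consent) {
  return auditCookies(pageHost, inventory, consent)
    .filter((r) => r.verdict !== "allowed")
    .map((r) => `${r.name} (${r.party} party, ${r.verdict})`);
}

// Constructed inventory for a page served from shop.example.co.uk.
const SAMPLE_INVENTORY = [
  { name: "session_id", setBy: "www.shop.example.co.uk", category: "necessary" },
  { name: "ab_variant", setBy: "cdn.example.co.uk", category: "functional" },
  { name: "ad_uid", setBy: "tags.adnetwork.example", category: "advertising" },
  { name: "mystery", setBy: "px.tracker.example" }, // never classified in the audit
];

console.log(blocked("shop.example.co.uk", SAMPLE_INVENTORY, { functional: true }));
```

Comparing only the last two labels of a host would treat every `.co.uk` site as the same party, which is why the site comparison goes through a suffix list.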

Several tools exist on the market to help manage cookie consent, such as OneTrust or TrustArc, but this really only solves part of the challenge. You will need to have a system (and process) to ensure you can manage the data flows across your entire business, not just how cookies are set on websites.

That’s a lot of things I do need to do – who can help me?

Fundamentally the driver for change needs to come from within an organisation – top-down and bottom-up. It’s no good looking to an external party to be the saviour of your data collection practices – your business needs to understand the importance and relevance of doing this. To give you a little food for thought regarding motivation for doing this have a look here:

This case study focuses on the value of providing personalised experiences to customers. Taking a strong data privacy approach with your customers is one of the ways to drive a direct relationship and in turn a more personalised and relevant experience.

DMPG can help you create a business case for taking a customer-first approach to all digital experience aspects and help you specifically with your adoption of a privacy-first approach within that wider framework. Additionally, we can support you with the delivery of all of the technical action points mentioned in this article. We support a large number of clients right now, many of which have well-considered consent management policies in place that we have helped deliver through technologies such as ObservePoint, Tealium IQ, Adobe Launch, Google Tag Manager, OneTrust and TrustArc to name the most common. Please note however that we cannot and never will be able to provide legal advice to you.
