Skip to main content
Industry Contributor 6 May 2021 - 4 min read

Not all cookies crumble

By Kevin Nugegoda - Optimisation and Personalisation Tech Lead, The Lumery

Google's burning cookies – and the ad industry is up in arms. But if your martech strategy is using the right cookies, your optimisation programs need not suffer.

The digital marketing community has been up in arms after major tech companies, Apple and Google, announced they are dropping cookies. The moves – touted as helping to create a more privacy-friendly internet – are causing concern among advertisers about revenue impacts and what it means for personalisation and optimisation. 

But are these changes as bad as they seem? And are personalisation and optimisation really no longer possible? Maybe not.

First, we need to understand the types of cookies this affects, and what we still have to work with. As it happens, there is more than one type of cookie on the internet.

Cookies are currently the most common means of identifying users online, so their browsing experience can be personalised, and advertisers can serve them products and services that suit their profile.

The changes to cookie policies prevent the internet-wide tracking that has attracted criticism from privacy advocates. They relate to "standard cookies,” the ones behind those seemingly innocuous, and even occasionally helpful, ‘like’ and ‘share’ buttons you see on internet sites. The catch with these cookies is that they hide their tracking prowess behind their façade of convenience.

Standard cookies can be created and manipulated via Javascript and come in two flavours: ‘first’ and ‘third’ party.  First party cookies are created by the site being visited and can only be accessed by that site. ‘Third party’ cookies are loaded as part of that page, but from another domain.

Standard cookies work by loading a Javascript library from a common URL source where a web developer follows the simple instructions for embedding the share buttons into their site, which includes adding a script tag that loads a Javascript library from the vendor server.  When this script is executed, it creates a cookie for that server hostname which identifies the user on their browser for that ‘domain’ and records information about the pages visited.  The more sites one person visits that load the same library from the same domain, the more places they can be identified as having visited. 

The cookie changes announced will effectively limit the lifetime and functionality of cookies which are created or modified using Javascript.

However, the severity of these changes depends on browsers and vendors. Google is moving to block third party but will continue to allow first party cookies with some minor changes to increase their security. Apple has blocked third party cookies for some time and auto-deletes even first party cookies after seven days of inactivity.

Overall, these announcements are bad where standard cookie use is concerned. But there are other valuable tools in an optimisation and personalisation expert’s arsenal:  HttpOnly cookies.

The HttpOnly cookie differs to a standard cookie, in that it does not allow reading or writing via Javascript.  Instead, it is generated by the web server between receiving a ‘request’ for a URL and generating the ‘response’ to the browser. It is sent between a browser and that server whenever a user browses to the same or different page on that domain.

The good news is that the HttpOnly cookie is currently not affected by the policy changes being proposed or implemented by browser or vendors to date. This is because it cannot be shared across the web and therefore cannot be used for tracking users’ behaviour across sites.

But what can an HttpOnly cookie do? It allows a website to deliver personalised experiences to each visitor based on their behaviour and/or preferences. 

This is an important distinction. Due to the definition by the IETF of RFC6265, HttpOnly cookies assist in preventing the unsolicited sharing of users’ information. At the same time, they allow businesses to speak to you as a person across their digital channels, and they remain functional regardless of longer periods of inactivity between sessions, compared to standard cookies.

With HttpOnly cookies still at our disposal, ethical personalisation by brands is still very much a possibility, even if cross-site profiling is not.

So providing your martech strategy is using the right cookies, your personalisation and optimisation programs need not suffer.

Doesn’t that sound good to you as a person, and as a business?

Share your reaction (and see how others voted)

Leave a comment (you must be logged in)

Be the first to comment

Kevin Nugegoda

Optimisation and Personalisation Tech Lead, The Lumery

Market Voice

Search Mi3 Articles

Make it personal

Join Mi3 to receive our weekly edition and personalise your experience