Third party cookies coming to an end, what does the future of online tracking look like?

Author info

Since the arrival of the Internet in the 1990s, cookies have played an increasingly important role in personalizing ads. But that seems to be coming to an end soon. Some browsers already block third-party cookies, and Google is working on an alternative technology for showing personalized ads without using third-party cookies. What does this mean for companies in AdTech?

From contextual marketing to online tracking

Needless to say, the purpose of an advertisement is to convince the reader or internet user to buy something. Only the way in which this happens today differs from that of the 1990s. We distinguish between the suppliers of advertising space (e.g. newspapers or websites), the advertisers (e.g. brands) and the consumers.

In general, the more relevant the ad is to the consumer, the more likely the consumer is to buy the advertised product, the more the ad is worth to the advertiser and therefore the higher the potential revenue of the ad space providers. The question, however, is: how can an ad be made as relevant as possible?

A classic way consists of contextual marketing. This means that the ad shown is matched as much as possible with the content (e.g. newspaper article or website page) next to the ad. The disadvantage of contextual marketing is that a number of assumptions are made (including clichés) and it is impossible to measure the conversion. This difficulty persisted until the advent of the internet and cookies in the 1990s .

The use of cookies opened up revolutionary possibilities for finding out the consumer's interests and measuring whether the advertisement led to an actual sale (conversion). Although the cookie was initially intended to store data, it soon became apparent that the cookie was capable of tracking consumers across the internet. On top of tracing consumer interests, cookies can also trace, for example, location and income. Obviously, such information is very interesting when making advertisements more relevant. Whereas contextual marketing relied on assumptions, cookies turned out to be perfectly capable of profiling consumers.

AdTech companies emerged, selling real-time (and lightning fast) ad space on the screen of a particular consumer with a particular profile to the highest bidder.

The end of third party cookies?

More and more browsers block third-party cookies by default

Online tracking of consumers is done with various technologies, but one of them is through third party cookies (in addition to device fingerprinting, web beacons, etc.). These are cookies that third parties, often AdTech companies, place on the websites of advertising space providers.

Cookies, however, have acquired a negative connotation in recent years. Public opinion has turned against cookies due to various privacy scandals. Even though those scandals did not always have something to do with cookies (e.g. Cambridge Analytica). Many people also find the cookie banners, which are becoming increasingly elaborate and complex, extremely annoying.

Several browsers have therefore already decided to block third-party cookies. Safari, Apple's browser, already did this in 2017 and also in Firefox the internet user was given the option to block third party cookies. When third-party cookies are blocked by default the user needs to take action in order to allow third-party cookies. Chrome, Google's browser, will soon block third-party cookies as well, which means theend of third party cookies is near.

Is online tracking GDPR compliant?

Not only has public opinion turned against third party cookies, but regulations such as the EU General Data Protection Regulation (GDPR) and the e-Privacy Directive must also be complied with. Several supervisory authorities have already imposed fines on companies that have violated these regulations. Indeed, it is a challenge to fully reconcile the processing of personal data in the context of online tracking with important principles of the GDPR, such as transparency and accountability.

In addition, based on the GDPR, there must also be a legal basis for processing personal data. Due to the strict requirements that the GDPR imposes on the legal basis 'consent', it is questionable whether consent can constitute a suitable basis. In this respect, reference can also be made to the draft decision of the Belgian Data Protection Authority in the case against Interactive Advertising Bureau Europe (see below).

Another possible legal basis besides  'consent' is the 'legitimate interest' of the data controller, provided such interest is not overridden by the interests of the data subjects. In many cases this balancing of interests may show that the interests of the consumer outweigh those of the AdTech company meaning that legitimate interest may not serve as a legal basis either. Research also showed that a majority of Americans believe that there are more disadvantages than advantages to online tracking.

The case against IAB Europe: consent invalid?

The fact that the basis 'consent' may not be appropriate is shown by the recent court case against IAB Europe.

Several interest groups and individuals filed a complaint against IAB Europe's Transparency & Consent Framework (TCF). The TCF is used on many websites and apps and was developed by IAB Europe to make the Open Real-Time Bidding protocol (OpenRTB protocol) GDPR compliant. Under this protocol, (sensitive) personal data of internet users are shared with hundreds of advertisers and the advertising space for that specific internet user is auctioned in a fraction of a second.

Given the cross-border nature of this case, the Belgian Data Protection Authority (the Belgian DPA) is acting as the lead authority, and public statements from the parties involved indicate that a draft decision by the Belgian DPA would find IAB Europe's practices to be in breach of the GDPR. However, the draft decision is not public for now. The other European supervisory authorities can now respond to the draft decision and if comments are received, there are two options. Either the Belgian DPA will take the comments into account, or the matter will be escalated to the European Data Protection Board (EDPB).

To be continued.

What does the European Data Protection Board (EDPB) say about online tracking?

In its recent statement of 18 November 2021 on the Digital Services Package and Data Strategy, the EDPB called for pervasive forms of online tracking to be prohibited: "The EDPB also considers that online targeted advertising should be regulated more strictly in the DSA in favour of less intrusive forms of advertising that do not require any tracking of user interaction with content and urges the co-legislature to consider a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking while the profiling of children should overall be prohibited."

So what replaces third party cookies?

As the era of third-party cookies nears its end, the question arises as to what AdTech companies will do instead to ensure ads remain relevant. But before answering this question, the question also arises what value third party cookies actually represent. Does the use of third party cookies actually make an ad more effective? Research has shown that this cannot be determined without doubt. There would mainly be an increased effectiveness with internet users who already had a high purchase probability. Although the study states that further research is needed, it appears that cookies can be useful, but their value should not be overestimated either. Moreover, data sharing from third-party cookies is not particularly accurate. That leaves the question: what are the alternatives if the third-party cookie disappears?

1. First party data

The first alternative is to rely on first party data. This means that providers of advertising space (e.g. organizations such as publishers) collect data about their users and then share these data with advertisers in order to show relevant ads. This requires both parties to make agreements and set up a system of (technical) cooperation. Smaller organizations will probably be left out.

An evolution towards first party data is favourable under the GDPR, but vigilance is still required (e.g. when enriching one's own dataset). Transparency and obtaining consent is less complex with first party data. Moreover, it also encourages organizations to really think about the data they actually need. So less data, but more relevant and accurate data.

2. Google's FLoC system

The second alternative is Google's FLoC system. This stands for Federated Learning of Cohorts and is a model where internet users are divided by Google into cohorts based on their interests. This is derived from the websites they recently visited. This information is shared with advertisers, without them being able to trace this encrypted information back to an individual. Since the calculation is done locally in the browser, Google says this is a privacy-friendly alternative to online tracking.

Yet the system has already been criticised. Too much power would be concentrated with Google, while AdTech companies would lose power. In addition, advertisers would be able to retrieve the identity of the internet user by means of device fingerprinting (test how device fingerprinting works here). FLoC is currently not being tested in the EU (Google Chrome users can check online whether they are part of the test).

3. A central unique ID

The third alternative is a system where a unique, encrypted ID is assigned to an internet user by a central organization (e.g., based on the e-mail address). This makes it possible for advertisers to identify the internet user if he were to log in to different websites with his email address. The third alternative is most similar to how third party cookies work, and therefore also has the same weaknesses. However, the data will in any case be more accurate than in the case of third party cookies.

There are currently tests being done with such a system. An opt-out per advertiser would be possible.

Remember what?

  • Third party cookies are already blocked by some browsers and will eventually disappear.
  • Online tracking as it happens today is likely to change because of the case against IAB Europe.
  • The industry is looking for alternatives. Several alternatives are possible, but each alternative has its advantages and disadvantages.
  • A focus on first-party data makes GDPR compliance easier, but will put smaller parties out of business.
  • Google FLoC calculates the ad profile locally in the browser, but concentrates a lot of power at Google.
  • A central unique ID is the least different from third party cookies and therefore has the same drawbacks.

Do you have a specific question or would you like support in this matter? We are happy to help. In that case, please contact a Timelex attorney.