According to Data Protection Authorities like the French CNIL consent will still be required, even if third-party cookies are phased out.
As regulators begin to focus on data privacy and consent, advertisers have started to look for alternatives to third-party cookies. The thought is that if they are not relying on these trackers, then they don’t need to ask for consent, right?
Companies must be mindful of the consequences of using different technologies. They must still comply with data protection laws and other legal frameworks, specifically the consent requirements! Keep reading to learn more about the consent implications of using third-party cookie alternatives.
Consent will still be required, even if third-party cookies are phased out.
Third-Party Cookies: The Basics
Before we get into the topic of consent and third-party cookie alternatives, it is necessary to review the basics of this technology. What exactly is a cookie, and what is the difference between first-party and third-party cookies?
The term cookies refer to the technology used to track user activity on a website, browsing history, and other data to help advertisers develop targeted marketing. Cookies seek to improve the user experience by enabling companies to keep their shopping carts available, reduce website load times, and more.
A first-party cookie is placed by the website the user visited specifically on their domain. These cookies help the website function properly, but they can also collect personal data to be used for advertising.
Third-party cookies, on the other hand, are installed and managed by a party other than the website the user visited. Although these may also facilitate the website’s operations, they are primarily used to show third parties which pages the user visits on a site. Ultimately, that data will be tracked and sold to advertisers who can use it to create targeted marketing.
Targeted Advertising through Cookies
The primary use of third-party cookies is primarily used for targeted advertising. They are one of the most widely used tools in the marketing industry since they allow companies to be strategic with their advertising efforts.
By understanding users’ behavior and browsing history, companies can create personalized advertisements to boost their sales. For example, they can determine that people in a particular age group that visit a website or live in a target region will be most likely to make a purchase.
When you combine this data with consumption patterns, you have a powerful tool for advertising. Websites can create profiles on each user and continue to develop them over time – but the level of detail they can access is quite intrusive.
As you can imagine, this leads to a dilemma between profits and user privacy. Companies generate large portions of their revenue from target ads, and AdTech firms continue to grow in popularity. So yes, they could advertise without third-party cookies, but why should they if it makes them more money?
That’s why regulators are working to implement laws like the GDPR to force companies to ask for consent and do a better job at protecting user privacy.
Alternatives to Third-Party Cookies
Many large companies are challenging third-party cookies, including Apple and their Safari browser. They launched an Intelligent Tracking Prevention program in 2017, which aims to limit the data that advertisers could collect. It also promotes the need to obtain consent from users first.
Firefox and Google Chrome rolled out their limits shortly after, and Google has committed to stop third-party cookies on their platform by the end of 2023.
Just because third-party cookies are going away does not mean that advertisers will stop tracking internet users, though! Instead of using that technology, they will simply develop alternative ways to track behavior for advertising purposes, and we are already seeing that shift.
So, what alternatives do advertisers have if they don’t want to use third-party cookies? There are a few options, including first-party cookies, single sign-on technology, cohort targeting, and using other identifiers. Let’s dive into these in more detail:
The most obvious alternative to third-party cookies is to rely solely on first-party cookies. These trackers can use URL calls on the advertiser’s domain to return data. The information is detailed, as they can tell users apart and track them in a manner very similar to third-party cookies.
Theoretically, you could use these to bypass blockers set up by the browser and use the data for advertising purposes anyways.
Single Sign-On Technology
SSO, or single sign-on technology, can also be used as an alternative to third-party cookies. It allows you to use one form of authentication to log in and connect to many different websites. While this can be convenient for users, it also creates a consolidated vision of user browsing.
In other words, it still tracks and follows user behavior even though it is not designed for advertising purposes.
Another alternative to third-party cookies is cohort targeting. This is the method that large tech companies like Google or Apple are investing in – they are working on building cohort-based targeting systems that could meet the needs of both advertisers and regulators.
Google’s Privacy Sandbox, for example, aims to replicate the benefits of cookies for targeted advertising without being intrusive. By taking steps to protect user privacy, they can comply with regulations, provide a better experience for users, and still get the data needed to create personalized ads.
Cohort targeting seeks to track a group of users that display similar behaviors instead of individuals. This technical solution would give advertisers aggregated results – like total views instead of information about individual views – so that they could still make appropriate business decisions.
Rather than including personal identifying information about one person, it will generalize the data and group people together in cohorts. The group can include people with similar interests, those that live in a certain region, or other generalized characteristics.
Advertisers can use other unique identifiers to track users as well. For instance, they can track deterministic hashed data that is collected while a user browses a website to build personalized advertisements.
Similarly, if users provide a login for another online service to link their account or offer an email address, they can use it to build a marketing profile on them. Many companies combine this technique with fingerprinting so that they can get even more detailed information.
The Importance of Consent
As you can see, there are various alternatives to third-party cookies. You may be wondering, what role does consent – and the other requirements put in place by GDPR – play?
The user’s right to data privacy and security should be at the forefront of all decisions surrounding third-party cookie alternatives. Even if you aren’t using cookies and trackers to develop targeted advertisements, you are still legally bound by the GDPR, ePrivacy Directive, and other data security laws.
In other words, the legal framework protects users’ terminal equipment, private communications, and personal data. However, all the cookie alternatives we discussed above rely on accessing the user’s laptop, smartphone, or another device to take data that is already stored in the terminal equipment.
Not only do users have the right to choose whether they are subject to data tracking, but they also need to make that decision in an informed way. They must have the option to refuse data tracking if it’s not explicitly needed for the service they requested – such as third-party cookie alternatives used for targeted advertising.
Since the consent must be in an informed way, the users must be told what information is collected, how it is processed, and what their rights are. This applies to all techniques used to track data for advertising purposes, so using an alternative to third-party cookies will not eliminate this requirement.
Additional Regulatory Considerations
Although consent is one of the most essential aspects of the data privacy regulations, there are additional factors to consider. For instance, data processors must avoid collecting sensitive details and are responsible for protecting any information they store. Similarly, users must be able to maintain control over their data.
Sensitive Data & Other Responsibilities
It doesn’t matter whether you use third-party cookies or an alternative solution – you must take care to avoid collecting sensitive data protected under the GDPR and other data privacy laws. Likewise, there can be no discrimination – even indirectly – that occurs from the data you collect.
Regulations also require that users maintain control over their data, even after a website or advertiser collects it. As such, they must design their systems to enable users to maintain control over their personal data.
The GDPR imposes privacy by design approach, and this key component emphasizes ease of use for individuals. They should be able to correct data, view what has been collected about them, and ask for it to be removed without jumping through excessive hoops.
Regardless of which techniques or third-party alternatives a business uses, they must still meet these requirements.