third-party cookies: When the third-party cookie crumbles: A new privacy-centric internet emerges

“How will the internet operate without cookies?”

“When are they going?”

“Which ones are getting eliminated?”

For the last six months, Rinku Ghosh has been fielding queries like these from clients panicking about the phasing out of third-party cookies. Ghosh is the COO of Lemnisk, a Bengaluru-based customer data platform. In her line of work, a cookie isn’t a sweet treat; it is a text file spawned by a web browser when a user visits a site, capturing their login details, preferences and browsing history.

Elevate Your Tech Prowess with High-Value Skill Courses

Offering College Course Website
Indian School of Business ISB Professional Certificate in Product Management Visit
IIT Delhi IITD Certificate Programme in Data Science & Machine Learning Visit
IIM Lucknow IIML Executive Programme in FinTech, Banking & Applied Risk Management Visit

The host site stores this data as first-party cookies, to make the user’s next visit more personalised. However, since the dawn of the internet, browsers have also allowed large advertising technology (adtech) players to sneak in third-party cookies to access information of unwitting users, track their footprints across the internet and profile them for targeted ads. Why did these cookies suddenly rattle Ghosh’s clients?

Google Chrome—which is used by 88% internet users in India and 64% globally, according to Similarweb—has declared that it is phasing out third-party cookies. On January 4, it blocked third-party cookies from tracking 1% of its user base; by the end of the year, it says, it will block third-party cookies from tracking all of its 3 billion-plus users.

The crumbling of third-party cookies will spell the end of targeted digital advertising as we know it. It will likely impact Rs 50,000 crore worth of digital ad inventory placement in India by 2025, according to ET Research. For the user, the death of third-party cookies will not only be a landmark in enhancing data privacy but will also fundamentally change their internet experience.

Will this change be entirely consumer-friendly? “Consumers will be forced to sign up for more and more websites as companies scramble to gather first-party data of users in the absence of third-party cookie tracking,” says Ghosh. Her business model is built on using an enterprise’s first-party data to provide a seamless experience to its users across online and offline touchpoints. But even she thinks this drive to acquire first-party data could “get irritating for consumers after a point”.

Discover the stories of your interest


Already, websites are scooping up first-party data by asking users to sign up. They ask for consumers’ email ID or phone number so that they can upload it onto their preferred adtech platforms, which can match this data with their existing database and help them track these users’ behaviour on the internet. A media executive tells ET that it has become the job of every major brand manager to build a first-party database of 30-40 million users by next year. cookie1
Companies have to work hard to get users to sign up. “Brick-and-mortar clients, who are building a direct-to-consumer (D2C) network to gain first-party data on users, are enticing people with higher discounts or exclusive offerings,” says Jacob Joseph, VP, data science, at CleverTap, a consumer-engagement platform. “Only those who craft exceptional online user interfaces and experiences will win consumers over,” he adds.

For consumers, the wiping out of third-party cookies could mean a lot of meaningless ads. With no cross-site tracking at scale, “consumers may see fewer ads that are relevant to them,” says Gautam Mehra, cofounder of ProfitWheel, an ad analytics solutions platform. “So, people who have gotten used to personalised ads, might just have an underwhelming experience,” he adds.

However, as Anil K Pandit, SVP of programmatic division at Publicis Media, a media planning and buying company, says, third-party cookies have not always given accurate and reliable ad-targeting signals to brands. Nor have they been very useful for consumers.“It’s just rudimentary site-tracking that buckets you into different consumer categories based on your site visits,” he says. “Advertisers have relied on third-party cookies for placing ad inventory because it gives them scale, which first-party data cannot. With third-party cookies, you can also track users who aren’t logged in to the browser and surf anonymously by using tracking data stored on users’ computers. But this is also where it becomes privacy unsafe.’’

Walled gardens

What will advertisers do now? In the absence of third-party cookies, they will look at alternatives that can offer similar scale but are also privacy-compliant. AI-powered contextual targeting is considered as an alternative, says Pandit. Here, advertisers will place ads around relevant content, taking focus away from user tracking.

Data clean rooms or DCRs are growing in popularity, he says. DCRs allow multiple parties to share user data with each other in a privacy-compliant way. Data from one party is encrypted, anonymised and turned into signals, which are matched with data coming from other parties, to help everyone involved in this exercise get insights and target common users for specific marketing and sales objectives. This also enables them to measure the impact of their campaigns in a more “deterministic” rather than a “probabilistic” way, says Pandit.

But DCRs are expensive to set up, says Gowthaman R, founder-CEO of Aqilliz, a Bengaluru-based company, that offers decentralised DCR solutions. A mid-sized company would have to spend roughly $200,000 to create one. Meanwhile, the likes of Google, Facebook and Amazon already provide DCR-like capabilities to advertisers, which gives them an edge over smaller companies, such as online publishers, that lack the scale to offer comparable first-party data. “This will force advertisers to allocate more ad spends towards these walled gardens,” he adds, “leading to the death of the open web.”

cookie2
Hand out of the Cookie jar

Cookies, which were a tool to make a user’s internet experience more intuitive, became a villain when they became intrusive. For nearly a decade, there have been reports of tech companies and data brokers selling people’s personal information —financial, medical and location data—often collected through third-party cookies, without consent. Over the last few years, the US, the European Union and, most recently, India, have introduced strict data privacy laws to check this practice.

Since 2021, Google and Meta have each agreed to pay close to $800 million to settle data privacy violation cases in various US courts. Meta is reportedly appealing against a $1.3 billion fine levied by EU’s General Data Protection Regulation (GDPR) for its handling and sharing of user data.

Blocking third-party cookies is being seen as a way for the industry to demonstrate its commitment to safeguarding user data privacy.

A Google spokesperson says in an email response to ET: “There’s no one quick fix for the changes in the advertising landscape, which requires a mindset shift to meet people’s expectations for privacy online.” The spokesperson says the company is testing the effectiveness of privacy-preserving ad solutions to help businesses prepare for a “cookie-less future”.

Google is following in the footsteps of other players. Mozilla Firefox started blocking third-party cookies in 2019, followed by Apple’s Safari in 2020. On its homepage, Safari which has 21% market share globally and less than 5% in India, according to Similarweb, displays the number of trackers it has blocked from profiling a user in the previous seven days.

In India, the Digital Personal Data Protection Act (DPDPA), which came into force in August 2023, “technically gives consumers the power to take any fiduciary to court if their data is misused by the fiduciaries or their processors,” says Ashok Hariharan, cofounder and CEO of IDfy, an integrated identity platform.

The DPDPA makes it mandatory for companies to inform consumers on how their data is being stored and shared—in a simplified notice as opposed to a licence agreement. It also requires them to regularly ask for consent to keep/share data and offer users the option to revoke or modify terms of agreement. A breach could lead to a penalty of up to Rs 250 crore.

“An increasing number of companies are approaching us to create these notices and ensure their data transferability systems are legally compliant. Of the companies whose data consent management systems we have audited so far, none has come out clean,” says Hariharan. By June-July, a lot of companies will start sending out consent notices to their existing users, he says, adding that it could potentially lead to a minor case of “consent fatigue” among end consumers.

Apar Gupta, a Delhi-based lawyer and technology policy expert, says, “Once you start putting privacy on the table, people also start choosing it.” He adds: “Consent is only effectuated when you, the consumer, are made privy to the knowledge that companies cannot ask you for anything that is not necessary.”

Earlier, browsers assumed that users would not mind their data getting shared and got away with notifications such as: “This website uses cookies to improve user experience.” That assumption was wrong. In April 2021, when Apple forced mobile apps on its App Store to ask users for permission to collect tracking data, 89% users opted out. In India, Gupta points to a 2023 survey report on the status of policing by Lokniti–Centre for the Study of Developing Societies, which says 65% respondents from 12 major Indian states are concerned about private entities collecting personal data for misuse.

While the crumbling of third-party cookies would be a breather for users, some adtech players worry that it could result in “further concentration of personal data in the hands of a few mega-corporates,” according to an article published in Digiday, a US-based online publication, earlier this month. They believe Google “could leverage its massive logged-in user base as a replacement for third-party cookies”.

Like everything internet, the future is a loading webpage. The only thing that is certain is if Google purges the cookies, the internet will be an entirely different place this time next year.

Originally Appeared Here