Safari’s done it. Mozilla’s done it. Chrome is doing it now. And by Summer ’23, everyone else will have to do it, too – because fresh laws are coming in to force the issue.
We’re talking about cookies, those quaint little text files web browsers have been depositing onto your devices since 1996. They’ve had their uses – and, sadly, abuses, with their plus points often obscured by scare stories about security and privacy. But all that’s now moot. Because in less than a year the client-side cookie left on a user’s device will be crumbling into history.
And while their demise has been on the way for a while, a lot of marketers are going to find the non-cookie future harder than a ship’s biscuit from the pirate era.
Because cookies have been kings of the tracking world for over two decades – and a vast array of business models and processes have grown up to make use of them. Foremost among these is identifying who a person is, piecing together the jigsaw of someone’s personality from those little snippets of text in your browser cache. Today, companies who’ve relied on cookies to get to know their customers are having to adjust to a very different paradigm. Ultimately, it’s a good thing – for reasons you’ll see ahead – but that doesn’t make it easy.
At Tilores, confirming someone’s identity is something we know a lot about. In fact, it’s the basis of our business: it’s how we help our customers deduplicate millions of records, uncover useful patterns of behavior, ascertain with high probability that a given piece of data relates to a specific person or company. It’s called entity resolution.
And entity resolution can take on the same tasks the marketers behind cookies once dreamed of – and do it far, far better.
In the first part of this two-part article, we’ll see how cookies evolved, encountered problems, and are now going extinct, plus a look at what’s replacing them. In the second part, you’ll see how entity resolution offers an approach to identifying individuals that’s far superior to old-style cookies – with notes on how you might put it to work.

A brief history of the cookie
Once upon a time, there was a company called Netscape. Few Millennials and zero Zoomers will remember the name now, but in the mid-90s it was a big deal – the first of the big dotcoms, peaking at $2bn in shareholder value post-IPO. (Of course, that’s barely pocket change these days – but back then $2bn was real money.)
At Netscape, there worked a curious engineer called Lou Montulli. He realized how useful it’d be for websites to recognize if a computer user had visited them before – because it’d let the site owner track behavior, personalize content, and make offers. So, borrowing an existing term from computer science, he worked out a way for the Netscape browser to put “cookies” – small text files – on a user’s device, which the website could peek at to see if they’d dropped by at some point in the past.
Netscape shriveled to a husk in the bitter Browser Wars of the late 90s, but Montulli’s invention lived on. Every desktop computer, every laptop, and every smartphone today contains a multitude of them. (And if you’re annoyed at Montulli for all those “Accept cookies?” messages popping up on every site you visit, take solace in the fact that another invention of his – the <blink> HTML tag, responsible for a billion headaches in the web’s early days – has at least been trashcanned.)
Over time, cookies became used for a greater and greater variety of purposes, capable of tracking not just a user’s visits to a site, but what they did while there. Later on, cookies started tracking behavior across sites, as ad-serving networks linked interactions on their customers’ websites to identify unique individuals in the blizzard of clicks. As sites ceased to be silos, and started using code and content from third parties, it opened the way for cookies to build up profiles of users in startling depth and detail.
That’s when governments got interested – because privacy was becoming a hot topic in the European Union in particular, with politicians realizing bills like the Data Protection Act didn’t cover the new world of the web. By 2011, Europe was mandating consent requirements; in the USA, litigious class-action lawyers even attempted to sue cookie-using companies for “theft of service”, taking up space on an individual’s PC without the owner’s permission.
Born in the innocent times of the web circa 1996, the cookie was becoming a liability less than two decades later. By 2016 – when the EU’s GDPR legislation took shape – most browser vendors were making plans for a cookieless world.
The monster within: more Wookiee than cookie
It had always been obvious that client-side cookies had a fundamental flaw. Because they placed a text file on the device used to access the internet – “keyed” to the device itself, not the device’s owner – any insights gleaned from a user’s behavior were tied to that single device, with no knowledge of whether a person was browsing at home but buying at work, or using public PCs in an Internet Café. In most cases, each individual user would have several separate profiles attributed to him, without any way of linking them together.
This was already a problem in the late 90s, as people started to own multiple home PCs in addition to their desktop at work. When laptops became mainstream, the problem doubled. And today – with the average consumer using eight web-connected devices and many choosing to simply block cookies altogether – the traditional tracking cookie is a monstrous waste of time and resources, inefficient and unsuited to the task at hand.
Today, the simple cookie is less like the loveable muppet from Sesame St, and more like a fearsome Star Wars creature that’s likely to pull your arms off when it gets angry.
Adding to this, US laws are taking on an “extraterritorial” tint (firms are now obliged to share customer data with their government on request, even if that data is about non-US customers and held outside US borders), while Europe is increasingly keen on eye-popping fines for noncompliance. All of this means that even if the technology remained fit for purpose, the legal framework it exists in is making it obsolete. So the monster is migrating somewhere where it’s easier to handle: server-side in the cloud.
How cookies are going server-side …
Yes, the bits of data that identify unique users are moving off the device and onto the web. It’s often called “server-side cookies”, although the data held on the web server isn’t in the form of small text files any more. Rather, they’re objects in a database, and the range of attributes they can cover is broader. Many of the major analytics applications, like Google Analytics 4, already use this method, and they’re all going to be compulsory from July 2023.
At first glance, server-side management of user data sounds less fragmented. Of course, if tracking data from a website is held in the same place, it brings together different facets of user behavior from a user’s desktop PC, their Mac at home, their phone and tablet when traveling. But there’s a kicker: simply moving where the data’s stored, from client-side to server-side, isn’t of itself an answer.
… and why this doesn’t help (much)
Bringing the data together in one location is one step. But making it useful needs another. If the data you’ve collected isn’t meaningfully linked together, it remains disconnected and difficult to extract value from.
Tracking data from Mr Smith’s phone shows how he behaves on his phone. Tracking data from his laptop shows how he behaves when traveling. And tracking data from his desktop at the office shows how he behaves at work. (Or perhaps misbehaves.) But treating these disparate data points as a single set that definitely identifies Mr Smith isn’t part of the new server-side model.
The server-side approach collects data; it doesn’t analyze it. That’s left to other apps and third parties, like Google’s own GA4. Some of them are very good. But many only connect data into profiles when they have rock-solid data points to go on, such as an individual’s email address or a specific label from tag management software. Data with shades of doubt or nuances still sits in silos, unloved and useless.
And there’s the problem. The shift in cookie thinking is helping to comply with laws, protect people’s privacy, stop Big Tech being hit with fines by jealous legislators. But it’s not helping marketers build consistent, accurate, and useful profiles of a person’s activity online.
CONCLUSION: the cookie is dead, long live the … what?
That’s where cookies are today: moving server-side, transforming from little text files on the user’s device to entries in a database in the cloud. And they won’t properly be called “cookies” any more, although you’ll still hear the word for years to come. (Unlike cookies in the real world, web terminology has a habit of sticking around.)