Used to create smoother cross-site experiences for users, third-party cookies may seem like they’re always helpful. After all, they enable companies to serve more personalized ads based on a user’s interactions. They can even remember which products someone has added to their virtual shopping cart, even when that user leaves the website.
However, the darker side of third-party cookies is that they can pose a serious threat to privacy. They’ve been used to track users across the internet as well as execute cross-site forgery attacks that provide unauthorized access to a web system. This means that any user’s browsing data is effectively at risk of being stolen.
Due to these privacy concerns, leading browsers agree that third-party cookies have to go. Chrome has even announced that they will stop support for third-party cookies in the next two years — and with 65% market share (see the graph below), that’s the benchmark timeline for competitors to meet as well.
Let’s be clear: increased data privacy is important, especially when it comes to protecting people’s personal browsing habits and information. However, updated privacy guidelines will also require marketers to adapt as third-party cookies fade away and cross-domain data sharing becomes more restricted.
Browsers make strides to focus on privacy.
In our connected world, 81% of consumers feel they have no control over the digital data companies collect from them. As a result, browsers want to stand out as the most privacy-friendly choice for consumers. Here’s a quick look at some of the privacy updates these browsers are introducing.
In release 11 (2017), Safari unveiled Intelligent Tracking Prevention, which enacted stronger privacy protections, including stopping the browser’s support of third-party cookies. Instead, the browser implemented a Storage Access API, requiring a user’s explicit approval to share their data across sites.
Firefox was the next one off the starting block, releasing Enhanced Tracking Prevention in release 69 (2019). This update blocked third-party services associated with sites classified as known trackers, which are domains that collect, share, retain, or use someone’s data to enable tracking by other services. Additionally, Firefox allows users to easily switch to stricter levels of privacy that will block third-party cookies altogether.
In release 80 (2020), Chrome introduced default SameSite settings that would require the use of SameSite attributes for third-party cookies, which provides some protection for users. The SameSite cookie attribute identifies whether or not to allow a cookie to be accessed. For example, using certain parameters, the SameSite attribute can enable first-party cookies to be sent while restricting third-party cookies (i.e., cookies shared with other websites). Soon after rolling out the SameSite settings, Chrome announced its intent to sunset third-party cookies altogether by 2022.
As these browsers continue to strengthen their privacy positions, many more changes are on the horizon. Marketers will need to evolve to find innovative ways to reach and engage consumers.
What’s the difference between first-party and third-party context?
Before diving in further to how browser privacy could affect marketers, it’s important to understand the difference between third-party and first-party context. Context, used in this sense, refers to the relationship of data and web services to the website a user is currently viewing. As browsers continue to enact stricter privacy measures, it will be critical for marketers to understand this concept.
To start, first-party context simply means that a user’s data is stored within first-party cookies and the services used by the site share a domain at the Top-Level-Domain+1, or TLD+1 (website.com, for example). These cookies are used to create a personalized experience for a user only when the user is on that particular site. In other words, these cookies are not shared with third-party websites that have different domains.
Third-party context means that data is stored within third-party cookies and/or a service does not share the same TLD+1. For example, let’s say there is a video on the website www.example.com that is hosted on www.hostedvideo.com. The video service is considered a third-party service in this configuration.
Now imagine the service provides a way for the viewer to resume an incomplete viewing next time they visit the page. The service has to store the time the viewer stopped watching somewhere in their browser. The service may decide to store this information in a cookie for www.hostedvideo.com, which would be a third-party cookie.
Marketers need to plan for privacy.
If they haven’t already, marketers will need to start taking a close look at the customer experience across their brand’s digital footprint, especially if the brand has multiple websites. If marketers want a user’s experience on one of the websites to be informed by experiences on another site without the user logging in, third-party cookies are the main way to provide this experience. But because of the privacy changes browsers are making, marketers will need to begin thinking more about first-party context instead.
Combine microsites on one domain.
One way to create a seamless experience is to minimize the number of TLD+1 domains they require for their offerings. For example, since multiple microsites with different domains could cause issues for users, would there be a way to combine the sites under one TLD+1 domain? Staying within the same TLD+1 domain provides users assurances that all activity is staying within the same company and their data is not being sent to potentially harmful third parties.
However, scenarios like clear brand distinction may still warrant separate domains. In these cases, marketers likely will need to accept limited cross-site data until a user opts in to marketing and provides certain details, such as an email address, to each brand.
Assess current third-party cookie dependencies.
Marketers should also work with their IT teams to assess which marketing services and sites have third-party cookie dependencies. When third-party cookies are no longer available to use, marketers should have a risk mitigation plan in place that takes into account the impact this change will have on their marketing tactics — and how that will affect user engagement.
Give users control of their data.
Last but certainly not least, marketers will want to consider how to provide users more control of their data in as clear of a manner as possible. In the next decade, user consent will become critical for companies that want to be trusted with their users’ data. Ideally, marketers will be able to continue providing personalized experiences that drive user engagement and loyalty.
How marketers can stay informed and get ready
Salesforce Pardot is committed to helping our marketers stay up to date on major developments in the world of data privacy. Right now, Salesforce is actively involved in privacy groups helping to represent marketing needs to ensure we stay ahead of the curve and help minimize disruption for our customers.
In the Summer’20 Release, we released a beta for a new first-party tracking service that will allow our customers to host all of their Pardot content and web analytics in a first-party context. To learn more about how to become a beta tester, please visit this help documentation.
To keep learning more, be sure to follow our blog because we will continue to share updated information that helps you stay informed about privacy-related issues.