Is This the Way the Third-party Cookie Crumbles?

The internet cookie has been around since the late 1990s and, in its original state, we remember it relatively fondly. Its core aim was to identify users and their website preferences, helping keep track of everything from shopping baskets to user dashboards. 

Today, first-party cookies continue to help personalise user experiences. However, the early 2000s brought a wave of third-party cookies with the sole aim of harvesting our personal data and selling it for profit. We all remember that eerie feeling when we first started receiving ads for products we’d previously been searching for online. Eventually, regulators moved in to protect consumers from non-consensual data harvesting, which brings us to where we are today; wearily clicking yes/no to cookie consent pop-ups each time we visit a new website. 

The recent news that Google has eliminated third-party cookies for 1% of its Chrome users (about 300 million people) signifies a turning point. This is Google catching up with “cookieless” browsers like Safari and Firefox so, given Chrome’s extraordinary reach, could the days of third-party cookie monsters finally be numbered? 

In the latest episode of the Security Visionaries podcast, I spoke with Netskope’s CIO and CISO for Asia-Pacific, David Fairman, and Zohar Hod, CEO of One Creation, to hear their thoughts on how this affects data protection policies and what Data Protection Officers need to know. 

What’s the incentive to eliminate third-party cookies?

Google positions this move as a step towards greater privacy control for consumers, but there is significant market scepticism as Google collects consumer data and develops behavioural insight from its own advanced technology, not third party cookies. By creating a “walled garden” as Zohar Hod puts it, Google has created “another mechanism to monetise privacy further” selling it to brands “who depend on third-party customer data to drive revenue”.

Will we soon wave goodbye to consent pop-ups for good? Not exactly. According to Zohar, we’re “moving towards an opt-in model rather than an opt-out model” which could diminish the efficacy of third-party cookies and make data collection more expensive, but will not eradicate them completely. Ultimately, user experience will be prioritised through a number of methods, including:

• The Rise of Zero-Party Data
  As David explained in our conversation, zero-party data is a method of data collection which is slowly gaining popularity because it involves customers proactively sharing personal details with a company. This information can be collected through website forms or pop-up questionnaires, many of which offer a reward in the form of a coupon or webinar for the customer in return. Through this direct form of data collection, marketing campaigns can tailor product recommendations and promotions to the customer with remarkable accuracy.

• Decline of “Dark” Practices
  There are many irritating tactics that companies deploy to encourage customers to accept optional cookies. One common method is to make it very difficult to select “reject all” easily, forcing the user to click multiple times through different options (having turned over a new leaf while recording the podcast I recently had to click “no” 97 times on a single cookie consent form to remove all third-party access!). According to Zohar, regulators have taken notice, and we’ll see pressure to remove these so-called “dark patterns” in the next two years.

• Nurturing brand relationships
  On the podcast, Zohar reflected that he’s seen cookie acceptance rates drop by up to 25% in recent years, as customers get more suspicious of companies and how their data is being used. To increase brand loyalty, it’s imperative for companies to encourage proactive data sharing, rather than relying on third-party cookie consent pop-ups that are increasingly resented by users.

Ultimately, the shift away from third-party cookies will be driven by companies who want to get ahead of customers’ changing needs and expectations. It’s the role of the Data Protection Officer (DPO) to anticipate this movement and get smarter about enhanced data collection in future. David advises that it’s up to the DPO to use the GDPR as a global standard for best practice, and to “ensure that they’re meeting the customer’s expectations around privacy and data collection” by implementing progressive consent approaches including zero party data. 

Want to learn more about the future of cookies? Tune into today’s episode of the Security Visionaries podcast.