Last week, after performing an internal training on cookies & tracking, I realised the amount of time and content devoted to cookies in regards to privacy.

Companies like Google, Meta and Apple introduce one approach after the other on how they protect people’s privacy by either using different technologies (e.g. Privacy Sandbox) or blocking existing ones (e.g. cookies).

I tried to approach the matter as holistically as I could and so, I wrote down my thoughts in order to add a bit more structure to them.

Please note that at some points I may need to go back to basics (how web works) so brace yourself as this might be a rather long read.

Here we go!

Why is privacy important and why is there an issue now?

The right to privacy is a fundamental human right and I would say one of the most important parts of modern societies. An individual should have the ability to decide for themselves how much of their own personal information is handled by others and for what purpose.

Web is no different than a modern society as it’s a pretty dynamic environment that is constantly and for many years we were blind (or ignorant) on what information of ours is being tracked, shared and how. Everything we do online can leave a digital footprint and whole industries have been built upon these (anonymous or not) footprints.

The advertising industry for example saw a tremendous growth over the years as the internet provided the ability to gather a lot of data. Data that can be used to effectively measure impact and optimize the delivery of ads. According to Statista, ad spending in the Digital Advertising Market is constantly growing, reaching US$568bn in 2021 and projected to grow up to US$910bn by 2027. Needless to say that the industry is (and expected to keep) booming.

So why is privacy a hot topic now and not in the past? Exactly like societies, web is like a living organism, constantly evolving and adapting to its surroundings and while we need to keep finding ways to make it useful and effective we predominantly need to keep it safe and fair.

Obviously a task of this magnitute is not something that can be tackled overnight, it does not have a clear and measurable outcome and it requires constant effort.

People are pressuring goverments to help them regulate the use of data in the web. This is why regulations like General Data Protection Regulation (GDPR) for Europe and California Consumer Privacy Act (CCPA) for California, US, were introduced to help enhance the privacy rights of residents.

Why are cookies being attacked?

During the last couple of years, cookies have been one of the hottest topics. These damn cookie banners are popping up here and there as a result of the regulations introduced by governments and unions interfering with the browsing experience.

So if the cookie banners have been introduced for our own protection, why are cookies still on the spot? Before answering that, let’s see what a cookie actually is.

What is a cookie?

Cookies, besides being a small piece of heaven that my grandmother makes when I visit (🍪), usually refer to a small piece of information stored in the browser.

The web is built on top of a protocol called HTTP (Hypertext Transfer Protocol) which is responsible for fetching resources such webpages and its components. In order for the protocol to be fast, reliable and able to serve millions of people in a day it needs to be stateless.

Stateless means, that a server (let’s say a website) has no information on whether you requested something in the past or what that was. It just receives a request for a page, sends the appropriate response and then closes the connection.

Cookies were created in order to provide some sort of persistency to the browsing experience. For example, when you log into a website and stay logged in across multiple pages, cookies are used to allow for a seamless experience. When you add products into your cart and they stay there while you continue browsing for other products, cookies are used so you do not have to repeat your actions again in case you browse away from your cart.

Types of cookies

There are two types of cookies:

• First-party cookies: Set, owned and can be accessed only by the visited website and maybe its own subdomains (e.g. mywebsite.com and portal.mywebsite.com).
• Third-party cookies: Set, owned and can be accessed by a third party provider. For example, someone visits our website (mywebsite.com) where we are hosting a YouTube video. Google can set a cookie to the browser and can access this cookie when the user comes back.

First-party cookies are used to support important functionalities and many times are necessary for a website to work properly. Third-party cookies on the other hand, are used for less important functions such as, tracking users between websites, display relevant ads to the user or even support the functionality of a chatbot.

Third-party cookie sunset

The cookies currently on the spot though are the third-party cookies. Google, Apple and Mozilla, have all announced plans to sunset the support of third-party cookies in their web browsers (Google Chrome, Safari and Mozilla Firefox).

The reason is because third-party cookies are heavily used by advertisers to track user behavior among websites and use this information for targeting purposes.

“Users are demanding greater privacy — including transparency, choice and control over how their data is used — and it’s clear the web ecosystem needs to evolve to meet these increasing demands”

Justin Schuh — Director, Chrome Engineering

Companies are trying to find a more privacy-friendly way to support publishers. Google initially announced FLoC (Federated Learning of Cohorts), which was a type of web tracking that grouped people into cohorts based on their browsing history. FLoC was criticized by the community and has been described as anti-competitive, which led Google to suspend it and replaced it with Topics API which is part of the Privacy Sandbox. The Privacy Sandbox initiative, contains a set of tools that aim to limit tracking of individuals while providing tracking capabilities for publishers.

Fighting the right fight

While reading all the news surrounding this topic and assessing the efforts of search engines to regulate distribution, usage and manipulation of data, it is clear to me that the problem is not third-party cookies. The problem is what we’re doing with them.

Cookies are just another piece of technology and it doesn’t matter if we replace them with a device ID or any other kind of “fingerprint”. If we eliminate cookies but we still track users without consent, we are just beating the wind.

Implications of a cookieless or non-tracking world

Let’s look at things from another scope. We agree that privacy is critical and that it is imperative to feel safe and protected while navigating the interwebs. If we want to eliminate cookies (or any other form of tracking), we need to understand that the change will come at a cost.

In today’s world, we witness that information is widely available online and there is an incredible amount of services and products on offer. All of this, readily available at your fingertips, is a result of a tremendous number of work hours translating directly to money either ingoing or outgoing.

News sites and blogs need journalists and copywriters to continuously produce content. Every website requires development work to be built and supported throughout all the new tech updates. Maintaining and operating a server requires energy and money.

While the fast and seemingly easy nature of these online businesses can “trick” us into believing that this comes at a lower cost when comparing to bricks and mortar, this is definitely not the case.

People (and companies) are giving a lot of hours and man power to bring something to life, and to sustain it, and of course they expect to be remunerated and rewarded for it in more than one ways.

Whether it’s money, or building their brand to sell their products, or attracting visitors to get paid by hosting ads for advertisers, all companies expect something in return and nothing is free!

The elimination of tracking means that companies and advertising platforms will be “blind” about what works and what doens’t, in the effort to bring a potential customer “through the door”. Lack of access to these insights, will lead to a decrease of income for brands, as people will be seeing less relevant ads thus not enticed to “walk through the door”, explore what’s on offer and eventually buy from a brand that is relevant to them.

This will have a ripple effect, as many websites that are now “free” will be hidden behind paywalls in order to survive. Therefore, we need to ask ourselves: “Are we willing to pay a subscription at any website we are visiting? What about Google Search? Are you willing to pay a subscription to use a search engine?”

Search engines are free because they are selling ads to third parties.

“If you’re not paying for the product, you are the product”

Although I am not sure who said the aforementioned famous quote, it’s rather true but not necessarily a bad thing. Take for example search engines, we use them on the daily to look up information about anything and everything at no direct cost. The indirect cost is anonymous data sharing in order for brands and advertising platfroms to deliver personalised and relevant ads.

When looking at the privacy dilemma, we do not consider how many things we take for granted in our day-to-day lives. Although safety and privacy are important we need to be aware that while we try to determine new approaches, many things will change with potential implications for us; we cannot have one’s cake and eat it too.

So what does the future hold?

Battling for privacy is crucial but we need to pick our battles. We need to focus on the right enemy which is not cookies or FLoC or Privacy Sandbox. The enemy is the absence of transparency.

Transparency is needed in order to for us to be aware when we are being tracked. We need transparency on how our information is being used. We need transparency on who has access to the digital footprints we leave behind. We need transparency on what we are sacrificing to get “free” access to a service. Finally we need the reassurance that we will not be tracked if we didn’t explicitly give our consent, even if that means that we will no longer have access to the service.