Wtf is a Cookie?

Heard a lot about “cookies” lately? Here’s everything you need to know.

You’ve probably been hearing a lot more about “cookies” lately. It’s a hot topic in the world of internet privacy and marketing, so let’s cover everything you need to know.

Glad you asked. Let’s say you’re in the market for a new grill. You start by Googling a few things, you visit a few sites, and the next thing you know you’re getting bombarded with ads everywhere you go. Sound familiar? Well, that’s a cookie at work. It’s a very small text file that usually lives in your browser (e.g. Chrome) and will keep following you around even if you close your browser. Some of them even track you for up to 400 days. It’s kinda creepy if you think about it.

These cookies do some harmless things like auto-filling form fields, but more importantly, they collect information about you that is very valuable to marketers and companies like Google and Meta. Let’s take a step back: how does the site Facebook.com make money? We all pretty much know this, it’s ads, right? Kind of. The ads are the way they attract brands: “Hey you, want to get in front of millions of your target customers? Buy this ad.” But the ad is no good if you’re not able to target the people you want. This is how Facebook.com makes money. They not only have the people you want using their platform, but they actively collect as much data on each person as possible so you (the advertiser) can effectively target them, get them to buy and then keep spending money on Facebook ads.

But wait a second, what if you’re not logged into Facebook or don’t even HAVE a Facebook account? It doesn’t matter. Whenever you visit any one of Meta’s many websites or apps (Facebook, Instagram, WhatsApp, Threads, Boomerang, and more) OR if you visit any website that has a Facebook pixel (a piece of code used for ads) or a Facebook social plugin such as a like/share button, they are listening.

All of that data is stored in the cookie and is then matched up with a lot of other information, including the contacts in your phone, your location, your usage on the platform, and more, to form an extremely detailed profile on millions of people regardless of whether they’ve signed up for the service or not. Facebook got into trouble for pushing this too far with the Cambridge Analytica scandal around illegal data collection used for political ads.

Another example: TikTok. They’re under a lot of heat right now over privacy and concerns that data collected by the app is available to the Chinese government. And a big part of how they get all this data? You guessed it, cookies. Similar to Facebook, they also use APIs and local proxy servers on your phone to access just about everything else they can. That includes your location, other apps, contacts, emails, texts, etc.

I think you get the picture. Data is king and although these companies are marketed as social networks, they are really data centers that make money by renting out the data at a premium cost. If the service is free, you are the product. 

The real issue here is most of this is going on without the user's knowledge and in some cases without consent. This is why 3rd-party cookies have come under scrutiny and as a result, will be completely unavailable to marketers very soon. European countries have been on a crusade to do away with them for over a decade but now the movement is starting to pick up speed in the US. Apple is now blocking all cookies in Safari and Google will be doing away with cookies entirely in late 2024 as the privacy pressure mounts, especially from Europe. Full timeline of all the major changes to 3rd-party cookies below. 

Timeline of changes to cookies

But wait, what’s a 3rd-party cookie? The example I laid out above with the Meta tracking is done with a 3rd-party cookie, the 3rd party being Facebook.com in that case. They set the cookie, and then when you get to Site A, it communicates back to Facebook the actions you just took.

But there are 2 other kinds of cookies: 2nd-party and 1st-party cookies. 2nd-party cookies are ones that one company creates and then shares with another company in some kind of data partnership. Where I want to take you next is 1st-party cookies, which hold data you collect on your own.

Like their 3rd-party counterpart, 1st-party cookies can be used to store information about a user, like on-site behavior, what sites they came from, remembering what's in their shopping cart, and storing passwords. The difference is this is all your data and you get to choose who you share it with and what you do with it. It can be more valuable to companies not only because you control it, but also because you can be clearer with your site visitors and customers about how you’re using it, and because it gives you better data on people interacting with your site so you can get more of them. You’ve probably seen those pop-ups on a growing number of sites telling you the site uses cookies and asking if you’d like to opt out. They are using 1st-party cookies (probably 3rd-party too) and that message is the consent you need to get from the user to set cookies or collect any personal data, now required by GDPR and CCPA rules (Europe and California).
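To make the 1st-party/3rd-party distinction concrete, here is an added example (not from the original article) that classifies the `Set-Cookie` headers seen while loading one page. The hostnames and headers are constructed, and comparing the last two DNS labels is a simplifying assumption in place of the Public Suffix List that browsers use.

```javascript
// Added example: classify cookies set during one page load as 1st- or 3rd-party.
// All hostnames and headers below are constructed sample data.

// Simplified "site" = last two DNS labels. Real browsers use the Public
// Suffix List, so this is wrong for suffixes such as co.uk (assumption).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// pageHost: the site in the address bar. responses: [{ host, setCookie }].
function classify(pageHost, responses) {
  return responses.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const maxAge = Number(c.attrs['max-age']);
    return {
      name: c.name,
      setBy: host,
      party: siteOf(host) === siteOf(pageHost) ? '1st' : '3rd',
      // Session cookies (no Max-Age) are reported as 0 days.
      days: Number.isFinite(maxAge) ? Math.round(maxAge / 86400) : 0,
      // SameSite=None together with Secure marks a cookie as usable in cross-site requests.
      crossSiteAllowed:
        String(c.attrs.samesite).toLowerCase() === 'none' && c.attrs.secure === true,
    };
  });
}

const sample = [
  { host: 'www.grill-shop.example', setCookie: 'cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'pixel.adnetwork.example', setCookie: 'uid=u-789; Max-Age=34560000; Secure; SameSite=None' },
];
console.log(classify('shop.grill-shop.example', sample));
```

The second cookie is the tracking pattern described above: set by a different site than the one in the address bar, allowed in cross-site requests, and kept for 400 days.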

1st-party cookies have two big advantages for marketers doing any kind of paid advertising. First, when you’re doing your own collection of personally identifiable information (email, address, phone, company, etc.), you can form a more accurate picture of people as their information evolves and changes. They move to a new house, change names, get new email addresses and so on. This is normal, but in a 3rd-party data world it is difficult to capture effectively. When you’re storing all of this yourself, you can create better audiences and send this data back to ad networks and 

Secondly, you have a better idea of how all of these marketing channels are affecting the path to purchase for each one of your customers. You can see how some channels are better at assisting the purchase and some more responsible for the actual conversion, then place a weight on how much you value each. Just because a marketing channel didn’t directly convert this person into a customer it doesn’t mean it’s not valuable. Top-of-funnel channels like paid social are notoriously hard to justify because buyer intent is low. By seeing the full story you can understand if that kind of channel is right for your business. 

How do I start collecting my own data?

One easy way to get your own 1st-party data is setting up server-side tracking through Google Tag Manager (sGTM). This can set the 1st-party cookie and give more accurate conversion tracking by collecting information about the sources users came from, what they clicked on to get here and their IP location, and even by assigning anonymous traffic a unique user ID that can stick with it through conversion. With server tracking you can even combine the data you collect with 3rd-party data, building an even more robust profile. There are even tools like 

One use-case for this that is top of mind for me is tracking for affiliate marketing. You must attribute correctly so your affiliate partners get paid for the customers they refer to you.

Using just 3rd-party tracking, a cookie with an affiliate tracking ID is set in the user's browser when they click on your affiliate's link. This cookie has too much responsibility because it contains the information needed to credit your affiliate with the commission once that user converts to a customer. In a world where ad blockers can stop that information from being passed, or where Safari doesn't even create the cookie, you can see why relying on this tracking is dangerous. At scale, your affiliates will lose trust in your company to accurately pay them out and they will stop promoting.

This same interaction using server-side 1st-party tracking is much more reliable. The cookies cannot be blocked because they are sent directly from the partner server to the server of whatever affiliate network you're using, so you are not depending on someone else's browser to do this important transaction.

This is an example of what a user record could look like, showing all of the different traffic values and campaign source information for the marketing channels they came from. This would record ALL touches, not just your customer’s last interaction, as is most commonly tracked. You can then choose what events to communicate back to affiliate or ad networks, instead of that information being taken by them automatically. This is a very big point in the conversation about protecting privacy and knowing who is accessing your users’ data.

Image credit: stape.io
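The server-side flow described above, as an added sketch in Node.js that is not code from the article, sGTM or stape.io: the server issues a 1st-party ID only after consent, appends every touch to the user record, and builds the server-to-server message from an allow-list of events. The cookie name `fp_id`, the `aff_id` parameter, the record fields and the first-affiliate-touch rule are all hypothetical.

```javascript
// Added example: consent-gated 1st-party visitor ID with a full touch history.
// Cookie name (fp_id), query parameters and record fields are hypothetical.
const crypto = require('crypto');

const store = new Map();                  // visitor ID -> record (stand-in for a database)
const SHAREABLE = new Set(['purchase']);  // events you choose to report to a network

// Handle one page hit on your own server; returns the Set-Cookie value to send, if any.
function handleHit({ cookies, url, consent }) {
  if (!consent) return { setCookie: null, record: null }; // no consent: no ID, nothing stored
  // Accept only IDs this server issued; anything else from the client gets a fresh one.
  const id = store.has(cookies.fp_id) ? cookies.fp_id : crypto.randomUUID();
  const record = store.get(id) || { id, touches: [], events: [] };
  const q = new URL(url).searchParams;
  record.touches.push({                   // append, so earlier touches are never overwritten
    source: q.get('utm_source') || 'direct',
    affiliate: q.get('aff_id'),
  });
  store.set(id, record);
  const setCookie = id === cookies.fp_id ? null
    : `fp_id=${id}; Max-Age=${400 * 86400}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  return { setCookie, record };
}

function recordEvent(id, name) {
  store.get(id).events.push(name);
}

// Server-to-server message: allow-listed events only. Crediting the first
// affiliate touch is an assumed attribution rule, chosen for the example.
function postbackFor(id) {
  const r = store.get(id);
  const touch = r.touches.find((t) => t.affiliate);
  return {
    affiliate: touch ? touch.affiliate : null,
    events: r.events.filter((e) => SHAREABLE.has(e)),
  };
}

// Constructed journey: affiliate click, later paid-social visit, then a purchase.
const a = handleHit({ cookies: {}, url: 'https://shop.example/?utm_source=partner&aff_id=A17', consent: true });
handleHit({ cookies: { fp_id: a.record.id }, url: 'https://shop.example/?utm_source=paid_social', consent: true });
recordEvent(a.record.id, 'add_to_cart');
recordEvent(a.record.id, 'purchase');
console.log(postbackFor(a.record.id));
```

`HttpOnly` keeps the ID out of reach of page scripts, and the allow-list means the `add_to_cart` event stays in your own record and never reaches the network.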

What is the future of tracking people online?

A major shift is happening across the internet towards more privacy and taking back rights for the individual. A shift away from mega-corporations owning everything about you and holding this data hostage, towards people and smaller businesses taking the power back. For companies trying to target people online, that means getting a better understanding of your best customers and crafting a more nuanced, informed marketing strategy so you can get more of them. This is a stark contrast to how it works now for most companies, which is channel-specific, not person-specific. 

The two sides of a company’s marketing are usually split into getting more customers (acquisition) and keeping your current customers happy (retention). In a lot of cases, I see these two sides working in silos. The growth team is focused on trying to get new customers by relying on 3rd-party cookie data they rent from ad networks like Facebook and Instagram to tell them who is a good customer. The retention team looks at current customers (usually without looking at their journey to purchase) and tries to craft a separate plan to keep those customers happy and continuing to purchase. In a world where we will have limited access to 3rd-party cookies, companies will need to lean into consented data they collect themselves as the foundation for understanding their customers and measuring their future marketing.