The Cookie Compliance Question

The Cookie Compliance Question

| Marketing Operations

Third-party cookies were meant to be replaced in 2024. That deadline is now in doubt, but marketers still have new tracking questions to answer.

For years, advertisers and technology firms have worried about the impending replacement of third-party cookies. No other technology can truly replace the ability of cookies to track people across websites, yet pressure from privacy advocates and security researchers have forced browsers to deprecate them. It's not just external consultants driving the change. In an effort to sell their platforms to increasingly privacy-conscious users, Safari and Firefox blocked third-party cookies years ago. Third-party cookies are already ancient history on iOS devices.

As a result, most use cases for third-party cookies have already found alternatives. Web analytics and marketing automation platforms switched to secure first-party cookie solutions years ago, but these platforms only need to track users across one site. Websites using third-party cookies for login also switched to more modern alternatives - although Microsoft 365 is a notable exception. Ad tech vendors still need tracking across multiple sites, a capability explicitly blocked by more modern first-party cookie solutions.

Competitive Concerns

Google have taken the lead in designing replacement solutions, which is hardly surprising given their dual role as both the leading browser vendor and the leading digital advertising platform. However, many of their proposals have been rejected by the industry. At the start of the year, Google finally launched Privacy Sandbox, a pilot of their cookie replacement technologies. Their competitors in the ad tech space aren't happy. In a recent ruling, the UK Competition and Markets Authority blocked Google from progressing their roll-out of the Privacy Sandbox due to its impact on other advertising platforms.

Several weeks ago, Microsoft proposed an amended version of the Privacy Sandbox for Edge. This expanded the capabilities available to ad networks in a world without third-party cookies. Most notably, it allowed advertisers to run their own programmatic auction servers rather than relying on Google's services. These are still relatively new proposals that have been submitted to the broader industry for feedback, but they do form the starting point for a comprise approach. Microsoft's late entry into the cookie debate does mean that the 2024 deadline for deprecating third-party cookies is likely to be pushed back again. However, this time, any delays will be at the behest of regulators and advertisers rather than Google.

Compliance Burdens

In the interim, the EU's new DMA regulations have imposed compliance requirements on Google, that they are now passing onto advertisers in order to resolve privacy questions that were leftover from the introduction of GDPR. Since 2018, both Google and Meta have required advertisers to collect consent before any personal data can be shared with their platforms for re-targeting. This was initially interpreted to only apply to profile information shared for matched audience creation. Subsequent EU court judgements expanded the consent requirement to also apply to tracking and web activity data, but that was never enforced by Google and frequently ignored by advertisers.

Then, last year, the DMA regulations kick-started a change in attitude. As a result, Google have started enforcing their consent requirements. Website owners must now explicitly notify Google when consent has been collected for ad personalisation in the EU. This is done using Google's consent mode tools, which integrate the Google marketing platform with cookie consent banners. If consent mode is not used, then Google will simply not use activity data to personalise ads. This naturally reduces the effectiveness of retargeting campaigns.

Consent mode is not a new solution, so many digital teams will already have it implemented. It was originally introduced to allow for cookieless tracking within Google Analytics. The DMA-enforced update is the addition of specific requirements for ad personalisation, which means it can no longer be ignored when marketing to EU customers. The question of consent has been central to EU policy-making for many years, but there has never been a consistent mechanism for managing it in the back-end. Now Google have provided a solution. It is up to marketers to make use of it.

Banner Photo by Romain Dancre / Unsplash

Written by
Marketing Operations Consultant at CRMT Digital specialising in marketing technology architecture. Advisor on marketing effectiveness and martech optimisation.