April 15 2020

Exploring Different Types of Website Cookies

first vs third party cookiesAs children we’re told not to accept cookies from someone we don’t know, and the same is true of cookies on a website. While these cookies aren’t full of sugar or butter, you should still be wary of how many you’re accepting as well as how many you’re handing out. The cookies we’re talking about are the files that are placed on your computer by a website in order to track your actions and attributes. A website might place a cookie on a user’s computer to provide a personalized browsing experience, to remember login details, or to send browsing data to a third-party platform.
 
Cookies have been making headlines recently for a couple of reasons. First, there have been concerns about the safety of third-party cookies and consumer privacy. Second, there were recently announcements that third-party cookies will soon be going away entirely. With nearly all websites using cookies for a variety of reasons, now is a good time to review exactly which cookies you’re using, how you’re using them and how your website handles them.

How many cookies does your website have?

Depending on how long your website has been live and the type of third parties you work with, you may be serving a lot more cookies than you think. Like an overbearing mother at the holidays, you don’t realize that what started as a couple of cookies here and there has become an excessive amount. In order to identify which cookies your website (or any website) is using you can do a quick check using a built-in Chrome tool.
 
If you’ve ever looked at Developer Tools in Chrome and you’re not a developer, you may have thought it was too much information to process. In fact, using Developer Tools to find your list of cookies is actually relatively easy.

  • In your Chrome browser, navigate to your website (or the website you want to check)

  • Press F12 on your keyboard to open the Developer Tools window

  • In the top navigation (Elements, Console etc.) select Application

  • Expand the Cookies tab in the left nav of the Application screen

You will see your own website domain, which you can click on to see which first-party cookies your website is firing. If you see any domains besides your own, that means your website is using third-party cookies.

The difference between first and third-party cookies

When a cookie’s data is stored by the same domain that fired it, that is a first-party cookie. These are typically used to track website visitors through analytics and remember settings that you’ve enabled via the content management system (CMS). If you are personalizing content for your visitors, your website knows which experience to provide based on what the first-party cookie has recorded. And, if you’re using Google Analytics to analyze website traffic, it is able to differentiate users based on a first-party cookie.
 
As previously mentioned, cookies can be used to send data back to outside platforms to give more information on browsing data. This includes any tags you’ve placed on your website from advertising agencies for conversion, remarketing or other tracking purposes. These are your third-party cookies. The reason Google Analytics is considered a first-party cookie and not a third is that the default setting is to automatically be associated with the domain where the code is placed. It is important to know that Google Analytics does have some third-party cookie functionality if you are doing any remarketing or have enabled behavioral data, as that relies on a separate cookie, so it’s important to initially determine how you are using Google Analytics on your site. 

Recent and upcoming updates to cookies

In February of 2020 Google launched version 80 of their popular Chrome browser. Browser updates happen a few times per year with little to no fanfare, but every so often there are updates worth mentioning. Version 80 is one of them.
 
Notably, Chrome v80 updates how third-party cookies are handled, by checking to see whether certain attributes have been set for third-party cookies. Specifically, it is looking to see whether these cookies are marked as being safe or not. For those more technically inclined, you may want to know that there is an attribute called SameSite which usually has the default value of None (SameSite = None). With the update to Chrome v80, Google is also going to be looking for an indicator in the third-party cookie that it is secure (SameSite = None; Secure). Importantly, this is something that needs to be done by the vendors who host the cookies and is not something that is done in the website code.
 
If you’re unsure whether the cookies on your website uses adhere to the new guidelines you should reach out to your vendors for confirmation. Since these updates affect whether data is collected or not, it is likely that these platforms may already be aware and are making the necessary updates.
 
Even though measures are being made to ensure websites are only using trusted third-party cookies, it’s doubtful that the use of third-party cookies will be around for much longer anyway. HubSpot recently published an article called The Death of the Third-Party Cookie which indicates third-party cookies will no longer be supported at all. Based on what Google has stated it looks as though sometime in 2022 we will be transitioning to an internet where the most-used web browsers no longer support third-party cookies. Since these are so important to online advertising, including by Google, it is likely that an alternate solution will be presented before they go away entirely. What that solution is though has not yet been determined however.

What steps need to be taken by website managers?

The first recommended step is to check which cookies you’re currently firing on your website. You can do this using the Developer Tools steps outlined above. If you notice cookies from vendors that you’re no longer working with, or tools you’re no longer using, you should have the code removed that is firing those cookies. Developer Tools will also tell you what the SameSite setting is and whether the cookie is tagged as Secure.
 
While there’s still time before 2022 you should start talking to any vendors you work with who have placed or requested that you place third-party cookies on your website. Find out what their plans are for tracking campaign conversions and audiences once third-party cookies go away. This is a topic we’ll be hearing more and more about in the next year and a half, and ZAG will be sure to keep you informed of as we learn more. In the meantime, if you want to discuss your specific cookie tracking approach, contact us.

  • Analytics
  • Legal Watch
  • Regs & Legislation
  • Website
  • Website Compliance

posted by
Patrick Trayes
Patrick Trayes
Associate Director of Client Analytics

ZAG Interactive is a full-service digital agency in Glastonbury, CT, offering website design, development, marketing and digital strategy to clients nationwide. See current job openings.
Related Article
Website Privacy Policy Best Practices