Which Are The Most Popular 3rd Party Cookie Alternatives?

The modern Web is strongly dependent on all kinds of cookies: a statement that is both true and obvious, and one that will not change any time soon. Advertisers use 3rd party cookies to serve their ads; and these cookies make you wonder if the same Advertisers are listening to your conversations, using speakers in your phones and laptops. Website owners use 1st party cookies in order to measure their audience. Developers use all kinds of cookies in order to store the preferences selected by the users. Even information pop-ups relating to cookies are cookie-based! Thus are there any 3rd party cookie alternatives? Well, there certainly are.

From the time of their invention, the digital media industry put their trust in the “cookie jar” when it came to tracing users across the World Wide Web. And among all kinds of different cookies, third-party cookies are most often used by Advertisers in order to identify the user between different websites. It’s little wonder then that the industry is in panic mode; most browsers have limited their usage and the last bastion, Chrome, has announced its cessation by 2022.

The 3rd Party Cookie Alternatives

There are of course still plenty of 3rd party cookie alternatives.

Even those that comply with web standards, such as:

Storage-based

Let us analyse the following scenario. Your friend is a Publisher. He owns 5 different websites. Each of them under a separate domain. To identify users without 3rd party cookies, he needs to implement some additional mechanism. Considering that none of those websites has a login functionality, the only option is some kind of anonymous identifier. So when the user enters a page, your friend will have to generate a UUIDv4 and save it on the visitor’s device. After that, each of his sites will be able to access this ID each time it is to be visited by this specific user. The identifier should be exactly the same, regardless of the site that called for it. 

HTML5 standard can work with a wide set of data storage mechanisms on the client-side. Those tracking techniques, based strictly on persistent storage on a user’s computer are some of the most well-known and commonly used alternatives for following users.

Web caches

By design, the cache is used to store data which rarely changes. This functionality limits unnecessary data transfer through the network and is crucial for the infrastructure of bandwidth maintenance. Browsers will have difficulties with limiting cache-based tracking mechanisms without impacting on user experience and internet performance. Mechanisms needed for caching can also be used as storage for user identification data.

In the story of our presented Publisher, a server may return a JavaScript document with a unique identifier embedded in its body (e.g. as variable value or even in comment). This JS file may be attached to all 5 domains. The ID will be generated as server-side whenever it is requested. But in order to store a once-generated identifier, a server sets Expires/max-age= to a date set in the distant future.

And what if we just want to know whether the user of a given site has been on one of our other sites. It’s actually pretty straightforward. Websites can use JavaScript to detect the time of the loading of any object (e.g. an image) from any URL. The measured loading time can be reported to the server, which can evaluate if the object is present in the cache (and therefore, if a user has visited the website previously). But you have to remember about user experience here, as this kind of “knocking” may quickly slow down the loading of your website.

Fingerprinting

Storage-based methods are the best-known and probably the most-used methods for identifying and tracking people online. However, these methods sometimes simply do not cut it. This is because the users are able to easily turn off or wipe out their browser storages. Most of the browsers also develop methods that restrict such tracking. There is an alternative of course, but it’s a bit more complex. And its name is … printing. Fingerprinting.

Fingerprinting involves the use of observable characteristics in order to create the digital “fingerprint” of each specific user in order to identify or re-identify their visitors, browsers, or devices. This kind of ID consists of one or more values readable by the website straight from the user’s devices.

Thanks to a fingerprinting website, owners can also:

• correlate a user’s activity within and across sessions,
• track users in cross-domain context,
• identify pseudonymous users,
• detect fraudulent activity.

As the fingerprint is relatively unique and the same for all origins, it makes cross-domain user tracking also possible. Several domains may be able to exchange information about the same user, even if a browser cookie policy does not allow third-party cookies. Tracking in this method is quite transparent to the user, and it works in some 3rd party cookies-defiant browsers, because no data is stored in storage or session-based mechanisms. And the users do not even need to authenticate it.

There are many different types of fingerprinting, such as Active fingerprinting, Passive fingerprinting, Browser fingerprinting, Network and location fingerprinting and Operating system fingerprinting; and their catalogue still remains open. But although many studies show that current fingerprint can be matched to the earlier one by way of a heuristic algorithm to an accuracy of around 99% (and this is due to the approach of Safari and Mozilla already adding fingerprinting as forbidden workarounds), we may soon have to look for other solutions.

Birds from the Privacy Sandbox

When Google announced that their plan was to shut down 3rd party cookies in Chrome by 2022, they have stated they want the whole industry to look for the alternative together; to work in the so-called Privacy Sandbox. Menlo Park presented some of their own ideas, which were commented upon widely by the members of the media industry as being too narrow and limiting for the replacement of cookies. Other companies, such as Criteo, have thrown their hats into the ring; or should we say, thrown their birds, as for some reason all the acronyms of the latest proposals have a feathery overtone, such as SPARROW, TURTLEDOVE, PARROT, or DOVEKEY. All of these solutions have one thing in common, in that they try to maintain the ability to track the users between the websites, and they give Advertisers a chance of measuring attribution and upholding frequency capping.

Some of them are actually highly promising, though complex; but as it might have been expected, the proposals placed by specific industry members are biased. They were already challenged by other entities, including Google. And despite the fact that C-Day is fast approaching, the industry seems to be still far from the achievement of a compromise and is not ready to say farewell to cookies.

3rd Party Cookie Alternatives: Finding the Future Leaders

Considering the above, the most promising alternative to cookies seems to be the cache-based HTTP headers and postMessaging between iframes. However, there will always be a doubt about privacy protection in each of the discussed scenarios; regardless of the methods used by website owners.

Most of the industry members and identity fanatics have so far been unable to predict who will lead the way when it comes to creating the new global standard. This best guest is Google, particularly given its dominant position. But looking at the scepticism towards their latest FLOC test results, and the unexpectedly good adoption of the Trade Desk ID, a historic transformation is in the offing.

 One thing is for sure. The future is bound to be highly interesting.