If the Third-Party Web Cookie Crumbles, Can AI Replace It?

The cookie is at the center of many consumer privacy debates as legislators, companies, and consumers become increasingly worried about their privacy as cookies can track consumers without their knowledge or consent. With this, it is likely other forms of analytics, like using artificial intelligence, will contribute to crushing the cookie.

In 1994, Netscape engineer Lou Montulli built the cookie, a small text file with pieces of data that can be placed on a user’s device, to add short-term memory to the browsing experience of early websites. Montulli built the original cookie to avoid other solutions like giving permanent IDs to users so they couldn’t be tracked. However, people found ways to hack cookies and track just that. 

The cookies most brought up in privacy debates are third-party cookies, implanted and stored on-device by websites you are not currently using. They ride along with you, as you surf the web, and can be used to triangulate demographic information for ad targeting and attributing your transactions to ad exposure.

The Cookie’s Disappearance

Recently, more and more companies are choosing not to use third-party cookies. Ever noticed that Apple’s Safari browser already blocks cross-tracking third party cookies across sites? Third-party cookies are also gone from Firefox through its Total Cookie Protection feature. Google plans to phase out third-party cookies on Chrome by 2023 because “users are demanding greater privacy—including transparency, choice and control over how their data is used.” Advertisers will feel the loss of the third-party cookie most strongly and will have to seek new ways to access similar sets of data. 

More recently, Apple rolled out its new App Tracking Transparency (ATT) feature by revoking advertising access to each user’s unique identifier if users say “no” to tracking with each pop-up. While large companies like Google or Facebook can likely still access your first-party data through website log-ins and other methods, the move reportedly cost Facebook’s parent company, Meta, $12.8 billion in 2022. This loss of revenue will likely encourage Meta to seek other avenues. 

Apple’s ATT feature and the search engines’ move away from cookies is likely due to the influx of legislators and policymakers pushing for data privacy bills related to third-party cookies globally. 

The most comprehensive set of data regulations issued by an official governing body to date, known as the General Data Protection Regulation, or GDPR, came into effect in 2018 within the European Union. While cookies are only mentioned once, GDPR establishes most cookies—ones used for analytics, advertising, and more—as personal data, which means that companies must give users a clear choice to opt-in or opt-out before proceeding to use the site. Companies have found ways to sneak around this by utilizing deceptive design (so-called “dark patterns”) or failing to include a clear way to withdraw consent. Nevertheless, forcing at least the appearance of a consent banner sets a precedent by making consumers aware that they can be tracked across the web. 

As for regulations within the U.S., the California Consumer Privacy Act of 2018, amended in 2020 to include additional data protections, requires businesses that “sell” personal information to provide opportunities to opt out of cookies, but expressed content is not required by the law for businesses to get the consumer’s consent before placing a cookie on their browser. However, California is not alone in its efforts. 

35 states have considered some semblance of data privacy regulation, and there was conversation about the American Data Privacy and Protection Act that has brought considerable discussion amongst technologists despite not passing in the last Senate session.

Alternatives to the Cookie

With the third-party tracking cookie potentially gone, what’s next for advertisers? 

Advertising agencies can work around these cookies by utilizing a strategy called contextual advertising, where users are not targeted behaviorally but rather based on what categories their online experience belongs to. Agencies first figure out which categories of content are most relevant to their potential buyers, such as advertising repair parts for the power tools a user is currently viewing or workout equipment if a user is looking at an at-home workout subscription. The more an agency narrows down its content categories, such as clothing and dresses, to full-length evening wear, the more easily they can adjust their advertising to the user’s interests. 

There are already several algorithmic approaches for clustering users into groups and classifying interests into categories. One such approach is federated machine learning, offered as a more protective form of advertising. Apple utilizes federated machine learning to personalize Siri on-device, preserving privacy in the process. Different speech recognition models are trained on local user data, and Apple also adds noise to the audio so it cannot be reverse-engineered from the models.

However, federated machine learning’s future in advertising remains uncertain. Google’s attempt at federated machine learning based advertising, or Federated Learning of Cohorts (FLoC), was quickly discouraged by browser vendors. FLoC is intended to cluster users by interests, which hides the users amongst the crowd because each crowd is given an ID rather than a user. However, data privacy advocates had concerns about the many categories of users in FLoC, which could potentially allow for fingerprinting to identify individual users and assign them unique IDs. Other advocates also argued that FLoC still meant that users could be tracked, making it not too different from third-party cookies. 

Instead of FLoC, Google decided to implement topic-based ad distribution. This means that users will receive their top five topics each week based on the last three weeks of their browsing history. The user must visit the site, as opposed to being redirected, for the topics of that site to potentially be considered part of their browsing history. While the initial design includes 350 topics, advertisers dispute the number and say it won’t be enough to specialize content for users. The smaller number of topics, unlike the categories, makes users harder to track, which in turn also leads to potentially broad advertising. 

Google does not use demographic or geographic data with its Topics API currently, but Meta does use this data in its advertising. With the limitations in tracking features, especially due to Apple’s transparency feature, Meta is using modeled conversions—a machine learning tool based on aggregated anonymized data like unattributed website traffic to estimate how successful advertising efforts are—to inform advertisers about their efforts. Meta added these estimations to its 7-day click view for advertisers, which only showed data from users who opted into tracking for advertisers. 

We’ve talked a lot about Meta, Apple, and Google, but what about other big tech companies like Microsoft or Amazon? Amazon does not necessarily need to rely on third-party cookies because much of a consumer’s browsing habits and purchase history, like if you specifically buy coffee beans monthly, is within the platform in the form of first-party data. Unlike some of the others, the bread and butter of Microsoft is cloud computing services, not advertising. But back in July 2022, Microsoft agreed to an advertising partnership with Netflix. It will be interesting to see if the slow death of the third-party cookie will affect the quality of ads on Netflix and the quality of the viewing experience, especially with the disgruntling news of Netflix’s crackdown on password-sharing.

Sweeping The Trail Of Crumbs

While it is not yet time to see the efficacy of Facebook’s modeled conversion or Google’s topic-based API, advertisers do need to find new ways to maneuver around the third-party cookie, especially as large firms come under fire from data privacy advocates. Recent legislation like the update to the California Consumer Privacy Act or even talk about a nationwide data privacy act puts pressure on companies to reconsider how they disclose the data they collect from users. Apple’s ATT feature also forces advertisers to reconsider how they can reach consumers. 

Because of these hits, we see new techniques like federated machine learning or modeled conversions as potential ways to target marketing without tracking consumer data directly, but it has not yet been long enough to know if these techniques will be a success. The cookie will crumble, but it seems that advertisers have yet to find a clear-cut recipe to replace it. All we know is that where the cookie will go and what will replace it is important to our privacy rights as consumers.