Marketing in a Cookieless World
The evolution of the internet cookie and consequences for brands
If you’re in Europe or the UK, you’ve probably come across these annoying cookie consent pop-ups that take over the screen and make you forget why you visited a site in the first place.
When Lou Montulli, the founding engineer at Netscape, invented the internet cookie, he intended to create a better experience on the web. In the early days of the internet, websites didn’t have a good memory. They couldn’t remember the actions of users across pages, meaning that features like adding items to a shopping cart were impossible. What the internet cookie did was give websites the memory they were lacking.
The internet cookie - good or bad?
Lou created the Cookies with privacy in mind, as the original cookie was only intended for a single website to remember interactions with its users and no one else. But the historical track record of technology innovators predicting the consequences of their innovations is very poor, according to Marc Andreessen, Lou’s colleague and Netscape’s co-founder.
It only took the advertisers two years to spot the opportunity and hack the cookie technology to their advantage. They figured out a way to gather and share the cookie data with other parties. Like the classic example of a user searching for a dream holiday, then getting haunted by ads on every website they go to for weeks.
Fast forward to 2022, you might know the original cookies as first-party cookies and the mutant cookie that the advertisers invented as third-party cookies. Even though third-party cookies are not the most ethical, no one tried to stop the technology because internet advertising was the primary viable business model in the early days. At the same time, e-commerce wasn’t really a thing. But 20 years since its creation and increased focus on privacy, it’s time to say goodbye to third-party cookies, and probably for a good reason. With the great fall of third-party cookies and user data that comes with them, martech vendors have been declaring that we should focus on first-party cookies and the first-party data that comes with them.
But not all first-party cookies are the same. First-party cookies have also gone through an evolution. We have the ‘original’ first-party cookies, now referred to as ‘essential cookies’. These are in line with Lou’s original invention of cookies, as without them critical functionalities of websites such as adding items to a shopping cart wouldn’t work. Then we have what I call the ‘modern first-party cookies’. You might know these as ‘optional cookies’. These cookies are not required for websites to work. The information we gather from these modern cookies enables things like rich web analytics, optimisation, personalisation, prediction, and more.
Optional cookies’ relationship with the law
For some time now, in the EU and the UK, there has been a ‘cookie law’, which requires websites to gain consent from users before dropping optional cookies into their devices. However, this legislation gained meaning once the GDPR was released, where it defined what constitutes compliant user consent to optional cookies. Compliant consent has to be:
- Freely given
- Informed
- Unambiguous
- Given by a clear affirmative action
- Easy to withdraw consent as it is to provide it
The key takeaway from these two legislations is that if a user doesn’t give a website their consent for optional cookies, it means limited web analytics, and the current model of modern digital marketing could collapse. And suppose your business is outside the EU and the UK and believes this information doesn’t apply. In that case, we are seeing similar data and privacy trends internationally, so brands must pay attention to this topic.
And how did marketers react to these legislations? Panic.
The quest to gain consent has begun so marketers can protect and continue to enjoy the rich web analytics and other things we do with optional cookie data. Testing the boundaries of the law, we have seen a new breed of cookie consent frameworks. Many are using dark patterns to lead the user to take action, which is not necessarily for their benefit. Like the example below, which is one of the more widely adopted cookie consent frameworks.
Here are a few challenges with this approach:
- A consent wall that is blocking access to the site and content, forcing an interaction with the consent pop up
- Leads the users’ attention to the ‘Agree’ button, which has a coloured button and a larger font size
- No option to close the pop-up or reject cookies
With several companies in the EU recently receiving hefty fines, the above approach is no longer compliant, and the legislators have published more granular guidance for compliant cookie consent. As a result, it will become much more challenging for companies to get away with the above approach.
Users’ sentiment toward optional cookies
While marketing and legal teams have been spending considerable time and effort crafting the design and copy of cookies consent pop-ups, the users’ perspective has been neglected. For this write-up, I tried to group the behaviours I see through my work at Thoughtworks into two main user categories. Suppose you were to go through this exercise and look into your target audience and their sensitivity to privacy. In that case, you will likely find nuances specific to your target audience. These should be taken into account when you design your cookie consent strategy.
- The average person: this user group doesn’t quite understand what cookies and privacy are about and represents most people. When this type of user is presented with a consent pop-up, it adds to the cognitive load and takes away from the reason they came to the site in the first place. For most people in this group, consent pop-ups go over their heads, and sometimes the best decision they can make is NOT make any decision.
- The privacy-sensitive: this user group understands what cookies are all about and protects their privacy. They actively choose who they allow to place cookies on their machine and track them. Usually, this would be when they perceive value from a particular brand and believe that they can trust this brand as they put the proper measures in place to protect their data. Instead of managing cookies directly on each site, this group of users usually sets their default settings at the browser level. They even install apps that prevent consent pop-ups from firing altogether.
At Thoughtworks, one of our earlier iterations of the cookie consent banner included.
- turning optional cookies off by default as per the legislator’s requirements
- allowing users to browse the site without engaging with the consent banner
- Using the accept/manage buttons with no option to close the pop-up in a single click
This approach led to a 70% reduction in trackable traffic. 96% of users were in line with the ‘average person’ and ignored or didn’t see the banner. 4% of users were in line with the ‘privacy-sensitive’, actively rejecting cookies through the hidden manage screen. We’ve had another iteration since, allowing users to close the cookie consent banner, and we now stand on an approximately 25% optional cookie acceptance rate on thoughtworks.com.
Even though the user groups have very different sentiments about cookie consent, the bottom line is the same. On thoughtworks.com, we have seen that users would proceed without accepting optional cookies when given the option.
Based on this information, what would you prioritise? Gain consent at all costs to keep your rich web analytics or create a good user experience?
Beyond cookies, imagine replicating a typical web experience in a physical store. There would be a barrier to entering the store unless you accept cookies and provide your email address. There would also be a creepy salesperson looking over your basket to predict what you will cook tonight and tell you there are additional products you need to buy.
Creepy huh? We seem to allow for online experiences that we would never roll out in a physical store. A user that goes through such an experience will likely leave the store, and regardless of all the re-targeting in the world, they will never return. In the digital marketing world, we got lost in a sea of tactics, tools, and obsession over data while getting disconnected from what matters, creating a good user experience.
It’s important to remember that iconic brands were created before the era of cookies, when there was a lot less data. If we take a proactive approach, we can do effective marketing in a cookieless world.
To frame the discussion with my stakeholders, I highlighted two primary considerations we must balance; the users and the business. Under each, I called out five principles applicable to B2B and B2C readers.
Users considerations:
- Make good first impressions:
Instead of putting barriers to engage, take advantage of the first few seconds when a user lands on your site. Don’t be like the brand on the left that has about five different pop-ups, including cookie consent, and be more like the brand on the right, which places a more discrete consent pop-up without taking away from the brand’s experience.
2. Pull vs push strategy:
With the death of third-party cookies and lower optional cookie acceptance rates, marketers have more pressure than ever to collect email addresses early in the journey. But asking for someone’s details, such as an email address, too early might lead to the opposite outcome. At Thoughtworks, we decided to ungate most of our site content, as it’s a core value of our company. If users like the content, they can subscribe for updates. If users don’t find the content helpful, we don’t have much to do with these users’ details either.
3. Contextual value exchange:
Users might reject optional cookies when landing on a website because they don’t see the value. But this doesn’t mean it’s the final opportunity to enable cookies. There’s much to learn from the application world where apps like WhatsApp would ask a user to turn on location services at the moment when the user tries to share a location with a friend. Bringing this thinking back to the web and e-commerce, imagine a user that rejects optional cookies and starts adding items to their shopping cart. Why not display a message ‘Save basket for later — Accept Cookie’ so the site can anonymously save the basket for more than seven days.
4. Ask instead of guess
The last ten years of digital marketing have been about personalisation and prediction. But without optional cookies, it’s harder to do it for anonymous users. When a person walks into a physical shop, it’s normal for the seller to ask for the purpose of their visit. Ormond College in Australia has used a conversational interface to ask users why they visit the site. The content then changes according to the selection. For brands to do this effectively, you must be very clear on your segments and the expected user journey.
5. Give VIP segments a reason to log in
An excellent way to have more data on your customers is if they were to log in early in their journey. In B2C, it’s easier because many brands have loyalty programmes with inherent benefits that encourage logging in.
On the left, there’s the classic example of having to log into an airline’s website early to book a rewards flight. In B2B, it’s more tricky as there’s not always a clear incentive to log in. Gartner is an example of a B2B brand that created an events application where users can see their high volume of upcoming events and engage with exclusive research available through the app.
Now that we covered the five principles under the users’ considerations, it’s essential to balance this view with the business considerations.
Business considerations:
1. Vet vendors’ compliance claims
It’s not surprising that more than 26 new web analytics tools claim to be privacy-friendly and compliant with critical legislations like the GDPR. Philipp Temmel from Creativerly has summarised the latest privacy-friendly tools into a list. There are some exciting tools on this list; however, when I reviewed some of these with our data protection team, it became clear that there is a lot of greyness, and the blanket statements of compliance don’t quite live up to their promise. I will touch on some of the things we discovered over the following principles.
2. Beware of Browser Fingerprinting!
At a high level, Browser Fingerprinting is an alternative approach to cookies, which can accurately detect a user across websites, and devices. You might be familiar with this technology from banking and finance to detect fraud, where it’s used for good. Since the GDPR doesn’t call out Browser Fingerprinting in the way it calls out cookies, we now see some web analytics vendors engage in this practice to identify users. As browser fingerprinting processes personal information, it requires users’ consent under the GDPR. I suggest doing your due diligence if you consider purchasing a martech tool that uses this technology.
3. Data minimisation
It might sound obvious, but for us marketers, it’s a challenging concept to embrace, considering the last ten years have been all about data is the new oil, so we should get as much as we can of it. But with the GDPR listing data minimisation as a requirement, it’s an opportunity to review your current measurements and ask yourself how you might narrow the focus and improve the presentation of your reports with the metrics that matter to your business.
4. Look for trends instead of individuals’ data
The martech industry has been obsessed with the marketing of one and building rich customer profiles. Apple, a leader in data privacy, is taking a different approach. To create a better user experience and improve their products, they need to access sensitive usage data, like the information you type in text messages or Siri. This data is sensitive because if a few of these data points are combined, it can reveal a person’s identity. Even anonymising the information is not enough. When Netflix and IMDB released anonymised data sets, hackers successfully matched the data and determined a person’s identity. So Apple is using an advanced approach called differential privacy, which at a high level randomises the data locally on the user’s device before sending it to a server. The information is transmitted in a way that data points from the same user cannot be associated. Apple adds noise to the data so they can safely get to statistics and trends to guide their product roadmap without compromising the identity of their users. You might want to consider this approach if you deal with sensitive user data.
5. Trial a privacy-friendly web analytics tool
If your brand is in the same boat as Thoughtworks and lost a significant chunk of trackable traffic overnight, it might be worth investing in a privacy-friendly web analytics tool. These tools are not overly expensive. They are relatively simple to implement and should not add too much load to your site. I recommend trying this alongside your cookie-based platform, considering we see a lot of movement in the data and privacy space, so it’s better not to make drastic changes to your stack during this period of uncertainty. In addition, at Thoughtworks, we still have 25% of our users accepting optional cookies. This could be a very important segement, so having richer web analytics for this group could be precious for a business.
To summarise, these principles helped my team and I introduce the topic of marketing in a cookieless world to our stakeholders and create a workstream to address it. Remember to present the user and business considerations when discussing this topic with your stakeholders.
My final tip is don’t get caught with your hand in the cookie jar! Embrace the principles of marketing in a cookieless world so cookies will no longer be your problem.
