1. Browser security basics
Picture this, you use a web browser to visit two different websites:
Each website is able to record a cookie in your browser in order to store information about your browsing session. Examples:
- Assign a pseudo-random user ID (aka Client ID), so that it can track the user activities on the website is coming from the same “user”, even if you are not logged-in. These are often called “tracking” cookies.
- Remember your logged-in session as you navigate the pages. These are often called “essential” cookies.
(Otherwise, how annoying would it be if every page that you navigate to, you have to log in again?)
Let’s visualize how the cookies are stored in the browser:
Because of browser security, mywebsite1.com can only read cookies created by mywebsite1.com (first party). Likewise, mywebsite2.com can only read cookies created by mywebsite2.com (first party).
As it is, there is no way for the two websites to share cookie information.
Unless…
2. Cross-site tracking
Unless the two website owners agree to work together and put some codes into both (or one of ) their websites.
Let’s look at some examples and their limitations.
Method 1: Accessing third-party cookies
1. You use a web browser to visit myshopping.com, a shopping website. The website assigns you a Client ID in the cookie, and it knows that you have viewed, say, a Lego Star Wars set.
2. You leave myshopping.com, and go to another unrelated website, myblog.com, to read some articles.
On its own, when your browser is on myblog.com, there is no way for it to read the cookie set by myshopping.com.
Unless there is a prior agreement that goes something like (greatly simplified):
So codes can be implemented on myblog.com website, these are often image tag (aka pixel) or iframe tag. Examples:
<img src="https://myshopping.com/a36fbsdrsd/track.gif">
<iframe src="https://myshopping.com/s4fgdl324sdf/track.html"></iframe>Now, even through your browser is on myblog.com:
myshopping.com (whose web assets are now embedded in myblog.com) can now access cookies created by myshopping.com.
In this context, the myshopping.com cookies are known as third-party cookies.
In essence, myshopping.com will be able to:
- Know that this user has previously visited myshopping.com and has viewed a Lego Star Wars set but did not purchase it
- Know that this user is currently looking at an article on myblog.com
- With additional codes, display an advertising message like “Buy the Lego Star Wars set now before it’s gone!”, to entice the user to click the message link back to myshopping.com and to complete the purchase
The limitations
In recent times, pretty much all browsers except Google Chrome have disabled the ability to access third-party cookies. So this method is no longer as effective as before.
Update: Google has previously mentioned that they would kill third-party cookies but they seemed to have reversed course. We are still monitoring this for more concrete details.
For the latest browser cookie security info, you may refer to cookiestatus.com
Method 2: Passing URL parameters
A simplified example:
1. You use your web browser and search for “Lego Star Wars” on google.com.
2. You click on a paid link, Google knows the keywords that you searched for and that you have clicked on a result link, Google can store this info into a cookie:
3. At the same time, Google can add this info onto the link that you click on, to be passed over to the target website. For example:
- Original link: https://myshopping.com/lego/lego-star-wars-12567
- Add the click info as a URL parameter: https://myshopping.com/lego/lego-star-wars-12567?gclid=adf34fg4hgf78
4. When your browser comes to myshopping.com page, an embedded Google code (Conversion Linker) can read the URL parameter and record it to a first-party cookie so that the value can persist throughout your browsing session.
Notice the cookie domain is myshopping.com, which is in first-party context.
5. When you subsequently make a purchase on myshopping.com, the embedded Google conversion tag can use this cookie info and attribute the sales back to the paid link that you originally clicked on.
Limitations
As browser makers continue to fight cross-site tracking, this URL-passing method is also targeted.
For example, Apple’s Intelligent Tracking Prevention (ITP) can intelligently detect that gclid is a tracking URL parameter and does not impact the core website functionality, it can then limit any cookies created by JavaScript on the landing webpage to only 24 hours lifespan, thus greatly limiting the long-term tracking ability.
3. New advertising technology proposals to replace cookies
As you hopefully understand now, cross-site tracking using pseudo-random user IDs stored in cookies is becoming less effective.
However, we also recognize how valuable it is for companies to be able to measure their marketing spend. We all have heard of this phrase coined by John Wanamaker:
Half the money I spend on advertising is wasted; the trouble is I don’t know which half.
That is why some tech giants have come up with or are working on new technologies to measure marketing attributions without using cookies. Let’s look at some solutions/proposals and their limitations.
Method: Send user-provided first-party info
If we can no longer rely on pseudo-random IDs, it stands to reason that the most reliable way is to use user-provided info such as:
- User email address (most reliable)
- User phone number
- User home address
It basically goes something like this:
This is precisely what Google Ads Enhanced Conversions and GA4 Enhanced Conversions do.
Limitations
User-provided info often comes from:
- Logged-in users (some websites do not have user sign up / login feature)
- Checkout forms
Which means this technology may only be used on a small percentage of your traffic.
Also, sending user info (though it is hashed) presents a privacy concern for most companies and will need some convincing in order for them to adopt this technology.
Method: Aggregated Attribution
As mentioned, it’s very valuable for companies to be able to understand and optimize their marketing spend. But how do we do this while maintaining a level of user privacy?
One idea is that, instead of having practically unlimited tracking values:
eg. track_id=<xxxxxxxxxxxxxxxxxxxxxxxxx>
(you can track anything, down to the individual users and their activities, eg. viewed a particular product)
We limit the number of tracking values:
eg. track_id=<can only be value 0 to 255>
That means, you would have to carefully plan out the tracking values. For example:
- 1 = Signed up as a member
- 2 = Made a purchase
- 3 = Added any product to shopping cart
- 4 = Added a Toy category product to shopping cart
- 5 = Added a Clothing category product to shopping cart
- 6 = Added a Kitchen category product to shopping cart
And so on.
The point is that, by doing so, it greatly reduces the ability to track individual users. Rather, the tracking and attribution is based on aggregated values that can represent user interests or intentions.
This is the general idea behind technology proposals such as:
Limitations
- Many of these technologies are basically proposals and not “standards”. It takes a lot of convincing for the whole industry (companies, ad partners, attribution platforms, etc.) to adopt (one of?) the technologies as standard.
- Adopting the technologies requires a lot of resources. Eg. work with ad partners to plan out the tracking values, implement the tracking mechanism on the websites and apps.
These are the big reasons why we haven’t seen a massive adoption by the whole industry yet.
Although, in the iOS ecosystem, SKAdNetwork has seen a steady growth of adoption. This is mainly because Apple has full control over iOS.
4. The future
We were heading towards a (third-party) cookieless world until Google decided that they weren’t going to kill third-party cookies after all. From the blog post, it seems like Google will:
- Continue to allow access to third-party cookies in Google Chrome while developing a new on-browser method for users to opt in or out
- Continue to push for adoption of Privacy Sandbox
That means an “industry standard” tracking mechanism now seems even more far-fetched than before.
Currently, there is no concrete answer to what long-term strategy companies should adopt in terms of attribution technologies. We can only advise that we “get our feet wet” by trying out technologies that do not take up a lot of resources such as Google Enhanced Conversions, and then monitor the conversion data recovery rate.
Sparkline aims to provide data accuracy, comprehension and consolidation, and most importantly, tangible insights for businesses. Get in touch if you’d like to find out more.
