Guess What? Cookies Don’t Matter.
Cookies and the impending cookiepocalypse have been in the news for years now. But do you really know what a cookie is, or why so many digital marketers and data privacy advocates care about them? Read on to learn more about these topics, plus our “controversial” take on the matter.
First things first — what is a cookie?
In addition to being a sweet treat, the term cookie is also used to describe a small piece of data containing unique information that is created and stored within your device’s browsers or in local storage. A cookie’s main function is to collect and retain identifiers that link together data about you —where you’re located, what pages you visit, what you search for, and so on.
Companies can use the information stored in cookies to optimize website content based on your browsing history, recommend products you may be interested in purchasing using algorithms and data analysis, or simply to understand how you interact with the website so that development teams can prioritize bug fixes, new features, or enhancements.
There are two main types of cookies:
- Persistent cookies — these store data for convenient and expedient website experiences, such as login credentials, settings, preferences, and so on, and they expire after a set amount of time
- Non-Persistent / Session cookies — these are active as long as your browser is open and have no expiration date; once the browser is closed, they are automatically deleted
Sometimes you’ll hear about first party vs. third party cookies. This is also an important distinction to understand:
- First Party cookies — these are connected to a single website and can include things like login credentials, but are also used for convenience as you navigate around; for example, keeping a shopping cart full of the right items as you move from page to page, personalization based on your last visit, etc.
- Third Party cookies — these are connected more broadly and are used to collect and dispatch information about your activity across multiple websites; this is why you may see ads in your social media feed for specific products that you looked at on a retailer’s website
Many browsers are taking steps to discontinue support of third party cookies. This is already creating a greater dependence on first party cookies, and is a big part of why we at Data Sentinel feel so strongly about data quality.
But wait — why do we say that cookies don’t matter?
Cookies sound pretty important in the digital marketing world — so why is this article so dismissive of them? Simply put, cookies are absolutely meaningless if no one’s collecting, aggregating, or even looking at the data contained in them.
In other words, what we should really be talking about, especially in the context of consumer data privacy, are the technologies — tags and pixels — that access and use a website visitor’s cookie data.
Think of it this way: a cookie can contain all of the information in the world, but as long as it stays isolated to that cookie in your browser, there is almost zero cause for concern. However, if an analytics tag or a marketing pixel picks up that information and passes it into a database somewhere, that’s where you may find your data being accessed and used in a way that you don’t intend it to be. Many organizations have privacy policies that state that they do not collect certain data, such as personally identifiable information (PII). This policy is violated and consumer trust is broken every time a marketing technology accesses PII from a well-intentioned cookie and dispatches it into an analytics database.
Okay, so information contained in cookies can be accessed by marketing technologies — what does this mean for me?
Let’s explore a quick scenario. Imagine you’re in charge of data privacy for a major retailer. You’re tasked with ensuring that digital analytics are collected properly for 10 different MarTech vendors across your various web properties. You work with your legal team and your consent management platform (CMP) administrator to map out a cookie and tag categorization schema that assigns consent preference settings to each of the 10 marketing technologies on your site, and you synchronize those categories to each tag deployed within your tag management system (TMS).
Your CMP is deployed on every page of your site. Users see the cookie consent banner and are able to change their preferences. All is well in the world. Right? Well… Maybe not.
Here’s the problem: Most companies have no way to tell if the consent preferences set by the user are actually honored.
We’ve already established that the cookies alone aren’t the problem, so creating a category mapping and setting up your CMP are only the first steps in the process of managing consent. The marketing technologies deployed on the site need to abide by the preferences set by each user that outline how they consent to their data (which, as mentioned, can be accessed from cookies) to be used by your company. The rules outlining how marketing technologies should behave based on consent preferences are typically set in the TMS, aligning each pixel and tag to the categories configured in your CMP.
This is an extremely fragile process. What happens if a tag categorization is missed in the TMS? If a web development team deploys a tag or pixel natively on the site, bypassing the TMS? If a new developer joins the team and isn’t aware of the consent configuration process? If the governing rules are only set on a subset of pages? If page view tracking is controlled, but not event tracking? Your cookie consent management system is working as designed, website visitors think they’re all good, but a single mistake in any of these scenarios means that your users’ preferences are not being honored by the technologies deployed, and the data accessible in browser cookies can be erroneously sent out into the ether.
To make matters worse, it is possible that your tag implementation could be inadvertently sending PII (name, email address, IP address, etc.) from your users’ cookies into third party analytics systems where it should not be stored. Once discovered, this can be an extraordinarily costly exercise to remove — depending on the vendor, this could mean a six-figure professional services bill or the deletion of an entire report suite of data just to clear out the PII.
This sounds bad… but you don’t need to panic.
While neither of these situations is uncommon, Data Sentinel can help. Our technology is able to help you better understand and leverage a clean set of first party data, and check to make sure that 100% of your users’ consent preferences are honored.
Disclaimer: this blog post is in no way to be taken as legal advice. We’re technologists, not lawyers.