Planning for when the cookie crumbles.

Related Articles


Why Mail Privacy Protection is increasing the importance of UTM tracking


Google to sunset Universal Analytics. Act Now!


Planning for when the cookie crumbles.

There is a lot of scaremongering taking place about the removal of third party cookies and how this will in turn destroy a brand’s ability to advertise efficiently or attribute accurately.

That type of editorial is attention seeking, designed for commercial gain. We’d rather take a more helpful approach via this article, giving you an informative guide that’ll tell you what is taking place, how it fits within a broader direction of travel for our industry and what you can do to prepare.


We’d normally avoid a history lesson, however in this instance it’s important to see what is happening within the context of a broader direction of travel that we’ve been journeying along for some time. 

For the last 25 years, digital advertising technology has been underpinned by persistent storage, like cookies, which are used to store identifiers as you navigate the web. The likes of Google and Facebook take these identifiers and, with the assistance of marketers and data brokers, build customer profiles by enriching them with a vast array of attributes such as geographic location, interests, and purchase behaviour. These profiles are then combined into groups that share similar attributes and sold to advertisers in the form of audiences, creating the multi-billion pound industry we know today.

However, as consumers become increasingly enlightened, they rightfully demand greater control over what is collected, who it is shared with, and how it is used. This consumer pressure has resulted in legislative and technological changes that have modified the digital advertising landscape and will continue to shape it for many years to come.

The current headline news you will have heard is that third-party cookies are on their way out, with Google announcing that they will be gone from their Chrome browser in 2022. In many regards, Google is behind the curve. Browsers like Safari and Brave have been leading the charge towards a more privacy-centric browsing experience for many years now. However, it is important to understand that the deprecation of third-party cookies is only a fraction of the broader technological changes that will impact advertisers. By looking beyond the immediate technical changes, and instead evaluating the broader direction of travel, we feel marketers will be better prepared to anticipate and benefit from the changes that are to come.

Landmark moments on this journey

This is not new, it’s been an evolving picture for several years. Knowing some of the technical changes, and how advertising technology has worked through it, will help you prepare for the future. Here’s some landmark moments:

Intelligent Tracking Prevention (Safari)

Since June 2017, Webkit browsers, which includes Apple’s Safari, all iOS browsers, BlackBerry Browser, and Amazon Kindle, have included Intelligent Tracking Prevention (ITP). In its first iteration, ITP modified the behaviour of third-party cookies to greatly limit the timeframe and circumstances within which they could be used for tracking purposes. AdTech vendors fought back and started using ‘link decoration’, the process of passing identifiers via the URL and then using them to create first-party cookies which weren’t subject to the same restrictions. ITP responded by limiting the lifetime of any first-party cookie created by link decoration to only 24 hours. This inevitably led to a game of cat-and-mouse as advertisers continually evaded ITP by using alternative methods to transfer and store data between websites.

Fast forward to today and you’ll see the scope of ITP goes far beyond just third-party cookies. As of version 2.3, ITP will limit or prevent third-party cookies, first-party cookies, link decoration, referrer decoration, localStorage, IndexedDB, and CNAME cloaking, to name a few. To add even more complexity to the situation, all major browsers have now introduced some form of tracking prevention, each with their own nuances and implications.

To better learn about the purpose and motivations of ITP, and why we’ll continue to see updates, you only need to read their Tracking Prevention Policy.

iOS 14

Changes to the ways in which we identify users aren’t just limited to the web. In 2020 Apple announced that their latest mobile operating system, iOS14, would require apps to request permission to access the IDFA (Identifier for Advertisers). This was later delayed until early 2021 to give mobile advertisers and publishers more time to prepare.

The IDFA has been fundamental to the way in which most mobile app advertising is served and measured on Apple devices. It’s an anonymous identifier unique to each phone that can be accessed by apps and advertisers. Each time an ad is viewed or clicked, or every time a user completes an in-app conversion, it’s the IDFA that lets us know which user to attribute that action to.

In its place, Apple has proposed the SKAdNetwork, which aims to balance the measurement needs of advertisers with the data controls needed by consumers. The SKAdNetwork still allows advertisers to send in-app conversion data, but removes any user or device-specific data and takes steps to prevent advertisers from trying to circumvent this anonymity.

Going even further, the iOS14 update also requires apps to request permission via the App Tracking Transparency Framework before using any alternative identifier, such as a hashed email address. This means that even apps that have extensive first-party data will need to request permission before it can be used for any kind of tracking or advertising.

Although this update is significant, it’s not entirely new. iOS users have had the option to limit ad tracking across all apps since iOS6 was launched in 2012. The key difference we are seeing in 2021 is that this setting is now configured per app and defaults to being enabled, therefore requiring each app to explicitly request permission from the user. It’s estimated that roughly 20% of iOS users already have the limit ad tracking feature enabled, so while we will likely see a further decrease in our ability to use IDFA to measure in-app activity on iOS devices, advertisers have already been contending with this for many years.


Google announced in January 2020 that they would be deprecating all third-party cookies from their Chrome browser in 2022. While they certainly were not the first to announce such changes, Google’s is particularly notable because of their vested interest in protecting advertising revenue that is largely enabled by third-party cookies.

Needless to say, Google is working on effective alternatives to the third-party cookie, while balancing the privacy needs of their users. Their most notable initiative is named the ‘Privacy Sandbox’, and although many of the details are currently unknown, the general aim is to carry out collection and processing of user data in the browser, rather than sending it to a third-party.

Google is seeking feedback and collaboration from leading industry bodies, including the World Wide Web Consortium. Their aim is likely to create the new de facto standard for ad tech in the browser, and ultimately have it adopted by all major browsers. However, their success is far from guaranteed. The UK Competition and Markets Authority has already launched an investigation into whether the Privacy Sandbox proposal could be anticompetitive, and there are several other competing proposals such as Unified ID 2.0, each hoping to become the adopted standard.

As we went to publish this article Google confirmed their commitment to the Privacy Sandbox and stated that other initiatives planning to use email address based identifiers “aren’t a sustainable long-term investment”, and went even further to say that “once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.”. If email-based identifiers were to be restricted in future, it could certainly be a blow to Facebook’s most viable method of identifying users off-site.


Along with the Cambridge Analytica scandal, The General Data Protection Regulation was the catalyst that brought online privacy to mainstream attention when it came into force in May 2018. For millions of internet users in Europe, it meant that any website collecting data and setting cookies would first need to collect explicit consent.

Since its launch, more than €260M of fines have been issued, the largest of which (€50M) was issued to Google for failing to sufficiently inform users to the extent of data processing, and for failing to collect consent in a specific and unambiguous way.

Despite the strong regulation, strict penalties, and increased public awareness, it’s hard to call GDPR a resounding success. End users are now inundated with pop ups seeking permission to set cookies and process data, sometimes deploying deceptive UX patterns to coerce consent.

Annoying pop ups might be an acceptable price to pay for online privacy if it actually worked. The unfortunate reality is that many websites still set the same cookies and send the same data to third-parties regardless of what consent preferences a user sets. In our experience, this failure is not malicious and is instead often due to a misunderstanding of how consent management tools work, and a lack of technical expertise to effectively integrate them with advertising technology. If you’re curious to see what some of your favourite websites are up to, tools like provide a quick way to check which cookies and tracking are used on a website without consent.

While GDPR has been effective at bringing digital privacy issues to mainstream attention, it’s clear that relying on organisations to implement their own technical solutions that adhere to GDPR is not wholly effective. For this reason, we feel it’s appropriate and necessary for browsers to implement technologies, such as ITP or the Privacy Sandbox, to limit the unauthorised exfiltration of personal data.

Let’s start with what will not be affected

The walled gardens of search engines and social media platforms are relatively insulated from these changes, and the coming changes will likely strengthen their positions. They can operate on 1st party data gathered within their own platforms and have the benefit of being able to tie information to accounts used to log in to their platforms. 

The common challenge that affects these platforms is tracking and reporting on activity that happens outside of their ecosystem. But for now, with tracking pixels able to use 1st party cookies, and the ability to pass hashed user data through conversion APIs, marketers are relatively safe in this area too.

So what will change?

Advertising on search engines

Although the primary factor in paid search targeting is the words (keywords) that a consumer types into the search engine, and therefore intent, marketers also overlay audiences to improve targeting and performance. These come in two forms. 

Firstly, the platforms proprietary audiences (Google’s custom affinity and in-market segments for example), and secondly, the advertisers audiences imported from Google Analytics or tracking pixels (for segments like website visitors and past converters).

In general, Google’s proprietary audiences are based on data captured within their ecosystem (Google search) and used within their own platforms (Google Ads), and therefore will still be available after the removal of 3rd party cookies.

Audiences imported from Analytics, and those built using Google Ads conversion pixels, use a combination of 1st party and 3rd party cookies. Because of this, we believe that there will be some disruption to how we currently match a user to a remarketing audience when they are carrying out a search. 

Recent technology such as Google’s privacy sandbox, and specifically their TURTLEDOVE and FLEDGE proposals, are being developed to allow remarketing to be carried out in a privacy safe way. The documentation for FLEDGE states “We need a robust API to take flight before Chrome’s expected removal of third-party cookies in 2022”. So we expect remarketing to continue to be possible, but the technology powering the identification and targeting will be different.

Social media advertising

Platforms like Facebook have a huge amount of data on the actions consumers take within their platform, including the posts you interact with, the pages and accounts you follow, the videos you watch and the messages you send. These platforms use this data to build interest segments for targeting via their advertising platforms. 

However, to supplement this information, they also track consumer activity across the web when you visit sites that contain the Facebook Pixel or the ‘like’ button, for example. What pages you visit and therefore your interests, are sent back to platforms to help categorise you into interest groups.

This process is very opaque and the end user is often oblivious. This is why the changes to ITP in Safari, detailed earlier, sought to block this activity, and continues to do so. Moving forward, this data is likely to become harder to harvest and social platforms may have to rely on data captured within their own ecosystem to build their interest groups.

The other challenge these platforms face is attributing conversion data to a campaign. Again, this was historically the job of third party cookies, but various workarounds have already been developed to avoid this becoming an issue. Using tracking pixels and conversion APIs to send hashed user data back to the platforms, to match users based on things like names and email addresses, rather than IDs, are good examples of this.

The biggest challenge social platforms currently face is the implementation of the App Tracking Transparency Framework in iOS14 and the use of IDFAs to identify devices. 

If your brand has an app that you advertise, there are much greater implications that require more extensive reading and will affect your ability to promote and report on app campaign performance. 

However, even if your brand doesn’t have an app, there is still a knock on effect for those wishing to target users on Apple devices. In short, users who opt out of tracking will not be targettable using remarketing audiences and will not be included when building lookalike audiences, as both of these processes require the IDFA. Those who opt in to tracking and those on other devices (android devices for example), will not be affected. For reference, as of December 2020 51% of the mobile operating system market is on iOS.


When looking at marketing channels, programmatic display is the area that has the most reliance on cookies to power its infrastructure. 

Unlike the walled gardens of search engines and social media, display ads on publisher sites do not have an established ecosystem that sits under a single domain, with a single login, for capturing vast amounts of user data. The activity advertisers need to track for targeting and attribution is carried out across millions of publisher sites, that all need to share data with ad tech platforms to identify a person as they move around the web. This is done using third party cookies.

When third party cookies are turned off in Chrome, the display ecosystem will lose the identifier it uses to join the dots. This requires a complete overhaul of how we identify users, segment audiences for targeting, and report on performance. But this isn’t a surprise and this day has been coming for a long time. 

Ad tech businesses have been developing and proposing solutions to replace the third party cookie for some time now, with the likes of Google proposing FLOC and The Trade Desk proposing their Unified ID. However with Google’s recent announcement that they will block technology that replaces cookies with another individually identifiable process, it seems clear that the future of tracking and identification won’t be on a one to one level. Reporting and targeting will still be possible, but individual users will be hidden within larger cohorts. This will allow for performance reporting, and to target relevant users with a campaign, but only through targeting larger anonymised segments, that stop short of identifying an individual.

A focus on 1st party data capture is also building momentum, with publishers looking for other ways to identify users without the need for cookies, causing a rise in “free walled” sites, requiring a login and for users to hand over their email addresses to access content. 

Email addresses and the requirement to “log in” will always be a strong identifier. The publishers that offer content that compels consumers to share 1st party data and then offer it to advertisers in a technically elegant manner will win out when advertisers are looking to reach an engaged and relevant audience.


This is not a new story. It’s an evolving story, with a clear direction, meaning all marketers should evaluate the impact on their activity and plan accordingly.

The opaque behaviour of some marketing platforms has gained increased scrutiny over recent years, with consumers becoming more savvy about the value of their personal data and the tactics being used by advertising technology to profit from it. 

With governments, browsers and operating systems siding with consumers by helping them control the flow of their personal data, we’re likely to see a reduction in the amount of individually identifiable users within our targeting segments.

Some marketers will take a “wait and see” attitude, allowing events to unfold before fully understanding what will not be possible when third party cookies are finally banished.

This is not an advisable path.

No marketer should wait until the cliff edge to tell their business about a drop in the ability to target users, why they are diversifying tactics, or even worse – why attribution and therefore results appear to have dropped.

Your next steps

Here’s some simple steps we advise you take over the coming weeks and months to ensure there are no nasty surprises:

  1. Audit your marketing activity to see where this will impact you
  2. Audit your attribution to see where this will impact you
  3. Decide upon a plan that is needed based around what we know will happen
  4. Create some scenario plans for the less predictable elements

We’re here if you need help

We’ve got super talented Analytics and Media teams, who are lovely people too, and are ready to help you with one or all of the aforementioned steps, either as an outsourced full service or as a consultant to your in-house teams.