The Cookiepocolypse will end privacy on the web

Cookies days are numbered. Ignored by users, blocked by browsers, disliked by regulators. How will websites track users once the cookie has crumbled?

Almost every website you visit drops cookies onto your device so that your behaviour on the website can be tracked and analysed. Cookies enable the website analytics software to identify you, not by name but by IP address which on the internet is as good (better, in fact) as a name. Which pages you visit, how long you were on them, the buttons you click, all of it is tracked. Those cookies remain on your device after you leave the website so that ads can be served to you on other sites in an attempt to get you to return. Many people consider the way cookies are used to be an invasion of privacy, and this is leading to cookies no longer being a viable option for website analytics.

Under the Privacy and Electronic Communications Regulations, which are enforced by the ICO, websites are supposed to allow users to choose whether they accept cookies or not, and adhere to that choice. In fact, the majority of websites completely ignore the cookie selection made by their users and drop tracking cookies regardless of users clicking the accept button. They do this for a combination of reasons including the ICO not enforcing the regulation, technology from before the law came into force that hasn’t been replaced, and knowing that it’s the only way to track sufficient numbers of visitors.

Website visitors ignore the cookie banner. Only 11% of website visitors accept cookies. This means that any organisation that wishes to comply with the regulations, or treat its visitors with some respect and give them the choice of whether to be tracked, is going to find it impossible to understand user behaviour using cookies. That doesn’t sound like it should be a tough choice; adhering to the regulations and treating users with respect versus being able to report of website metrics, but people have different priorities.

And browsers are blocking cookies. Firefox blocks third-party tracking cookies and cryptomining by default and Google is to ‘phase out’ third-party cookies in Chrome, but not for two years. This move by the browser companies is being talked about as about achieving privacy for users, which might be the case for Firefox, but it isn’t for Google.

Regulators don’t like cookies, website visitors don’t like cookies, tech giants don’t like cookies, and in a sense, I think all for the same reason; they don’t have any control over them. Anyway, all of this means that using cookies as a technology for tracking users on a website doesn’t have a future. If your business relies on cookie technology to serve ads and bring customers to your website, you might be worried. If you are a media buying agency that offers advertising services, you might be worried. If you are a major provider of online ads and make billions of dollars a year from advertising, you might be worried. No longer using cookies to track users is going to have considerable impact on businesses and how every user experiences the web. This is why it has been called the cookiepocolypse.

Of course, humans have ingenuity. They find ways around these kinds of problems. 

Visit the New York Times website in a desktop browser and you’ll be presented with a cookie acceptance banner. Visit the New York Times website in a mobile browser and you’ll be asked to login using your google account. Signing-in to a website replaces the need for anonymous tracking using cookies, now the website knows who you are and can track the usage associated to your account. The signin was so easy, just a click of a button, you barely even noticed doing it. You didn’t set up an account in an explicit and obvious way as you might on other websites, but you now have an account with this website. 

We’re seeing it now, but in the future we will see far more websites force users to sign-in before they can read content on the site. It offers them a solution to be able to track users more than they currently can and without the need for third-party tracking cookies. 

This will have two major impacts on the web as we know it: Google will get more data about what we do on the internet, and websites will have to get much better at providing value. 

Google already knows loads about what you do on the internet and on your mobile if you have an android phone. If you don’t believe me go to My Activity and login to your Google account (of course). The reason Google knows so much about you is because you’re logged into your Google account for so many of the activities you do on the web. As you go from Google search results into a website that isn’t owned by Google, Google hopes that they can continue to track you with Google Analytics, which uses cookies dropped on your device by that website. That’s an imperfect way to track users because cookies are non-proprietary technology, which means other companies can also use cookies to track users, and that’s a problem for Google, no market dominance. 

That’s why Chrome isn’t going to start blocking for cookies for two years (around 2022), to give Google time to build up its capabilities in social login and convince businesses to use it to power Google Analytics. Google is in the business of tracking and understanding users. They don’t want internet usage to be private, they want it only available to them. They are using the end of cookies to drive users to login to websites using their Google account so that they can track their usage in third-party websites on an individual level as they do with their own websites.

Once websites have got used to, and got their users used to, using social logins, those that want to monetise their site will turn that login into a paywall where payment is taken as via the users Google Pay account, which of course Google will take a cut of, creating a new revenue stream for them.

The other impact is going to be on the websites that implement login to their site, whether it is enabled by Google or any other provider. These websites will become subject to the economics of information goods. They’ll need to be able to communicate the value of the content before they reveal it to their users, just as you can’t read an ebook until after you’ve bought it. Once users have accessed the webpage that information will become non-excludable, meaning that even though it’s behind a login or paywall, we should expect that other businesses will offer better ways for users to access it. 

Take my website for example, the one you’re reading this on. If you had to create an account before you could read this, would you really have bothered? All that extra time and effort, and more of your data going who knows where, just so you can read the ramblings of someone who late one night convinced himself he’d reached a sufficiently insightful understanding of how websites will track users when they can’t use cookies that he decided to write a blog post about it. Let’s be honest, we’re both surprised you’ve got this far.

If you run a charity website (which is my particular area of interest) there are some things you could try (I say try because there are no tried-and-tested solutions so these need to be viewed as experiments) as the Cookiepocolyse takes away your ability to track users. 

  1. Stop tracking users – Visitors to your website will have a slightly nicer experience because they won’t have another cookie banner to click, and you might be able to get some good PR from taking a stance of putting your users privacy ahead of the organisations need to track and report. There are lots of other ways to understand the experience visitors have of a website, including user research groups and surveys, which will provide a much deeper understanding than some unreliable analytics data.
  2. Only track those that allow it – If you are still tied to using cookies, and you’re going to adhere to the choices your visitors make, but you want to try to increase the number of people that allow themselves to be tracked on your website, then try turning tracking into a way to support the charity. Change the messaging on the cookie banner to something like, ‘We’d like to track your visit to our website today because it helps us show our funders that people need the work we do” (good luck with the legal team). Push the message that user’s data has value and that they can do good things with it.
  3. Create such high value that users will want to login – Make the login super easy (not a lengthy sign-up form to try to collect lots of information) and have tough discussions about the ethics of using social logins vs a means within your control, and then make it worth their while. Decide whether there are some parts of the site that don’t really need to be tracked and so can be outside the login-wall, and then work really hard to make sure that everything behind the login, whether its content to read or a service to be accessed, is worth so much more to them than having to login (and it won’t be every time they visit because those essential cookies will be used for what they were intended for).