Scroll to top
en de

Three types of cookies every marketer should know

Cookies have been a hot topic for quite some time. To get the obvious joke out of the way, I think you should know Macadamia White Chocolate, oatmeal raisin cookies and coconut macaroons. Back to business: A lot of technical background around how marketing and conversion tracking worked in the last decade was based on cookies. Cookies technically are text files that contain small amounts of data and are stored on client-side, that is within the users browser. The content of cookies can be determined by the provider and depending on how the cookie is set up it can either be only read by the site you are browsing on or by other companies. In order to understand the ongoing discussion around ITP, ETP and Google discontinuing support of third party cookies, here is a quick overview of the three types of cookies you should know:

First-party vs Third-party cookies

When a cookie is created, it receives a domain attribute of which domain set the cookie. You can easily check which cookies have been placed with a website when you press F12 or right-click and click on Inspect in your browser. You open the developer console and should see an overview similar to the one below, when you select “Application” in the top navigation

In our example after accepting cookies on wearekemb.com a number of cookies are dropped, parts of which state under Domain, that they have been set by .wearekemb.com (first-party, served by the domain you are visiting) while other cookies are served for example by .hubspot.com (third-party, from a different domain). A third-party cookie is kind of an access port to your data to other companies than the one you are visiting. The file (cookie) can be read by the issuer, so in this case Hubspot can receive information about your session from that cookie. EU privacy law requires websites to only deploy cookies when the user has given permission in order to prevent your data being delivered to other parties unwillingly. As a user you do not have a lot of control over what is stored in a cookie thus understanding the concept of first-party vs third-party cookies is essential. A lot of privacy features of browsers focusses a lot on third-party cookies as the main part of restrictions. For an overview of how each common browser currently treats cookies, you can regularly check under https://www.cookiestatus.com/

HTTP- vs “JavaScript”-Cookies

If we focus on first-party cookies there is another layer of differences. Depending on the implementation we differentiate between HTTP-only cookies and those that can be read out by javascript. The first ones are more secure in a way that really only the domain placing them can read out their content, where JavaScript cookies can be read by Javascript from third parties. In that regard you might check the list of cookies a few columns to the right

The last column in this example shows that cookie 2 and 6 are httpOnly whereas the others are not. Be aware that there are technical ways around the httpOnly limitation where third parties still can get access to the cookie’s content, for example by owning a subdomain of the page that is steering data towards another party. 

Session-only vs expiry date

Finally the third type of differentiation you should be aware of is the duration of the cookie. In the second screenshot above, you see in the second but last column an information that states either “session” or a date. This tells you how long the cookie “lasts” in your browser if you do not clean your cookies actively or have set up your browser to automatically clean out cookies when you fully close the window. Session cookies only last for as long as you visit that page, where as cookies with longer timeframe will aggregate data on your behaviour on that page (and maybe other pages if the owner of the cookie can match you across websites) over a period of time lending to retargeting, marketing attribution and other use cases. It needs to be mentioned that browsers such as Safari actively limit the time span a cookie can remain valid on browser-side, such as cleaning all cookies that are 7 days old.

We hope that overview helps you better understand the ongoing discussion on cookie restriction. As a marketer you should be aware of how that impacts your use cases and how the individual marketing platforms tackle the “loss of cookies” and their functionality that has basically already been ongoing for nearly two years and will see another level of urgency when Google Chrome drops third party cookies in 2022. Make sure you understand the implications on your steering and evaluation of campaigns. Also, be aware that a lot of what you can do hinges on users giving their consent. A properly optimized consent management leads to way more available information for marketing. If you need further input or want to discuss what measures you can take towards a future marketing setup, feel free to contact us. 

Related posts