Tougher measures on how people’s data is used to track advertising are coming. That means more acute scrutiny of the use of cookies — the prime method of ad tracking.

For all the advertising industry’s gesticulation about the cookie’s demise and the rise of people-based audience planning that is ID- rather than cookie-based, online advertising still relies heavily on cookies for tracking.

The laws on cookie use are likely to get much tighter due to the new ePrivacy law, so it’s worth brushing up on what each cookie type does and, more important, which will be acceptable under the new law if it’s passed.

To give a rough idea of how much websites rely on cookie data, we’ve selected some of the biggest U.K. publishers and checked how many third-party cookies they’ll need explicit consent to use if the ePrivacy law redraft passes, which appears likely. The Daily Mail has 19,136 third-party cookies on its site, and The Telegraph has 14,025, according to data from Cookiepedia.

Source of data: Cookiepedia

Here’s a guide to the most common cookie types:

First-party cookie
First-party cookies are dropped by the publisher or website owner when a user visits their own site. If an individual visits a specific publisher’s website to read the news, for example, that publisher will drop a cookie. This helps with defining user experience. British Airways uses cookies to remember things like a user’s chosen language and country so it can present relevant content and their selected departure airports — all to make the user experience more seamless. Most publishers and website owners monitor website traffic via external vendors such as Google Analytics. Those still count as first-party cookies because they are monitoring visitors to the publisher’s own site. Publishers and marketers are likely to have to gain explicit consent from users for dropping first-party cookies under the new ePrivacy law.

Third-party cookie
Third-party cookies are used for all ad retargeting and behavioral advertising. By adding tags to a page, advertisers can track a user or their device across different websites. That helps build a profile of the user based on their habits, so messages can be better targeted to their interests. This kind of cookie will likely be the most under fire under the new ePrivacy law because those setting the regulation view them as an invasion of privacy. Bad practices like cookie bombing, incessant retargeting and other spray-and-pray approaches used and abused throughout the years in marketing haven’t helped their reputation with lawmakers in Brussels. It’ll also be harder to gain consent for these cookies, given the use of third-party data is more difficult to police than first-party data due to the digital ad supply chain’s complexity.

Session cookie
These cookies allow websites to link the actions of a user during a browser session. They’re only stored temporarily in a browser’s memory, so once a user closes their browser, the cookie disappears. That’s why session cookies are considered less intrusive than persistent cookies. Session cookies are used for website logins, storing an individual’s login credentials every time they visit a particular site. Websites also use session cookies for important site functions like ensuring fast page loads. Explicit consent shouldn’t be required to use these under the new cookie law.

Persistent cookie
As their name implies, these cookies stick around longer on your computer. The website or developer that creates them usually gives them an expiration date, which can be anything from a few seconds up to 20 years. The best way to check for a persistent cookie: Log in to a website, then restart your computer and return to the same website. If you’re still logged in, the site is likely using a persistent cookie to remember you. They’re most commonly used for web analytics — to track visitor behavior while on site. Publishers typically use that data to understand what people prefer so they can adapt and improve user experience.

Secure cookie
Not everyone will need this kind of cookie, but it’s an ultra-safe way to store information. Secure cookies are only transmitted via HTTPS, ensuring the data within the cookie is encrypted as it passes between the website and browser. They’re typically found on the checkout pages of online shopping websites. Any site with e-commerce services that remembers credit and debit card details will usually be secure. Consent shouldn’t be needed to use these cookies under the new ePrivacy law. Consent also shouldn’t be required for any cookie that provides security for an online service, like online banking.

  • LinkedIn Icon