A Beginner’s Guide to Cookies: Its Origin, Types, Uses and Future in Digital Marketing

Cookies are small pieces of text that a web server generates and sends to the web browser for purposes like authentication, tracking and so on. The browser then stores the cookies for a specified amount of time. The next time you request the same site, the relevant cookies will be attached again, and the site will know that you have been here before and give you suggestions based on your previous actions on the site. Cookies have for a long time been a friend of digital marketers but not to the users since they encroach upon the privacy of the users. 

Why are Cookies Important for Digital Marketing? 

Cookies are responsible for collecting user data and behaviour like interests, buying habits and so on. Cookies basically perform the role of market surveys, but are much more specific to individual behaviour and are consequently a security concern. Nonetheless, digital marketing still relies on cookies to maximise conversion. The data collected by cookies is fundamental in two arenas:

• Targeted advertising and personalised ads
• Performance measurement. 

GA4 Cookies, Google Analytics and Google Ads

GA4 Javascript tags (client side, read on to understand the difference between client side and server side cookies) use first party cookies to track unique sessions from a single user and send the information to google analytics. There are two kinds of cookies that this tag can set:

• _ga 

Distinguishes users

• _ga_<container-id> 

Used to persist session state 

These cookies are deleted by chrome in 400 days, if the user does not return and in 7 days by Safari. 

When google analytics is linked to google ads additional cookies are set from different domains like google.com, doubleclick.net, googlesyndication.com, or googleadservices.com, or the domain of Google’s partners’ sites. 

Google ads and google analytics have historically relied on third party cookies to assess its client’s performance on the web and to show personalised ads; however, considering the loss of privacy of the users, Chrome has gradually begun to phase out third party cookies completely.  Google Sandbox, a suite of APIs, supports the use of advertising without using cross-site tracking.  Firefox and Safari had restricted third party cookies completely. 

Digital marketers today should focus on creating campaigns that will work in a cookieless environment because that is the future. AI is effectively taking over the functions that were performed by cookies and proving to be much more efficient.

A Computer Lesson at a Restaurant: Understanding How Cookies Work  

Don’t worry if you have forgotten your class 10 computer lessons and cannot recall what in the name of God are web servers and web browsers. I got you! The internet is best explained using restaurant analogies.

Let us set a scene…

You go to a restaurant, what is the first thing you do? You choose a table. Similarly when you are seeking something on the internet you first choose your browser, Chrome, Edge, Opera and so on. After sitting down you open the menu and you…browse, in the computer world you type in your request and look at the results. When you are done choosing, you click/order and the server shows up with your food. Therefore, the web browser helps you browse through the internet and the server, the harbinger of food, the hoster of websites, shows up with what you have requested.  

If you are a regular at this website, the server may already know what you want or what kind of food you are looking for and offer you suggestions. This is what most if not all cookies do, they remember you and sometimes even offer to help you. 

In the Beginning There Was Flour: How Cookies Came into Being. 

Lou Montulli, a 23 year old computer programmer used cookies in web communications for the first time in June 1994. At the time Montulli was the founding engineer at Netscape Communications, an independent computer services corporation in California. Netscape was engaged in developing an e-commerce application for MCI.inc a vastly successful telecommunications company of the US. 

MCI.Inc requested something from Netscape which forever changed the position of the user on the internet. MCI did not want to retain the information of a half done transaction on their server and asked Netscape if there was a way to have this information stored on the user’s browser itself and voila emerged the cookie! Its first function was to let the user add something to a virtual shopping cart. 

Every time you open your cart, imagine a smol cookie taking its first step. Now it is all grown up and has proven to be a very morally gray character and quite the tool of late stage capitalism. 

Dramatis Personae: The Various Types of Cookies 

Server side and Client Side Cookies

Server side cookies – refers to the cookies that are managed and created using server side programming languages like Python, PHP, NodeJS. 

Client Side cookies –  refer to the cookies that are managed and created by client side programming languages such as JavaScript. 

Safari restricts third party cookies completely and a first party cookie is deleted within 7 days, if the cookie is programmed using client-side programming language like JavaScript. However, if the server itself sends a first party cookie, Safari will not delete it and it will expire only when it is programmed to. This makes server side cookies more effective than client side.

Third Party Cookie 

A cookie belongs to a domain. A third party cookie, as the name suggests is a cookie that does not belong to the domain you are visiting but a third domain that wishes to track your actions on the web. When the cookie belongs to the domain you are visiting it is called a first party cookie. 

This is where cookies get tricky, at times you may not be aware that you are being tracked by a cookie. Desperate digital marketers have been known to use third party cookies without the consent of the user to push ads. Here is how it works:

• A user accesses a website that has a cookie based ad.
• An embedded script, also known as “tracking pixel” collects the user specific browser ID tag (which the cookie itself generates).
• The tracking pixel then sends this information to the advertiser’s server. 
• The advertising agency is thus able to generate a sort of dossier that contains the user’s information. Primarily their shopping and searching habits.
• They use this information to showcase personalised ads to the users. 

Session Cookies 

Session cookies track a user’s behaviour only while they are visiting the website to which the cookie belongs. The cookies stop tracking once the user exits the website or logs out of their account. These cookies, unlike persistent cookies, do not have an expiration date, which tells the browser that they should be deleted once the session is complete. Session cookies are usually used by e-commerce sites, when you log in, the cookie sends your user tag to the server and the server remembers what you were up to the last time you were here and updates your page accordingly. 

Persistent Cookies

These cookies have a predetermined expiration date and remain in the user’s browser until they expire. They also pose a security threat because the users are usually unaware of how long they remain in their browser and what behaviour they are programmed to track. 

Authentication Cookies 

Authentication cookies are generated when a user logs into an account. They are responsible for managing user sessions. This is how they work:

• You log in by putting in your username and password.
• If your password is right, the server generates a unique identifier, a sort of secret code and it stores your information on the server under this identifier. 
• The server sends your browser a cookie which it saves.
• Every time you switch to a different page of the same website, your browser sends this cookie back to the server.
• The server recognises you and shows you your account information on every page and not anyone else’s. 

Tracking Cookies 

These cookies are generated by tracking services. They track the user’s activities and the browser sends it to the tracking service. Every time a user opens a website that makes use of the tracking service, they get notified of the user’s activities. 

Secure Cookie

These cookies can only be sent across through an encrypted connection (https). This protects the cookie from being stolen. 

Http-only Cookie

These cookies cannot be accessed by client-side APIs (like JavaScript), this mitigates the risk of cross site scripting (XSS). Cross site scripting refers to the process in which an attacker injects malicious code into a website’s JavaScript which enables them to steal your cookie and impersonate you on the internet.  

However, the http-only cookie is vulnerable to:

• Cross site tracking (XST) – When a cookie follows you around as you visit sites on the internet, collecting information about your interests and buying habits, sometimes even sensitive information like passwords and user ids. 
• Cross site request forgery (CSRF) – This is when a cookie makes a request to a website you are already logged on to, pretending to be you.  

Same-Site Cookie

A same site cookie refers to a cookie that belongs to the website you are currently on. Say you are on a news site and there is a cookie from the same site asking you to like something. Oppositionally,  you may have often noticed that a like button from another website, say facebook, sometimes shows up while you are visiting a page that does not belong to facebook. This is an example of a cross site cookie. 

There are three options for same site cookies:

SameSite=Strict

This attribute makes sure that a cookie is sent to your browser only when you are on the main website to which the cookie belongs. For example: When the cookie belongs to onlinebanking.in and you are on the website, the cookie gets sent, but when you are on another website, say istealyourstuff.com and it tries to make a request to onlinebanking.in the cookie is not sent. 

SameSite=Lax

Sent during normal navigation, that is, when you click on onlinebanking.in its cookie is sent to you. But if another website tries to submit a form to onlinebanking.in it is restricted. When a hidden iframe tries to access onlinebanking.com, the cookie is again not sent. 

SameSite=None

The cookie is sent anywhere. This is required for cross-site features like embedded videos, social media buttons and so on. 

Conclusion 

Cookies have traditionally been instrumental in digital marketing. They have been extensively used and misused. The gravity of its misuse far outweighs its advantages, and that is why we are gradually moving to a cookieless internet space where zero party data is collected. A feature of Chrome’s cookie deprecation policy is Google sandboxes’ Topics API which enables interest based advertising without tracking specific websites visited. A lion’s share of the functions of cookies will eventually be performed by AI. Keep an eye out on this page for our upcoming article on AI as the replacement of cookies in digital marketing.

FAQ’s