The changing role of Cookies

The changing role of CookiesA dark art?

In the world of relevant, personalised, data-driven marketing, cookies play a critical role in serving the right content to the right consumer, at the right time, in the right context.   But as SCHEMA® benchmarking shows, often marketers neither fully understand how cookies work nor have fully considered the role, benefits and limitations of using cookies to enhance the consumers’ experience with them.  And few understand what will replace cookies in the future to allow better targeting.  In this article, we demystify how cookies are used now – and predict how they will evolve in future.

How do they work?

A cookie is a piece of computer code, which is tagged to a unique device (e.g. PC, phone, tablet, TV) which stores certain information about the browsing habits of the user of that device.  When a web server reads the cookies it previously placed on the device, it can help users log in more quickly by remembering their details, deliver content (say a customised page layout) tailored specifically to them, send them a prompt after they have visited the site and/or report information about them and their browsing habits back to the site owner or third party company (e.g. an ad network, ad exchange, demand or sell side platforms).

Types of Cookie

The two parameters defining different cookies are ‘persistence’ (how long it stays on the device) and the amount (and type) of data it contains.  There are a number of different types of cookie, from the basic tracking pixel which sends consumer information (such as a page visit) to the site owner or third party network – through to the EverCookie which has powers to survive deletion, propagate to other sites, and actively track behaviour in the background.

In between these two extremes are other types of cookie which can either store different amounts of ‘consumer’ information or can persist when users close a browser (firing up when the user opens the browser again) or until deliberately deleted by the user.  A simple tracking cookie can hold about 4kb of information, a flash cookie can store 100kb and an ‘HTML5 local storage’ cookie can store a whopping 5MB.

The persistence of some of these cookies, and the data they can store, will be impacted by the upcoming Global Data Protection Regulations (GDPR).  Falling foul of GDPR could result in a prison sentence for the nominated ‘data governor’ and/or a fine of up to 4% of global revenue – so understanding the cookies you use and the protections you offer consumers will become essential.

Applications of Cookies

‘Retargeting’ is what most consumers think of when they hear the term cookie, that is, the ability to send follow-up messages to users who have previously shown interest in a product.   Retargeting can be very effective, but is often misused with frequent, irritating messages popping up on websites or social media long after the search event.  So much for relevant, personal content!

But there is more to cookies than retargeting.

Cookie profiling is the use of persistent or permanent cookies to track a user’s overall activity online.  This tracking does not just happen when a consumer is accessing a particular site, it occurs the whole time they are browsing.  Data collected (e.g. type of content, time of day, location, device) can be used in understanding detailed behaviours and attitudes, likes and dislikes.  For instance, it will help tag users (of devices, not specific consumers at this stage) in a multitude of ways such as age, active sports person, armchair sports fan, parent of young boy or girl, gender, sexual / religious / political / club / brand affinities, holiday interests, financial competence.  This list of tags is endless.  Some tags can be spookily accurate.  Some of them can be embarrassingly inaccurate.

Cookie profiling is often carried out by marketers who buy advertising rights on thousands of popular websites in order to collect and collate cookie information and create a single “profile” of a device and through matching (see below) all devices of a user. 

Do cookies work?

Behavioural advertising based on cookie profiling presents targeted communications to consumers using the information collected about their browsing behaviour.  Data accuracy will vary of course, but with cookie-informed behavioural profiles from reputable suppliers, more relevant targeting is possible, leading to improved relevance, engagement and results.  Hubspot has found that personalised content performed 42% better than standard content[1] and according to a significant survey by the Network Advertising Initiative, targeted advertisements based on user behaviour converted almost 2.5x better than non-targeted ads.[2] In addition, because targeted advertising can result in fewer digital ad serves, media cost can be reduced.  Tests we have done recently with a large consumer packaged goods client resulted in 20-43% lower media costs (the % depended on the specific campaign) for the same results.  So, better conversions and lower media cost, if you get it right. 


Apart from data protection regulations, which will limit cookie use and application, there are three other major limitations.

  1. Misleading information from one device: One device, a home PC for instance, may be used by multiple people accessing very different content; an individual may be searching for something on a one-off basis; they may have already bought the product and not be looking anymore; the searching may be aspirational (i.e. the consumer could never afford the product) – so profiling based on online behaviour may be inaccurate.  Testing can show which tags and data suppliers are most reliable, and which aren’t.
  2. A customer uses more than one device. Many of us use multiple devices; laptop, work PC, mobile, tablet.   Cookies are associated with a single device and a single browser. One individual could have multiple cookies if they use multiple devices and/or browsers.  
  3. Not so good on mobiles: Cookies and tags were invented for browser based technology in the mid-1990’s and they don’t work well in today’s mobile-first, super-connected world.  Whilst cookies exist on mobile, they are unreliable in the mobile web browser (they reset every time users close the browser) and Apple’s Safari browser blocks 3rd party cookies (i.e. only a brand’s own 1st party cookies are accessible).  Cookies in-app can’t be shared across apps (building a deeper profile), rendering them essentially useless, yet 86% of mobile consumers spend their time within apps.  Considering over 50% of searches are carried out via mobile devices[3] this is a significant and growing limitation.

Matching multiple devices to one user

In an attempt to overcome one of these limitations, marketers have tried to link cookie data across devices used by the same user and, if permissions allow, to match the cookie data with known consumer data (personal identifiable information or PII).  To do this, two techniques are used; deterministic and probabilistic matching.

Deterministic matching links cookie data to a known user.  Generally, the matching data field is ‘email id’, used to log into sites from multiple devices (think Facebook, Google, Amazon, Twitter, AOL – all provide a ‘log in using…’ option, so they can collect data against the email id).  The deterministic method relies on PII to make device matches when a person uses the same email address to log into an app and a website, thereby creating cross-device linkage.  This technique requires lots of data in order to be effective, so it’s mostly reserved for giant portals like Facebook, Twitter, Google and Apple, all of which have enormous user bases and maintain mobile and desktop properties that require logins.
Advertisers and publishers can use this unique identifier to target consumers on multiple screens with precision.  But even the best deterministic approaches are subject to imprecision; matching may be inaccurate and duplicates may occur because of the way we, as consumers, often use multiple email accounts on a single device.

Probabilistic matching draws on a variety of anonymized data like IP address, device type, browser type, wifi network id, location, time of day and operating system to look at the probability of a match.  For example, if a phone, tablet and laptop connect to the same Wi-Fi hotspots in the same places every morning and evening, it’s possible that all three devices belong to a specific individual.  If they access the same type of content, or the same site from each device, this increases the probability.  And so on.  Probabilistic is inevitably less accurate than deterministic matching.  Predictive algorithms require a great deal of data; the more data they crunch, the more accurate their predictions.  The leading approaches to probabilistic matches therefore rely on access to a large sample of users.  

‘Walled gardens’ challenge strategic thinking

A walled garden or closed platform, is a software system where the carrier (e.g. telco) or service provider (e.g. Facebook, Google) has control over applications, content, media, data and restricts access to non-approved applications or content. 

Facebook has grown its own ad network and a marketing application called ‘Facebook Custom Audiences’, based on its own logged-in user data, giving brands access to deep and varied data segments to understand their consumers.  Google has traditionally relied on cookies and mobile IDs to identify and track users for remarketing lists. This isn’t effective enough for cross-device and cross-channel campaigns.  Google is trying to shift how it identifies people in an ever-changing digital world that includes smartphones alongside computers and more traditional screens like TVs; and it’s attempting to harness more of its immense footprint across services like maps, email and Android to stay on top in advertising.

Google, Facebook and Twitter are replacing cookies with their single sign-on (SSO) approach, which authenticates users through logins on their owned properties and on some third-party websites and apps.  The SSO method gives these companies access to
cross-device (including mobile) user-level data without using cookies or tags, enabling them to create vast stores of rich audience data that can be used for better media targeting.

It is easy for brands to use these companies for media targeting.  However, the downside is that brands who effectively shift their targeting over to these “walled garden” players lose control of their first-party data.  They aren’t allowed access to consumer or detailed campaign data, so they are unable to deeply understand their consumers’ behaviour or their marketing outcomes.  They are giving control of a key strategic asset, data, to a powerful third party. 

The future, ‘cross-device’ replaces the cookie?

Gartner anticipates 20.8 billion connected devices by 2020.[4]  Most of these, like mobile, are expected to operate cookie-free environments so cookies will continue to decline in importance.
“We were talking about the cookie – now we’re talking about cross-device,” said Brian Anderson, speaking at AdExchanger’s recent Industry Preview event[5]. “Cross-device is a
critical component in the marketplace in order to provide mass personalization.”  Mike Sands, CEO of Signal explains ‘This enables marketers to collect data from all devices and touchpoints and connect all of the data into one clear user profile for immediate marketing activation’4.

Cross-device attribution reports, in theory at least, will show not only that customers interacted with multiple ads before buying, but also will enhance that with information across multiple devices (e.g. TV ad watched; PC search to ‘review’ site, click to web site, mobile search for store location, mobile price comparison in store). This will provide deeper insight into how your customers use different devices on their path to conversion.

Data Management Platforms are evolving.  What is needed is a single DMP that can excel at both cookie and device/mobile ID.  We expect to see device IDs being increasingly ingested and matched into Data Management Platforms (such as Adobe’s Audience Manager or Salesforce’s Krux), which are currently mainly cookie based.  This will enable marketers to cross match via the creation of an ‘uber-ID’ for a user.

Oracle have developed an ‘ID Graph’ to manage a single identity across devices, enabling marketers to target across multiple devices, including mobile. This is based on probabilistic matching and Oracle now have 6bn device ID’s for around 2bn profiles in their BlueKai DMP.


This is a fast-paced continually changing environment.  Undoubtedly, device data has a role to play in planning, executing and analysing a relevant, personal consumer experience.  Whether you have PII data or not, the use of DMPs that ingest data across devices and groups them at user level using probabilistic matching represents the likely future state of digital consumer experience.  GDPR will have a significant role to play of course (Brexit will not change this), and it will be up to marketers to develop a data strategy that both enhances the consumer experience and does not abuse the brand trust that has taken so long to build.  An interesting future.

Thanks for reading and please contact me if you have any questions