WTF Is A Cookie, Anyway? Do You Really Know, Or Just Think You Do?

cookies[Editor's note: This column has been corrected to fix errors that weren't caught in the initial editing process. Thanks to those who pointed them out.]

This month’s column was inspired by a very brave CMO who bluntly asked, during a recent conversation, “WTF is a cookie, anyway?” This particular gent is smart — he controls a marketing budget of over $30m a year, a reasonable enough portion of which is digital.

cookies

His question stems from the many ways our industry talks about cookies (often incorrectly) and the peripheral terms than have become synonymous — RTB, big data, programmatic, pixel… He thought he used to know the answer to his own question, but found that he actually didn’t. And interestingly, the answers his team gave from around the room were inconsistent with each other….

We discuss big topics in this column but have not dealt with the basic cookie — until now.

What Is A Cookie?

A cookie is actually a small text file that sits on your computer in a folder dedicated to cookies. That cookie file contains information about you, which could be a simple ID number, or many other points of data. A cookie can only be understood by the company that put it there because they are encrypted, making them private.

A cookie can be used for remembering who you are when you login to a website, for analytics and for advertising, amongst other things.

A cookie is also specific to a browser, so if you have a Google cookie on your computer from logging in through Firefox, it will not log you in when you use Chrome because every browser manages its own cookies.

A cookie can be deleted by the user, most likely using the functionality within the browser itself, but some people do this manually, or install 3rd party software (such as anti-virus) to do it for them regularly.

You can actually open up these files and look inside them yourself, but because they are encrypted, you will only see random characters.

1st Party Or 3rd Party?

A first party cookie is one that comes from the same site you are currently visiting. For example, if you are on the Bank of America website and you log in, you will receive a cookie from bankofamerica.com. That is a 1st party cookie because it comes from the domain you are browsing.

Now let’s say the bank also wants to understand the number of their visitors to their site. They might install a package such as Google Analytics. Though the cookie isn’t from the site, it’s still a first-party cookie because it’s being set by the site itself, not by Google.

But what if there are ads running on the site that are served by an ad server like DoubleClick, or via an ad exchange? When either of those parties set a cookie on your computer — to track an impression or a click on an ad — that’s considered a third party cookie, because it’s not coming from the same domain that’s displayed in the URL window of your browser.

Server-Side Or Client-Side?

This may sound techy, but in reality it refers to where the data is kept about the individual. In a server-side situation (also called “sessions“), everything we know about the individual is kept back on our servers and can be accessed any time we want. All that’s stored on the user’s machine is a session-id, which can be connected to the additional data on the advertiser’s servers.

When something is client-side, it means all the data points are stored in the cookie itself, on the person’s machine, and so they can only be looked at when we actually see that person again.

Most companies in this space, including Chango, now use server-side cookies (aka sessions) because they allow us to add or edit that data, even when we are not interacting with that person.

A Cookie Or A Pixel?

This is one of my pet peeves! The two terms have become interchangeable, yet actually mean very different things. The expressions “can we put a cookie on your site” or “we will just drop a pixel when they convert” are both wrong!

A pixel is the code that goes on the page — a tiny (usually 1×1) image file that requires a call back to a server to render (although it’s too small to be seen by people).

A cookie is the small file that the server then places (or drops) on the individual’s device, or reads back if one already exists, after the call is made back to the server.

You install a pixel on your site, not a cookie, and that pixel drops a cookie, not a pixel.

Flash Cookies

A few years back, there was a company that became annoyed with people deleting their cookies; after all, if the cookie got deleted, they lost their data. So they created what’s called a Flash cookie (technically a local shared object) to cheat the system.

A Flash cookie is also a small file like a real cookie, but because it was Flash it was stored in another folder that the browser controls. When someone deletes their cookies through the browser, the Flash cookie stays in place, keeping the tracking and data in place. Sneaky!

If you get excited about these things, there is also something referred to as re-spawning Flash cookies, which is when a Flash file sits on the device and puts a real cookie in the real cookie folder, but every time it gets deleted, it recreates it! I have seen companies get into a lot of trouble doing this, and rightfully so.

How Does A Pixel Get Added To A Site?

The process is actually very easy – the code (1 line for an image pixel, a few lines for JavaScript) is copied and pasted into the page code – that’s it. You may find that the process in your company is much longer, and a rightful process of testing usually causes that, but it can also be caused by sheer stubbornness!

Some sites require a lot of cookies to be added, and as such they use a tag management company, of which there are several to choose from. The advantage of this is that the IT folks need only to do the implementation once; and then, the ability to add or delete cookies can be the responsibility of the marketing team using a simpler interface.

If the cookie is being used for advertising, it is not uncommon to see the advertiser using DoubleClick For Advertisers (DFA or Dart for Advertisers), in which case the pixel is not added to the site directly, but is instead placed inside a tag container. The “tag container” was created to make it easy to add a lot of tags to a web site. Examples include DoubleClick’s Floodlight tag or the Atlas Universal Action Tag.

Why Don’t Site Owners Want Cookies?

A debatable problem. Historically, the people responsible for a site worried about page load times, and pixels often impacted that. With better bandwidth, better engineering and something called a CDN (content delivery network) to speed up pixel delivery, this is rarely a problem.

In addition, marketers and publishers are becoming aware that some unscrupulous companies use pixels to “steal” an audience, or to gather data about an audience. Data is a valuable commodity, and they are right to protect it.

As an example, if I was a publisher and allowed another company to pixel my site, that company now has a cookie on all my visitors and can target those individuals themselves without the need to pay me. Suddenly, as a publisher, my advertisers don’t need to use me as often, and I lose revenue.

Fingerprinting Sounds Scary

As an alternative to cookies, some technology companies use “fingerprinting.” In cases where a cookie cannot be dropped, fingerprinting offers a good alternative to finding your audience again.

In simple terms, fingerprinting for digital tracking works on the same principal as fingerprinting in real-life – if you look at enough small technical details, you can build a picture for one device (which is a proxy for a person) that is unique against another.

In the online world, this means looking at data such as the individual’s browser type, OS, resolution, color palette, location, fonts installed, etc., and then matching against that profile the next time that individual is spotted. This data is already being shared when a device connects, because it’s needed to help web pages display properly. The more data analyzed, the more accurate the technique. With potential legislation to come, and browsers like Safari blocking cookies, fingerprinting may become more common.

The Funny Thing About Opting Out

And lastly, for now, what about opting out? If an individual chooses to not be tracked, they don’t have to be. There are plenty of tools that can be installed that help do this easily, and there are also initiatives that promote this, such as AboutAds. Ironically, many opt-out processes are reliant on the individual having an opt-out cookie placed in their browser… so if they delete their cookies, they effectively opt back in! There are now plugins and movements to correct this.

If you have something you want to know about cookies that wasn’t covered here, reach out with your questions and I will try and answer them for you!

Opinions expressed in the article are those of the guest author and not necessarily Marketing Land.

Related Topics: Channel: Display Advertising | Display Advertising | Display Advertising Column

Sponsored


About The Author: is the Chief Strategy Officer at Chango, the solution to programmatic marketing and "big data", and is based in San Francisco and London. You can follow him on Twitter @DaxHamman.



Sign Up To Get This Newsletter Via Email:  


Share

Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. You can read more about our comments policy here.
  • Alia Formoy

    Interesting article Dax. I recently heard something about asynchronous cookies which are embedded in URLs so tracking tags don’t have to be inserted into your website. Is this the same as a cookie side cookie? (I may have got the terminology completely wrong, so apologies in advance).

  • Pat Grady

    Probably should append information about:
    +Browsers setting limits on total number of cookies, total per domain, and total file size.
    +Cookies expire, either through the expiration date set in each cookie, or because some browsers delete the oldest cookies when the max limit of total cookie count on that machine is reached.
    +Like writing your name on a chalkboard, tracking cookies aren’t bad and can’t do anything malicious – it’s just a marker of who and when. It’s people who try to erase your name (or other data), and write another name (most often theirs) in it’s place, who are sometimes up to no good. There are legit reasons to overwrite a cookie – like a last visit cookie, with each visit, it over writes old data, with new data. And there can be illegitimate reasons why someone overwrites a cookie. Point being, cookies themselves are harmless, it’s what people do with, and to, the cookie’s stored data that matters.
    +Some browsers have been restricting 3rd party cookies, because of data sharing abuses, or the risk thereof.
    +Might want to address “cookies” in the App ecosystem, maybe just direct people to an article like this one:
    http://techcrunch.com/2013/02/25/apple-rejecting-apps-using-cookie-tracking-methods-signaling-push-to-its-own-ad-identifier-technology-is-now-underway/

  • Stuart Kaufman

    @Dax, I’d like to chat with you and your knowledge of affiliate links, I run a very clean site which has some affiliate links which my advertiser is benefiting from much more than I am and I’d like to understand how to serve the affiliate link when clicked but not allow him to retarget and market directly to my visitors as you mentioned. Please see note to you on G+

  • Pat Grady

    article I read today…

    Think Cookies Hurt Your Privacy? You’ll Beg For Their Return Once You See What Google And Facebook Are Planninghttp://finance.yahoo.com/news/think-cookies-hurt-privacy-youll-123744973.html

  • ChrisHunt

    “If I was a publisher and allowed another company to pixel my site, that company now has a cookie on all my visitors and can target those individuals themselves without the need to pay me.”
    What exactly do you mean by that? How are you suggesting that this “targetting” can take place? Sure, an advertiser could place a cookie on a user to indicate to them that the person had been to my site, but that’s pretty much it. It wouldn’t give them email addresses or Facebook ids or anything else that would enable them to “target” the people concerned.
    Heck, I can’t “target” past visitors of my own site if they didn’t choose to leave an email address, and don’t choose to come back. What is a third party going to do with a cookie?

  • Dax Hamman

    Hi Stuart – if your affiliate has the pixel on your site, then they can absolutelty retargeting your audience. The only way around it from what you describe is to create code on your site that only fires their pixel when a conversion occurs that they drove.

  • Dax Hamman

    Hi Chris, good question.

    So let’s say I am a fashion brand. I want to advertise my products on GQ.com, and so I call them, negotiate a deal and have my ads placed. At that point I can not retarget the GQ.com audience, only those that subsequently come to my site.

    Now imagine I went to GQ and said as part of my buy, I want them to place my pixel so I could track the number of people that saw my ad or sponsored content. I now have a pixel on their site, and those people can then be added to my own retargeting pool.

    The next time I want to run a promotion, I don’t need to pay GQ to run my ad, instead I buy cheap inventory against that retargeting pool.

    GQ wouldn’t allow the pixel for this reason.

    (Dear Readers – I know there are lots of caveats and alternatives to this example, and there is of course value from having the brand associated with the GQ brand that couldn’t be generated from just running retargeting ads elsewhere… this is just a simple example :) )

  • Dax Hamman

    Hi Alia – sorry for the delay in responding, I just saw your comment. I would need a bit more information I think. You could be referring to click trackers that can tell when a client occurs, or perhaps a click that redirects through a page that isn’t seen, and that page drops a cookie.

 

Get Our News, Everywhere!

Daily Email:

Follow Marketing Land on Twitter @marketingland Like Marketing Land on Facebook Follow Marketing Land on Google+ Subscribe to Our Feed! Join our LinkedIn Group Check out our Tumblr! See us on Pinterest

 
 

Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States

Europe

Australia & China

Learn more about: SMX | MarTech


Free Daily Marketing News!

Marketing Day is a once-per-day newsletter update - sign up below and get the news delivered to you!