Insights/ Created August 2020

The Cookie Apocalypse

It’s not as delicious as it sounds.

First, they said cookies were only a “sometimes food” and now there is a cookie apocalypse?!?

The Cookie Monster is definitely going to flip his lid.

The truth is that there are some very large, very well-known technology companies that have fundamentally relied on a hack to make many billions of dollars. That hack being the exploitation of…………. you guessed it, Cookies.

Big, fat, juicy(?), data filled Cookies.

Cookies were never really meant to do as much as they have been used for over the years. Respect goes out to those creative enough to use something so simple to make soo much money. Just look at how you set a cookie in javascript: document.cookie = “stringy mc stringface”. It’s not fancy, it’s just plain text. You can’t do much with just plain text right?

Wrong. You’re so wrong, and who would have thought such a small thing as plain text would have such a major impact on the world of advertising and marketing.


Let’s get back to basics

So what is a cookie? Well we know its text, but what do they actually look like? Is there a cookie jar? Do they go stale?

The intention of a cookie was to be able to persist information across user sessions so it could be accessed when the user navigates away from a page (or site) and returns at a later time/day. For example, have you ever entered a username and password or chosen a language preference when visiting a website, then when you’ve returned to the site, it automatically logs you in and knows what language you selected previously. This is the magic of cookies. Your credentials and language preferences are stored as a tiny bit of data stored in a cookie.

The cookie data is passed every time a HTTP request is made.

“What’s a HTTP request?” I hear you asking. Good question. A HTTP request is whenever your browser requests something from a server, so when you visit a website, your browser will do many many requests to get the resources needed to display the page. Eg: images, javascript, css etc etc


Yes, you heard correctly, every time you request something on a website the cookie data is passed to the server. The server can do whatever it wants with your cookies, and then return them to your browser (Set-Cookie). This can occur even if the resource you are requesting is from a different server……. a Google server, a Facebook server, a Skynet server…….Oh no, RUN! (delete your cookies before you leave though).


Terminator meme


Which brings us to our next topic:

The good, the bad and the ugliest of cookies.

There are 2 main types of cookies, “First-party” and “Third-party”. So what’s the difference between them? It all comes down to the domain.

The “Good” - First party cookies

If the domain of the cookie matches the domain of the page you are visiting, then the cookie is classified as First party. First party cookies are primarily used to enhance the user experience, collect analytics data and perform other useful functions like storing language settings etc. First party cookies can only be accessed via the domain that created it.

The “Bad” - Third party cookies

If the domain of the cookie does not match the domain of the page you are visiting, then the cookie is classified as Third party. They are generally created by someone other than the web site owner, hence the name “Third party”, and are typically generated by a third-party script inserted onto the website - think Google or Facebook.

The beauty of these bad boys is that they can be accessed on any website that loads the third-party script. Hence, they are typically used in cross-site tracking, retargeting and ad serving.

The “Ugly”

Yes there are such things as “Second-party” cookies, which are defined as “transferred from one company to another”, I think that requires a whole article in itself. They aren’t that relevant to the topic, let’s just forget they exist!

So, what’s the problem?

So now comes the kicker, if you haven’t figured it out already. If a third-party script is running on a website that you visit, the owner of that cookie can store various bits of data in their cookie. And if that script (cookie) is running across lots of different websites, the owner of that cookie can quickly identify you and build a profile of who you are, what you are interested in and use that information in a variety of ways. This is the premise of most advertising platforms; they use the data in the cookie to serve you relevant ad’s.

The Cookie Apocalypse

“This is out of control!!! I want to keep my privacy private”, you might say.

So as you can imagine, most good things come to an end, and governments have had to step in. They have formed an elite team of cyborg warriors and are planning to send them back in time to kill the person who invented cookies. That poor bastard will never know what hit him ... unless we band together and get to him before they do!! Who’s with me????

It won’t work, time travel never works :( Lets just accept it and move on.

So governments of the world are coming up with their own privacy policies and requirements to govern the use of Personally Identifiable Information (PII). eg:

  • GDPR - General Data Protection Regulation
  • CCPA - California Consumer Privacy Act
  • ePR - ePrivacy Regulation (European Union)

And i’m sure we have all seen the outcome of these policies on our sites and apps, our lovely Cookie Policy pop ups that nobody actually reads - just give me the website already!

Alongside these policies, technology platforms like Apple and Google are trying to solve the issue from their side, or should I say, make an opportunity out of it. Some are making their users aware of the use of third party cookies as it happens, and some (Safari, Firefox) are blocking them by default. Either way they are now letting us know that they are aware that privacy is a concern of ours and are willing to go out of their way to sell you the latest phone, ecosystem, browser etc that has privacy built in by default :) Hmmmm….sounds suspicious to me!

What does the future look like?

The shift in the industry has already begun, there is definitely more focus on the customer and their privacy needs. This move towards a more private web will not nullify advertising, it will enable big tech companies to ‘manage’ our privacy for us… as long as you stay in their eco-systems. Maybe what is required is the ability for privacy to be put back in the hands of the customer, where it should have been in the first place.

The marketing and advertising world will pivot and rely on having a more solid way of identifying users, as well as focusing on consent to gain trust and a lasting relationships with their customers. So all in all it’s nothing to freak out about, it's really not the end of the world…… Besides, cookies were only supposed to be a sometimes food.

James Whittingham - Technology Director, Elephants Can Dance


6 Middlemiss Street,
Lavender Bay 2060. Sydney

Copyright Elephants Can Dance 2024. All rights Reserved