Cookies are small text files, stored locally on a user's device by the websites they visit, that enable the websites — and sometimes other sites — to recognize the user across pages and visits. Cookies are usually used to track a user's previous preferences on a site, usage of a site, login info, and even activities across websites and devices. A first-party cookie is implemented by the site the user visits, while a third-party cookie is implemented by another business, like a data analytics company. Publishers use first-party cookies to calculate page views, monitor sessions, deliver essential functions and analyze other activities to better optimize their site and user experience. Publishers can also share data from first-party cookies with advertisers for ad targeting. Third-party cookies can be used for web analytics, social media integration and cross-site authentication, but they are most often associated with uses that power behavioral advertising.

The cookies users typically see in consent banners online are functional, necessary, and analytics cookies. These are used to remember the user's site preferences, like language choice and use of location data on a weather site, to provide basic functions, like allowing a user to proceed to a secured area of a site upon log in rather than redirecting them to the homepage, and to track how users navigate and interact with a site for statistical purposes, respectively.

The passage of the EU General Data Protection Regulation and the California Consumer Privacy Act required publishers to become more cognizant of consent requirements. Under the GDPR, covered entities must obtain freely given, specific, informed, unambiguous and revocable consent to process a user's personal data, unless such processing meets one of the other six legal bases. Under the CCPA, covered entities must allow users to opt out of the sale of their personal data and must obtain consent from users under 16 years of age, or from the user's parent or guardian if they are under 13, to sell the user's personal data. The related additions to the cookie banners required by the EU ePrivacy Directive led to the awareness of cookie banner-induced consent fatigue.

Tracking pixels, also interchangeable with web beacons, are single-pixel sized images placed on websites that are typically used to target ads to consumers and track consumer behavior like page views, clicks and ad interactions. Users that utilize ad-blocking software or browser plug-ins cannot directly remove pixels, but they can use blacklists to prevent the call a pixel makes to another site in the same way the software prevents ads from loading. Some pixel providers hash identifiable information aggregated from pixels, like names and email addresses, but hashes can be used to link data.

A referrer is a website that sends users to another site using a link. Advertisers and site owners use referrer URLs to track how users got to a website. For example, if a user clicks on a link from an influencer's blog to purchase a sweater that influencer wore, the user's URL on the sweater purchase page will show an added block of text letting the site that the user was redirected to know the user came from the influencer's blog. Referrer URLs are logged by web analytics programs to help site owners and advertisers get insight on their web traffic.

There are two main types of fingerprinting. In device fingerprinting, a user's device sends system information to a site, ensuring site functionality on the device and, in essence, forming a "fingerprint" of the device. This process is important to ensure that a news site, for example, loads images and text in a readable and appropriate manner for the respective device, whether it is an older generation smartphone or the newest tablet. Browser fingerprinting involves the same process, but for the user's browser. When a user clicks on a link to visit a site, the site sends a request to the server along with information necessary to receive the requested content like IP address, browser type and version, and other information like time zone, battery level and CPU usage. A browser or device does not send out personal information about a user but, since most fingerprinting is performed via a third-party tracker, the third-party can track an individual across multiple sites and form a profile about them. Some browsers offer the capability to block fingerprinting from third parties known to do so.

Mobile advertising does not include web tracking technologies like cookies, but it does involve ad IDs. Mobile advertising IDs are shared by the mobile device's operating system with servers of apps that the user is using. These identifiers are provided by Apple in the form of Identifiers for Advertisers, now in conjunction with Apple's SKAdNetwork, and by Android as AdID. Developers and marketers use MAIDs similar to the way they use web tracking technologies: to track user activity for advertising purposes, e.g., remarketing, frequency capping and conversion tracking, and to fine-tune existing ads to make them more relevant to mobile users.

Google's Privacy Sandbox was built to be a privacy-preserving system that removes third-party cookies, limits fingerprinting and operates without MAIDs, while sustaining targeted ads on the Chrome browser on laptops and Android devices. The tool initially relied on Federated Learning of Cohorts, a type of web tracking that groups users into cohorts based on their browsing history, i.e., runners, museumgoers, millennials with dogs. Last year, the FLoC-based system was replaced with Topics. In this new system, Chrome determines the topics a user is interested in based on their browsing activity and shares them with advertising partners to serve relevant ads to user groups categorized by topics. In the current concept, users can review and remove topics from their lists and turn off Topics application programming interfaces as a whole. Cookies are replaced by APIs that receive aggregated data about metrics like conversion and attribution, so advertisers and publishers still receive the data they need. This increases the value of first-party data, which in turn decreases the value of third-party data and, over time, the need for data brokers.

If these outcomes make you wonder where the regulators stand, you are not the only one. Google extended its deadline on the Privacy Sandbox for a few reasons. The first reason for the delay was the U.K. Competition and Markets Authority investigation into the Privacy Sandbox's approach to replacing cookies that determined the company's technical measures were not more anticompetitive than beneficial to consumers. The second reason for the delay was the concern for consumer trust in the U.S., as regulators are on high alert after recent charges for privacy violations. Similarly, the third known reason for the delay was the concern voiced by EU regulators regarding Google's intention to focus on a privacy-first tool given its record-holding GDPR fine.

Apple innovated in a similar direction with its changes to the IDFA and introduction of the SKAdNetwork. An IDFA is a unique, random, resettable device identifier assigned to a user's iOS device and designed to give advertisers and app owners the ability to identify a device and collect usage information. Two years ago, Apple introduced App Tracking Transparency with iOS 14.5 to change how IDFA works. This privacy framework includes an alert prompting the user to affirmatively opt in to tracking across apps and sites to provide the user personalized ads. If a user opts out, advertisers can use Apple's SKAdNetwork. First introduced in 2018, the SKAdNetwork is an attribution and measurement API that allows advertisers to continue to receive statistics and insights on mobile users without relying on IDFA. It was built as a privacy-first tool that relays aggregated user data from an iOS device to Apple, and then to ad networks, developers and mobile measurement partners, so no individual user data is shared. While the SKAdNetwork was initially an optional tool, it evolved into the only method for advertisers to access iOS user data, if the user opted out of cross-app tracking.

Privacy Tech and Privacy By Design topic page

Data clean rooms: An adtech privacy solution?

Are cookies a new currency for the online world?

Measuring the carbon footprint of browsing cookies

The way the third-party cookie crumbles: Part 1 – EU and UK developments

The way the third-party cookie crumbles: Part 2 – Shifting industry practices and alternatives to third-party cookies