As digital marketers, we like to think we're pretty savvy when it comes to the cookies that track our online activity. We know the difference between first-party and third-party cookies, and we're well aware of the implications of that tracking. But what about fake first-party cookies? Are they malicious or just a product of incompetence? Does it really matter? Either way, it's not the right approach to customer data capture.
Let’s start with the basics. First-party cookies are small text files that are placed on your computer by the website you're visiting. They can be used for things like remembering your login information or what's in your shopping cart. But they can also be used for more deliberate purposes, such as targeted advertising. Persistent first-party cookies can be stored on your computer for a significant period of time, usually between 30 days and 2 years. They're the ones that allow websites to track your behavior and target you with ads. Most importantly, first-party cookies are placed by a brand on their own web properties and owned marketing channels. While browsers typically allow first-party cookies by default, most now block third-party cookies and these restrictions are growing. This is why the difference between a true first-party cookie and a fake first-party cookie is vital to effective customer data capture.
Fake first-party cookies are, as the name suggests, cookies that falsely appear to be from the same domain as the website you're visiting. They're used to track online activity, just like any other cookie, but because they're masquerading as first-party cookies, they bypass some of the security measures that have been put in place to protect user privacy – at least for now.
Simply put, fake first-party cookies are designed to look like first-party cookies, but they're actually created by third-party entities. And they can be used to evade cookie blockers and collect data without the user’s knowledge or consent.
These cookies can be used for many purposes, from building up a profile of a user’s online activity to selling their data to the highest bidder.
So, how are fake first-party cookies placed? There are a few ways. One is through scripts that are embedded in ads or other elements on a webpage. When these elements load, the script creates a cookie and stores it on the user’s device. Another way is through so-called "cookie syncing." This is when third-party companies connect with each other to share data about users who have visited their websites. By doing this, they can create profiles of individual users without their knowledge or consent. In the context of a Customer Data Platform (CDP), fake first-party cookies are typically placed using a CNAME workaround that masks the JavaScript (JS) tag to look like it’s on the host domain. A true first-party CDP doesn’t use JS to set cookies; it uses embedded first-party cookies within the client’s environment. The others fake it with code.
Think of it as two flavors of first-party cookies used by CDPs: first-party location-based cookies and third-party location-based cookies. One ideal, and one with problems.
First-party location-based cookies stay on-premises, with the organization retaining full ownership and control within their own protected environment. There’s no external communication in any form. These are true first-party cookies. Third-party location-based cookies are installed on the organization’s pages by an external party, and eventually the data must go to another location – typically the third party who placed the cookies.
Why would someone go to the trouble of creating a fake cookie? Data is big business, and companies are willing to pay top dollar for information about online behaviors. That data can be used for things like targeted advertising or sold to other companies who might find it useful (think credit card companies or insurers). They’re also used by many CDPs who are unable to place embedded first-party cookies, so they must rely on workarounds like third-party cookie masking to collect customer data.
If you’re not sure which flavor your CDP uses, ask! Is the CDP embedded in your environment, so that cookies are set “server-side”? Or does it exist outside your network, requiring data to be sent to them – aka an environment outside your control? A dead giveaway is the quality of your data capture – are you collecting data across domains, channels, and devices? Can you persist identity over time, or does your solution generate multiple disconnected IDs because the cookies expire or are blocked? If your organization is experiencing major data gaps, and difficulty reconciling identity profiles, your CDP is likely using fake first-party cookies.
Unfortunately, it's not clear cut. While there's no doubt fake first-party cookies are a serious privacy concern, it's not always clear whether the solutions that use them are doing so with malicious intent, or simply because they're either incompetent or lazy. There are arguments to be made for both sides.
On one hand, some argue fake first-party cookies are simply an attempt by incompetent solutions to continue collecting as much information about consumer behavior as possible. After all, if they can't collect data on users, they can't target them with ads—and that means less money for them. It can also be a case of convenience – it’s the only way to capture the data marketers and data scientists need using the deficient solutions they have. In some cases, it might also be a case of ad networks or other third parties setting fake first-party cookies without the website owner’s complete understanding of the repercussions. These companies might not have malicious intent, but their actions still raise concerns relating to users' privacy.
Others argue that fake first-party cookies are a deliberate and malicious attempt to circumvent restrictions such as Safari's ITP, by taking advantage of lax security. The problem is that these cookies allow third-party trackers to collect data on users without their knowledge or consent—and that’s a serious privacy violation.
Looking specifically at the use of fake first-party cookies in CDPs, in most cases it’s simply a lack of understanding, or the CDP not having the ability to place true first-party cookies. However, whether malicious or not, the use of fake first-party cookies is not the right way to approach customer data capture. It reduces accuracy, adds delays in data transfer, increases the probability of losing valuable insights due to third-party cookie blockers, and puts your organization at risk of non-compliance with privacy and consent regulations. Furthermore, it undermines the trust that users have in brands and online advertisers.
If your CDP uses fake first-party cookies, at best you’re skirting the edges of ethical and privacy-centric behavior. At worst, you’ll be crippled by the loss of valuable data as browser restrictions expand to prevent this subpar data capture method.
If you're a marketer or advertiser who has been using fake first-party cookies to collect data on users, it’s time to rethink your approach. Not only is it ethically questionable, it undermines user trust—and that's something you can't afford to do.
Fake first-party cookies are a major privacy concern regardless of whether they’re being set with malicious intent or not. Brands need to verify that the cookies they're setting are actually from their own domain, and ad networks and other third parties must ensure they obtain proper consent before setting any cookies on users' devices. Only by taking these steps can we work to protect users' privacy from fake first-party cookies, and ensure a scalable, privacy-first approach to marketing personalization.
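One way to audit for the CNAME workaround described earlier, and to act on the advice to verify that cookies really come from your own domain (an added example, not code from this article or from any CDP vendor). The DNS records, cookie list, and function names are constructed assumptions, and the two-label `registrable_domain` helper is a simplification of the Public Suffix List.

```python
# Constructed sample data: example.com, tracker-vendor.example and every
# record below are illustrative, not taken from a real zone.
CNAME_RECORDS = {
    "www.example.com": "lb.example.com",
    "metrics.example.com": "cust-1234.edge.tracker-vendor.example",
    "shop.example.com": "shop-origin.example.com",
    "t.example.com": "alias.example.com",
    "alias.example.com": "collect.tracker-vendor.example",
}
# (cookie name, Domain attribute or None for host-only, host that set it)
COOKIES = [
    ("session_id", "example.com", "www.example.com"),
    ("cart", None, "shop.example.com"),
    ("_vid", "example.com", "metrics.example.com"),
]

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); production code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def resolve_chain(host, records, max_hops=8):
    """Follow CNAMEs from host and return every name visited, in order."""
    chain = [host]
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]]
        if nxt in chain:  # CNAME loop, stop here
            break
        chain.append(nxt)
    return chain

def find_cloaked_hosts(site, records):
    """Map each host under `site` whose CNAME chain ends on a different
    registrable domain to that external endpoint."""
    cloaked = {}
    for host in records:
        if registrable_domain(host) != site:
            continue
        final = resolve_chain(host, records)[-1]
        if registrable_domain(final) != site:
            cloaked[host] = final
    return cloaked

def cookies_exposed(host, cookies):
    """Names of cookies a browser would send to `host` (Domain-attribute matching)."""
    return [name for name, domain, set_by in cookies
            if (domain is None and set_by == host)
            or (domain is not None and (host == domain or host.endswith("." + domain)))]

if __name__ == "__main__":
    for host, target in find_cloaked_hosts("example.com", CNAME_RECORDS).items():
        print(f"{host} -> {target} receives {cookies_exposed(host, COOKIES)}")
```

In a live audit the record map would come from a zone export or resolver queries. Any cookie scoped to the parent domain, including a session cookie, is sent to every host the audit flags.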