Filling the third-party cookie gap with first-party and zero-party data

With third-party cookies poised to disappear, many marketers are wondering how to fill the coming information void.

The bad news is there isn’t a straight substitute for the broader context third-party cookies provide. But the good news is other data sources can help marketers make informed strategic and tactical decisions and continue driving personalised experiences.

Plus, the better news is these data sources are proprietary, because they come from a brand’s direct relationship and interactions with their user base — meaning that the companies who know how to collect and leverage them can gain a real competitive advantage.

In this post, we’ll begin by outlining the difference between third-party and first-party cookies and reviewing why third-party cookies are reaching end-of-life status. Next, we’ll examine how zero-party data (ZPD) and first-party data (FPD) fill the information void. Finally, we’ll show why Customer Identity and Access Management (CIAM) is vital to collecting ZPD and FPD — and to ensuring the data you collect is accurate and gathered with your customers’ informed consent.

A crash course in cookies

Cookies — variously known as HTTP cookies, web cookies, internet cookies, and browser cookies — are text files created by a web server when a user visits a site and then stored on the user’s device by the web browser.

When a user returns to the site, their web browser sends relevant data back to the web server, providing the server with information that helps shape the user’s experience.

Each cookie is labeled with an identifier unique to each browser, so by reading cookies, web servers can recognise website visitors. While the server may not know who a visitor is (i.e., as an individual person), it can still distinguish that visitor from others — which is why a user who isn’t logged in can return to a site and have it reflect their previous activity.

Just as cookies in the real world come in different flavours, internet cookies also offer some variety (although the options are more limited, and they don’t taste nearly as good as the real thing).

What are first-party cookies?

A first-party cookie can only be created and read by the web server whose domain is being visited. That is, a first-party cookie created by domain A cannot be read by domain B.

First-party cookies are important — and sometimes essential — for much of the functionality offered by today’s services. For example, because they store stateful information, cookies are often used to keep track of items in a cart and save information for forms (e.g., name, address, contact details, etc.), enabling and improving user experiences.

Plus, because first-party cookies gather information about how visitors interact with a site or service, they’re incredibly useful for understanding user behaviour (both on a per-user level and in aggregate across the user base), optimising website performance, and enabling personalisation.

What are third-party cookies?

Third-party cookies are created by web servers corresponding to domains that a user doesn’t directly visit. For example, suppose a user visits a website, domain A. The web page that the user’s browser loads may contain elements — e.g., images, JavaScript, etc. — stored on servers in other domains: domain B and domain C.

In this instance, any cookies created by domains B and C are considered third-party cookies because the user didn’t visit either domain.

Unlike a first-party cookie, which is only accessible on the domain that created it, third-party cookies are accessible on any website that has a third-party server’s code. In practice, while third-party cookies can enable functionality (e.g., a support bot plugin from a third-party service) within a site, they’re primarily used to enable cross-site tracking of user habits, online advertising based on those collective observations, and retargeting of users as they visit other sites.
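The first-party/third-party distinction described above can be checked mechanically when auditing which cookies a page exchanges. The following is an added example, not part of the original post; the domain names, cookie values, and the function names siteOf, parseCookiePair, auditCookies and crossSiteTrackers are constructed for illustration, and the "last two host labels" rule is a simplifying assumption.

```javascript
// Added example. Assumption: a "site" is the last two host labels;
// real browsers use the Public Suffix List to find the registrable domain.
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Take the name=value pair from a Set-Cookie or Cookie header value.
function parseCookiePair(header) {
  const pair = header.split(';')[0].trim();
  const eq = pair.indexOf('=');
  return eq < 0 ? { name: '', value: pair }
                : { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Label each observed cookie by comparing the site that owns it
// (the host the cookie was exchanged with) to the site the user visited.
function auditCookies(observations) {
  return observations.map(({ pageUrl, resourceUrl, cookie }) => {
    const pageSite = siteOf(new URL(pageUrl).hostname);
    const cookieSite = siteOf(new URL(resourceUrl).hostname);
    return { pageSite, cookieSite, ...parseCookiePair(cookie),
             party: cookieSite === pageSite ? 'first' : 'third' };
  });
}

// A third-party cookie carrying the same value under two or more visited
// sites lets its owner link those visits: the cross-site tracking case.
function crossSiteTrackers(audit) {
  const seen = new Map();
  for (const r of audit.filter((x) => x.party === 'third')) {
    const key = `${r.cookieSite}|${r.name}|${r.value}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(r.pageSite);
  }
  return [...seen].filter(([, sites]) => sites.size > 1)
    .map(([cookie, sites]) => ({ cookie, sites: [...sites].sort() }));
}

// Constructed observations: domains A and D are visited; B and C serve embedded elements.
const SAMPLE = [
  { pageUrl: 'https://www.domain-a.example/', resourceUrl: 'https://www.domain-a.example/', cookie: 'cart=abc; Path=/' },
  { pageUrl: 'https://www.domain-a.example/', resourceUrl: 'https://pixel.domain-b.example/t.gif', cookie: 'uid=42; Secure' },
  { pageUrl: 'https://www.domain-a.example/', resourceUrl: 'https://cdn.domain-c.example/lib.js', cookie: 'pref=dark' },
  { pageUrl: 'https://shop.domain-d.example/item', resourceUrl: 'https://pixel.domain-b.example/t.gif', cookie: 'uid=42' },
];

const audit = auditCookies(SAMPLE);
console.log(audit.map((r) => `${r.pageSite} <- ${r.cookieSite} ${r.name}: ${r.party}`));
console.log(crossSiteTrackers(audit));
```

In the sample, domain B's uid cookie appears under both visited sites, so it is the only one flagged; domain C's cookie is third-party but is seen on a single site.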

The table below summarises the major differences between first-party cookies and third-party cookies.

Differences between first- and third-party cookies

The third-party cookie crumbles

It’s been more than a decade since Apple’s Safari and Mozilla’s Firefox started blocking third-party advertising cookies, but with both browsers having relatively low market share, these shifts served more as an early warning than an overall death knell for third-party cookies.

However, attitudes shifted in January 2020 when Google published a blog post titled “Building a more private web: A path towards making third party cookies obsolete.” The post stated the company’s intention to “phase out support for third-party cookies in Chrome … within two years.”

At that time, Google Chrome enjoyed more than 60% market share across global desktop, mobile, tablet, and console browsing, so the entire marketing and advertising ecosystem took notice of this sea change.

While the timeline has shifted in the years since, the latest word from Google is that the phase-out will begin in Q1 of 2024.

With Chrome’s market dominance unchanged in the intervening years, the end of third-party cookies is just around the corner — and marketers stand to lose significant signal.

Why are third-party cookies disappearing?

The reason third-party cookies are disappearing can be summed up in a single word — privacy.

Today’s customers prioritise privacy, as demonstrated by Okta’s Customer Identity Trends Report. Based on a survey of 21,512 consumers from 14 countries, the report revealed that the large majority of customers — about 71% — are aware that their online activities leave a data trail, and most of that majority report taking steps to mitigate it.

Apple and Mozilla recognised these changing attitudes long ago and differentiated their browser offerings — and, in Apple’s case, their consumer devices — with privacy-conscious features and messaging.

In parallel, governments and other authorities saw the need to regulate data collection and user tracking, and legislation (e.g., the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), the Personal Information Protection and Electronic Documents Act (PIPEDA), etc.) is giving consumers additional rights.

It’s also likely that there’s a virtuous circle effect happening, in which media attention to privacy regulations increases awareness in the general population of how much our online activities are tracked, and how our data is bought and sold. This awareness leads to more pressure on governing bodies to act on our behalf.

Neither Apple nor Mozilla runs a vast ad network, so they had little to lose by prioritising privacy a decade ago.

But Google faced a complication: The company depends on ads for about 80% of its revenue.

So, while Google recognised the same shifting consumer attitudes (their January 2020 blog post states, “Users are demanding greater privacy — including transparency, choice and control over how their data is used — and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”), they couldn’t act right away. Instead, the company had to wait until they had an alternative that preserved (or, some would argue, even strengthened) their enviable position within the online advertising market.

On September 7, 2023, Google’s Privacy Sandbox for the Web reached General Availability, and third-party cookies reached their denouement.

As third-party cookies disappear, CIAM’s role in your MarTech stack grows

In the privacy-conscious cookieless age, campaigns and personalised experiences will be powered not by third-party data but instead by data that customers have consciously consented to share.

And, as the dependence on such data grows due to the demise of the third-party cookie, so too does the importance of Customer Identity and Access Management (CIAM) as an enabler of compliant collection of trustworthy data.

The importance of ZPD and FPD

In the emerging privacy-conscious paradigm, marketers will become reliant upon:

  • ZPD that customers willingly share, such as fields on a sign-up form, their shipping details, or an email survey they completed. ZPD often includes personal data that can be attributed to a single person and is protected by data privacy regulations.
  • FPD that customers generate as they interact with your site or application, including search history, analytics information, session metadata, and more. Many types of FPD require consent to acquire and use. Unlike zero-party data, some kinds of first-party data can be anonymous (e.g., web analytics) and, in certain cases, later de-anonymised.

Both ZPD and FPD will hold tremendous value — for example, both are vitally important for getting the most out of Customer Data Platforms (CDP) — and companies that excel in collecting this data will have advantages over those who struggle to do so.

To effectively collect reliable data associated with real, known customers in a manner that complies with privacy regulations, companies need a way to authenticate and manage user identities.

A word about second-party data (SPD)

Some brands and organisations have limited direct access to or interaction with their end customers and therefore aren’t in a position to collect ZPD or FPD. For instance, many consumer packaged goods (CPG) companies sell exclusively through distribution channels.

In such scenarios, second-party data (SPD) — which is simply FPD and ZPD from partnerships — fills the information gap.

SPD has its own data privacy compliance considerations, but as long as your partners collect their ZPD and FPD responsibly, this information channel will remain even as third-party cookies disappear.

CIAM is the gatekeeper of reliable ZPD and FPD

CIAM is, at its core, customer data plus the tooling to protect, respect, and connect that data. In Identity terms, the four essential features of an effective CIAM solution are registration, authentication, authorisation, and Identity management:

  • User registration (identification) creates the record that makes the rest possible. During user registration, a CIAM platform typically verifies that identifiers (such as email or phone number) are legitimate, but can also include more advanced forms of Identity proofing.
  • Proper authentication ensures that the users logging into accounts are who they say they are — and can include multiple factors and advanced techniques like passkeys.
  • Effective authorisation helps businesses provide users with the appropriate level of access to resources or within applications.
  • Comprehensive Identity management is the suite of tools that covers updates and changes to users’ data and access. In CIAM, user access permissions and security policies are typically assigned automatically but can be updated by authorised personnel (business customer administrator, customer service, etc.). Also, customers will typically manage — to the extent permitted by the use case and required by regulations — their own identities, data, and preferences.

Within a modern CIAM solution, and in the context of collecting customer insights, these functions work together and with other systems to enable organisations to:

  • Provide levels of assurance that a user is a real person versus a bot
  • Manage customer consent and satisfy customer demands and regulatory requirements for data privacy, regardless of downstream tooling changes
  • Collect ZPD and FPD, and integrate this information with other systems for strategic and tactical decisions and experiences
  • Help create meaningful relationships with customers that evolve over time and across channels and brands under the same corporate umbrella
  • Turn anonymous user data into holistic customer profiles

With the imminent demise of third-party cookies, companies lacking a modern CIAM solution will be at a tremendous disadvantage to those who can effectively collect and leverage ZPD and FPD.

Looking ahead

If your personalisation strategy relies on third-party cookies, it's time to start shifting to other data sources. The third-party cookie is about to become a relic of the internet’s Wild West phase, when user behaviour could be easily tracked across sites, and the associated data could be cheaply and easily acquired.

By the end of 2024, companies who haven’t updated their data acquisition strategies and tooling will be playing catch-up to better-prepared competitors. Or, framed more positively, proactive companies will regard ZPD and FPD as engines of growth within a rapidly changing digital marketplace.

In short, the more authenticated customer traffic you have across your digital channels, the more reliable ZPD and FPD you can collect. Equipped with this data, and the ability to activate it, marketers will be able to trigger more effective campaigns, better personalisation and loyalty, and stronger strategic decisions, to list a few benefits.

But collecting ZPD and FPD (in a customer-friendly and legislation-compliant manner) doesn’t just happen — it takes conscientious planning and the foresight to deploy a modern CIAM solution capable of doing the heavy lifting.
