Uh, What Are Cookies Again?
Cookies are small data packets that are stored on a user’s device by websites and can perform a variety of tasks. For example, they track website interactions, save login status and personal settings such as language or design. They also allow user activities to be tracked across multiple pages and thus provide personalized advertising.
What’s the difference between first-party and third-party cookies?
Depending on the domain that sets the cookies, a distinction is made between first-party cookies and third-party cookies:
First-party cookies are set directly by and for the website the user is visiting. These cookies are allowed by default by most browsers because they improve the user experience on a particular website.
Unlike first-party cookies, third-party cookies are set by external domains. For example, if you are on diconium.com and an embedded video from youtube.com stores a cookie for this domain on your device, this is a third-party cookie. These are mainly used for tracking and targeted online advertising, as they allow users’ surfing behavior to be tracked across different websites. They are considered questionable because they allow insights into the activities of users on numerous, thematically unrelated websites.
To summarize, first-party cookies improve the user experience on a particular website, while third-party cookies are mainly aimed at tracking and advertising across multiple websites, which is highly questionable from a privacy perspective.
Data Protection and Cookies
With the introduction of the General Data Protection Regulation (GDPR) in the European Union, the data protection authorities have reacted to the uncontrolled collection of data through cookies. The GDPR, which came into force in 2018, significantly changed the handling of cookies on websites. Cookies are now more strictly regulated. Before the GDPR, many websites could set cookies without explicit consent. Now the GDPR demands:
1. clear information about cookie use.
2. explicit consent for non-essential cookies.
3. an option to withdraw consent.
The focus is particularly on third-party cookies. The aim of the GDPR is to offer users more data protection and control over their data in the digital space. Therefore, websites operating in the EU or targeting EU citizens must strictly comply with these provisions.
Browser Manufacturers and Cookies
In recent years, browser manufacturers have significantly tightened their cookie policies, driven by growing data protection and regulatory requirements such as the GDPR. While Safari and Firefox blocked third-party cookies by default early on, Chrome was long the last major browser to continue allowing them. Google repeatedly planned to phase out third-party cookies – initially for 2022, later for 2024 and 2025 – but postponed these plans multiple times and finally abandoned them in July 2024. Instead of a complete phase-out, Chrome now relies on stronger user controls: Users can decide for themselves whether to allow third-party cookies, while the “Privacy Sandbox” is being further developed in parallel as a more privacy-friendly supplement for advertising and measurement applications.
The status of the various implementations is documented at https://www.cookiestatus.com/.
The tightening of data protection guidelines by authorities and the initiatives of browser providers to strengthen user privacy have a significant impact on the quality of tracking (see Figure 1) and are forcing the industry to break new ground. One of these is cookieless tracking.

Cookieless Tracking
Cookieless tracking includes methods and techniques that collect data about users’ online behavior and activities without relying on the use of cookies. This classification often also includes methods that use cookies in a first-party context or only for a short period of time, e.g. to create a session, which is of course contradictory.
Cookieless tracking can be implemented in various ways:
Complete cookieless tracking (anonymous tracking)
Full cookieless tracking captures all website activity by default. Although no cookies are set by the tracker, traffic, marketing efficiency and user interactions can be recorded while maintaining data protection.
Cookieless tracking in combination with consented tracking
Once a user has given their consent, it is possible to switch from anonymous to consented tracking. In this case, the data collected is enriched with additional user and session information. With this approach and server-side session management, a session can also be tracked without cookies and assigned to the respective user after consent has been given.
Fingerprint
A technique that collects information about the user’s device, such as browser type, operating system, installed fonts and plugins, to uniquely identify users. Fingerprinting can be used to track users across different browsers, as it can also be based on characteristics that are device-specific. This method is therefore criticized by privacy advocates.
- Client-side fingerprinting is a method of collecting information and characteristics of the end-user device (such as browser, operating system, installed fonts and plugins) to create a unique profile or “fingerprint” of the device. This fingerprint is used to recognize the user or device on subsequent visits, even if cookies are deleted or blocked.
- Server-side fingerprinting uses specific characteristics and patterns of browser requests to recognize and track users or devices. Rather than relying directly on data submitted by the client or user device, this approach allows identification to be performed even when client-side methods are limited or unavailable.
A combination of server-side and client-side technologies is often used to optimize the identification of users. The website Am I unique lists the various methods and evaluates them using a similarity rate.
ETag tracking
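An ETag is an HTTP response header that web servers use to identify a specific version of a resource, so that browsers can check whether their cached copy is still current. It can also be used to track users, because ETag values are stored in the browser cache and sent back to the server on later requests.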
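One way to audit a site for ETag-based identification, shown as an added example that is not part of the original article: it compares first-visit responses captured from independent clean browser profiles and flags resources whose content is byte-identical but whose ETag is different for every profile. The URLs, capture records and function names are constructed for illustration.

```javascript
// Constructed sample: first-visit responses for the same URLs, captured from
// independent clean browser profiles (empty cache, no cookies).
const observations = [
  { profile: "A", url: "https://tracker.example/pixel.gif", body: "GIF89a-1x1", etag: '"u-7f3a91"' },
  { profile: "B", url: "https://tracker.example/pixel.gif", body: "GIF89a-1x1", etag: '"u-c20b5e"' },
  { profile: "C", url: "https://tracker.example/pixel.gif", body: "GIF89a-1x1", etag: '"u-19dd04"' },
  { profile: "A", url: "https://cdn.example/app.css", body: "body{margin:0}", etag: '"5d8c-a1"' },
  { profile: "B", url: "https://cdn.example/app.css", body: "body{margin:0}", etag: '"5d8c-a1"' },
  { profile: "C", url: "https://cdn.example/app.css", body: "body{margin:0}", etag: 'W/"5d8c-a1"' },
  { profile: "A", url: "https://news.example/feed", body: "headline 1", etag: '"v1"' },
  { profile: "B", url: "https://news.example/feed", body: "headline 2", etag: '"v2"' },
];

// Strip the weak-validator prefix and quotes so W/"x" and "x" compare equal.
function normalizeETag(etag) {
  return etag.replace(/^W\//, "").replace(/^"|"$/g, "");
}

// Classify each resource by how its ETag behaves across clean profiles.
function auditETags(obs, minProfiles = 3) {
  // Group by URL + body: only byte-identical responses are comparable.
  const groups = new Map();
  for (const o of obs) {
    const key = o.url + "\u0000" + o.body;
    if (!groups.has(key)) groups.set(key, { url: o.url, byProfile: new Map() });
    groups.get(key).byProfile.set(o.profile, normalizeETag(o.etag));
  }
  const findings = [];
  for (const { url, byProfile } of groups.values()) {
    if (byProfile.size < minProfiles) continue; // too few samples to judge
    const distinct = new Set(byProfile.values()).size;
    let verdict = "stable"; // same content, same validator: normal caching
    if (distinct === byProfile.size) verdict = "per-client"; // acts as an identifier
    else if (distinct > 1) verdict = "varies"; // e.g. differs per backend node
    findings.push({ url, profiles: byProfile.size, distinctETags: distinct, verdict });
  }
  return findings;
}

console.log(auditETags(observations));
```

A "varies" verdict is kept separate from "per-client" because some server setups derive ETags from node-local file metadata, which produces a few distinct values for the same content without identifying individual visitors.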
Behavior-based tracking
Behavior-based tracking analyzes user behavior, such as click patterns, scrolling behavior and keystrokes. This behavioral data can be analyzed for patterns that make a user unique.
Identity solutions
Identity solutions expand the possibilities of user identification by using both deterministic and probabilistic approaches to link user identities across a variety of channels and devices. They rely on data points such as hashed emails or anonymous identifiers to create a consistent user profile.
Conclusion
The market is looking for ways to collect data without cookies, with a focus on innovative technologies and processes to precisely determine user identities and create comprehensive profiles. Nevertheless, the issue of data protection will once again come to the fore with these new approaches. Browser manufacturers are already working on measures to restrict fingerprinting, and regulators are also viewing these practices with increasing skepticism. A new approach is therefore required.
Trust is the key!
It is important that users understand the added value they receive in return for providing their data. A well-thought-out strategy for first-party data is essential. Diconium is at your disposal as a consultant and advisor in all aspects of digital transformation and is happy to support you in the development and implementation of a comprehensive first-party data strategy.
From identity-based tracking towards behavioral data models
One promising direction in this context is to move away from purely identity-based tracking towards behavioral data models, which focus on user actions and their context rather than on persistent identifiers. Behavioral data models are mathematical or computational frameworks that analyze, predict, and optimize human or system behavior based on observed interactions. These models transform raw behavioral data such as clicks, purchases, or login patterns into actionable insights for personalization, security, and system design. Sounds interesting? Then continue reading here: Behavioral Data Models – Bridging Raw Data and Strategic Action.
Cookies are small data packets that websites store on a user’s device. They save login status, settings, or track user activities across pages for personalized advertising.
Cookieless tracking is technically feasible but not without problems: It merely replaces cookies with fingerprinting or behavioral analyses, which face the same regulatory uncertainty and are just as vulnerable under data protection law. Browsers are already blocking fingerprinting, and authorities are viewing these methods increasingly critically. In the long term, it carries high risks of legal issues and user attrition, because cookieless tracking does not automatically comply with GDPR. What matters is a valid legal basis, transparency, and data minimization. Methods like fingerprinting are generally considered processing of personal data and require consent – especially for tracking or marketing purposes. Moreover, explicit consent is generally required for non-essential tracking.