Following the privacy turmoil, all browsers are starting to revamp their approach to their customer’s data and implement stricter rules for cookies and for businesses that use cross-tracking. Privacy, transparency, choice, control seem to be the biggest buzzwords, and they all converge towards the same goal: increased user privacy.


It all started with Safari 12.1 (Released March 25, 2019), which included an updated version of Intelligent Tracking Prevention (ITP 2.1). With the new update, Apple aims to further reduce a company’s ability to track users across website visits.


The ability to fetch resources such as images or scripts from different domains is one of the most powerful web features, commonly referred to as cross-origin or cross-site loading. However, the same feature also enables cross-site tracking of users using first or third party cookies, which could be a privacy concern.


You can check here how the new ITP impacts Google and Adobe platforms and data in general.


Following in Safari’s footsteps, Firefox and Chrome also announced new rules for cookies, but it is yet to come into light exactly how cookies will change.


But what exactly is a cookie, what is it used for and how can users and companies profit from using it?


What is a cookie?


A cookie is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing.


Originally, cookies were designed to be a reliable mechanism for websites to remember useful information.  They are essential to the web browsing experience, helping you easily navigate through web apps, saving time and enhancing the overall user journey.


Without a cookie, when a web server has sent a web page to a browser, the connection is shut down, and the server forgets everything about the user. Cookies were invented to solve the problem “how to remember information about the user”.


By using cookies, digital properties are able to keep you logged into their web apps, such as email or different accounts, save credit card information, shipping addresses, remember passwords, or simply remember your website preferences. They can also be used to record the user’s browsing activity, including clicking particular buttons, logging in, or recording which pages were visited in the past, etc.


However, this also means they can be used to intrusively track your browser activity, not only for delivering relevant ads or content.


For example, when users clear all their cookies, they are also logged out of all sites and their online preferences are reset. This is one of the reasons why tools or solutions that block cookies negatively impact the experience we know today.


At the same time, heuristic-based approaches such as those where the browser guesses at a cookie’s purpose, make the web an unpredictable environment for developers.


The tracking cookies, and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories, which became a potential privacy concern that prompted both European and U.S. lawmakers to take action. European law requires that all websites targeting European Union member states gain “informed consent” from users before storing non-essential cookies on their device, and prompted the enforcement of the new GDPR – General Data Protection Regulation.


How to create a cookie and how you can profit from using it


There are several ways in which you can create a cookie. With ITP 2.1, all cookies created client-side via JavaScript’s document.cookie method, whether first-party or third-party, are capped to a seven-day expiration. Cookies that are created server-side using the HTTP header are not impacted.


The most common way to create cookies is through JavaScript. Developers can create, read, and delete cookies with the JavaScript document.cookie property.


A cookie would be created with a simple line of code:


Document.cookie = “username=Sebastian Stan”;


By choosing this method, you can also add an expiry date (in UTC time), therefore increasing the number of days a cookie can remain active before it refreshes. By default, the cookie is deleted when the browser is closed.


document.cookie = “username= Sebastian Stan; expires=Sat, 25 May 2019 12:00:00 UTC”;


Also, via a path parameter, you can inform the browser what path the cookie belongs to. By default, the cookie belongs to the current page.


document.cookie = “username=Sebastian Stan; expires=Sat, 25 May 2019 12:00:00 UTC; path=/”;


Types of cookies


  1. Session cookie


A session cookie exists only in temporary memory while the user navigates a website. Normally, browsers delete session cookies when the user closes the browsers. These cookies do not have an expiration date assigned to them.


  1. Persistent cookie


Instead of expiring when the web browser is closed as session cookies do, a persistent cookie expires at a specific date or after a specific length of time. This means that, for the cookie’s entire lifespan (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an ad).


This is the reason why persistent cookies are referred to as tracking cookies because they can be used by advertisers to record information about a user’s web browsing activity over an extended period of time. However, they are also used for “legitimate” reasons (such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit).


  1. Secure cookie


A secure cookie can only be transmitted over an encrypted connection, such as HTTPS. They cannot be transmitted over unencrypted connections like HTTP. This makes the cookie less likely to be exposed to cookie theft via eavesdropping. A cookie is made secure by adding the Secure flag to the cookie.


  1. Http-only cookie


An http-only cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting. However, the cookie remains vulnerable to cross-site tracing and cross-site request forgery (XSRF) attacks. A cookie is given this characteristic by adding the HttpOnly flag to the cookie.


  1. Same-site cookie


In 2016 Google Chrome version 51 introduced a new kind of cookie, the same-site cookie, which can only be sent in requests originating from the same origin as the target domain. This restriction mitigates attacks such as cross-site request forgery.


  1. Third-party cookie


Normally, a cookie’s domain attribute will match the domain that is shown in the web browser’s address bar. This is called a first-party cookie. A third-party cookie, however, belongs to a domain different from the one shown in the address bar.


This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. This opens up the potential for tracking the user’s browsing history and is often used by advertisers in an effort to serve relevant advertisements to each user.


As an example, suppose a user visits This website contains an advertisement from, which, when downloaded, sets a cookie belonging to the advertisement’s domain ( Then, the user visits another website,, which also contains an advertisement from and sets a cookie belonging to that domain (


Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser.


What should analysts expect from the new changes?


One important impact that people may see in the short term is the increase of unique users coming from Safari browsers to their websites since the expiration window was shortened to seven days. It is important to note that page views should not be affected by the change. ‘


Advertising campaigns are also likely to take a major hit. If a user does not revisit the site within 7 days since its last visit (in order to refresh the cookie), even if it will come back later, it cannot be attributed to the advertising campaign.


Remember that first-party cookies which are created through document.cookie are affected by the change. If you build any of the cookies via server-side HTTP response or using CNAME certification, those will not be affected by the new changes.


It is important to know what kind of traffic you have. This change will not equally affect all types of traffic. Seasonal traffic, such as tax services or holiday retail, will be more affected by the change since the time period between two sessions for the same user is usually significantly greater than 7 days.


To see the impact of this, let’s take an example: a user came to your website from a paid social campaign, read your content or interacted with your platform and left, without completing any goal, Before ITP 2.1, if the same user returned 8 days later and completed a goal, the whole journey could be visible and you could attribute the interactions to the paid campaign. Now, you won’t be able to track the user back to the original paid campaign. This will greatly alter campaign results for users who do not interact with your digital property more than once within a 7-days time frame.  


About the author

Sebastian Stan

Sebastian is a journalist and digital strategist with years of experience in the news industry, social media, content creation and management, and digital analytics.

eBook: Understand Your Customers

Cognetik eBook: Guide to User Journey Analysis


Related Articles