• by Mitch Oscar , Op-Ed Contributor, August 25, 2009

A shy friend has written a piece about cookies that I thought merited visibility. With his consent, here it is:

Cookie, anyone? If you mention the term "cookie" to anyone outside the Internet business they will likely begin to salivate. If you mention the term "cookie" to anyone inside the Internet business they will immediately know you are referring to a small piece of information that is dropped on a user's computer by a Web site or Web server on the Internet.

The cookie began as a useful navigation tool for Web sites to store user preferences, login information or other data used by that Web site. Netscape first introduced the cookie in 1994 to enable and store user's inputs for virtual shopping carts. Since then the marketing industry has adopted the cookie as an integral part of user tracking for targeting of online advertising. To fully understand the cookie, it is critical to define the difference between "first" and "third" party cookies.

First party cookies are cookies that are dropped on a user's computer by the site they are visiting. If you visit www.amazon.com, they place a first-party cookie on your computer for auto-login next time you visit to seamlessly access preferences, shopping cart entries, profiles etc.

Third-party cookies are cookies that have been dropped on a user by someone other than the domain they are visiting. Third-party cookies enable cross-site behavioral tracking and are widely used by ad networks and exchanges. An external request from a Web site to a third party like an ad networks is common for publishers to display advertising creative from companies who specialize in ad placements. Generally third party cookies are delivered in combination with the creative....many times without the knowledge or consent of the user or publisher. With the explosion of the Internet and the rapid rise of online marketing, the cookie... mostly the third-party cookie... has come under privacy scrutiny. All new browsers have increased their security features in regards to cookies and allow users better control where and when a cookie gets dropped on their computer.

Most security and anti-virus software automatically delete third-party cookies as a security measure and many users are simply wising up and deleting unwanted cookies themselves. All this makes me wonder: Why is the Internet advertising industry so reliant on such an unstable and archaic technology? While the Internet advertising industry is heavily dependent on cookies, it's strictly taboo to actually discuss cookie blocking and deletion rates publicly. A cursory search shows several studies by prominent organizations like Nielsen and comScore that readily admit cookie deletion rates are anywhere from 31%-43%, for both first and third party cookies. All of these studies are from 2-4 years ago, prior to any advanced browser or user controls, making me believe that these numbers are likely higher now.

Many large publishers will unofficially admit that they are seeing cookie deletion rates over 40% domestically and even greater in European countries. Cookies blocking and deletion rates in Germany are estimated at well over 90%. Anyone on the ad network or exchange side of the ecosystem will quickly state the over-exaggeration of cookie deletion rates and nervously try to justify their tenuous business model that is completely reliant on third-party cookies.

The advertising industry associations and privacy groups will quickly point out that any user can opt-out of being tracked via a cookie. What I find humorous and ironic is that the opt-out of cookie tracking is via a cookie. Meaning, if I delete all of my cookies I also delete the cookies that request that I don't want be tracked by those cookies. WHAT?..... Exactly!

This is far from an exact science -- and the discussion of how, where, when and why to use cookies will likely continue to swirl inside the industry and on Capitol Hill for some time. Congress, and even the White House, is getting involved in the conversation as legislators have publically pushed industry groups to self-regulate. At the most recent OMMA Networks and Behavioral events the overarching theme for the first time was....you guessed....privacy!

The days of flying under the radar are over, and even industry figures like Dave Morgan are begging leaders to get involved in "implementing a self-regulatory framework, so that we might stave off the passage of broad and onerous new privacy laws and regulation." I find it hard to believe that any industry would self-regulate itself out of business, which likely explains why little has been done to satisfy the watchful eye of Washington.

The government easily waved their legislative wand with the Do-Not-Call list and destroyed the telemarketing industry over night. I hope it does not come to that in regards to regulating privacy online, but it is becoming increasingly clear that something needs to be done to educate and protect consumers. There are minimal alternatives to the cookie available today. Large sites like Yahoo, Microsoft and Google have the benefit of scale to use first-party cookies for tracking users across their own kingdoms. Many sites also rely on registration data to track users. However, most large marketers find registration data to be notoriously unreliable and the common deletion of first party cookies means the user must re-sign into the site for targeting to be possible.

Recent industry reports and academic research from UC Berkeley (http://www.wired.com/epicenter/2009/08/flash-cookie-researchers-spark-quantcast-change/ ) has uncovered that companies like Quantcast have been using Flash cookies for tracking. [Editor's Note: Quantcast resolved FSO cookie synchronization within 24 hours of the UC Berkeley report, and provides an overview on its blog.] Flash Cookies are different from conventional cookies because they store user information as a "local stored object" in all versions of Adobe Flash. The study showed that companies "used Flash cookies on the net's most popular websites to re-spawn traditional browser cookies after users had deleted them."

Other technology companies are contemplating the use of the Internet Protocol Address (IP Address) as a persistent and unique identifier of a consumer for behavioral and tracking purposes. The use of Flash Cookies and IP addresses are simply mechanisms to override consumer control. Even savvy Internet users who closely manage and delete unwanted cookies can't easily detect or opt out of being tracked by IP Address or Flash cookies.

Mandating user opt-in for targeting on mainstream sites is equally challenging, as publishers and networks will have to disclose their tracking practices or close off their sites until users relent. The origin of the cookie as a beneficial user navigation tool is sound. Use of the cookie by the online advertising industry, and the emerging work-arounds like Flash Cookies and IP addresses, raises serious questions about industry dependency and consumer privacy.

All this seems to indicate that we, as an industry require leadership which results in better mechanisms to protect user privacy, to foster innovation where consumer privacy is central, not an afterthought, and still allow the Internet advertising ecosystem to grow and thrive.