First-Party Consent Can Replace Third-Party Cookies

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Manny Puentes, founder and CEO at Rebel AI.

Google’s recent decision to deprecate third-party cookies on Chrome will severely cripple browser-based targeting, cross-site tracking, frequency capping and retargeting. Ad platforms will be blind outside of the contextual attributes passed in any opportunity to serve an ad.

Third-party cookies have been an anonymous, necessary evil to deliver highly targeted ads. Though third-party cookies are discussed in terms of consumer privacy, the third-party cookie itself is actually completely anonymous. Platforms can’t determine who you are based on the generated ID representing your device. Real privacy concerns start to proliferate when you mix third-party cookies with form data, such as email, first name and last name, and send that data along with a cookie.

If you extrapolate this use case and allow for that same ID to persist from site to site, data platforms can get smarter about your behavior and interests.

Email won’t save us

Any ID, cookie or otherwise, that can eventually be tied to form-data/PII will become a privacy issue. In light of the coming changes to Chrome, some companies have announced they will use email or other types of identifiers to replace some of the consumer targeting that will be lost.

Some platforms are proposing email as the Rosetta stone to “anonymously” identify the consumer. Let’s take cross-site tracking as an example. If platforms are left with first-party cookies, all of the data will be siloed by site. That means the consumer will have a different first-party cookie ID from site to site as they surf the internet. In this new paradigm, email will be used as the key to stitch the data together to reveal behavior and interests, same as before, except with strong standardized joining criteria for offline data.

Email represents another ID tied to the consumer vs. the device, and is even more intrusive. With this change, consumers can further be tied to offline data, such as home refinancing applications or store visits if they gave their email to receive digital receipts.

Yes, I know it’s hashed and “anonymous,” and can’t be reverse-engineered. But an entity with raw consumer data and consumer emails can continue to link form-data/PII, therefore identifying the consumer all over again.

The problem isn’t a technical one. The industry will eventually figure out a way to technically track consumers. The real challenge is abiding by the emerging policy, legislation and regulation requirements that dictate what consumer data companies can and cannot collect.

The consent solution

Sites are highly dependent on the first-party cookie, and as the industry transitions to using first-party cookies to target advertising, consent becomes a more controllable asset. This is a new opportunity for consent platforms to provide the gateway to ensure that the needs of consumers and the ad ecosystem are met.

Consent platforms have come a long way in establishing a strong foundation to protect the consumer. As an industry, we are finally giving consumers the ability and opportunity to not be tracked.

In tandem with these platforms, there’s technically still a way to use first-party cookies for cross-site tracking, frequency capping, targeting and retargeting without the need of a hashed email to keep the ID anonymous without using PII.

Let’s say I browse to, receive a prompt to allow cookies, and I hit “Allow.” If the consent platform took the “” location in the browser and reset the location to point to “,” it would allow a first-party cookie to be set on “” If would immediately redirect back with “,” it would allow for the first-party cookie to be read off of the URL set on “” with the key of “opt_in” and the value of 123.

This technical workflow would allow for subsequent calls, if they had JavaScript on to query for “opt_in” and pass the value to ad platforms on the URL, along with any metadata appended as a query string parameter to reenable targeting and cross-site tracking. The redirect in this use case, after you hit “Allow,” would give back the same ID on “” any time the consumer allows cookies for tracking.

Click here to enlarge graphic.

For this to work, standards and specifications will be paramount, and the IAB must play a crucial role in standardizing the first-party cookie workflow outlined above. For example, we would need the key for the first-party cookie to retain a unique standardized name so that platforms that are interested in passing the ID (opt_id=123) know what key to query on the first-party cookie.

An open consortium would also be needed to manage and own the “” domain, the services required to apply the redirect and the open-sourced JavaScript to set first-party cookies off of the URL to later be queried by other platforms.

The aforementioned workflow would only activate after hitting “Allow Cookies” on a consent platform. As you can see, the ecosystem would share the same ID when targeting and tracking, granting the consumer more control over consent and providing the road map for a safer consumer experience.

There will always be a workaround to track the consumer. While the industry is fretting about the death of the third-party cookie, the real problem is not a technical one. The issue remains what we are legally able to collect on the consumer while adhering to evolving standards surrounding consent and privacy.

We should also be looking at the data that Facebook and Google are collecting. In-home devices, Gmail, Google Documents, Google Maps, Search and Google Apps are all collecting data on a first-party basis, and killing the third-party cookie will do absolutely nothing to stop them from collecting data and monopolizing the advertising market. In fact, it’s empowered their initiatives.

I’m optimistic about the long-term opportunities that this change heralds. The third-party cookie was messy for reasons not related to privacy. Though Google and other industry giants have given themselves an advantage, this change will spur the rest of the industry to innovate, creating new solutions to compensate for the changing environment. The death of the third-party cookie truly empowers us all to come together and build a seamless environment that adheres to privacy controls managed by one ID that represents a consumer and their consent.

Follow Manny Puentes (@epuentes), Rebel AI (@Rebel_AI_) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Hey, to my knowledge Safari’s ITP already protects against this kind of cross-site tracking and would delete all data.

  2. Hi Dirk, I sincerely appreciate the engagement and thank you for the question as it helps with the overall goal of the article to push our industry forward. If you try this link:, you can see it sets the cookie across all browsers including Safari. With that said, in Safari, if you’re classified as a cross-site tracker domain, you will have a maximum lifetime associated to the first-party cookie and they later expanded that method to localstorage.

    The idea was to raise awareness that you can still use first-party cookie for cross-site tracking, retargeting, and frequency capping etc. on Chrome, Firefox, and Safari (limited). We are better served to create a standard that’s acceptable by adhering to the guidelines and principles of consent and privacy.

    The consent solution described in the article was outlining a framework to address the following issues while making a case for Safari to not classify the optin[dot]com domain as a cross-site tracker for the following reasons:

    1. Using first-party and the same ID across the ad ecosystem would provide a way to provide cascading deletes if a user opts out of being tracked.
    2. The optin[dot]com domain would be a portal for the consumer to visit to get a better idea of what’s being tracked. Given that all platforms across the ad ecosystem use the same ID, it serves as a foundation for all companies to submit their tracking data. This serves as a portal for the consumer to opt out of opt-in and therefore shouldn’t be classified as a cross-tracking malicious domain.
    3. It would give the publisher selective access as to what scripts / companies are allowed to sync IDs on their behalf.
    4. Consent Platforms would have a controllable asset to work with to protect the consumer.
    5. This gives the consumer granular control on a site-by-site basis as to how they share their data as intended when they choose “Allow Cookies”

  3. If I delete my first party cookies, will a new ID be issued from optin?