If you are using a modern web analytics tool (tag based or log based) it is quite likely that it is using cookies for tracking purposes.
In my conversations it is embarrassingly common to find a lot of FUD and confusion and lack of understanding (or appreciation of!) cookies and the role that they play in any analytics done on the web.
Hence my attempt at this simple easy to understand primer. If you are an Analyst or a Marketer or a Website Owner or a Website User it is critical that you read this short blog post – your data will make so much more sense after are done.
Why are cookies important?
Cookies, usually anonymously, allow the website owner to measure the number of Visits and the Unique Visitors to the website and hence understand the Customer's website experience and segment visitors that are New to the site from those that are Returning.
No more and no less.
Let's attack the rest of this complex issue in a few bite sized understandable chunks.
Transient vs. Persistent.
There are two types of cookies that the web analytics software will set when you visit a website. They are commonly called "Transient" and "Persistent" cookies. Some folks refer to them as "session" and "user" cookies respectively.
The job of the transient cookies is to help "sessionize" your experience on a website. Put simply, you are going to make a series of clicks and leave. That's a session. The transient cookie helps group those clicks efficiently.
The transient cookie is "set" when you visit the site, it disappears when you leave.
The persistent cookie is set the first time when you visit the website, and it will remain there for the duration that the website determines. For example, Analytics cookies are typically 18 months but many other tools will use anything from 18 months to 18 years. Persistent cookies are there to help identify a unique browser to your website, in as much they are the closest thing to tracking a "person" / "unique visitor".
The persistent cookie is on your browser until you either delete it, reinstall your browser or do other such things.
It is important to note that almost always persistent cookies don't contain any PII - Personally Identifiable Information - data. They just have a random string of numbers or alphabets that only the company who set the cookie can read. For example here is a cookie that Webtrends.com just set on my browser as I visited www.webtrends.com: C8ctADY1LjU3LjI0NS4xMS00MTU3MTQwMTc2LjI5OTQ0NzE5AAAAAAAAAAACAAAAo
I should see if I can mess with them by changing that cookie to COREMETRICSWILLALWAYSBEWATCHINGYOURSITE4LOVE+OMNITUREISGREATAND
First Party vs. Third Party.
A "third party" cookie is set by, well, a third party when someone visits your site. So if www.omniture.com is using WebTrends as the web analytics tool of choice then when I visit omniture.com a cookie will be set on my machine under the www.Webtrends.com domain. On omniture.com a Webtrends.com cookie is considered a third party cookie.
[Omniture.com is actually setting cookies using .2o7.net which would make them third party cookies on that domain.]
In the good old days it was easier for the web analytics vendors to use third party cookies and they were rampant. But it was discovered that there were other players using these cookies in sub optimal ways. This lead to default internet browser settings that would reject third party cookies, and many other anti spyware and malware programs auto deleting them etc etc. Suffice it to say they have fallen out of favor, and are considered quite sub optimal for tracking "unique visitors".
A "first party" cookie, hence, is set by the web analytics tool using the domain of the website itself. As an example when you visit www.coremetrics.com you'll notice (if you have WASP!) that they are setting cookies using the domain data.coremetrics.com – which makes those cookies first party.
First party cookies are the preferred tool of choice for tracking "unique visitors" because they are deleted / rejected a lot less by any objective measure. This means, for example, they are a far superior at tracking repeat visits or new and returning visitor segments etc.
Another reason first party cookies are rejected a lot less is that much of the internet does not work if you don't accept first party cookies. Email providers like hotmail (! :) or gmail.com, ecommerce websites like amazon.com or crutchfield.com, banks, even blogging platforms! They all require you to accept first party cookies.
Almost every single decent web analytics vendor now provides an easy ability for you to use first party cookies. Some like Google Analytics only offer the option of having first party cookies.
If you notice some initial push back from your vendor to use the easier-for-them third party option, do a little push back of your own. Insist on first party. Its good for your health.
Exception for Third Party Cookies.
There are some relevant uses of third party cookies. One of the most common is by ad serving platforms because that is the only way they can track a "unique visitor" across multiple websites. So even if that third party cookie gets blown away and rejected a lot more, they (you) really don't have much of a choice. That's just how the internet protocols work.
Here's a example of how that works.
We saw that omniture.com is using .2o7.net third party cookies. After going to omniture.com I could go to ebay.com and then to nytimes.com. .2o7.net knows that I was at the Omniture site a little while back and then I went to eBay and then NYTimes.
Now as I am reading the latest Maureen Dowd column .2o7.net (if it was a ad serving platform) could serve me a ad for Omniture next to the Maureen Dowd column. Knowing I also went to eBay they could even give me a deal on Omniture in that ad! : )
This is of course just one example to illustrate the use of a third party cookie and why Atlas and DoubleClick and Yahoo and all the others use them (and provide value to their customers).
First party cookies can't be "read" and "carried over" like the above scenario.
Does my choice (1st or 3rd) influence where my data is stored?
The type of web analytics software you use determines that.
If you are using a ASP based solution (say NetInsight or Microsoft AdCenter Analytics or VisiStat) then both your first party or third party cookie data is stored in the data center of your application service provider (vendor).
Cookie Deletion Rates.
It is important to remember cookie rejection is not the same as deletion. With rejection you don't even accept (worsens tracking). With deletion you collect data for the session (visit) but tracking after that visit worsens.
Everyone wants to know cookie deletion rates ("help my web analytics data is crap!"). There is no "global standard". Sadly I have never seen a study that was objective and not pushing the vested interests of the publisher (be it a company or a "analyst").
It is also extremely extremely difficult for a "third party" to have the kind of access required to actual data that would help them develop anything close to a objective "standard".
The biggest determining factors are your customers and their browser settings and software on their computer. And that can vary greatly from site to site.
My own personal experience across a number of ecommerce, support, and other corporate sites (excepting extremely "tech heavy audience" sites) has helped me come up with a "benchmark" of cookie deletion rates of 3% to 5% for first party cookies and 20% to 25% for third party cookies. They all tend to fall in that range.
If you want to know what the number is for you, I recommend putting in the sweat, blood and tears to measure it on your actual site. If it is important to you, it is important that you don't just take someone's word for it and proceed to evaluate your own web analytics data and get your own benchmark. I assure you that you are unique.
You won't be able to measure some of the above Key Performance Indicators, but you can still get good value from the cookie-less data that you do collect. Top Visited Pages, Revenue, Referring Websites (URL's), Search Engine Keywords and on and on and on.
The data won't be perfect but then again perfection is greatly overrated! (Chapter 13, Page 341 of my book.)
There are analytics tools that allow you to use alternatives to cookies to compute Visits and Visitors. You can use user_agent_id's, combination of browser_id and operating system etc. See if your Management or Customers are ok with that. If yes, use those. If not, to stress again, the data you collect, anonymously, can still reveal insights of value.
Is privacy important?
I know that sounds like the most obvious question in the world, with the most obvious answer in the world.
Yes. It is.
Be transparent, there are few things more important than the trust of your customers.
Besides as I have stressed several times, even with what data you can collect (say you just have your raw server web logs and nothing else) it is possible to find insights. Nothing's impossible for a Analysis Ninja!
You are now a graduate of Cookies 301. May the force be with you!
I would love to hear your feedback on this delightful and often beguiling topic. What do you think of cookies? What has worked for you? What did not? How have you overcome obstacles? Any tips for the rest of us?
I am sure you have stories you can't wait to share. Please do.
Couple other related posts you might find interesting: