IMPLICATIONS OF COOKIE CUTTING

Research shows that 58% of users delete their cookies regularly, with 40% deleting them every month. This means that metrics relying on tracking visitors via cookies are not as reliable as people have believed. However, only 1% delete cookies set by the site itself – it is third-party cookies which people are deleting.

DOES IT MATTER?

I wanted to know how big a problem this is. This issue may not be a disaster for everyone. The degree to which cookie “cutting” is affecting web stats, and the importance of this issue for your sites depends on your visitor frequency. I had a feeling that this would vary greatly according to the type of site. My company, ThinkMetrics, is currently beta-testing a new repeat visitor analysis system, so I thought I’d turn it loose on a variety of sites and see what we could learn.

I analyzed a real estate agent, a restaurant, a site selling homeware, a tourist destination, an insurance company, an accountant, and a business services directory. As you can see these represent a broad cross-section of site types, and you’d expect different repeat visitor behavior from them. The analysis was based on visitors identified by methods other than cookies, so there was no risk of the data being skewed by cookie cutting.

The key factor to determine was the percentage of repeat visitors who has ceased to visit within a single month. It doesn’t matter if these people remove the cookie every month, they’re not coming back anyway. There was a wide variation here, as I’d expected. The insurance company had the lowest level, at 52%. This means 48% of their repeat visitors are taking more than a month to make a purchase decision. Since their system is heavily dependant on using cookies for remembering previous quotes, cookie cutting is a problem for them.

At the other extreme was the shopping mall. This site is not selling furniture and electrical goods, so people won’t visit frequently. People will comparison shop with other sites, but you’d expect a purchase decision within a few days. However, even here 25% of repeat visitors had a lifetime in excess of one month. In all the other sites, more than 25% of repeat visitors persisted for over a month. I would have expected sites like the tourist destination or restaurant to have short repeat visitor lifetimes, but that was not the case.

Not all repeat visitors are regularly cutting cookies, only 40%. If 25% of your repeat visitors are persisting for more than one month, and 40% of them are cutting cookies, 10% of your repeat visitors as being seen as newbie’s each month. And that’s probably your best case. The worst case scenario, my insurance company, is missing 1 in 5.

Or are they?

WHO CARES?

Let’s just stop for a minute and remember what Jupiter Research said – people are not cutting all cookies. Only 1% cut a cookie set by the site. People are cutting third-party cookies. If you set your own cookies, the inaccuracy introduced by cookie cutting is less than that produced by general cookie blocking.

So this is only a problem if you use analytics software running on another company’s website which sets a cookie through yours – a third-party cookie. Tracking repeat visitors by other means, acceptable for audit standards, turns out to be as accurate as third-party cookies. In some cases (such as the insurance site) it may actually be more accurate not to use persistent cookies.

You can work out this for yourself. If you are using analytics systems which set third-party cookies, determine what percentage of the repeat visitors persist for more than one month. If this percentage is above one-third, my bet is you’re better off using other techniques to track these people.

The people who are most badly affected by monthly cookie cutting are the ad-delivery networks. These are the companies placing ads in many sites, and tracking exposure to the same users across all these sites. Third-party cookies are the life-blood of these agencies, and it seems 40% of the internet population doesn’t like them.

WHY?

Just because web metrics suppliers have the ability to track people across multiple sites and build profiles about them doesn’t mean it’s a good idea to do so. If people don’t want third-party cookies, it’s not because they don’t understand how great it is to receive an ad tightly tuned to their buying patterns. As an industry we need to recognize that just because we can do something, it’s not automatic that we should.

There is a range of intelligent opinion about what is acceptable in tracking users on the web. Cookie cutting is not born of paranoia and ignorance. Let’s recognize that most internet users live outside the USA. There are legitimately vast differences in attitudes to personal privacy across the globe. In France and Germany, a citizen’s right to privacy is actually enshrined in the constitution. All Europeans have a strong desire for privacy based on a different perspective about government and commerce. Generally, Europeans distrust private companies and trust their governments – they look to their government to protect them from unrestrained capitalism.

One of the world’s most popular cookie cutting programs is Ad-Aware. This product comes from LavaSoft, a German company, and reflects the German perspective on what constitutes acceptable tracking practices. LavaSoft’s Threat Assessment Chart (http://www.lavasoftnews.com/ms/tac_main.htm) lists their criteria for blocking. A key marker for Ad-Aware is that the data gathering is done by a company the user knows nothing about.

This goes to the heart of the web. One of the key attractions about the web is the anonymity it offers (hence the popularity of porn). When I visit your site I enter into an implicit contract with you. I can see who you are and I can decide to trust you, I choose to reveal something of myself to you. This trust is essential if you want me to give you my credit card details. However, a third-party cookie is not part of that relationship. It represents a company I know nothing about. I can’t decide whether I trust it or not and yet it can see me.

The key fact from Jupiter is that people are deleting third party cookies. People don’t mind if a site they choose to visit sets a cookie. What they object to is companies they don’t know doing it without their knowledge, especially if that information is used to follow them around and snoop on them as they surf.

THE FUTURE

Many people are searching for the solution to this problem. Some people are starting to look at Flash Shared Objects, which offer cookie-like functionality. Macromedia hate the idea and have already published information on their site telling users how to disable Shared Objects. Other people have talked about the need to inform the users of the benefits of having ad delivery more tightly focused. I think that’s unlikely – when was the last time you rushed home because there was an ad on TV you didn’t want to miss?

My solution is simple – don’t do it. Let’s recognize that the internet is still new, and we’re all working out what is and isn’t acceptable. User behavior is telling us pretty clearly that third-party cookies are unacceptable. Let’s not assume our customers are ignorant. Removing cookies requires some effort and knowledge, yet 58% of users are doing it. How many of the remaining 42% would do it if they were aware of the existence of a cookie and knew how to remove it? Our market is speaking loud and clear – setting a cookie on your own site, for your own purposes, is fine. Letting someone else insert cookies silently through your site is not. Tracking users between sites is out.

Given the level of cookie-cutting, it would appear that tracking users with third party cookies is about as accurate as not using cookies anyway. The web is the ultimate democracy, and the people have already decided. Let’s accept the will of the people and move on. Set your own cookies and accept there is a limit to how much data people will let you gather about them.