28. December 2021

5 tools to audit your reliance on third party cookies.

How to analyse your own and your competitors' website to prepare for the cookieless era.

Introduction

A lot of excitement around the 3rd party cookie arose in 2021. The phase-out of supporting 3rd party cookies by Chrome was announced to start in 2022. Then it was postponed until the end of 2023.

By now, everyone should understand that there is a need for action. The best starting point is to evaluate how many cookies we are talking about. And since we live in a world where competition is fierce: do you even know how many cookies and tools your competitors use? Are they already solving their 3rd party cookie dependence? Or are they facing a problem you can benefit from?

In this blog article, I am going to introduce some cool free tools to use to get a great overview of your potential “cookie dilemma”. Let’s jump right in.  

The Markup Blacklight

Blacklighta real-time website privacy inspector – scans a website and reveals the specific user-tracking technologies on the site – and who is getting the data. 

Blacklight visits a website with a headless browser, running custom software built by Surya Matta. The browser emulates an iPhone, so the server loads the mobile version of the site. It visits the home page and a randomly selected page.

For detecting 3rd party cookies, Blacklight monitors network requests for the “Set-Cookie” header and observes all domains that set cookies with the document.cookie javascript property. Blacklight identifies third-party cookies as those whose domains do not match the domain of the visited website. Blacklight looks for these third-party domains in DuckDuckGo‘s tracker radar data to find out who owns them, how common they are and what kind of services they offer.

Example of scan for ibs.it. There is more info available once you fold out the findings. For example, the ad trackers found on this website are scripts belonging to Alphabet, Inc., Microsoft Corporation and Quantcast Corporation.

Page X-Ray

Agustin Fou is a well-known cybersecurity and anti-ad fraud consultant. He has been in marketing for 25 years and now helps marketers audit their digital campaigns for ad fraud and optimize campaigns based on accurate analytics. On his website Fou Analytics, he has published an analyzing tool to detect the trackers and time needed for the requests that are made. After an X-Ray you’ll know the amount of ad server requests, tracking requests and the time needed to load them all. The fun part is, that you can even simulate the request timing.

An example from marca.com, where the blue offsprings are the ad server requests and the orange offsprings are the tracking requests. On the website itself, you can zoom in on the visualization, so you can see which ad servers and tracking requests are made.

Tracking the Trackers

Sometimes it is all not what it seems to be. Tracking The Trackers, built by NextDNS, developed a tool to check if a website is disguising third party trackers as first-party trackers. 

NextDNS found that tracking companies disguised their third-party trackers as first-party trackers to circumvent browser restrictions and other privacy-protection tools. This method is called CNAME cloaking, and the cloaking is not obvious unless you know where to look. With Tracking The Trackers, you can now see if this is the case.

After analyzing Bol.com it seems that there are trackers present that are disguising themselves.

PageSpeed Insights

This tool is provided by Google with the intent to help developers take advantage of the latest modern technologies to build user experiences for everyone. The PageSpeed Insights are so intuitive, that you don’t need to be a developer to understand what is happening on a website.

By entering a website URL, a performance analysis starts to run. A result will be shown on how long it takes for things to load. If you want to understand the FCP, LCP, FID and CLS as a measurement better, you simply click on the link, and you are directed to a blog article explaining it all.

Most interesting here is to scroll down a bit until you see ‘View Treemap’ as a clickable item.

Once you have clicked here, a Lighthouse Treemap is presented, where you can learn more about all the scripts that are loaded and how big they are.

The Treemap from fnac.com. Here you can see, that e.g. Kameleoon, an A/B Testing Tool, is in place.

Cookiebot report

Check if a website’s use of cookies and online tracking is compliant with GDPR and the ePrivacy Directive (ePR). Cookiebot offers you the possibility to receive an extended report in which you can see what data a website collects and shares with 3rd parties.

Once you have filled out the website in the designated box, you’ll receive an e-mail with a short summary and a PDF with the complete findings. It reveals which cookies are in use, what their lifetime is and which of them send data, f.e. to the US or if data transfer is blocked till the user has given consent.

The results for ibs.it. Cookiebot identified 39 cookies in total. For several cookies, data is sent to the US and/or data is collected before the user has given consent.

In conclusion

There are many more tools available to learn about the your “cookieless” readiness (in comparison to your competitors). As we transition into 2022, we will see a lot of change as serious and digital-focused companies move away from 3rd party cookies and increasingly adopt server-side tracking and tagging technologies. This is not a matter of if, but when. 

So, what did your analysis show? How dependent are you on 3rd party cookies? Does your situation look similar to your competitors, or are they moving ahead?

I recommend doing the analysis on a regular basis. Save the gathered data and track how you and your competitors are mastering the end of 3rd party cookies. It will be critical for your future competitiveness.