Call it a browser cookie, a web cookie, an HTTP cookie—it’s all the same thing, just a small text file, not even executable code. A cookie takes the form of a name-value pair (e.g. name=value). Originally designed to recall information like logins, form data and shopping cart contents, they’ve been a core component of digital advertising since the ’90s. The industry has historically relied on cookies to do audience targeting, determine which creative to serve, handle frequency capping and perform many other functions.
When a user visits a website for the first time (or the first time since the user has cleared their browser history), the site sends a cookie to the user, and it’s stored on their device by the browser. As such, cookies are browser-specific, so if you’re running Chrome on one device and Firefox on another, you’re dealing with two different sets of cookies. When the user returns to that site, the site reads their cookie, matches the user’s browser to the identification number stored in the cookie file, and may then edit the identifier to reflect information about the user’s behavior during that current visit. That information goes into additional name/value pairs in the cookie. All of this can help customize a user’s experiences on the site to their own preferences, and it can tell the site when it is or isn’t acceptable to send the user secure information.
A first-party cookie will share a domain attribute with the domain the user sees in their address bar. A third-party cookie will have a different domain attribute than whatever is in the browser address bar. Third-party cookies are used in content that comes to a website from an outside source, like an ad server, which allows advertisers to track information about a user’s browsing behavior around the web. In order to understand that two cookies from two domains pertain to the same user, those cookies need to be synced.
Session cookies are temporary, and last only as long as a user’s browser session does—while they don’t expire, they’re automatically deleted when the user closes the browser or leaves the site. Persistent cookies will remain in the browser beyond a single session, but they expire at a set time, usually no later than a few months out—the data will get old and become less useful beyond that point. Many users regularly clear their history, too, which flushes out any persistent cookies regardless.
One more thing about cookies: The oft-repeated line about cookies in mobile is that “cookies don’t work in mobile,” which is and isn’t true. More accurately, Safari comes with third-party cookies disabled by default, and apps generally don’t share user data with other apps. Those limitations (plus the fact that cookies really don’t work with connected TVs) have driven many players in the ad ecosystem to lean on alternate identifiers for users.
First-Party Data Playbook (2015)
State of the Cookie (2013)