October 10, 2017

The ability of web users to opt out of being tracked threatens analytics data. But, the entire discipline of web analytics is premised on cookies working. So, what next?

The ability of web users to opt out of being tracked threatens analytics data. This is what happens when a user's browser rejects cookies that are set by an analytics vendor, such as Omniture and Google Analytics. The entire discipline of web analytics is premised on cookies working.

Today, I spent some time analysing web and mobile applications to understand their SiteCatalyst implementations and effectiveness. Companies with first-party cookies (Set A) had rejection rates between 1 and 5 percent. This is quite low and what I'd expect, as many websites — notably e-commerce sites — require first-party cookies to function. Companies with third-party cookies (Set B) had rejection rates between 15 percent and 20 percent.

The most interesting finding was the growth in the rejection rate for Set B. The cookie rejection rate for set B increased from 15.4 percent to 21.2 percent from October 2012 to August 2015.

Efforts towards greater consumer privacy have moved browser security increasingly towards third-party cookie rejection. One force behind the growing divide in the first party vs. third party cookie acceptance is the rise in mobile web usage.

In particular, the Safari browser — the default browser for Macs and iPhones — is the only major browser to reject third-party cookies by default. This has material implications for any website with substantial mobile traffic. As users become increasingly comfortable with browsing on mobile devices — smartphones and tablets — expect the gap between first party and third party cookie rejection to grow.

What I observed was quite surprising. 30-35% of web applications are using s_code version lesser than H.25 and fails to take advantage of first-party cookie (s_fid) set by js code while using a third-party cookie.In analytics world, cookies are used to track and count unique visitors.

But, before we move ahead let's understand first-party cookies and third-party cookies. First party cookies are set by the same domain as the page the user is currently viewing. Third party cookies are set by a domain different from the page the user is currently viewing. As browsers add features to support greater Internet privacy, the acceptance of third-party cookies is diminishing.

However, Adobe uses a fallback method to determine a unique visitor when cookies are rejected. The fallback method varies depending on the analytics code version implemented on your website. Broadly speaking, there are three possible fallback methods, the original method using IP address and user agent string, the new fallback method using the s_fid first party cookie, and the option to use a true first party cookie.

As we speak of fallback methods... it's important to know their impacts too. I have listed a below.

1. Third Party Cookie – Original Fallback Method:

All code versions previous to H.25.3 use the original fallback method to handle cookie rejection. When a third party or first party cookie is rejected by the browser, Adobe uses a combination of user's IP address and the user agent string to identify visitors.

Impact:

• Multiple users may be counted as a single visitor: If two users are on the same network and use the same browser, which rejects third-party cookies, then both users will appear to have the same IP address and potentially the same user agent string, resulting in two separate users being counted as a single visitor
• A single visitor may be counted multiple times: If a user's IP address changes halfway through the visit or the user agent changes in the future, a new visit and visitor will be counted as the same user.

2. Third Party Cookie – New (s_fid) Fallback Method:

For analytics code versions from H.25.3 onwards, the code contains a new fallback visitor identification method. If the visitor id cookie is rejected, the code will set a first party cookie using the site's current domain. The new first-party cookie, s_fid, is created and set to a randomly generated unique ID with an expiration of two years. If a s_fid, first-party cookie cannot be set, then the Adobe solution will use the original fallback method of IP address and user agent combination.

Impact:

• Visitor accuracy matches true first-party cookies: This solution sets a first party cookie and its rejection rate is as low as any first party cookie implementation
• Visitor Uniqueness: The methodology used to generate the s_fid value does not guarantee a unique value for each visitor. Factors that impact uniqueness include the volume of s_fid values set across the site and the number of concurrent hits from visitors who arrive at the same millisecond. It's important to note that the odds of this are very low, and you shouldn't notice an even remotely significant difference between visitor counts using this methodology and using CNAME first-party cookies.
• The decrease in visitors after code update: If you update your analytics code to H.25.3 or higher, you may see an overall decrease in your visitor count because of the decrease in overall cookie rejection.

3. First Party Cookie:

For all versions of the analytics code, first-party cookie tracking is the recommended approach. First party cookie implementations provide the most accurate count of visitors because of the very low cookie rejection rate, as well as the guarantee of a unique and persistent visitor id value.

Impact:

• The decrease in visitors after update from the original: If you choose to move from the original fallback method to the first-party cookie, you will see an overall decrease in unique visitor count but resulting in a more accurate report
• Increase in visitors after update from s_fid: If you choose to move from the s_fid fallback method to a true first-party cookie, during the transition phase you will see an increase in visitor count because Adobe will disregard the s_fid value and instead set a new cookie value resulting in visitors being recounted

Again, Adobe's recommends to always use first-party cookie tracking. First party cookies will always give you the most accurate visitor count. However, if you need to use third-party cookies, the new s_fid fallback method will provide you with a good degree of accuracy.

Now that you know how each method works, figure out which approach best meets your needs to be a profitable business.

Reference: Visits and Visitors; Cookies