cookies localstorage ads and gdpr

February 1, 2024

© 2024 borui. All rights reserved. This content may be freely reproduced, displayed, modified, or distributed with proper attribution to borui and a link to the article: borui(2024-02-01 13:43:26 +0000). cookies localstorage ads and gdpr. https://borui/blog/2024-02-01-en-cookie-localstorage-ads-and-gdpr.
@misc{
  borui2024,
  author = {borui},
  title = {cookies localstorage ads and gdpr},
  year = {2024},
  publisher = {borui's blog},
  journal = {borui's blog},
  url={https://borui/blog/2024-02-01-en-cookie-localstorage-ads-and-gdpr}
}

What are cookies?

Cookies are tiny text files that are stored on a user's browser. Most cookies contain a unique identifier called a cookie ID: a string of characters that websites and servers associate with the browser on which the cookie is stored. This allows websites and servers to distinguish the browser from other browsers that store different cookies, and to recognize each browser by its unique cookie ID.

When does AdSense send cookies to a browser?

AdSense sends a cookie to the user's browser after any impression, click, or other activity that results in a call to our servers. If the browser accepts the cookie, the cookie is stored on the browser.

Most commonly, AdSense sends a cookie to the browser when a user visits a page that shows Google ads. Pages with Google ads include ad tags that instruct browsers to request ad content from our servers. When the server delivers the ad content, it also sends a cookie. But a page doesn’t have to show Google ads for this to happen; it just needs to include our ad tags, which might load a click tracker or impression pixel instead.

📓 Note: an impression pixel is normally a PNG with only 1 transparent pixel. Whenever it is retrieved from the server, the server sends cookies along with it using the Set-Cookie header. The image request can also carry cookies that are already stored.

  1. How AdSense uses cookies. (n.d.). Google Adsense Help. Retrieved February 1, 2024, from https://support.google.com/adsense/answer/7549925?hl=en

An example of part of the contents of a site's Marketing cookies

| Cookie name | Cookie expiration | Domain | Provider | Cookie purpose |
|---|---|---|---|---|
| _fbc | Session | .eset.com | Facebook, Inc. | This cookie is used by Facebook for advertising purposes and conversion tracking. |
| _fbp | 3 months | .eset.com | Facebook, Inc. | This cookie is used by Facebook for advertising purposes and conversion tracking. |
| fr | 3 months | .facebook.com | Facebook, Inc. | This cookie is used in the targeting of Facebook adverts. |
| bcookie | 2 years | .linkedin.com | LinkedIn | Cookie from LinkedIn used by share buttons and advertising tags. Uniquely identify devices accessing LinkedIn to detect abuse on the platform |
| bscookie | 2 years | www.linkedin.com | LinkedIn | Cookie from LinkedIn used by share buttons and advertising tags. Used for remembering that a logged in user is verified by two factor authentication. |

  1. Cookie Policy. (n.d.). ESET. Retrieved February 1, 2024, from https://help.eset.com/cookie-policy/

gtag.js cookies

The following table describes each cookie set by gtag.js. To learn more about the data that Analytics collects, see Safeguarding your data.

| Cookie name | Default expiration time | Description |
|---|---|---|
| _ga | 2 years | Used to distinguish users. |
| _ga_<container-id> | 2 years | Used to persist session state. |

  1. Cookie usage on websites. (n.d.). Google. Retrieved February 1, 2024, from https://support.google.com/analytics/answer/11397207?hl=en

An example of some of the information that might be included in cookies:

For example, cookies from Taobao (an e-commerce site) can contain the following attributes:

  • serach_radio_all
  • GongYingLianDIsts
  • list_model
  • isp4p
  • item_click_form

The corresponding values for those attributes:

  • You opened Taobao
  • You searched for backpacks on Taobao homepage
  • You clicked on a backpack on the first page
  • You just looked at it and didn’t buy it ......
  1. 微医前端团队. (11 Jan, 2022.). 广告是如何跟踪我们的?所有关于 cookie. 稀土掘金. [Blog post]. Retrieved February 1, 2024, from https://juejin.cn/post/7052507369690890270

Preparing for the end of third-party cookies

Because of increasing privacy concerns about cookie usage, cookies are becoming more restricted.

Quote from Google developers:

If your site uses third-party cookies, it's time to take action as we approach their deprecation. To facilitate testing, Chrome has restricted third-party cookies for 1% of users from January 4th, 2024. Chrome plans to ramp up third-party cookie restrictions to 100% of users from Q3 2024, subject to addressing any remaining competition concerns of the UK's Competition and Markets Authority.
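To find out which responses on a page still rely on third-party cookies, including impression pixels like the one described in the note earlier, a site owner can audit the recorded responses. The following is an added example, not code from any of the quoted sources; the sample responses are constructed, and `siteOf()` and the 200-byte pixel threshold are simplifying assumptions.

```javascript
// Added example: audit of responses recorded while loading one page.
// RESPONSES is constructed sample data, not real traffic.
const RESPONSES = [
  { url: "https://www.shop.example/index.html", contentType: "text/html", bytes: 18432,
    setCookie: ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"] },
  { url: "https://ads.tracker.example/pixel.png?e=impression", contentType: "image/png", bytes: 68,
    setCookie: ["uid=7f3c9a; Max-Age=63072000; Domain=.tracker.example; Secure; SameSite=None"] },
  { url: "https://cdn.shop.example/logo.png", contentType: "image/png", bytes: 5210, setCookie: [] },
];

// Assumption: the site is the last two host labels. A production audit
// should use the Public Suffix List instead (this is wrong for e.g. co.uk).
function siteOf(host) { return host.split(".").slice(-2).join("."); }

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure) become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Report every cookie set by a response from a different site than the page.
function auditThirdPartyCookies(pageUrl, responses) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    if (siteOf(host) === pageSite) continue; // first-party response
    for (const c of r.setCookie.map(parseSetCookie).filter(Boolean)) {
      findings.push({
        host, name: c.name,
        lifetimeDays: Math.round(Number(c.attrs["max-age"] || 0) / 86400),
        // Tiny image plus Set-Cookie is the impression-pixel pattern.
        likelyPixel: r.contentType.startsWith("image/") && r.bytes < 200,
        // Only SameSite=None; Secure cookies are sent in cross-site requests.
        crossSiteSendable: c.attrs.samesite === "None" && c.attrs.secure === true,
      });
    }
  }
  return findings;
}
```

Cookies reported with `crossSiteSendable: true` are the ones affected when the browser restricts third-party cookies.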

gdpr

GDPR is not only applicable to cookies but to any form of storage for identifiers, such as localStorage.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

  1. Cookies and the GDPR. GDPR.EU. Retrieved February 1, 2024, from https://gdpr.eu/cookies/

technical concerns

localStorage is more restricted by the browser.

Access to data stored in the browser such as Web Storage and IndexedDB are separated by origin. Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin.

  1. Same-origin_policy#cross-origin_data_storage_access. (n.d.). MDN docs. Retrieved February 1, 2024, from https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access

localStorage also can't be set from the server side the way cookies can with Set-Cookie, and it is not automatically sent to the server with requests.

To achieve cross-domain localStorage, we have to perform hacks with an iframe and the Publish-Subscribe model.


This code is in JavaScript and HTML so that it can be used in any JavaScript framework and HTML website. I have used this in a combination of WordPress and Angular project.

Consider we have two domains, example.com and example2.com.

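Step 1: Add the postCrossDomainMessage function to the landing page, such as index.html

    // www.example.com/index.html (place this script after the iframe tag from Step 2)
    function postCrossDomainMessage(msg) {
        var win = document.getElementById('ifr').contentWindow;
        // targetOrigin must be the origin of the iframe document, not of this page
        win.postMessage(msg, "http://www.example2.com");
    }
    // serialize the message: localStorage on the receiving side only stores strings
    var postMsg = JSON.stringify({"login": "user"}); // this is just an example
    // wait until the iframe has loaded, otherwise its message listener is not registered yet
    document.getElementById('ifr').addEventListener('load', function() {
        postCrossDomainMessage(postMsg);
    });

Step 2: Add the iframe tag to the landing page, where it is reflected everywhere. For Angular/React you can add it in index.html

    <iframe style="display:none;" src="http://www.example2.com/getlocalstorage.html" id="ifr"></iframe>

Step 3: On the recipient domain www.example2.com, create a getlocalstorage.html file and put this code 👇🏻 in it

    // origin of the landing page that is allowed to send messages
    var PERMITTED_DOMAIN = "http://www.example.com";
    /**
     * Receiving message from other domain
     */
    window.addEventListener('message', function(event) {
        // ignore messages from any origin other than the permitted one
        if (event.origin === PERMITTED_DOMAIN) {
            //var msg = JSON.parse(event.data);
            // var msgKey = Object.keys(msg)[0];
            if (event.data) {
                localStorage.setItem("localstorage", event.data);
            } else {
                localStorage.removeItem("localstorage");
            }
        }
    });
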
  1. Avinash Dalvi. (15 Oct, 2020.). Share cookies or local storage data between cross domain?. medium. [Blog post]. Retrieved February 1, 2024, from https://adiachituve.medium.com/how-to-achieve-cross-domain-localstorage-790a657ec36f

  2. Adi Achituve. (27 Jan, 2023.). How to achieve cross-domain localStorage. medium. [Blog post]. Retrieved February 1, 2024, from https://adiachituve.medium.com/how-to-achieve-cross-domain-localstorage-790a657ec36f

  3. Document: requestStorageAccess() method. (n.d.). MDN docs. Retrieved February 1, 2024, from https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess
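
The listener in Step 3 writes whatever the permitted origin sends. The following added example, which is not part of the quoted articles, shows a stricter receiver for getlocalstorage.html that checks the origin exactly, parses the message, and only accepts known keys; `ALLOWED_ORIGIN`, `ALLOWED_KEYS`, the size limits and the function name are assumptions.

```javascript
// Added example: hardened 'message' handler for getlocalstorage.html.
// All constants below are assumptions chosen for illustration.
const ALLOWED_ORIGIN = "http://www.example.com"; // exact origin of the landing page
const ALLOWED_KEYS = new Set(["login"]);          // keys the parent may set or clear
const MAX_MESSAGE_LENGTH = 1024;
const MAX_VALUE_LENGTH = 256;

// Returns "stored", "removed" or "rejected:<reason>" so decisions can be logged.
function handleStorageMessage(event, storage) {
  // Exact comparison only: a prefix or substring check would also accept
  // look-alike origins that merely start with the permitted one.
  if (event.origin !== ALLOWED_ORIGIN) return "rejected:origin";
  // Accept only bounded strings so nothing is coerced to "[object Object]".
  if (typeof event.data !== "string" || event.data.length > MAX_MESSAGE_LENGTH) {
    return "rejected:type";
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return "rejected:json";
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return "rejected:shape";
  const keys = Object.keys(msg);
  // Exactly one allowlisted key per message: the sender cannot pick arbitrary keys.
  if (keys.length !== 1 || !ALLOWED_KEYS.has(keys[0])) return "rejected:key";
  const value = msg[keys[0]];
  if (value === null) {
    storage.removeItem(keys[0]); // null means "clear this key"
    return "removed";
  }
  if (typeof value !== "string" || value.length > MAX_VALUE_LENGTH) return "rejected:value";
  storage.setItem(keys[0], value);
  return "stored";
}

// In the browser, wire the handler to the real localStorage.
if (typeof window !== "undefined" && typeof localStorage !== "undefined") {
  window.addEventListener("message", (event) => handleStorageMessage(event, localStorage));
}
```

The sender has to post a JSON string such as `'{"login":"user"}'` for this receiver to accept it.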

other methods than storage -- privacy sandbox

📓 Note: This method uses machine learning to divide users into different topic groups.

The Privacy Sandbox initiative aims to create new technologies that both preserve people’s privacy online and give companies and developers the tools to build thriving digital businesses, which keeps the web open and accessible to everyone. The Privacy Sandbox is an ongoing collaborative effort to build alternatives to third-party cookies, by incorporating ideas from across the industry into new proposals that are tested, publicly discussed, and iterated upon.

One of the Privacy Sandbox proposals being tested in Chrome is called the Topics API. As browsers phase out third-party cookies, advertisers need new ways of reaching customers with relevant ads, and Topics proposes a new, privacy-preserving signal to help indicate a user’s interests.

With the Topics API, a user’s browser would gather topics (for example, "Country Music," "Make-Up & Cosmetics," or "Vegetarian Cuisine") associated with that user based on their browsing activity during a period of time known as an epoch, currently proposed to be one week. The topic selected for each epoch would be randomly selected from the user's top 5 topics, with random noise added for privacy, for that time period.

  1. How Google Ads and Display & Video 360 are testing interest-based ads without third-party cookies. (n.d.). Google. Retrieved February 1, 2024, from https://support.google.com/displayvideo/answer/13627093?hl=en
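
The per-epoch selection described in the Topics paragraph can be sketched as follows. This is an added example, not Chrome's implementation or code from the quoted source; the short `TAXONOMY` list, the `NOISE_PROBABILITY` value and the function names are assumptions, since the page gives no values for them.

```javascript
// Added example: per-epoch topic selection as the paragraph describes it.
// TAXONOMY and NOISE_PROBABILITY are assumptions made for illustration.
const TAXONOMY = ["Country Music", "Make-Up & Cosmetics", "Vegetarian Cuisine",
  "Running", "Gardening", "Chess", "Camping", "Jazz"];
const NOISE_PROBABILITY = 0.05;

// Count how often each topic was observed during one epoch and return the
// five most frequent ones (ties broken alphabetically so results are stable).
function topFive(observedTopics) {
  const counts = new Map();
  for (const t of observedTopics) counts.set(t, (counts.get(t) || 0) + 1);
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1))
    .slice(0, 5)
    .map(([topic]) => topic);
}

// rng() must return a number in [0, 1); pass Math.random in real use.
function selectEpochTopic(observedTopics, rng) {
  const top = topFive(observedTopics);
  if (top.length === 0 || rng() < NOISE_PROBABILITY) {
    // Noise: any taxonomy topic may be reported, so a single reported topic
    // does not prove that the user actually browsed that topic.
    return { topic: TAXONOMY[Math.floor(rng() * TAXONOMY.length)], noise: true };
  }
  // Otherwise one of the top five is chosen uniformly at random.
  return { topic: top[Math.floor(rng() * top.length)], noise: false };
}
```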