While they removed cookie banners and say they no longer include dependencies that set cookies, browsing around the site for a bit I still see several cookies set. For example, visiting https://changelog.getsentry.com I get first-party cookies "_GRECAPTCHA", "ph_phc_UlHlA3tIQlE89WRH9NSy0MzlOg1XYiUXnXiYjKBJ4OT_posthog", and "_launchnotes_session", plus third-party cookie "_GRECAPTCHA" on recaptcha.net.
I also got a player.vimeo.com cookie at some point, but wasn't able to reproduce.
If you're running a complex modern site and decide to do away with cookie banners, you generally need to pair this with browser automation that crawls your site and verifies that you (and your dependencies) are in fact not setting any cookies.
You're right that fighting these cookies is not trivial and automation helps a lot. The remaining cookies are functional ones which are needed to use the sandbox for instance. That the changelog sets cookies is a known issue that will be resolved once the changelog is moved off launchnotes.
Poking around a bit more, visiting https://sentry.io/auth/login/ but performing no action sets first-party cookies __stripe_mid, __stripe_sid, session, and sentry-sc. If I don't log in, but then visit other pages on the site those cookies are still sent.
I don't see why it's necessary that that these cookies be set before I actually log into the page? Or, if it is necessary for a non-obvious reason, I don't see why they need to be sent when visiting other pages under sentry.io instead of being scoped to /auth/login/ ?
A lot of these cookies are used to prevent CSRF or tracking flow state (eg: redirect target for login) through SSO. I'm not sure about the behavior of the stripe one. Generally once you go to a login page I'm pretty sure you will log in :)
I really don't see how a duration of one year and Same-Site=Lax on the sentry-sc cookie passed legal review, but perhaps your legal team is comfortable with a more aggressive approach than I'm used to.
The duration is part of the functionality. In interpreting the e-Privacy directive a general principle is that durations should not be longer than required to implement the required functionality. If you read through https://ec.europa.eu/justice/article-29/documentation/opinio... you'll see lots of discussion of appropriate durations.
The opinion document as far as I'm aware has no legal force. That said, I'm sure durations can always be re-evaluated but the case of "i'm going to log in but then not" is a corner case that's not exactly top of mind. I think the bigger task here is to defer loading stripe until necessary.
I think this is a grey area: I can't find any explicit official guidance on whether using cookies to detect bots fits within the e-Privacy exemptions. (I had thought it didn't but that's not worth much!)
> If you're running a complex modern site and decide to do away with cookie banners, you generally need to pair this with browser automation that crawls your site and verifies that you (and your dependencies) are in fact not setting any cookies.
Correction: any cookies which are not technically required for the basic operation of the site (such as a shopping cart ID).
I'm out of the loop on the latest and greatest web technologies:
if I'm a shopping cart website, how do I keep track of you as a user/session enough to identify you and pair you to the contents of your cart on my backend without a cookie?
Cramming a sessionId into localStorage/sessionStorage seems kind of like the same thing? Am I missing somehting?
The post you were replying to (unless it was edited after your reply) specifically mentioned a shopping cart cookie as one that could be classed as strictly necessary. There are other options but they have issues (tracking via query string or form values doesn't work well with multiple tabs open for instance). The cart ID can be the session ID too for as long as it is needed.
Of course they don't have to be stored, in fact they shouldn't be stored. They are session level naturally so belong in session level cookies not more permanent storage.
Also, while session tokens in cookies are usually fine to be defined as strictly essential for the main site, they are generally not for 3rd party cookies.
> localStorage/sessionStorage seems kind of like the same thing? Am I missing somehting?
No, those are more often used in equivalent ways to cookies though they don't do exactly the same job, extra logic is needed if your server-side needs to access the stored information. Cookie values are sent to the web server(s) with every request (except where certain flags are set), data in session/local storage needs to be explicitly read out and sent on in GET or POST parameters when needed.
Before cookies we used session ids in the query string of the URLs. Maybe you noticed some URL with a JSESSIONID argument in the URL. Same thing.
Those are worse than cookies for a number of reasons but they are functionally equivalent.
Anyway, there is nothing wrong with cookies in general. Privacy-wise the problem are cookies used for tracking. Any other technology would have the same problems and would need an explicit consent from the user, if you are subject to GDPR and similar legislation.
I believe that under GDPR cookies that are used only for technical purposes and not related to personal information are exempt from any consent and don't need to be informed with the infamous cookie banner.
Is not about cookies, is about their content and purpose.
Persisting login cookies if the user didn't explicitly consent to data collection is specifically _not_ exempted by ePrivacy. To quote a EU Working Group's opinion on this: 'Persistent login cookies which store an authentication token across browser sessions are not exempted under CRITERION B. This is an important distinction because the user may not be immediately aware of the fact that closing the browser will not clear their authentication settings. They may return to the website under the assumption that they are anonymous whilst in fact they are still logged in to the service. The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.'
While the GDPR has added additional restrictions, the basic framework is still in force: you can't store information client-side (cookies, localStorage etc) unless (a) it is "strictly necessary" to fulfill a user request or (b) you get user consent. All the cookies above look to me like they don't meet that bar; the site seems to still fulfill my requests with cookies disabled.
They might be tracking whether I'm logged in, but since I didn't log into the site I didn't consent for them to store that state on my client. The e-Privacy directive is quite particular, and unless these cookies are "strictly necessary" to operate the sandbox they're not allowed.
A CSRF vulnerability on a login form is a bit of a weird one: doesn't this require that the user has submitted their username and password to a site that isn't yours, in which case the attacker has successfully phished the user and can impersonate them or keep them on a proxy of your site?
(Spitballing: a standard way to implement CSRF protection with no cookies at all is when you generate the form you include a nonce. Then when the form is submitted you check whether it's a nonce you generated, which you do either by having stored it or generated it by hashing information you've stored. Implemented naively on a login form this would allow the attacker to fetch your page, extract the nonce, and include it in a cross-site request. But you could require it to be from the same IP. Alternatively I think you could fix this by having your login form set a custom header, which then browsers won't allow a cross-site POST for without a CORS preflight which you'd reject. But at this point I'm brainstorming and please don't take any of this very seriously!)
Why would you ever use a cookies to store a CSRF token? A CSRF token is a per request value and that's not what cookies are designed for. Generally the CSRF token is a hidden value on the login form.
In that case the cookie can at least be scoped to the login form with a Path attribute and limited to the current session, which these aren't. The cookies on https://sentry.io/auth/login/ set without user intervention are valid beyond the current browser session and two of them have durations of a year. One even has Same-Site=Lax!
(It's also not clear to me that cookies are required, if there are other technically sound options that do this without setting cookies.)
If you authenticate users only via Same-Site=Strict cookies you're protected against CSRF in modern browsers: a cross-site request won't have the auth cookie.
Session cookies are often encrypted by frameworks using a server side secret.
This allows storing data such as the CRSF token value to check against the one in the hidden form element or X-CSRF-Token without inserting in a DB every time someone loads up a form.
Note that to prevent session fixation, the session ought to be reset on a successful login (and logout), so it would require additional code to perform tracking across a successful login.
Session cookies are also used for Rails flash messages, commonly used to display errors in forms (including login forms), which often do HTTP redirects to GET routes in their non-GET controller actions.
The underlying subtext is that these session cookies can be a necessity of securing the provided service, and thus can fall under valid "strictly necessary" usage, as long as they are not abused for tracking (by default nothing in the session cookie is stored nor logged anywhere)
It might also just be done by whatever underlying web framework they use without them realizing. Like maybe a call to a method that checks if you are authenticated creates those cookies deep in some library they have less control / ownership of. Just taking a guess.
Possibly! But then they need to choose: take full control of their stack to where they can ensure it doesn't set unnecessary cookies, or use cookie banners.
If they're essential for doing what the user wants, though, then (a) no one cares and (b) they don't need e-Privacy consent and so don't need a cookie banner.
So Google AdWords performance absolutely tanks with the sunsetting of 3rd-party cookies…
It looks like this mostly happens because they lose the conversion signaling which is the most important input to their bidding model, making them pay for 4x as many impressions which still only concert to 1/10th the sales.
Is this the experience that all Google AdWords customers will be waking up to later in 2024? It sounds like Sentry is being pro-active and getting ahead of the curve, and not just cutting their advertising performance for purely benevolent anti-tracking reasons.
When this happened to FB they lost tens of billions of dollars. Will the impact to Google be even greater? If there’s anything that could truly disrupt Google, destroying AdWords ROI has got to be their #1 existential risk.
It’s not like their search experience is even that decent anymore. It would make me quite happy to see Google peak as a company due to internet privacy initiatives winning out over invasive corporate panopticons.
I'm one of those extremely against ads people who use an adblocker all the time, or pay for services that allow me to in order to remove ads. That said, I still click on accept for those cookie dialogs.
I think it's entirely fair that someone track me on their own web property, or within their own application. Cross-site tracking is not wonderful, unless it's between a collection of related products from the same product suite. But overall I think it's a huge misstatement to say that people who are against ads are also rabid anti-track-anything people.
Within product tracking is both useful and important for helping companies improve their products. And often it's crucial for security, to detect attacks and the like.
It's trackers. I don't block ads, I block trackers. I block large swathes of rentable name / address space (being vague, don't know you, protecting my TTPs) that trackers like to rent by default; anything that lives in there that I decide I want I whitelist. So my actions affect those who utilize the network(s) I administer.
Only if you use the cookies to track users. Cookies like authentication and things needed by the website to work do not require the banner. And so I think Sentry did the right thing, one can go to sentry.io and browse without having this fugly banner to dismiss every time.
Sometimes I think the ad industry made up the misleading term cookie-banner.
At least GDPR does not limit the technology used for collecting personal information.
You still need to ask for consent if you track users with some other technology.
Using cookies does not require consent under GDPR, collecting and sharing PII does though (if not necessary for the service to function)
It's the ePrivacy Directive (and not the GDPR) that prohibits storing any data on the user's machines unless they are a) strictly necessary to provide the service, or b) the user consents.
Thanks for the correction. But the point still stands. This isn't about cookies per se, but about not extracting value from a user beyond what the service needs when users do not consent.
I’ve seen countless occurrences of Google Tag Manager being routinely used for all kinds of things that aren’t “advertising cookies”. There really is no need for the snark.
It is in the same league as advertising cookies. If I visit a website, I want to read or interact with that website, not with Google. Trying to shove Google into my face will meet the same reaction as trying to shove ads in my face. Getting blocked.
> You will have a hard time browsing the web, including this site ;)
No, HN works even js disabled.
I did this experiment a while ago, blocking google in my hosts file. Usually fonts break (arrows, icons), and javascript breaks (reddit and stackoverflow need google ajax jquery to uncollapse collapsed messages).
But in general most of the web is usable.
In theory it should be possible to host fonts and jquery locally, but I wasn't able to manage that.
Content blocking is not an all-or-nothing process. Popular blocklists have different flavors depending on whether you value privacy (blocking almost everything Google, etc.) or usability (blocking ads, telemetry, third-parties) but allowing everything else.
It is really not very complicated. It is actually very simple. When I visit a new website, I check what it requests using uBlock Origin. Then just block those unwanted stuff.
If the website does not work without something like Google fonts or tag manager or whatever other bloat, it means, that it is shoddy-made, by an either uninformed or ignorant entity. It probably is illegal according to EU law as well, since I never gave consent to being tracked by third parties. I do not use that website. Browser tab closed.
In the cases, in which an external entity forces me to use crap websites, I isolate them in browser profiles and/or container tabs.
In cases, in which the content is only available on that website, I can try reader mode. Or try to find some other frontend, like Invidious for YouTube.
So in most cases I can do something to reduce the toxicity of the cocktail, that modern web development practices have cooked up for me.
Websites load faster. I filter out BS websites with low information density. I avoid ads and being tracked by random companies that I don't trust. I feel more comfortable visiting websites knowing, that my personal data does not automatically flow to random companies. I don't have to sit through YouTube ads either. I get what I came for, then I leave. To me this is a great benefit.
But lets not forget, that we are all part of a human society. Almost no ones, if anyone's behavior has no effect on others. By using the Internet like I do, I am also acting in a responsible way regarding my effect on society. We need more people resisting big tech surveillance and daily violation of privacy. I hope some day more of us can look beyond immediate personal benefit.
> "I hope some day more of us can look beyond immediate personal benefit."
Look, I'm ok if you want to be individualistic and say "screw the creators, content producers, journalists, and everyone else I'm freeloading their work for MY personal benefit". It's immoral in my book, but it's certainly not illegal.
But at least be honest with yourself, and stop pretending you're doing this for the greater good of human society.
You can try to frame it in whatever way you want, but that does not change the fact, that you have zero idea, whether or how much I support creators that I like. It would do you good to not just assume things on the basis of someone's browsing and ad blocking habits.
That's reasonable. So, out of all the content you consume, for what percentage of it do you contribute to the content's author/creator/company? How much value per year?
I do the opposite. I block everything, and if a new site I’m curious on doesn’t work, I’ll look at what’s needed to let it work. Your method would potentially require some cleaning up since things were allowed to initially run. If the site requires things I don’t like, I just close the tab and move on.
I block it too. However, it is only what it says on the tin: a tag manager. IOW it's a convenient place to hold all those useful snippets[1] of javaScript in one place. Most companies want that place to be google because it's seen as bulletproof.
[1] And yeah most of those useful snippets are for tracking, but actually several privacy solutions like cookie management platforms can be held inside a tag manager as well. To me it's still worth it because if I block those CMPs along with GTM it means no banner and no agreeing to any tracking.
Indeed, you can use that for a plethora of things besides the advertising.
Also many websites are using Google Analytics as base tool for reporting and monitoring activities
I think people might be shocked that access to this RCE backdoor is often given to non-technical roles and even outsourced marketing resources..With no controls in place at all.
That's why at Sentry non-technical people don't have the ability to publish new GTM versions. It's tightly controlled because we don't want marketing to shove things in there without engineering and security reviewing.
The joys of reviewing a GTM change submitted by some Chad at "Marketers R Us" where they copied a minimized, practically obfuscated, JavaScript blob of unknown origin into the browser.
I judge the headline as clickbait as well, and skipped reading it because of it.
Sounds like I made the right decision based on other comments.
It (probably) could've easily said, in say one to ten words, what actually happened, in the headline, so that I could decide whether I wanted to read into the details or whether it didn't interest me at all.
With the headline being "something happened" and you'll have to read multiple paragraphs before you find out anything at all, I'm immediately put off. I feel like my time is being wasted.
Entice me by describing an interesting outcome in the headline, that I want to read more about, or inform me, in the headline, that it's not an article for me.
Attempting to artificially drive more traffic and eyeballs to an article, by withholding details in the headline of what it is about, is the definition of clickbait in my book.
What many, including myself, wanted to hear is: See, tracking cookies does nothing. Instead what we got is an article that explains that companies do in fact not need cookies, they are plenty capable of tracking our reactions to advertising without them.
Then there are paragraphs like this one:
> We decided to rely on ad engagement retargeting (rather than traditional retargeting) on most of our ad channels which isn’t the same, but still gives us a semblance of a funnel. We tailored our ads that are focused on middle of funnel (MOF) and bottom of funnel (BOF) to this engaged audience.
Which for people like me is a big "WAT?" What does that even mean, what are consequences, why didn't they do this earlier? I am aware of "retargeting", which is really what I want companies to stop doing, I don't care if they do it without cookies.
But yes, this isn't for the technical or privacy focused crowd. This is for marketing people, about how they can adjust their workflows when Chrome starts blocking 3rd party cookies.
> Which for people like me is a big "WAT?" What does that even mean, what are consequences, why didn't they do this earlier?
Traditional retargeting is done discriminatory. You visited a site, got enrolled in a list, etc. and they start targeting that. Ad engagement retargeting on the other hand waits until you "engage" with the ad, meaning that you have explicitly showed interest. Is another explicit vs implicit.
I'm waiting for the article about online marketing no longer being possible. And everything (except the marketing department) becomes better because search directs you to what you want to find, rather than what the highest marketing budget wants you to find.
Article mentions Sentry's shift from tracking to "brand and awareness marketing". Thanks to their recently acquired Syntax Podcast (recommended), I am now quite aware of their brand. Seems like a positive, creative approach to marketing. I wonder if there is a noticeable "Syntax effect" in their business metrics.
Hard to tell as we always advertised with Syntax. I would say the investments are related, but not connected (and made independently). We love Syntax, believe in brand advertising, and wanted to push more thre. We also hate the CX of cookie banners, I personally dislike wasteful tracking, and wanted to push the boundaries a bit on that front.
The most interesting part of this article personally was "Google's getting rid of cookies". Wait, what? How is this the first time I've heard of this?
Apparently the move is already delayed until Q2 2024 (lots of pushback at the office) [1] However, it's still difficult to believe. Must be an utter nightmare for people who built their entire business stack on cookies.
I'm not a developer and have no use case for your service but thanks for the forward thinking, experimenting, transparency, and efforts to improve one of the things that enshi*ified the Web.
Performance tanked. Targeting and optimisation dwindled, measurement became directional last click. They still switched to solutions that leverage IP Addresses.
As they burned through their marketing budget, they focused on bogus metrics like dwelltimes and patted eachother on the back.
> Because we lost so much data, we also instituted a self-reported attribution “how did you hear about us” survey. Eight months in, and we’ve actually found new channels and learned a lot about our old ones. Ironically, a lack of data actually led to new insights.
As a user you'll probably find you get more clickbait, more ads, more paywalls, less access to high quailty content, etc as publishers scramble to survive. (Because the value of their ad inventory drops.)
And as marketing is less efficient, higher budgets are required to drive the same results. We can potentially expect to see these costs gradually passed on to the consumers and watch more businesses fail.
How many times do you actually click on, or buy things from the ads you are shown?
You make it sound like we should all be grateful. Like ads are adding value to our lives. They don't. Outside of marketing, nobody cares about ads. We train our cognition to cancel out ads. We avoid them. The only people looking at ads and appreciating them are the ones, like yourself, who find them useful for things nobody asked for. I'd much rather you DON'T track me and --gasp-- DON'T show me an ad either. "But then you'll see worse ads!" Good. I'll ignore those too.
In my lifetime I've probably been shown $10,000 worth of ads on the internet, and I've probably spent $12 on them. Ironic that the only people who think that ads matter are the ones who's job it is to buy them with other people's money. Keep spending your bosses money, and I'll keep wasting it for you.
Well said. I'm also perplexed and frustrated by all the ad-tech apologists I'm hearing lately both here and IRL. There's the soft "no alternatives!" version where ads and enshittification are some kind of obviously necessary force of nature that we should expect and just have to deal with, and the more extreme stance that it's actively good for us somehow.
Anyway like many other humans on the internet, I've been tracked for decades now and somehow the junk thrust on me is still not even close to relevant for my demographic, and it's usually like they don't even know my gender or age group within 20 years. Except of course surely FANG have figured that out, so are they just routinely defrauding people that buy "targeted" ads and throwing them at any random eyeballs they have access to? It sounds paranoid to think that a crime on that scale would exist since it seems hard to pull off or keep quiet, so I guess we just keep listening to self-reported statistics that every dollar spent on ads wins $8 in sales. But.. I'm glad it's not my dollar
> We train our cognition to cancel out ads. We avoid them.
Anecdotally, I've noticed that with Reddits latest addition of allowing users to highlight posts yellow with a "super upvote" that, without thinking about it, my eyes immediately ignore those posts.
The part I like most is how every time I buy something I then get ads about that exact thing.
Mate I've already bought the thing, I'm not making a collection, and I'm not buying a $200 ham every other week either, that was a christmas gift you goof.
Without hashes, there's some trust, statistics, and customer support involved. If the affiliate sender sees a lot of referral traffic from their end, and you don't report many visitors or conversions, often the affiliate providers will try and troubleshoot that to make sure you're seeing results that are in line with their other partners.
> We market to developers who notoriously do not like being marketed to (we should know; we are a developer-led company and Sentry users ourselves), so the idea of removing ad cookies instantly intrigued us.
Ooh, they're going after that anti-marketer market. That's a huge market! Look at our research!
Well fellow marketing person, what was the experience? You seem to be the only one that speaks the language to know. The rest of us are left wondering what the point of this self back patting exercise actually was.
- Issues you're already having will get worse in 2024
- Cookieless performance marketing is achievable
- You will need all your stakeholders aligned
- You will need to reimagine how you do things
GDPR is about consent, not cookies, storage or anything.
If you track a user then you need consents. Nothing about GDPR is tied to cookies. They are just one way to generate and keep PII (a tracking ID).
Now if the UTM only identifies the source (user coming from X, FB, ...) and does not identify or reveal the user then you are probably fine. It should even be fine as a cookie, although there have been talks about storing on a users device without consent. Not sure about the current exact legal status, so you might want to set it to never persist the browser close.
It might get a bit more complicated at sign up. You probably would want to disclose that you track and keep this information. But at this point GDPR is active for sure as you have a somehow identifiable user.
Consent is one of six different legal bases for processing personal data. Consent is important, yes, but it's not the be all and end all.
>It should even be fine as a cookie, although there have been talks about storing on a users device without consent
That will require consent, because the use of cookies is regulated not by the GDPR but by a different law (the ePrivacy Directive).
Under the ePrivacy Directive all cookies[0] that aren't strictly necessary to provide the service require consent.
[0] In fact it's even broader than cookies as the law covers storing any information on the user's device, so it includes things like the local storage API and indexed DB.
I kept waiting for their findings but halfway through it's just a bunch of self-gratifying talk and deflecting talking about why they think it's important - I read for two solid minutes without them getting to any hard numbers or findings.
It does have findings, it’s just a long article. Maybe longer than it needs to be. Looks like their SERP ads CPC increased by 30% and conversions decreased, display ad conversions plummeted (partially offset by cheaper CPMs) and YouTube ads switched to optimize for watch time instead of conversions seemed to perform better and lead to cheaper conversions.
The one number that should be of interest to anyone who's not a professional "growth marketer" is missing, though, don't you agree?
I skimmed the whole article, read your posting, and even though I know some of these words, I still have no idea if the decision was hurtful to the business, or if it did not move the needle at all, or if it even was a net positive, all things considered.
> I still have no idea if the decision was hurtful to the business, or if it did not move the needle at all, or if it even was a net positive, all things considered
It's incredibly hard to tell. For us the goal of eliminating Cookies was important given the stance we have on privacy so everything went from there. The folks working in marketing for sure were not happy with the directive as it makes their job much harder.
But the world is still spinning, even without cookies. That's enough to call this a success.
Yeah, the fact that they don't have a clear indication of impact means one of two things:
- Cookies weren't doing a whole lot for them to begin with, and removing their use had negligible impact.
- The other work their marketing department did to try and compensate for discontinuation of cookie usage interfered with the test, making the results useless for evaluating the value of cookies.
I'm leaning towards the second one based on the response above you.
Agree, but your second bullet is kind of the same as the first, right? It’s saying that on the whole, inclusive of changes to marketing processes, removing cookies didn’t impact bottom line enough to be measure able as positive or negative.
There's definitely a difference between "Cookies provide X value" and "We were able to mitigate the loss of cookies by doing A, B, and C - but we don't know the value of doing A/B/C individually."
If the point is to quantify the value of cookies then you need to measure that as an independent variable. Attempting to compensate with other actions, each of which you also don't know the independent value of, means you will be unable to quantify the true value of cookies or the value of your other actions.
What if none of the tools they're using, including cookies, provide any measurable value? How would you know? What if the value of cookies (X) and item A is positive in terms of impact, but B and C are both negative, but not enough to offset A so it comes out in a wash?
This seems to be very much the case for behavioral ads as far as I can tell. At some point Google et al convinced everyone that tracking the user's every move across the Internet made for better conversions than just providing ads that are relevant to the content they appear alongside and everyone just nodded along. Given that we now know that Meta (née Facebook) blatantly lied about the effectiveness of video content (which single-handedly killed various news sites who made hard pivots based on these claims) I'm not convinced behavioral ads really do perform that much better. The biggest value add of Google ads was that it provided some safeguards against abuse and a reasonable expectation of safety and moderation.
It sounds like you're still using tracking, just without cookies. I understand the push to eliminate cookies was motivated by Google announcing it would force the decision eventually but it sounds like you're still using alternative means of tracking and identifying users.
Laws like ePrivacy in the EU do indeed have specific provisions regarding cookies but e.g. the GDPR is much broader than that and would still apply. How truthful is it that eliminating cookies is motivated by a strong stance on privacy rather than just getting a head start in marketing instead of having to scramble when Google pulls the plug? It doesn't sound like you reduced the tracking and behavioral analysis beyond what was technically unavoidable?
> I skimmed the whole article, read your posting, and even though I know some of these words, I still have no idea if the decision was hurtful to the business, or if it did not move the needle at all, or if it even was a net positive, all things considered.
I mean, based on my interactions with marketing people, they often don't really know if much of what they've done has helped the business at all, and the majority of their work (apart from actually creating marketing copy and interacting with customers) seems to revolve around figuring out how to attribute booms in business to their previous campaigns while building plausible deniability for inevitable busts. Don't get me wrong, not ALL of it is completely incomprehensible: email and referrer links are pretty straightforwardly calculable in terms of their impact; but things like "brand awareness" campaigns are nigh impossible to actually gauge the impact of.
I never understood why businesses accepted this. At least with digital marketing, it is possible to track pretty much everything and connect marketing campaigns with concrete results. It's actually not impossible to gauge the impact of a brand awareness campaign if you run the campaign properly using good principles of experiment design, especially if you associate it with keywords and track those or are using search ads.
This is probably whats going to happen everywhere, Google will be even more dominant in adtech with 3rd party cookie removal. Everyone moving to 1st party advertising (SERP, Youtube ads), display ads are race to the bottom without targeting..
It took awhile but I finished the article. I don't see much self-gratification in phrases like:
> we saw around a 30% increase in our cost per click (CPCs) in Google search.
Or this:
> This took a TON of back and forth, basically building logic that an out-of-the-box attribution solution already has in SQL, but we finally got to a place where we could salvage around 50% of attribution data.
The self congratulating I saw was
* they decided to try this before it was foisted on them by externalities.
* they worked their asses off to make it work.
* they have a competent BI team.
I don't understand why they also eliminated most first party cookies though. I respect that level of respect for user privacy but it goes beyond my personal expectation for privacy.
This morning, I opened a help page for a B2B product. There is a wiki with all API calls, but not a hint as to how to use them, and there are some pages for people who use it via their frontend. To get some bearings on the API, I opened the latter, and the first topic I opened said:
"We at [...] understand that being able to accurately manage [...] while fielding is essential to a successful project."
The entire text was two more sentences and a video. That's just taking the piss. Just say "watch the damn vid." if you really want to add text.
Can I voluntarily register somewhere and profile myself for the purposes of ad targeting? I'd really hate to just get completely random ads everywhere.
It's not that bad. For a long time ads could only be targeted based on correlations rather than personal information. Ads weren't completely random. You would read a travel magazine targeted at men and there would be advertisements in there about flights to some location or recreational activities or male-coded razor blades, whereas a travel magazine targeted at women would have advertisements in it about flights to the same location, different recreational activities and female-coded razor blades. You would take a train to work and there would be advertisements about local restaurants and banks offering home loans in your area. You would exist and you'd get advertisements about an American soft drink.
In the early days of the internet, few enough companies wanted to advertise on the internet - advertisers viewed it already as targeted at a certain segment of society - so advertisements were generally very low value i.e. crap. Tracking technology let advertisers know that they could actually find the people didn't realise were using the internet. But nowadays we all know everyone is on the internet, and we tend to use the same sites regularly, so you could get adequately targeted ads (as a set of eyeballs - not necessarily as an advertiser) just by using the internet.
That's the crux of the issue: 99% of companies wanting to sell me something doesn't have a product I want. Of the remainder, I already am a customer in 99% of the cases.
Are people downvoting because they think that no targeting means no ads? It just means worse ads and MORE ads because the ones that are there are less valuable. Ironic.
No targeting means they aren't keeping a dossier on my movements around the web. I don't want that, and I don't care what it does to the quality of ads I see. Besides, I'm sure my ad-blocker is up to the task.
Yes, but you don't have to do anything. Google is pushing a new advertising paradigm [1] wherein the tracking is done client-side and then sent (at your discretion) to websites for ad-serving.
EDIT: classic, didn't dig into the context, assumed Sentry was some ad ecosystem middleman -- apologies for the below (will leave as it was because there are child comments). These guys have a real product doing real things.
----
It's fascinating to me how this org (and so many others) are hard at work, day in and day out, basically shovelling garbage into peoples' faces. They produce absolutely nothing of value (other than, arguably, the parasitic relationship which allows Free Content), but so much money flows through them.
I wonder what effect the exclusion of third party cookies will have on the dark patterns that are so prevalent -- but I doubt it will be much. We may have "free" access to so much information online, but we pay a terrible place as the quality of discourse has devolved into antagonistic feces-flinging in most of the big walled gardens, and majority of the open forums. It seems only the domain-specific, niche places still maintain a quality noise-to-signal ratio.
Sentry produces nothing of value? You don't value an open source error tracking and performance monitoring platform? https://github.com/getsentry/sentry
I’m with you in theory, but Sentry is for error ingestion, not for tracking users. We find it quite useful for discovering client-side errors we’d otherwise be blind to.
Similarly, visiting https://try.sentry-demo.com I got cookies "sentrysid", "sc", and "sudo".
I also got a player.vimeo.com cookie at some point, but wasn't able to reproduce.
If you're running a complex modern site and decide to do away with cookie banners, you generally need to pair this with browser automation that crawls your site and verifies that you (and your dependencies) are in fact not setting any cookies.