Guidescookie trackingweb advertising

Alternatives to Cookie Tracking in Digital Advertising

first-party cookiesthird-party cookiesflash cookiesETagsHTML5 local storagebrowser fingerprintingcookie respawningGDPRDNT headerFirefoxSafariInternet Exploreremail-based targetingsocial profile IDsopt-out mechanismspersistent identification

Cookies remain a foundational mechanism in digital advertising — powering ad personalization, behavioural targeting, retargeting, frequency capping, and more. Despite years of discussion about replacements, a large majority of ad technology providers still rely on cookies to a significant extent.

That reliance is increasingly difficult to sustain. Growing regulatory pressure, the European Cookie Law and its GDPR consent requirements, new browser defaults (enabled DNT headers in Internet Explorer, third-party cookie blocking in Firefox and Safari), and general bad publicity around tracking have made it critical for the industry to explore and implement alternatives.

What Are Cookies?

Cookies are key-value data stored by the browser at a domain or domain/path level. They are set either via an HTTP response from the server or through JavaScript code executed on the page. On every subsequent HTTP request, the browser sends back any cookies that match the relevant domain or path to the server they originated from.

Tracking Methods

In a typical tracker or ad server implementation, only a unique visitor profile identifier is stored in the cookie itself — the rest of the profile data lives server-side. Ad technology most commonly relies on third-party cookies, meaning cookies set under a domain different from the site the user is actually visiting. Their key advantage over first-party cookies is straightforward: ad tags loaded from the same ad server domain across multiple publisher sites will carry the same cookie in every browser request, making it easy to track a user across sites, record which ads they've seen, and build a behavioural profile.

The persistent challenge is that cookies become less reliable year over year. Blocking, rejection, and automatic deletion all erode persistence, and third-party cookies are losing ground the fastest.

The following are the primary deterministic methods for obtaining a unique visitor identifier on every server request:

1st-party cookies — stored under the same domain as the visited page; set and read via JavaScript or HTTP request/response.
3rd-party cookies — stored under a domain different from the visited page; set and read via JavaScript or HTTP request/response.
Flash cookies (Local Shared Objects / LSOs) — local shared objects stored by Adobe Flash; set and read via an Adobe Flash object.
ETags — part of the HTTP protocol, originally a cache-validation mechanism that can be repurposed for tracking; stored and read via HTTP request/response.
HTML5 local storage — persistent storage scoped to a domain; set and read via JavaScript.
Browser fingerprinting — derived by matching IP address with browser configuration details such as user-agent string, installed plugins, screen size, and similar attributes. Usually executed via JavaScript, though a server-side-only variant is possible using IP and user-agent alone.

Respawning: The Hybrid Approach

Some systems layer several of the above techniques together in what is known as respawning — a method of restoring an HTTP cookie by reading the visitor identifier from a Flash cookie, an ETag, or HTML5 local storage whenever the primary cookie is unavailable. In practice, this means storing the visitor's unique ID via multiple methods simultaneously and attempting to retrieve it from whichever source is accessible at the time of the request.

Even this hybrid approach does not work in 100% of cases. Some combination of browser settings, privacy tools, or storage restrictions will always leave a gap.

There is also a structural limitation none of these techniques can overcome: traditional cookie-based tracking methods cannot achieve cross-device tracking. As users increasingly interact with online services across smartphones, tablets, and desktops, the inability to link those sessions to a single person is a fundamental constraint.

Properties of an Ideal Tracking Method

Any genuinely better approach to visitor identification would need to satisfy the following properties:

Persistent identification — the identifier remains stable not just within a session, but until the user opts out or explicitly resets it.
Cross-device tracking — the same user can be identified regardless of which device they are using.
User opt-out — a reliable mechanism must exist for users to exit tracking.
Data anonymization — the stored identifier should not be linkable back to personally identifiable information, and users should be able to generate a new identifier on demand.

There is currently no widely adopted solution that comes close to satisfying all four of these properties simultaneously.

Existing Unique Identifiers

A few persistent identifiers already exist in the internet ecosystem and have been used in advertising contexts:

Email addresses — can be used for targeted advertising via platforms such as Facebook's Custom Audiences, which matches hashed email lists to platform users.
Social profile IDs — platforms including LinkedIn, Twitter, Facebook, and Spotify can use their own unique identifiers to track users across any site where their widgets are embedded.

Neither of these approaches supports anonymization or identifier reset. Both can be trivially linked back to a real person, which raises significant privacy concerns and limits their viability as general-purpose tracking infrastructure.

The Path Forward

The wide adoption of cookies means any transition will be slow and complicated. The IAB recognized this early, establishing The Future of the Cookie Working Group to develop alternatives that are more reliable, universal, and practical for broad adoption by ad technology suppliers.

The challenge is finding a workable consensus: any new standard needs to guarantee reasonable privacy for users while still providing reliable tracking mechanisms for publishers and advertisers. Those interests are not easily aligned, but a practical compromise — rather than a technically ideal solution — is the realistic outcome.

The GDPR-era cookie consent wave offers a cautionary example of what happens when regulation outpaces technical solutions: websites flooded with consent banners that users click through reflexively, with limited meaningful privacy benefit. The industry would benefit from approaches that build privacy in at the infrastructure level rather than layering notices on top of unchanged behaviour.