Guidesweb cookiescookie syncing

What Is Cookie Syncing and How Does It Work?

first-party cookiesthird-party cookiesDSPDMPad exchangeSSPcookie-matching tableuser ID mappingcookie churnGDPRIntelligent Tracking Preventionreal-time biddingpixel redirectad-blockingtracking

Cookie syncing is one of those mechanisms that sits quietly at the centre of programmatic advertising infrastructure, yet rarely gets explained clearly. This guide covers what cookies are, why AdTech platforms need to sync them, and exactly how that synchronization process works — step by step.

Few people realize how frustrating the Internet would be without cookies. Without them, products added to an e-commerce shopping cart would disappear the moment a user navigated away, login credentials would need to be re-entered on every visit, and language preferences would reset constantly.

Cookies remember user preferences and state information in order to deliver a better, more efficient browsing experience. But these small bits of data are also foundational to online advertising.

Advertisers use cookies to collect anonymous information about a website's visitors, then use that information to build profiles and display relevant ads. As the number of people online has grown and the display-advertising ecosystem has expanded, accurately targeting the right audience has become increasingly complex — and cookie syncing is one of the key mechanisms developed to address that challenge.

What Are Cookies?

Cookies are small text files that collect certain pieces of information about online users. Each time a user visits a website, the browser creates cookies and saves them to the user's computer. When the user returns, those cookies help the website remember certain things — content viewed, pages accessed, preferences set.

Cookies serve several distinct functions across the web:

Website setup: Some cookies remember personal preferences users have previously set, such as the preferred display language or currency.

Sign-in: When a user signs into a website, a unique session ID is stored in a cookie so the website knows which user is logged in. Depending on the site's security settings and the user's browser configuration, sign-in can be made automatic.

eCommerce: Cookies allow online stores to remember which products users viewed, added to a cart, or purchased.

Analytics: Cookies store an anonymous user identifier that ties a user's interactions with a site into a single profile and session.

Advertising: Cookies record which advertisements a user has seen and interacted with.

Behavioural profiling: Cookies can build anonymous profiles that track user behaviour across websites implementing a third-party tracking tag. Advertisers use data from these profiles to select the most relevant ads to serve to that user.

Different Types of Cookies

There is a common misconception that all cookies are inherently privacy-invasive. In practice, some types of cookies genuinely improve user experience, while others used for tracking and data collection do not typically contain highly personal information such as a person's name or email address.

First-Party Cookies

First-party cookies are created by the website a user visits directly. If a user visits techcrunch.com, the cookie is created in the techcrunch.com domain — not in a third-party domain like appnexus.com.

First-party cookies in cookie syncing

These cookies help deliver a good user experience by retaining specific information about the user and their behaviour — login state, shopping cart contents, language preference, and so on. The website itself decides what information to collect and store.

Third-Party Cookies

Third-party cookies — also called tracking cookies — are set not by the website being visited, but by advertisers and AdTech platforms whose code is embedded on that site.

When a user visits a website, multiple third-party trackers may be collecting information simultaneously. This can include data passed from the publisher, such as the user's interests, location, and demographic signals. Third-party trackers also observe behaviour on the site itself — content viewed, products clicked, ads interacted with — and use that data to serve targeted ads on other websites the user subsequently visits.

A straightforward example: a user visits bestbuy.com and views a Samsung TV. Third-party trackers collect that signal. Later, when the same user visits techcrunch.com, they may be shown an ad for that exact TV, or a similar product. The mechanism relies on both bestbuy.com and techcrunch.com loading code from the same ad server — for instance, ad.doubleclick.net. Because that code originates from a different domain than the one in the browser's address bar, the cookies it sets are classified as third-party cookies.

From Cookies to User IDs

Cookies are restricted in size, which limits how much data they can hold. The standard approach in AdTech is to store only a unique user ID in the cookie and keep all the associated profile data on the platform's own servers. This frees up cookie space and allows platforms to maintain much richer user records.

The Core Problem AdTech Platforms Face

The fundamental limitation of cookies is that they can only be read by the domain that created them. An AdTech platform operating under one domain cannot read cookies set by a platform operating under a different domain. This domain-specificity limits each platform's ability to recognize the same user across different advertising contexts.

To share user data across platforms, the industry developed a process known as cookie syncing.

Because cookies are domain-specific, a cookie created by one third-party tracker — say, lotame.com — cannot be read by another, such as appnexus.com. For advertisers trying to build comprehensive audience profiles and target users accurately, this is a significant constraint.

The solution is to map user IDs from one system to another. For example, mapping a user's ID from a demand-side platform (DSP) to a data management platform (DMP). This mapping process is what the industry calls cookie syncing.

Cookie syncing is used across most AdTech platforms: ad networks, DSPs, DMPs, ad exchanges, supply-side platforms (SSPs), and various data providers. The outcome is that these platforms can exchange user data and target audiences more precisely with online advertising.

Cookie syncing works when two different advertising platforms map each other's unique user IDs, enabling them to share information they have independently gathered about the same user.

It begins in the browser.

Each time a user visits a website containing ads or third-party tracking tags, the browser sends an ad request to an AdTech platform — typically a DSP. The DSP creates a unique user ID (if one doesn't already exist for that user) and stores it in a third-party cookie, since the request is made to the DSP's domain rather than the publisher's domain.

Within that same ad request, the DSP calls a pixel URL provided by a different platform — say, a DMP — and includes its user ID as a parameter in that URL call.

The DMP's server reads the DSP's user ID from the URL parameter, then checks its own domain's cookie to see whether it already has an ID for this user. If it doesn't, it creates one. It then stores a mapping of its own ID alongside the DSP's ID in a cookie-matching table.

To make the sync bidirectional, the DMP can pass its own identifier back to the ad exchange via a pixel redirect, including its ID as a URL parameter.

At this point, the cookie-matching table for both the DSP and the DMP would look something like this:

Internal ID (profile ID) DMP ID DSP ID
123456 5f5dad31b 9f72dd4c

Both platforms now have each other's IDs on record for that user.

Here is the full process, step by step:

  • A user visits a website containing an ad.
  • The DSP receives the ad request.
  • The DSP responds to the request and creates a third-party cookie storing a unique user ID.
  • The ad exchange redirects the ad request to the pixel URL on the DMP's side, passing the DSP's user ID as a URL parameter. The DMP reads its own cookie (or creates a new one) and saves the DSP's user ID alongside its own user ID in the cookie-matching table.
  • If the sync is bidirectional, the DMP redirects back to the DSP, passing its own ID as a URL parameter. The DSP reads its own cookie and stores the DMP's ID alongside its own in its cookie-matching table.
  • Both the DSP and the DMP now have each other's user IDs stored in their respective databases.

This technical approach is also used in cloud infrastructure contexts — for instance, Lambda@Edge on Amazon Web Services (AWS) is one implementation path for handling cookie syncing at scale.

How Is User Data Shared Between AdTech Platforms?

Matching cookie IDs is only the first phase. The second is sharing the actual user data.

Once IDs have been synced, platforms can reference each other's user IDs to share or request the profile data associated with those users. This is typically done via a server-to-server integration, with data transferred in large batch files. The cookie-matching phase happens in real time, but the data-sharing step typically occurs on a scheduled basis — commonly once per day.

It is also worth noting that cookie syncing only applies to web browsers — both desktop and mobile web — across display, native, and video ad formats. Native mobile apps are a different story: they use the device's Advertising ID (IDFA on iOS, AAID on Android) as a consistent cross-domain user identifier, so the syncing problem doesn't arise in the same way. Web browsers, by contrast, do not emit a consistent user identifier across domains, which is precisely why cookie syncing is necessary.

Cookie-match rates — the percentage of cookie IDs that can be successfully synced between two platforms — vary considerably across the AdTech ecosystem.

As a rough industry benchmark:

  • Below 40% is generally considered a poor match rate.
  • 60% and above is considered a decent match rate.

Several factors drive this variation:

Cookie churn: The loss of cookies due to user behaviour — regularly deleting cookies, running ad-blocking software that prevents third-party tags from firing, or browsing in private or incognito mode — all reduce the pool of available cookie IDs.

Geographic location: If a US-based DSP attempts to sync with a European-based DMP, the DMP's cookie pool may not contain sufficient overlap with the DSP's audience, resulting in a low match rate.

Final Thoughts

Cookie syncing is a foundational mechanism in the online advertising ecosystem, enabling data to flow between platforms that would otherwise be unable to recognize the same user. It is not without challenges, however.

Ad-blocking software — ranging from browser plugins to built-in privacy features like WebKit's Intelligent Tracking Prevention — reduces the effectiveness of third-party cookies and, by extension, cookie syncing. The EU's General Data Protection Regulation (GDPR) adds another layer of constraint, requiring companies to obtain valid consent from EU/EEA citizens and residents before sharing their data across platforms.

These pressures have not eliminated cookie syncing, but they have pushed the industry to consider alternative user-identification approaches for contexts where third-party cookies are unavailable or restricted.

<Related />