Ads & Cookies: Can Ads Read Website Data?

TL;DR

Generally, ads can access cookies from the website they’re displayed on, but it’s complicated. Modern browsers and privacy features limit this access significantly. Websites control how much data ads can see through careful configuration and using trusted advertising partners.

Understanding Cookies

Cookies are small text files websites store on your computer to remember information about you – like login details, shopping cart items, or preferences. There are different types of cookies:

• First-party cookies: Set by the website you’re directly visiting (e.g., www.example.com).
• Third-party cookies: Set by a domain other than the one you’re visiting, often advertising networks or analytics providers. These are the ones most associated with privacy concerns.

How Ads Access Cookies

Ads don’t directly read cookies themselves. Instead, they rely on JavaScript code embedded in webpages to do this. Here’s how it works:

1. Ad Tags: Websites include snippets of code (ad tags) from advertising networks like Google Ads or Facebook Pixel.
2. JavaScript Execution: When a webpage loads, the browser executes this JavaScript code.
3. Cookie Access: The JavaScript can access cookies that are accessible to the domain hosting the ad tag. This is usually limited by the same-origin policy (see below).

The Same-Origin Policy

This is a crucial security feature in web browsers. It prevents JavaScript code from one website accessing cookies set by another website, unless specific permissions are granted.

• Example: A script on www.example.com can read cookies set by www.example.com but not directly access cookies set by www.anotherwebsite.com.

How Ads Bypass Restrictions (and How it’s Limited)

1. Cross-Domain Tracking: Historically, ads used techniques like cross-domain tracking to share cookie data between different domains owned by the same advertising network. This is becoming harder due to browser restrictions.
2. Third-Party Cookies (Historically): Ads heavily relied on third-party cookies for tracking users across multiple websites. However, browsers are phasing these out.
3. First-Party Cookie Sharing: Some ads now work by having the website share first-party cookie data with advertising partners in a controlled way. This requires explicit consent and configuration from the website owner.

Browser Protections

Modern browsers offer several features to limit ad tracking:

• Third-Party Cookie Blocking: Most browsers now block third-party cookies by default or allow you to easily disable them in settings.
• Intelligent Tracking Prevention (ITP): Safari’s ITP and similar features in other browsers limit the ability of ads to track users even with first-party cookies.
• Privacy Extensions: Browser extensions like Privacy Badger, uBlock Origin, and Ghostery block ad trackers and prevent cookie access.

What Websites Can Do

Websites have control over what data ads can access:

1. Choose Trusted Partners: Work with reputable advertising networks that respect user privacy.
2. Configure Ad Tags Carefully: Limit the amount of data shared with ad partners. Avoid sharing sensitive information.
3. Consent Management Platforms (CMPs): Use a CMP to obtain explicit consent from users before setting cookies or sharing data with third parties.
4. Cookie Policies: Clearly explain which cookies are used and how they’re used in your website’s cookie policy.

Checking Cookie Access (Developer Tools)

You can inspect cookies using your browser’s developer tools:

1. Open Developer Tools: Press F12 or right-click on the webpage and select “Inspect”.
2. Application Tab: Navigate to the “Application” tab (or similar, depending on your browser).
3. Cookies Section: Look for the “Cookies” section. You’ll see a list of cookies set by different domains.

You can also use network monitoring tools within developer tools to see which requests are making cookie calls.