In this article, we explore how Nosto uses cookies. We aim to answer the most common questions regarding the cookie topic from a technical, practical, and regulatory perspective by starting with a short summary. You will see below we have broken the article down according to each of these themes.

The technical aspect of cookies is often brought up in the context of Apple’s Intelligent Tracking Prevention (ITP) and, to a small degree, App Tracking Transparency (ATT). ITP is a feature included in Apple’s Safari browsers in recent iOS updates, with iOS versions 14 and 15 adding stricter versions of ITP. Apple rolled out multiple iterations of ITP and continues to implement new restrictions on cookies.

In short, the latest versions of ITP restrict the use of cookies in multiple ways. For example, version 2.0 of ITP launched in November 2018, hence it is not exactly new, but the updates made after that initial launch have restricted the use of cookies (specifically on Safari) even more.

The other two major browser vendors: Google (Chrome) and Mozilla (Firefox) have also tightened up their approach to cookies, but as of now limiting these to third party cookies. In short, the approach taken by Google and Mozilla is not as restrictive as Apple’s and centres on third party cookies.

Safari is not the most popular browser (with 20% overall share globally, 27% on mobile ), but when we consider that the majority of e-commerce orders and sales take place on mobile, where Safari has a larger share of the traffic—especially in the US (where 55% of mobile is Safari), we realize it’s important to take a deep-dive into Apple’s cookie policy because it affects so many e-commerce businesses, whereas Google's and Mozilla's changes impact less.

Apple’s ITP and equivalent limitations by rivals Google and Mozilla impact many services that implement tracking across sites by deploying their own third-party cookies, sometimes referred as ad cookies.

Note that this does not include Nosto, as Nosto uses and writes only client-side first-party cookies. For example, every e-commerce website uses first-party cookies for shopping carts and to store log-in information—these are considered acceptable and normal. Where ITP has the harshest impact is with third-party cookies, which are typically used by (and are more relevant to) ad providers because ad providers track shoppers across multiple websites.

Nosto operates and monitors user behavior only on the site of the e-commerce account, so the tracking is limited to one single website and customer account only. Therefore, any changes or restrictions implemented by a web browser regarding third-party cookies do not impact Nosto.

At first, the ITP restrictions enacted by Apple were limited to third-party cookies (i.e. the ones that enable ad providers to track shoppers across multiple sites). But as Apple added restrictions, trackers came up with ways to evade Apple’s ITP by doing things like tracking customers across sites by using first-party cookies and url parameters.

To address this, Apple has continued rolling out new iterations of ITP, which now include restrictions for first-party cookies. In the latest versions of ITP, the cookie lifetime limit is 24 hours, but for now, that only applies to cross-domain trackers.

As it currently stands, Nosto would not be impacted by the strictest 24-hour rule. But, at most, even first-party cookies will be limited by a lifespan of seven (7) days on Safari—expiring if a user doesn’t revisit the site within the seven day period. In practice, this means that personalization still works on Nosto customer sites so Nosto can serve all of its onsite products normally and without limitations. But once the cookie expires, a returning user is effectively processed as a new visitor to the store unless they use a login for that site.

This is the main concern of ITP’s impact on Nosto customers. With cookies expiring and factually being cleared so frequently, this skews website analytics and services from web-analytics to technologies like Nosto. In terms of Nosto, this limits the opportunities for brands to create experiences based on lifecycle data and segments (or similar segment types) for Safari users as they are now likely processed as new visitors when they return to a store.

In the last section: Practical Perspective to Personalization, we will discuss how to mitigate the impact of browser changes like Apple’s ITP on Nosto programs so brands can continue delivering meaningful experiences despite these restrictions on historical browsing and shopping data.

As a resource for your technical and legal teams, you can find a list of cookies that Nosto writes and the purpose of each here.

Now let’s look at cookies from a regulatory lens—focusing on the European Union’s GDPR and California’s CCPA.

To start, neither the GDPR nor the CCPA prohibits the use of cookies in general, but both cover what is considered “proper” use of cookies in the context of data protection. In short, cookies are not banned, but the regulation governs more precisely how cookies should be used.

GDPR has been widely (and rightfully) criticized because it is set up as a general data protection regulation as the name would suggest. This becomes difficult because for regulation of cookies, it simply requires that “consent is needed” for cookies and tracking, but it doesn’t exactly stipulate anything beyond that or provide more detailed regulations. So as it stands, the rule is completely open to interpretation and is dependent on the situation in a specific country and/or a certain type of business.

We hope that the EU’s new ePrivacy Regulation, which will be lex specialis to the GDPR, will be an improvement for the EU area (and potentially later elsewhere); it will likely contain more specific rules for things like cookies and how they should be processed. However, at this point in time (2024) this regulation is still being drafted, and any speculation of its impact at this stage is relatively immature, whereas technical changes by browser vendors already impact how cookies can be used.

To conclude, from a regulatory perspective, it is currently more open to interpretation regarding how exactly consent should be asked for and obtained from site visitors. What this means for Nosto is that you have to review with your legal and tech teams what the right process is for you and in the areas you operate. We have seen some customers request consent for cookies and data processing by implementing cookie consent pop-ups and other similar methods, but please note, this should not be interpreted as legal advice.

In the instance that a user should not be tracked, there are two options:

As an outcome of both technical and regulatory restrictions on cookies, this typically leaves us with three types of shoppers:

Since Nosto’s inception, we have always been able and encouraged to change the personalization experiences mid-session in addition to basing it off past orders and browsing history. This is a key point of differentiation for Nosto, as many similar personalization technologies can only alter the experience based on the previous transaction. For example, if a shopper bought a pair of skis in December, the personalization would be based on skis, and these would be recommended to the same shopper in April when the shopper is perhaps more likely to buy warmer-weather gear, like hiking boots.

At Nosto we believe that as a best practise, personalization should reflect more the current session of a user who is intent on purchase—except in cases when the source they came from gives a more accurate idea of the intent, e.g., if they clicked on a product- or category-specific ad or email. In this case, the landing page can already be optimized and some conclusions of the current intent can be drawn.

It’s important to remember that the technical restrictions on cookie processing (mainly implemented by Apple) don’t necessarily render historical data useless in all instances. For example, if a shopper is not using Safari or if the shopper uses a login with which Nosto can recover the data for that profile. However, the restrictions do place added pressure to change a given site’s personalization strategy to make better use of current intent instead of relying only on past intent. Foremost because in many cases, statistically between 20-55% (global average and U.S. mobile share of Safari traffic), there is no other means to personalize experience for those shoppers than by using the signals based on the current visit. Therefore we encourage that the personalization strategy should lean and focus more towards current-session intent, whereas those shoppers who can be tracked across visits can experience even more granular personalization.

It's widely recognized that utilizing order history and data for traffic acquisition and enhancing landing page experiences should be used. However, with Nosto providing personalization doesn't rely on identifying shoppers through cookies between sessions as other sources like utm-parameters can be used for the purpose. Further, once a shopper has navigated the site, searched for items, viewed products, or added items to their cart, personalization efforts should shift focus to their current actions and interests, prioritizing present intent over historical behavior or even the click that brought them on the site.

In more concrete terms, this can be done by starting with a great landing page experience, and then weighing more heavily on current behavior-based content, recommendations and segments, and also with merchandising decisions and configurations, e.g., promoting key categories that are known to perform better (high conversion rates and above average profit margins).

Another good strategy to increase engagement when you can’t do personalization based on historical data is to deploy “self-segmenting” capabilities on a given website. What this means is that a brand can outright ask for a shopper’s interests, which can then be used both for personalisation and as an evergreen asset of getting the shopper to register an account. And when shoppers login, their past history on the site can be retrieved.

For the group of shoppers who fully opt-out, they can still be delivered Nosto features, it just won’t be based on their own behavior and data and is thus more limited. For instance, ‘best-sellers’ and ‘most viewed’ products are based on “trend and anonymous order data”, and cross-sellers on product detail pages can be shown to shoppers without personalization data. The merchant can achieve this by referring to Nosto’s technical documentation here which creates a way for shoppers to opt out of session tracking (note that this is not the same thing as not loading the Nosto script at all).

When implemented, shoppers are effectively not tracked anymore, but the setup still allows Nosto to use the anonymous data available on a specific page to deliver personalization functionalities. For example, the merchant can still show the opt-out group features like customers who viewed this product also bought these and the aforementioned best-sellers and trending products. In terms of category merchandising, product performance-based experiences such as highlighting high-converting products with high CTR would also work with shoppers who opted out from tracking.

Remember that these will not track or use the data of a given shopper from any prior visits to the site, but rather, use insights taken from the site performance as a whole to push products that could be the most relevant to a shopper.

The most notable limitation on the Nosto side with the opt-out group is that browsing history and segment-based experiences—which rely on the capability of tracking a shopper between page loads and visits—are not available.