
The Impact of Third-Party Cookie Deprecation on Adobe Target (at.js)

3/21/24

By @chrismdavis & @surebee 

Introduction

With the deprecation of third-party cookies upon us (Google is promising they will be unsupported in Chrome beginning later in 2024), it is a great opportunity to discuss what this means for Target. In addition to this, we'll also give an overview of what cookies Target uses, and how they can be examined by you, the high-tech marketer, with your head full of dreams and eyes full of stars.

Cookies Set by Experience Cloud Identity (ECID) Service

Here is a handy quick reference for the various cookies the ECID Service sets and whether or not they are used by Target.

| Cookie Name | First-Party | Third-Party | Usage |
|---|---|---|---|
| AMCV_IMSOrgId | | | Used by the Visitor.getInstance function of the ID Service, enables cross-solution data sharing. |
| AMCVS_IMSOrgId | | | Serves as a flag indicating that the session has been initialized. |
| demdex | | | Contains a Demdex ID that persists across different domains. |

Cookies Set By Target

Here is a handy quick reference for the various cookies that Adobe Target sets.

| Cookie Name | First-Party | Third-Party | Usage |
|---|---|---|---|
| mbox | | | Stores anonymous identifiers for the visitor, needed for at.js to function properly. |
| at_check | | | Temporary cookie to denote if the browser has reading/writing of cookies enabled, used to determine if the mbox cookie can be created. |
| mboxEdgeCluster | | | Only present when overrideMboxEdgeServer setting is set to true in the targetGlobalSettings object. |
| customerclientcode!mboxPC | | | This cookie is only present if cross-domain is enabled for the Target instance. |
| customerclientcode!mboxSession | | | This cookie is only present if cross-domain is enabled for the Target instance. |

Breakdowns of Each Cookie

Now let's take a look at what each cookie's values should look like & how you can validate their values before putting this all together with the implications of third-party cookie deprecation.

Where to View Cookies In Your Browser

You can view Target cookies set on your machine by opening your browser's developer console on a page running Target and navigating to Application > Cookies (dropdown menu) > yourdomain.com (AMCV, AMCVS, mbox, and at_check, potentially along with mboxEdgeCluster, customerclientcode!mboxPC, and customerclientcode!mboxSession, depending on your implementation) or clientcode.demdex.net (demdex):

[Image: First-party cookies, filtered to cookies containing mbox in the name]

[Image: Demdex cookie used by Target]

ECID Service Cookies

| Cookie Name | First-Party | Third-Party | Sample Value | Explanation of Value |
|---|---|---|---|---|
| AMCV_IMSOrgId | | | MCMID\|20265673158980419722735089753036633573 | Contains ECID for use in calls made by Adobe solutions |
| AMCVS_IMSOrgId | | | 1 | The presence of this cookie acts as a flag; the value will always be 1 when this cookie is set |
| demdex | | | 79773591524217492541286261523230646419 | A Demdex ID, to enable the use of Audience Manager segments with Target activities |

Target Cookies

| Cookie Name | First-Party | Third-Party | Sample Value | Explanation of Value |
|---|---|---|---|---|
| mbox | | | PC#2301af30589147f08f804c97232d5a73.34_0#1770575577 \|session#254168dac83446f599804c0884ec811a#1707332637 | Contains the PCID & Session ID anonymous identifiers |
| at_check | | | true | "true" indicates that the browser has reading/writing of cookies enabled. |
| mboxEdgeCluster | | | 34 | Indicates which edge server requests should be sent to when overriding defaults, you can find more info about Edge Nodes here. |
| customerclientcode!mboxPC | | | ad8e6155f6164e7d9736343ff7a059c0.34_0 | Target anonymous profiled identifier concatenated with Edge Node that the session is living on. |
| customerclientcode!mboxSession | | | ad8e6155f6164e7d9736343ff7a059c0 | The Session ID associated with the current Target session, sessions live for about 30 minutes on Edge Nodes before being fully resolved with the backend. Maintaining Session ID is important for avoiding unexpected changes to a Visitor Profile. |

Target Without Third-Party Cookies

Now that we have a good understanding of which cookies Target uses & why, let's talk about what happens when we lose third-party cookies and what alternatives we have.

What Is Impacted

Target relies on third-party cookies for the following functionality:

  • Use of Experience Cloud segments (segments shared from Analytics & Audience Manager) that cross domains in Target activities will no longer be possible, as the demdex cookie is used as part of a seed to generate the same ECID across multiple domains under the same IMS Org.
  • Cross-domain session & profile sharing relies on third-party cookies for carrying mboxPC & mboxSession from one domain to another. This functionality will also be impacted by the deprecation of third-party cookies. Profile sharing could still be achieved using a Customer ID as long as sessions are expired before crossing domains (see section below).

What Can Be Done About This?

While these are not 1-for-1 replacements for the functionality lost by the deprecation of third-party cookies, there are a few things you can do to supplement data available to Target for targeting:

  • Implementing a first-party Customer ID for Target requests so that multiple ECIDs for a visitor can be tied to one first-party ID.
    • You can read more about setting Customer IDs in Target here
    • Setting the same Customer ID across domains will enable sharing of the Target Visitor profile across domains, so long as the session on the original domain has expired. Sessions cannot be shared across domains, and it is important to never have concurrent sessions for the same Visitor Profile.
    • You can pass an mbox session as a URL parameter. Make sure you have a solid understanding of how Target sessions work (see info about mbox cookie for high-level details), and then talk to your Account Representative about this.
  • Enrichment of the Target Visitor Profile (which is pseudonymous) is another course of action that could be considered; by passing information into Target as page or profile parameters, you can make it easier to target individuals on subsequent visits where they may or may not have a first-party identifier present in their session. You can add extra context to Target calls through page & profile parameters, as well as through server-run profile scripts. Read more about these here:
    • Page Parameters - for sending information about the current request
    • Profile Parameters - for sending information that should be appended to the Target Visitor Profile
    • Profile Scripts - for the ability to work with page & profile parameters in a more programmatic way (scripts very closely resemble JS, but are written in Rhino, a backend JS engine written in Java)

Apple Specific Considerations

Apple has taken several measures to restrict cookie lifetime and prevent cross site tracking using their Intelligent Tracking Prevention (ITP) technology. Below are the considerations pertaining to Target cookies and how they might impact your implementation.

First and Third-Party Cookie Support and Lifetime

| Cookie Type | Cookie Source | Supported? | Cookie Lifetime | Notes |
|---|---|---|---|---|
| Third-Party | | | | |
| First-Party | document.cookie | | 7 Days | Includes sites with CNAME implementation (see section below). If a visitor returns to the site within a week of the first visit, the expiration date extends by another 7 days. |
| First-Party | document.cookie AND BOTH conditions in Notes are met | | 1 Day | 1. A domain classified with cross-site tracking capabilities was responsible for navigating the user to the current webpage, AND 2. The final URL of the navigation mentioned above has a query string and/or a fragment identifier. Apple has not made it clear how exactly these domains are classified, or how a domain can determine .... |

What is CNAME in relation to Target implementations?

When Canonical Name (CNAME) support is implemented with Adobe Target, calls are made to a domain owned by the customer (target.example.com) rather than a domain owned by Adobe (clientcode.tt.omtrdc.net). CNAME allows you to handle ad-blocking issues on your site.

CNAME and relevance to ITP

With ITP 2.3 (dated 2020), Apple released a CNAME-cloaking defence feature. As a result, all first-party cookies set using CNAME cloaking will be set to expire in 7 days. Prior to ITP 2.3, CNAME was used as a method to circumvent the 7-day cookie lifetime restriction.

How is my Target implementation impacted for Safari Visitors due to ITP tracking changes?

| Affected Functionality | Impact | Notes |
|---|---|---|
| mbox Cookie Lifetime | Shortened Lifetime | 7 days. Exception: If the cookie is set by a tracking domain (as identified by Apple) AND uses link decoration, lifetime = 1 day |
| Reporting | Increased Unique Visitor Counts | If visitors revisit your site after 7 days, Target will be forced to set a new mbox cookie in place of the expired one, resulting in incremented Visitor count |
| Visitor Profile and Activity Membership | Decreased Lookback Period | Profile data is erased when the first-party cookie expires. Activity membership is erased when the first-party cookie expires. Target does not function in Safari for sites using a third-party cookie implementation or a first- and third-party cookie implementation. |
| Opt-Out Support | No Longer Functional | Since Target uses a third-party cookie in the clientcode.tt.omtrdc.net domain to support opt-out, the functionality is no longer available |
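
To check an mbox value by hand and see how the Safari limits above apply to it, here is an added example (not part of the original post and not Adobe's code). It assumes the trailing number in each segment is a Unix expiry time in seconds; `parseMboxCookie`, `itpLifetime` and `NOW` are names chosen for this example.

```javascript
// Added example, not Adobe code. Assumption: the trailing number in each
// segment is a Unix expiry time in seconds (the page does not label it).
const DAY = 86400;

// Split "PC#<id>#<ts>|session#<id>#<ts>" into named fields.
function parseMboxCookie(value) {
  const seg = {};
  for (const raw of value.split("|")) {
    const [name, id, expires] = raw.trim().split("#");
    if (!name || !id || !/^\d+$/.test(expires || "")) {
      throw new Error(`malformed mbox segment: "${raw}"`);
    }
    seg[name] = { id, expires: Number(expires) };
  }
  if (!seg.PC || !seg.session) throw new Error("expected PC and session segments");
  // The PC id carries the edge node after the dot, e.g. "<hex>.34_0".
  const m = /^([0-9a-f]+)\.(\d+)_\d+$/.exec(seg.PC.id);
  if (!m) throw new Error(`unexpected PC id: "${seg.PC.id}"`);
  return {
    profileId: m[1], edgeCluster: m[2], pcExpires: seg.PC.expires,
    sessionId: seg.session.id, sessionExpires: seg.session.expires,
  };
}

// Compare the lifetime written inside the value with what Safari ITP allows
// for a cookie set through document.cookie (7 days, or 1 day in the exception case).
function itpLifetime(parsed, nowSec, trackerWithLinkDecoration = false) {
  const capDays = trackerWithLinkDecoration ? 1 : 7;
  const effective = Math.min(parsed.pcExpires, nowSec + capDays * DAY);
  return {
    declaredDays: Math.floor((parsed.pcExpires - nowSec) / DAY),
    effectiveDays: Math.floor((effective - nowSec) / DAY),
    capped: effective < parsed.pcExpires,
  };
}

// Sample value from the Target Cookies table; NOW is constructed for the example.
const SAMPLE = "PC#2301af30589147f08f804c97232d5a73.34_0#1770575577 |session#254168dac83446f599804c0884ec811a#1707332637";
const NOW = 1707330777;
const parsed = parseMboxCookie(SAMPLE);
console.log(parsed, itpLifetime(parsed, NOW), itpLifetime(parsed, NOW, true));
```

The edge node parsed from the PC segment should agree with the mboxEdgeCluster cookie when that cookie is present, and a large gap between the declared and effective lifetime is what produces the increased unique visitor counts listed in the table.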

Conclusion

We hope this guide helped you to better understand the cookies used by at.js Target implementations. If you are still unsure of any information covered in this guide, you can browse documentation on Experience League, check out the Experience League Forums, or contact your Account Representative.

2 Comments

Level 3

4/18/24

What Adobe thinks that in VEC it will be impossible to login to a website that was loaded within VEC iframe and that the user session cookies that a website tries to save are considered as 3rd-party cookies in relation to parent (Adobe) domain? Currently it is possible to do it, but not in 100% of cases.

Community Advisor

4/23/24

Hi @surebee  This is really informative.

Hi @All, do we have any similar assessment for Adobe Analytics also?