cookie monster_featureWith all the hand-wringing over “death to the click-through rate,” the poor performance of display ads, and challenges of transferring desktop dollars to mobile, I’d say the ad tech industry has its hands full.

But there’s one creeping problem getting less attention, and it’s one that most players in the space have little control over: Cookies. There’s a quiet war being waged over the use of them, and if things keep going the way they have, many adtech startups may find their products are suddenly useless.

To provide a little oversimplified context: Websites “drop cookies” via your Web browser as a way to record that you’ve been there. It happens on just about any site you go to. Those cookies are then used by adtech companies to sell ads. A car advertiser might bid to serve me an ad on the New York Times website if a third party company tells them I’ve already been to their website, or any car-related one. J. Crew might bid to serve me an ad on Refinery29 after I’ve abandoned a loaded shopping cart on their site. It’s called retargeting. It’s how an ad seems to follow you around the Web no matter what site you’re on. These ads are far more effective than generic ads, and advertisers are willing to pay a lot for them.

They obviously don’t work when a person disables third-party cookies on their browser. But your average, non-paranoid Internet user doesn’t do this. They likely don’t even know what a cookie is or how and why to disable them. (If you think I’m being condescending, see Google’s man-on-the-street video.)

Users might even enjoy the cookie-fied ads, because they’re more relevant. I, for one, have noticed an increase in the quality of Facebook ads since it introduced retargeting from outside the site on its banner ads earlier this year. Rather than getting ads from online colleges and suspicious dentists, I see ads from sites I’ve actually visited. I hate pretty much all ads, but at least these are slightly less annoying.

It’s not actually the users that are threatening the future of cookies. It’s the browsers themselves.

Earlier this year Microsoft announced that Internet Explorer 10 will have “Disable cookies” in its default setting. The company reiterated that stance last week. The announcement was a shock to the ad world, and the Do Not Track working group Microsoft was a part of.

Depending on who you ask, Internet Explorer still dominates the browser wars, owning 36.7 percent of the market, according to Chitika Insights; over 50 percent according to Net Applications. Anyone upgrading to IE 10 will not be trackable by third party advertisers online as the default setting.

Meanwhile Apple’s Web browser, Safari, has never allowed cookies. Safari has 21 percent market share, according to Chitika. If that sounds high, it’s because this study takes mobile Web browsing into account, and Apple has a particularly high market share of Web browsing thanks to the dominance of the tablet and stronghold with the iPhone.

Apple does not care to spread the cookie love to third parties. Neither does Microsoft. It’s their way of thwarting their competitor, Google, which makes the bulk of its revenue in advertising and benefits greatly from the ability to collect targeting data.

It’s worth noting here that no war is without its nuances. Microsoft’s move might not be quite as bold as it appears to be. Having the “Do Not Track” switch automatically set to “on” in IE 10 does not technically stop websites from dropping a cookie. It only sends a message to the website that this user does not want to be tracked. The website can ignore it and drop a cookie anyways. Plenty of publishers, including Yahoo, have said that’s precisely what they plan to do.

The UK began requiring “consent before cookie” (my term, not theirs) earlier this year, and it’s most recent steps to enforce it have only led to confusion. “It is thought the majority of UK websites are breaking the law that dictates how users’ are tracked and logged, despite having more than a year to prepare for the changes,” ZDNet’s Zach Whittaker wrote back in May.

So how is it legal for US sites to blatantly ignore Do Not Track requests? Because the hope of any legal enforcement related to it is basically dead. For two years, groups from adtech and privacy advocates have wrestled over the issue, and they’ve made almost no progress. They can’t even agree on what the definition of the word “track” should be, let alone deciding what the key harms they are trying to solve might be.

But those choosing to heed the Do Not Track requests, should it ever actually become a law, will want an alternative to cookie-based targeting. Many in the industry believe cookies are a less-invasive way to advertise than the alternatives to cookies. Yes, cookies track your browsing, but they are anonymous, and they are tied to a browser, not an individual. You can review yours and clear them at any time, and they are not permanent. It may be a savvy minority that actually takes the time to review and clear browsing cookies, but they at least have the ability to do so.

That’s in contrast to the alternative options large companies may start to use if cookies ever go away, unique ID and PII (personally identifiable information). Third party ad-tech companies (ie, startups) won’t have access to this information the way they are able to get browsing data from cookies, but giant companies like Amazon, Apple, Google, and Facebook will. They have likely already gotten permission to collect it in the massive terms of service agreements we agree to. We have to consent to such terms when we boot up our new Macbooks, or when open iTunes, or when we turn on GPS for Google Maps, or when we sign up for Gmail, or when we agree to Facebook’s no-longer-democratic privacy policies, or when we put our credit card information into Amazon.

Microsoft and Safari may make life worse for Google with the war on cookies, but in doing so they also may make it worse on all of the rest of us.

[Illustration by Hallie Bateman]