A slew of questions. An abundance of potential answers. And no clear path forward. That's what the future currently holds for the advertising technology space as far as privacy goes.
Between Google's phasing out of third-party cookies and Apple's iOS 14 privacy updates, there's a lot on adtech companies' plates and necessary adjustments are imminent. Both changes will call for organizations to rethink their ad tracking practices in a way that balances consumer privacy and business results.
This is easier said than done, according to IAB Tech Lab Senior Director of Product Management Alex Cone. “We need to do more as an industry on giving users real transparency and, more importantly, real control around how data is used,” Cone said. “Obviously, that takes on different forms in different places. The norms, market landscape and laws are different everywhere you go.” Cone also said IAB Tech Lab has been engaging hundreds of members on adtech privacy since the EU General Data Protection took force in 2018.
Broadening controls and transparency for users is one piece to the puzzle, but the other is developing the means to ensure those controls and transparency are stood up and maintained. "It comes down to building technically demonstrable accountability systems that can show and demonstrate continuously that these transparency and control signals are being conformed with."
Google, Apple changing the game
It has been more than a year since Google announced its plan to move away from the use of third-party cookies by the start of 2022. The effects of dropping cookies are pretty straightforward, with advertisers losing a long-used tool to track users across multiple websites and serve them ads at each stop.
"This is all just part of the trend away from generally available third-party persistent identifiers," Electronic Frontier Foundation Staff Technologist Bennett Cyphers said. "I think we're seeing it first on the web because it's the oldest and most mature technology, and there's been the most sustained attention to the privacy issues to the tech on the web. It's just a variety of factors that have pushed Google into this decision to leave it all behind and invent a new system."
On the mobile side, iOS 14 changes and Apple's App Tracking Transparency framework are on track to roll out in the coming months. Developers will be required to obtain opt-in consent prior to serving targeted advertising via Apple's Identifier for Advertisers. Users will be presented with a one-time prompt regarding tracking preferences and then have autonomy over permissions for individual apps.
While the respective changes by Google and Apple may not immediately correlate on the surface, Davis & Gilbert Partner Gary Kibel, CIPP/US, says they're certainly tied to one another.
"They really go hand in hand because everyone does cross-device tracking these days," Kibel said. "You're tracking from the cookie-based web to the mobile space. If you lose one or the other, it affects the equation. When you're losing both, it eliminates the ability, without new solutions, to match up for retargeting."
Cone sees the good faith behind efforts by Google, Apple and other platforms to increase privacy, but a lack of consensus and uniformity on how to address privacy standards has created "fragmented user experiences" as companies "go their own way on privacy."
"On the iOS side, you've got companies building to their conversion and click-tracking solutions, which are very different from the solutions on the web. None of them are harder than the others to deal with, but they're all incredibly frustrating," Cone said. "Apple's out in the market talking about how they're the best on privacy, and what they're saying is resonating with people, but it ignores the fact that they think their experience is the best one and doesn't matter that everywhere else the user is going to have different experiences."
A shift to first-party reliance?
A common response on how to face the "cookies conundrum" is to simply shift the focus to first-party data. It sounds simple enough to take direct data and insights collected from a company's audience. What's forgotten is how far first-party data extends for some companies while not so far for others.
"The term first-party data has been stretched to and past its breaking point by these giant tech monopolies," Cyphers said. "What Google will call first-party data is the data they collect from Android, Chrome, searches, YouTube and so on. Like 90% of the time when I'm using anything on the internet, I'm doing through a Google product or service."
This is where a lack of uniformity or a silver-bullet solution proves challenging.
Big Tech companies can very easily turn to their first-party data, while many small- and medium-sized companies will either seek alternative responses or try to match the large troves of data. Maropost Chief Privacy Officer Dennis Dayman, CIPP/E, CIPP/US, CIPT, FIP, expects the latter scenario to become the trend initially.
"We're going to see some of these bigger brands get bigger," Dayman said. "Like L'Oréal has 35 or 40 different brands. I think you'll see those types of companies continue to buy some of these small brands that are really hot demographics-wise. I think we'll see them become bigger behemoths, not because of privacy, but because they're realizing how strong it is to make their own ecosystem and use the existing data they already hold."
An industry-wide shift to first-party data would prove disastrous for small- and medium-sized businesses, according to Kibel.
"It's what's lost in this privacy debate because there's this thought to protecting and helping the consumer, but you're helping the big companies, not the SMEs" Kibel said. "If you're an SME, you need to do retargeting, buy segments, get out there on these platforms and track people to give these targeted ads to the right people. First-party data just won't work well, and relying on everyone to get consent for ads to get there will just reduce the audience. Those trends would make it hard for the little guy to compete."
Dayman outlined a potential scenario for SMEs that would promote partnerships driven by data sharing. Working under "some form of a model clause," Dayman envisions small groups of companies coming together to develop "a walled garden around a specific industry" rather than having an industry leader gobble up its competitors or dip into other industries.
Other tracking alternatives
First-party solutions, like those put forth by Verizon Media and Nielsen, are just one option in a line of alternatives that have popped up in recent years.
With a common goal of enhancing consumer privacy in mind, many new ad-tracking options steer clear of using personally identifiable data; however, some are taking a first-party data approach. The Trade Desk and Experian-owned Tapad are among a group of partnering companies that have banded together with their cookieless identification solutions, which essentially allows for data sharing across different brands. Then there are outliers like Clickagy, which has a standalone alternative that focuses on real-time behavioral data.
"Everyone is kind of coming up with one," Kibel said. "The beauty of the third-party cookie world right now is that you can mix and match and trade data between everybody. If everyone has their siloed solutions then you can retarget within the various solution worlds. It doesn't help the problem."
With Google's efforts to replace its own standard, there's still a lot of unknowns. The company claims to have many alternative solutions in development. Most recently, Google used its Privacy Sandbox to trial its Federated Learning of Cohorts scheme, which groups people based on their common browsing behavior via machine learning. The results of FLoC's sandbox tests showed they were 95% as effective as cookies, according to Google, which did not disclose data regarding the tests.
"They're just saying, 'Trust us, it's really good,'" Kibel said. "What are we supposed to say to that? They're telling us this is 90% as effective and then won't show any of the data to give us insights. When they roll it out, it's like use it and cross your fingers. There's no way to know if it's really good."
IAB's 'Project Rearc'
Cone is convinced there will never be a "one-for-one replacement" for cookies, and access to Apple's IDFA will change drastically with its iOS 14 consent-driven changes. Those factors make IAB Tech Lab's "Project Rearc" an important initiative.
The lab announced February 2020 it intended to explore a reestablishment of how online advertisers use data for targeted advertising through the project. The vision for Rearc was to address both privacy regulations and cookies' demise through the launch of a universal login that consumers could use to manage privacy preferences and allow targeted ads.
Cone said Rearc was broken up into addressability and accountability working groups, while a third group on global privacy, which isn't directly branded under Rearc, is "focused on expanding the footprint of privacy signaling."
"We kind of kicked off in earnest with those groups in April 2020 after making sure people were aligned on the problems we were solving, the reasons they were being addressed and what the constraints were," Cone said, noting proposals were considered last fall. "We're now within a handful of weeks of being to a point of readiness for several draft standards and guidelines to go into public comment."
There's no hard date for when those public comment periods would officially open, but Cone indicated further announcements may come "in the not-so-distant future." He also went further into how Rearc evolved from a silver bullet concept to what's now a multi-option proposal.
"It's a portfolio of solutions and a combination of things we're really hoping to get strong feedback on," Cone said. "This a hard topic and it's a massive disruption. … A lot of people fixated on a few things that leaked out of the process or have been announced. Those are pieces, but we think it's a portfolio that really sets our industry up for sustainable, accountable, user-centered addressability forms going forward."
Another way forward?
Aside from technical fixes, Cyphers could see the adtech industry reconcile on privacy through regulation and more awareness as it relates to competition. Specifically, with regulation, Cyphers indicates that it might be "hard to do right," but it's not impossible.
"I think the GDPR has a lot of good language, but it has to be enforced the right way," Cyphers said. "I think that's changing over time. We're starting to see decisions where companies can't just put a cookie banner on the bottom of a wall of text and six different checked boxes and then count that as consent. There's starting to be more enforcement about what's a coercive pattern and when is consent actually meaningful."
Cyphers admits that that regulation won't work on Big Tech companies that "don't share data with marketers, at least according to the law." Those companies have amassed enough data from their subsidiaries over time to work within their own walls.
"Chipping away at these giant conglomerates could help privacy laws work better," Cyphers said. "If you had Facebook's ad business be separate from its publishing or social networking business, then it would have to share data from one to another in the same way that a company like The New York Times shares with its advertisers."
Photo by Stephen Phillips - Hostreviews.co.uk on Unsplash