The way the third-party cookie crumbles: Part 2 – Shifting industry practices and alternatives to third-party cookies

The first part of this series examined the legal and regulatory developments affecting third-party cookies in Europe. This second and final installment explores the advertising technology industry’s ongoing shift away from third-party cookies and the various alternatives available to companies.

The third-party 'cookie apocalypse'

The ad-supported digital economy is undergoing a fundamental shift. In light of the increased regulatory and social attention to the privacy concerns about how third-party cookies are used, adtech companies are proactively moving away from them. In 2019, Mozilla’s Firefox browser blocked third-party cookies by default. Apple’s Safari followed suit in 2020. Last April, Apple also launched its App Tracking Transparency framework for iPhone. Starting with the iOS 14.5 update, applications must “receive the user’s permission … to track them or access their device's advertising identifier.” Advertising identifiers are the mobile device equivalent to a web browser’s third-party cookies. Apple’s ATT framework is already making an impact with its new opt-in model. With only 25% (or less) of users opting in, ad revenues have dropped and companies are being forced to seek alternative advertising methods.

One of the more direct initiatives to phase out third-party cookies is Google’s Privacy Sandbox. In 2019, the company announced plans to eventually disable third-party cookies entirely in its Chrome browser and unveiled the “Privacy Sandbox” — an initiative to spark industry-wide collaboration to build a privacy-preserving system “that will render third-party cookies obsolete” while sustaining targeted ads. So far, around 30 proposals of new technologies to replace third-party cookies have been offered by Chrome and other industry members. This number would probably be higher if there were less skepticism and more industry support for the adtech giant’s novel proposition. Industry resistance, its ambitious two-year timeline and ongoing investigations by the EU and U.K. have caused Chrome to delay phasing out third-party cookies until late 2023.      

Stepping in a similar direction, Meta, the parent company of Facebook, Instagram and WhatsApp, announced that starting Jan. 19, 2022, “it will no longer let advertisers buy targeted ads for users based on sensitive information such as race, political affiliation, sexual orientation, religion or health.” According to Meta, the change is meant to address concerns from policymakers and civil rights experts about advertisers abusing the company’s current targeting options. The company also wants “to better match people’s evolving expectations of how advertisers may reach them” on its platforms. But the “sensitive” targeting options that will be removed do not include options based on users’ physical characteristics or personal attributes. Advertisers will still be able to target users based on location, content engagement and similar user characteristics.

Third-party cookies alternatives

Given these pending developments, it is crucial for companies to develop new marketing strategies that don’t rely on third-party cookies. Using a more privacy-centric marketing alternative can also provide a competitive advantage because privacy is increasingly demanded by consumers. Several alternatives to third-party cookies have been proposed, discussed below.

1. Cohort-based advertising.

Google Chrome’s front-runner to replace third-party cookies, known as Federated Learning of Cohorts, is premised on protecting user privacy by “clustering large groups of people with similar interests” to effectively hide them “in the crowd” while simultaneously enabling advertisers to reach appropriate audiences. According to Google, recent tests have shown that FLoC is “at least 95%” as effective as cookie-based advertising.   

Even so, many organizations and privacy groups disapprove of FLoC. Calling it “the opposite of privacy-preserving technology,” the Electronic Frontier Foundation argues FLoC will still reveal behavioral data and old privacy harms will merely be exchanged for new ones if implemented. Aside from Chrome, no browser vendor has plans to enable FLoC. Google’s statements imply it values industry-wide support. But since Chrome currently holds around 65% of the global browser market share, industry support is not exactly necessary to turn FLoC into a prevailing web standard. 

2. Micro-groupings.

In June 2020, Clickagy launched Privacy Clusters as a “cookieless” targeting solution. Privacy Clusters are micro-groupings of three to five users “mathematically bound together to act as a single, trackable and targetable entity.” Like third-party cookies, the technology allows companies to target users “based on observed behavioral data in real-time” — but the main difference is that Privacy Clusters provide greater anonymity because, according to Clickagy, “no personally identifiable information is used.”

3. First-party cookies.

Unlike third-party cookies, there is no indication that first-party cookies are dying, and companies are being advised to proactively harness this data as a fallback marketing option. First-party cookies are data packets created and stored directly by a website and they’re only available to that site. Primarily for the user’s benefit, they help “recognize the user and their preferences” by remembering user-provided data such as email addresses, phone numbers, purchase and support histories, and loyalty program information. Contrasted with third-party cookie data, first-party data is also valuable for its accuracy and relevance.

Companies can analyze their own first-party data to gain a better understanding of existing users to then structure their targeting more effectively. Although this data can provide accurate insights about past user behavior, it falls short when trying to predict consumer trends. Moreover, small- and medium-sized companies may not be able to compete with the wealth of first-party cookie data larger companies like Google and Amazon already have.  

4. Zero-party data.

While first- and third-party data involve cookies, zero-party data is “collected voluntarily and directly from customers.” By “solicit(ing) a direct interaction” from customers, collecting zero-party data provides an opportunity for companies to “build direct relationships with consumers, and, in turn, better personalize their marketing efforts.” It can also increase transparency and develop trust among users, which is something first-party data doesn’t necessarily provide.

Zero-party data can include customer interests, preferences, and purchase intentions that “offer insights into people’s motivations” and future intentions. However, companies “need to offer a value exchange” for this data — like incorporating rewards into questionnaires — to incentivize customer engagement and help overcome the growing uneasiness digital consumers feel about data collection.        

5. Universal identifiers

Some companies use identification providers instead of third-party cookies to universally identify online users. Here, a user gives permission to a site that then “shares the user’s consent with the ID provider, which creates an (or adds to an existing) ID for that user” that can be used across various websites. Companies can then personalize their marketing approach by buying ads that match the IDs. On Nov. 3, Google launched a feature allowing publishers to share publisher provided identifiers — “pseudonymized first-party identifiers that are created and controlled by publishers” — with partners in Google’s Ad Manager. Partners who participated in Google’s initial experiments for PPID saw “significant revenue improvements” by serving relevant ads to users where third-party cookies are unavailable. 

Email address-based identifiers, like Unified ID 2.0, are also being developed. A "UID 2.0" is an identifier based on “anonymized email addresses … gathered from a user logging into a website or app.” Consumers are told the reasoning behind creating the identifier during login and they can also manage their data-sharing preferences. To preserve privacy, a user’s UID 2.0 “regularly regenerates” and contains no real-world information to enable reverse engineering back to their email address. The UID 2.0 framework has appealed to many industry members and its recent deployment shows real promise for the cookie alternative.  

6. Fingerprinting

This technology can uniquely identify a user on a browser or mobile app by using the technical characteristics of the user’s device and browser. Fingerprinting “combine(s) certain attributes of a device — like what operating system it is on, the type and version of web browser being used, the browser’s language setting and the device’s IP address.” The aggregate of seemingly miniscule data points provides an accurate “fingerprint” to identify and track users across browsers and devices. Once tracked, compiled user profiles can then be sold to data brokers to bolster profiles with offline data, which may then be sold to companies for more effective targeting.

But fingerprinting has already been opposed by Apple, Mozilla, and Google because users have even less awareness and control than third-party cookies. For instance, European laws require websites to notify users of their use of cookies, but fingerprinting is not similarly regulated. And unlike cookies, users cannot clear their fingerprints. An “important long-term goal” of Google’s Privacy Sandbox is “to help prevent fingerprinting.” Chrome proposed implementing a “privacy budget” to “limit … how much information a site can access” for fingerprinting purposes, as well as a proposal to mask IP addresses.

7. Conversion measurement.

Within the Privacy Sandbox, Chrome also proposed various technologies for marketers “to measure campaign performance without third-party cookies.” Its proposed application programming interfaces “report conversions in a way that protects user privacy” while also supporting advertiser requirements by using techniques like “aggregating information, adding noise, and limiting the amount of data that gets sent from the device.” The Attribution Reporting API, which is intended “to report that an event may have been caused by another cross-site event,” proposes to limit the amount of data transferred between sites so “the sites can’t use them to track individual users.” For specifically measuring and reporting click-through conversions (which is currently being experimented in Chrome), data limits and noise work to protect privacy.

8. Contextual targeting.

Rather than relying on user data to display relevant advertisements, contextual targeting relies on the content of the website a user is visiting. For instance, a user reading an online article about coffee may be shown ads for coffee or coffee makers on that same site. Because contextual targeting serves ads based on a website’s key words, phrases and general theme, it is most effective on websites with “highly themed content that attract users with a specific interest” and for advertisers with narrow audiences.

Initially widely used for print advertising, contextual targeting is gaining traction in the digital space now that third-party cookies are going away. An October 2021 report prepared by the Irish Council for Civil Liberties (at the request of Members of Parliament) provides evidence of increased revenue for those that switched from tracking-based ads to contextual targeting. Dutch publisher NPO Group saw a 149% ad revenue increase after replacing tracking-based ads with contextual targeting. Furthermore, between July 2020 and May 2021, “websites operated by a Norwegian news publishing group earned an average of 391% more for contextual ads than tracking-based ads.” Briefly put, the ICCL argues that “practical evidence from European publishers now shows that publishers’ ad revenue can increase when tracking-based advertising is switched off.”

The Tracking-Free Ads Coalition also supports contextual targeting as a viable alternative to third-party cookies. In an Oct. 18 letter urging Europe’s 100 largest advertisers to stop using tracking ads, MEPs used the contextual targeting approach of search engine DuckDuckGo as an example of a profitable alternative.   

What’s next?

Even though the transition won’t be easy, some industry members welcome the phase-out of third-party cookies, seeing it as an opportunity to do better for the industry and society as a whole by putting “an end to lazy marketing.” Moreover, the recent advances in privacy-preserving technologies “points to a future where there is no need to sacrifice relevant advertising and monetization in order to deliver a private and secure experience,” said Google’s Director of Product Management, Ads Privacy and Trust David Temkin.

Google Chrome may be successful in phasing out third-party cookies by late 2023, but the big question is whether the alternatives will be better for privacy. Google’s Privacy Sandbox solutions, universal identifiers and contextual targeting are promising third-party cookies alternatives. And companies will probably need to be prepared for a version of Chrome’s FLoC to be rolled out once Google receives implementable feedback from regulators, industry and civil society. The continuing developments of these alternatives have yet to reveal a definite ‘winner,’ but it’s clear that companies should start experimenting with these alternatives sooner than later. It is also clear that, regardless of which third-party cookie alternatives are used, they will continue to be scrutinized for compliance with existing laws by data protection authorities in both the EU and U.K.

Photo by Campaign Creators on Unsplash