Published: July 2023

Navigate by topic

Beware of the cookie! Accept all cookies. Functional or necessary cookies? Toggle analytics cookies. Death of the third-party cookie.

Privacy professionals have been inundated with advice about cookie-based advertising and the impending "cookiepocalypse" but, if they are outside of the adtech world, they may not know where to start with understanding other tracking technologies. Cookies are a digital advertising mainstay. However, cookies are not the only common technologies used in adtech. Recent enforcement actions from the U.S. Federal Trade Commission and new developments from large platforms give us a glimpse into our cookieless future, even as they illustrate how privacy scrutiny in adtech is shifting.

Web tracking technologies

To understand why adtech and privacy are often portrayed at cross purposes, it is important to understand what adtech is and identify the web tracking technologies used in the industry. Adtech is an amalgamation of advertising and technology, describing an industry of marketing operations, data analytics organizations and data brokers that together deliver tailored advertising to consumers in digital spaces. In its most basic form, the goal of online advertisers is to direct consumer clicks to a business' website and, from there, get the consumer to purchase the business' product or service. This goal is realized more often when the advertisements shown to consumers are attuned to their wants or needs, which can be determined through their online behaviors, such as clicks, time spent on a certain page or part of a page, and other factors. Enter web tracking technologies that empower behavioral advertising.

  • expand_more


  • expand_more

    Pixels and web beacons

  • expand_more


  • expand_more


  • expand_more

    AD IDs

The new normal in adtech

As a byproduct of consumer self-help products like ad-blockers, web tracking technologies are constantly evolving. After the "cookiepocalypse" brought on by Google's announcement that third-party cookies would be phased out on Chrome — and its two subsequent delays — came Apple's notice about changes to its IDFA on iOS. Privacy pros on both the publisher and advertiser sides are aware there was cause for concern when those announcements were made. In fact, a 2020 study found 80% of advertisers rely on third-party cookies.

Banning third-party cookies effectively means removing the tracking technology that has generated a sizeable portion of the collected data that has grown to be essential for modern day digital advertising. At the same time, changes by platforms are moving the mobile adtech ecosystem away from reliance on MAIDs, as the shift to an opt-in model significantly reduced the percentage of consumers who participate.

  • expand_more

    Google's developments

  • expand_more

    Apple's developments

In addition to the deprecation of third-party cookies, the adtech industry has witnessed another shift in tracking norms. Pixels in particular have been at the center of several privacy enforcement actions recently. The FTC recently initiated enforcement actions against GoodRx and BetterHelp for sharing user health data with third parties to facilitate retargeting for the first party site via third-party tracking pixels, among other things. While pixels are an industry standard tool, the agency noted they can be used to reveal sensitive data. Both organizations were required to implement limits on whether and how certain user information may be used or disclosed for advertising and were forbidden from sharing health information for any advertising purpose. BetterHelp was specifically ordered not to disclose personal information for retargeting, another standard practice in online advertising.

Across the pond, the Court of Justice of the European Union ruled that Meta is no longer allowed to combine user data across its apps — WhatsApp, Instagram and Facebook — with data obtained via cross-site tracking to provide personalized ads, and narrowed the legal bases allowed for behavioral advertising powered by such tracking technologies. Additionally, France's data protection authority, the Commission nationale de l'informatique et des libertés fined advertising company Criteo 40 million euros for GDPR violations, including failing to verify consent from individuals before processing their data. Under GDPR Article 7, an organization is not allowed to place data-collecting trackers on the user's terminal without their consent. Although it was the responsibility of Criteo's partner sites to collect consent from their direct site users, Criteo is still required to demonstrate that the users gave consent for the cookies placed on partner sites and must incorporate a new clause on proof of consent in its future contracts. This increased focus on known common advertising practices indicates the need for a solution for auditing and accountability purposes to stay aligned with global regulators.

Now what?

Since the initial announcement of the death of third-party cookies, the adtech industry has turned to third-party cookie alternatives like cohorts, zero-party data collection, probabilistic identifiers, universal identifiers, advertising supported by privacy-enhancing technologies and partitioned cookies. Google's Privacy Sandbox utilizes cohorts, but critics in the industry noted, in order to be an effective third-party cookie replacement, the anonymity provided by the web tracking technology is not feasible. To deliver a relevant ad to user one of cohort four, advertisers either end up showing the ad to the entirety of cohort four, most of whom will deem the ad irrelevant, or revert to using a third-party cookie to specifically show the ad to user one, removing the point of using cohorts.

Similarly, professionals in the industry are split on the Interactive Advertising Bureau's efforts to maintain a self-regulatory group for the adtech ecosystem while integrating more privacy-preserving mechanisms. The IAB created the Transparency and Consent Framework in response to the needs of EU regulators and has continued to develop new versions of the tool. The Network Advertising Initiative, another prominent self-regulatory advertising group, is updating its compliance program to help its member organizations adjust to the now twelve comprehensive state privacy laws, as well as other sectoral laws. Part of its revamped toolkit and code of conduct will include assessment templates, standardized definitions and requirements, and member guidance for such things like obtaining opt-in consent before collecting any sensitive data. On the consumer end, inroads have been made in the development of universal opt-out mechanisms, like the Global Privacy Control, which is mandated in California, Colorado, Delaware and Montana, and recognized in Texas. The European Commission even began an initiative on the voluntary phasing out of third-party cookies.

History has shown the advertising industry will continue to innovate through legal and technical pivots. It is just a matter of continuing to innovate with privacy as a goal.

Additional resources

Credits: 2

Submit for CPEs