Beware of the cookie! Accept all cookies. Functional or necessary cookies? Toggle analytics cookies. Death of the third-party cookie.
Privacy professionals have been inundated with advice about cookie-based advertising and the impending "cookiepocalypse" but, if they are outside of the adtech world, they may not know where to start with understanding other tracking technologies. Cookies are a digital advertising mainstay. However, cookies are not the only common technologies used in adtech. Recent enforcement actions from the U.S. Federal Trade Commission and new developments from large platforms give us a glimpse into our cookieless future, even as they illustrate how privacy scrutiny in adtech is shifting.
Web tracking technologies
To understand why adtech and privacy are often portrayed at cross purposes, it is important to understand what adtech is and identify the web tracking technologies used in the industry. Adtech is an amalgamation of advertising and technology, describing an industry of marketing operations, data analytics organizations and data brokers that together deliver tailored advertising to consumers in digital spaces. In its most basic form, the goal of online advertisers is to direct consumer clicks to a business' website and, from there, get the consumer to purchase the business' product or service. This goal is realized more often when the advertisements shown to consumers are attuned to their wants or needs, which can be determined through their online behaviors, such as clicks, time spent on a certain page or part of a page, and other factors. Enter web tracking technologies that empower behavioral advertising.
Cookies are small text files, stored locally on a user's device by the websites they visit, that enable the websites — and sometimes other sites — to recognize the user across pages and visits. Cookies are usually used to track a user's previous preferences on a site, usage of a site, login info, and even activities across websites and devices. A first-party cookie is implemented by the site the user visits, while a third-party cookie is implemented by another business, like a data analytics company. Publishers use first-party cookies to calculate page views, monitor sessions, deliver essential functions and analyze other activities to better optimize their site and user experience. Publishers can also share data from first-party cookies with advertisers for ad targeting. Third-party cookies can be used for web analytics, social media integration and cross-site authentication, but they are most often associated with uses that power behavioral advertising.
The cookies users typically see in consent banners online are functional, necessary, and analytics cookies. These are used to remember the user's site preferences, like language choice and use of location data on a weather site, to provide basic functions, like allowing a user to proceed to a secured area of a site upon log in rather than redirecting them to the homepage, and to track how users navigate and interact with a site for statistical purposes, respectively.
The passage of the EU General Data Protection Regulation and the California Consumer Privacy Act required publishers to become more cognizant of consent requirements. Under the GDPR, covered entities must obtain freely given, specific, informed, unambiguous and revocable consent to process a user's personal data, unless such processing meets one of the other six legal bases. Under the CCPA, covered entities must allow users to opt out of the sale of their personal data and must obtain consent from users under 16 years of age, or from the user's parent or guardian if they are under 13, to sell the user's personal data. The related additions to the cookie banners required by the EU ePrivacy Directive led to the awareness of cookie banner-induced consent fatigue.
Pixels and web beacons
Tracking pixels, a term used interchangeably with web beacons, are single-pixel-sized images placed on websites that are typically used to target ads to consumers and track consumer behavior like page views, clicks and ad interactions. Users of ad-blocking software or browser plug-ins cannot directly remove pixels, but they can use blacklists to prevent the call a pixel makes to another site in the same way the software prevents ads from loading. Some pixel providers hash identifiable information aggregated from pixels, like names and email addresses, but hashes can still be used to link data, because the same input always produces the same hash.
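The point about hashed identifiers, as an added example that is not part of the original article: it parses constructed pixel requests from two unrelated sites and shows that a SHA-256 hashed email address still joins the visits into one profile. The pixel host, the parameter names (`site`, `page`, `em`) and the normalization step are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse, parse_qs


def hash_email(email: str) -> str:
    """Normalize, then SHA-256, an email address (assumed provider behavior)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def pixel_url(site: str, page: str, email: str) -> str:
    """Build a constructed pixel request; host and parameters are hypothetical."""
    return ("https://pixel.tracker.example/p.gif"
            f"?site={site}&page={page}&em={hash_email(email)}")


# Constructed sample requests, as the pixel provider's server would log them.
REQUESTS = [
    pixel_url("pharmacy.example", "/refill", "Alice@Example.com "),
    pixel_url("shoes.example", "/cart", "alice@example.com"),
    pixel_url("shoes.example", "/home", "bob@example.com"),
]


def link_by_hash(requests):
    """Group page visits by hashed identifier; keep profiles spanning sites."""
    profiles = defaultdict(list)
    for url in requests:
        query = parse_qs(urlparse(url).query)
        profiles[query["em"][0]].append((query["site"][0], query["page"][0]))
    return {digest: visits for digest, visits in profiles.items()
            if len({site for site, _ in visits}) > 1}


if __name__ == "__main__":
    # No plaintext email is needed to see that one person visited both sites.
    for digest, visits in link_by_hash(REQUESTS).items():
        print(digest[:12], visits)
```

A privacy review of a pixel integration should therefore treat a hashed email or name as a persistent identifier, not as anonymized data.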
A referrer is a website that sends users to another site using a link. Advertisers and site owners use referrer URLs to track how users got to a website. For example, if a user clicks on a link from an influencer's blog to purchase a sweater that influencer wore, the user's URL on the sweater purchase page will show an added block of text letting the site that the user was redirected to know the user came from the influencer's blog. Referrer URLs are logged by web analytics programs to help site owners and advertisers get insight on their web traffic.
There are two main types of fingerprinting. In device fingerprinting, a user's device sends system information to a site, ensuring site functionality on the device and, in essence, forming a "fingerprint" of the device. This process is important to ensure that a news site, for example, loads images and text in a readable and appropriate manner for the respective device, whether it is an older generation smartphone or the newest tablet. Browser fingerprinting involves the same process, but for the user's browser. When a user clicks on a link to visit a site, the site sends a request to the server along with information necessary to receive the requested content like IP address, browser type and version, and other information like time zone, battery level and CPU usage. A browser or device does not send out personal information about a user but, since most fingerprinting is performed via a third-party tracker, the third party can track an individual across multiple sites and form a profile about them. Some browsers offer the capability to block fingerprinting from third parties known to do so.
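Why attributes that are not personal on their own can still single out a device, as an added example that is not part of the original article: it combines four constructed attributes into a fingerprint and reports which fingerprints map to exactly one device across more than one site. The attribute set, the site names and the `device` ground-truth label are assumptions for the demonstration.

```python
import hashlib
from collections import defaultdict

FIELDS = ("browser", "timezone", "screen", "language")


def make_request(device, site, browser, timezone="UTC-5",
                 screen="1920x1080", language="en-US"):
    """Build one constructed request as a third-party tracker would see it."""
    return {"device": device, "site": site, "browser": browser,
            "timezone": timezone, "screen": screen, "language": language}


# Constructed sample. "device" is ground truth for this demo only; a tracker
# never receives it and has to rely on the fingerprint instead.
REQUESTS = [
    make_request("A", "news.example", "Firefox 115", screen="1366x768"),
    make_request("A", "weather.example", "Firefox 115", screen="1366x768"),
    make_request("B", "news.example", "Chrome 120"),
    make_request("C", "shop.example", "Chrome 120"),
]


def fingerprint(req):
    """Hash the non-personal attributes into one stable identifier."""
    joined = "|".join(req[f] for f in FIELDS)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()[:16]


def profiles(requests):
    """Map each fingerprint to the devices and sites observed behind it."""
    out = defaultdict(lambda: {"devices": set(), "sites": set()})
    for req in requests:
        entry = out[fingerprint(req)]
        entry["devices"].add(req["device"])
        entry["sites"].add(req["site"])
    return dict(out)


def unique_cross_site(requests):
    """Fingerprints that single out one device and follow it across sites."""
    return {fp: p["sites"] for fp, p in profiles(requests).items()
            if len(p["devices"]) == 1 and len(p["sites"]) > 1}


if __name__ == "__main__":
    for fp, p in profiles(REQUESTS).items():
        print(fp, "devices:", len(p["devices"]), "sites:", sorted(p["sites"]))
```

Devices B and C share a fingerprint and so hide in a group of two, while device A's unusual screen size makes its fingerprint unique and its visits linkable across sites.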
Mobile advertising does not include web tracking technologies like cookies, but it does involve ad IDs. Mobile advertising IDs are shared by the mobile device's operating system with servers of apps that the user is using. These identifiers are provided by Apple in the form of Identifiers for Advertisers, now in conjunction with Apple's SKAdNetwork, and by Android as AdID. Developers and marketers use MAIDs similar to the way they use web tracking technologies: to track user activity for advertising purposes, e.g., remarketing, frequency capping and conversion tracking, and to fine-tune existing ads to make them more relevant to mobile users.
The new normal in adtech
As a byproduct of consumer self-help products like ad-blockers, web tracking technologies are constantly evolving. After the "cookiepocalypse" brought on by Google's announcement that third-party cookies would be phased out on Chrome — and its two subsequent delays — came Apple's notice about changes to its IDFA on iOS. Privacy pros on both the publisher and advertiser sides are aware there was cause for concern when those announcements were made. In fact, a 2020 study found 80% of advertisers rely on third-party cookies.
Banning third-party cookies effectively means removing the tracking technology that has generated a sizeable portion of the collected data that has grown to be essential for modern day digital advertising. At the same time, changes by platforms are moving the mobile adtech ecosystem away from reliance on MAIDs, as the shift to an opt-in model significantly reduced the percentage of consumers who participate.
Google's Privacy Sandbox was built to be a privacy-preserving system that removes third-party cookies, limits fingerprinting and operates without MAIDs, while sustaining targeted ads on the Chrome browser on laptops and Android devices. The tool initially relied on Federated Learning of Cohorts, a type of web tracking that groups users into cohorts based on their browsing history, i.e., runners, museumgoers, millennials with dogs. Last year, the FLoC-based system was replaced with Topics. In this new system, Chrome determines the topics a user is interested in based on their browsing activity and shares them with advertising partners to serve relevant ads to user groups categorized by topics. In the current concept, users can review and remove topics from their lists and turn off Topics application programming interfaces as a whole. Cookies are replaced by APIs that receive aggregated data about metrics like conversion and attribution, so advertisers and publishers still receive the data they need. This increases the value of first-party data, which in turn decreases the value of third-party data and, over time, the need for data brokers.
If these outcomes make you wonder where the regulators stand, you are not the only one. Google extended its deadline on the Privacy Sandbox for a few reasons. The first reason for the delay was the U.K. Competition and Markets Authority investigation into the Privacy Sandbox's approach to replacing cookies that determined the company's technical measures were not more anticompetitive than beneficial to consumers. The second reason for the delay was the concern for consumer trust in the U.S., as regulators are on high alert after recent charges for privacy violations. Similarly, the third known reason for the delay was the concern voiced by EU regulators regarding Google's intention to focus on a privacy-first tool given its record-holding GDPR fine.
Apple innovated in a similar direction with its changes to the IDFA and introduction of the SKAdNetwork. An IDFA is a unique, random, resettable device identifier assigned to a user's iOS device and designed to give advertisers and app owners the ability to identify a device and collect usage information. Two years ago, Apple introduced App Tracking Transparency with iOS 14.5 to change how IDFA works. This privacy framework includes an alert prompting the user to affirmatively opt in to tracking across apps and sites to provide the user personalized ads. If a user opts out, advertisers can use Apple's SKAdNetwork. First introduced in 2018, the SKAdNetwork is an attribution and measurement API that allows advertisers to continue to receive statistics and insights on mobile users without relying on IDFA. It was built as a privacy-first tool that relays aggregated user data from an iOS device to Apple, and then to ad networks, developers and mobile measurement partners, so no individual user data is shared. While the SKAdNetwork was initially an optional tool, it evolved into the only method for advertisers to access iOS user data, if the user opted out of cross-app tracking.
In addition to the deprecation of third-party cookies, the adtech industry has witnessed another shift in tracking norms. Pixels in particular have been at the center of several privacy enforcement actions recently. The FTC recently initiated enforcement actions against GoodRx and BetterHelp for sharing user health data with third parties to facilitate retargeting for the first party site via third-party tracking pixels, among other things. While pixels are an industry standard tool, the agency noted they can be used to reveal sensitive data. Both organizations were required to implement limits on whether and how certain user information may be used or disclosed for advertising and were forbidden from sharing health information for any advertising purpose. BetterHelp was specifically ordered not to disclose personal information for retargeting, another standard practice in online advertising.
Across the pond, the Court of Justice of the European Union ruled that Meta is no longer allowed to combine user data across its apps — WhatsApp, Instagram and Facebook — with data obtained via cross-site tracking to provide personalized ads, and narrowed the legal bases allowed for behavioral advertising powered by such tracking technologies. Additionally, France's data protection authority, the Commission nationale de l'informatique et des libertés, fined advertising company Criteo 40 million euros for GDPR violations, including failing to verify consent from individuals before processing their data. Under GDPR Article 7, an organization is not allowed to place data-collecting trackers on the user's terminal without their consent. Although it was the responsibility of Criteo's partner sites to collect consent from their direct site users, Criteo is still required to demonstrate that the users gave consent for the cookies placed on partner sites and must incorporate a new clause on proof of consent in its future contracts. This increased focus on known common advertising practices indicates the need for a solution for auditing and accountability purposes to stay aligned with global regulators.
Since the initial announcement of the death of third-party cookies, the adtech industry has turned to third-party cookie alternatives like cohorts, zero-party data collection, probabilistic identifiers, universal identifiers, advertising supported by privacy-enhancing technologies and partitioned cookies. Google's Privacy Sandbox utilizes cohorts, but critics in the industry noted that the anonymity the web tracking technology provides is not feasible if it is to be an effective third-party cookie replacement. To deliver a relevant ad to user one of cohort four, advertisers either end up showing the ad to the entirety of cohort four, most of whom will deem the ad irrelevant, or revert to using a third-party cookie to specifically show the ad to user one, removing the point of using cohorts.
Similarly, professionals in the industry are split on the Interactive Advertising Bureau's efforts to maintain a self-regulatory group for the adtech ecosystem while integrating more privacy-preserving mechanisms. The IAB created the Transparency and Consent Framework in response to the needs of EU regulators and has continued to develop new versions of the tool. The Network Advertising Initiative, another prominent self-regulatory advertising group, is updating its compliance program to help its member organizations adjust to the now twelve comprehensive state privacy laws, as well as other sectoral laws. Part of its revamped toolkit and code of conduct will include assessment templates, standardized definitions and requirements, and member guidance for things like obtaining opt-in consent before collecting any sensitive data. On the consumer end, inroads have been made in the development of universal opt-out mechanisms, like the Global Privacy Control, which is mandated in California, Colorado, Delaware and Montana, and recognized in Texas. The European Commission even began an initiative on the voluntary phasing out of third-party cookies.
History has shown the advertising industry will continue to innovate through legal and technical pivots. It is just a matter of continuing to innovate with privacy as a goal.