The Cookie Apocalypse: Reshaping Privacy, Advertising and the Digital Landscape

Evolution of Targeting

Before the proliferation of data vendors tracking users across the internet, web publishers held a monopoly on their on-site audiences. Companies like Revenue Science (2007) aided publishers in boosting their ad revenue by providing technology to bundle advertising with on-site audience segments. The limited scale of these per-publisher audiences led to publishers pooling their audiences (e.g. AdAudience 2010) to provide more scale to advertisers.

With the rise of Real-Time Bidding, many nascent data vendors realized the opportunity to build large cross-publisher "buy-side" audiences based on web visits of consumers, as shared with potential buyers over RTB auctions. These audiences would be independent of any publisher and could be used in tandem with RTB media buys across large swaths of publishers, including those "long-tail" publishers that might be brand-safe but lack interesting audiences.  

These data vendors rely on their own cookies – generally third-party cookies when loaded on publisher websites – to identify and track users around the web for profiling and building audiences for future use.

But First Things First: What's a Third-Party Cookie?

A third-party cookie is a cookie set and visible under a domain name different from the domain name of the website currently being visited. For instance, if a web page is visited at example1.com and an image is loaded from anothersite.com, the anothersite.com server can read and set cookies under its anothersite.com domain. Later, when visiting a different website, example2.com, if that site includes an image from anothersite.com, anothersite.com will be able to read its cookies and identify the same user/browser that visited example1.com earlier.

Questions about publisher data "theft" or "leakage" were a frequent topic for some years until most publishers realized that Google and Facebook were also getting this data via search clicks, social "+1" buttons and widgets.

In any case, the ability to use non-publisher-specific audiences across a range of lower-cost publishers has depressed average CPMs (Cost-per-Mille) for publishers. The other factor here is the explosion of ad impression volume from blogosphere publishers focusing on maximizing page views and ad impressions per page view.  With AI-generated pages taking over search results¹, the challenge of brand safety and finding quality context to show consumers ads becomes more challenging.

What's Old is New Again…

Google Chrome has announced² that they will finally be blocking 3^rd party cookies. Firefox³ and Safari⁴ have already been doing this for years. However, Chrome holds approx. 65% market share⁵ for both desktop and mobile browsers, potentially serving as the final blow to the third-party cookie tracking free-for-all.

As Google's business is primarily driven by targeted advertising, it is challenging to believe the motives are purely altruistic. While the Privacy Sandbox⁶ in Chrome will support audience targeting, it will be controlled at a browser level. The idea, perhaps, is to provide consumers one point of control (in the browser) and eliminate those cookie pop-ups that cover the European, Californian and Canadian web – where the lack of consent means less ad revenue for Google.

Whether the Privacy Sandbox model will take off and be adopted by other browsers as a standard remains to be seen. Apple holds significant influence due to the substantial increase in mobile web traffic over desktop and the market share of iOS devices with Safari as the default browser.

For now, circling back to where we were over a decade ago: publisher audiences. 1^st party cookies (cookies set and visible only under the publisher's own domain name) aren't going anywhere. However, old problems resurface, particularly with audience-targeted campaigns becoming less scalable when relying on a variety of publisher-specific audiences. Even if publishers converge on a common audience taxonomy, the quality of audiences will still vary widely based on how they are constructed. Small long-tail publishers, as well as AI-generated and keyword-stuffing sites, may experience declines in ad revenue if the Privacy Sandbox doesn't take off.

Survival of the Fittest: What the Industry is Doing, While the Cookie Crumbles

Companies whose business currently relies on third-party cookies are trying to find ways to preserve the status quo for as long as possible, aiming to avoid disruptions to their revenue streams. They understand that industry change happens slowly – Google has been talking about phrasing out third-party cookies for years⁷, but it has not happened yet.

One approach leverages browser "fingerprinting" as a means to generate a consistent browser identification without cookies. Another approach uses first-party publisher cookies and profile linking, utilizing elements like hashed email addresses or other login credentials. A large increase in sites requiring "free accounts" in order to access content is expected, allowing them to uniquely identify users (e.g. by hashed email address) to advertising buyers.

Data "clean room" companies, such as Habu and InfoSum are dedicated to linking data sets for publishers and advertisers based on common user IDs, all without transferring data beyond the IDs between parties. This hinges on the premise that a hashed email is not personally identifiable information.

Hashed emails (or phone numbers or addresses) have long served as a method for "onboarding" offline/CRM type data into targetable profiles. Google, Meta and Amazon offer this functionality on their advertising platforms, while smaller companies like United Internet and Acxiom have provided similar onboarding services via hashed personal information for years. We will see whether the utilization of hashed PII as a common user identifier holds up under future privacy legislation.

The Elephant in the Room

Speaking of old being new again – before search, the internet (for most consumers) revolved around portals (AOL, MSN, Yahoo, etc). With advertising revenue dominating internet business models, publishers have an incentive to keep users on their platforms for as long as possible. This is evident with Google surfacing content directly in search results, ensuring users don't need to visit publishers. Social media platforms prefer hosted content (e.g. uploaded videos and posts) over external links and mobile apps default to opening links in a WebView frame controlled by the app rather than an independent browser.

So, in a way, going back to the portal days where Google, Meta, Amazon, TikTok and other platforms are where users spend the bulk of their online hours captive.

This is a reminder that some of the largest advertising companies are not just ad-tech companies or data companies – but also web/app publishers with first-party relationships to consumers. The disappearance of third-party cookies will not be a big problem for them – rather, it will consolidate their control over data, consumers and ad-spend relative to the long-tail of internet publishers and small ad-tech and data vendors.

Beyond the Cookie Era: Mobile Advertising

There is a reason so many publishers encourage users to utilize their app over the mobile web. Aside from aiming for a more enduring relationship with users through additional capabilities, such as pushing notifications to remind them to open the app, it is much easier to sell advertising.

On mobile, advertising IDs^8,9 are used instead of cookies. They are unique per device and can be turned off or reset. When enabled, they surpass cookies in power because the ID remains the same for all apps, simplifying the process of data matching between different systems.

On the positive side, the mobile advertising ID is easier to disable than fingerprinting and cookies on the browser side.

With mobile dominating more market share¹⁰ than desktop, this becomes an important privacy topic. Currently, Apple (iOS) and Google (Android) largely determine policy here, as this functionality is controlled at an operating system level. Not surprisingly, use of the advertising ID is opt-in on iOS and opt-out on Android.

Technically, as it stands, if an app is given any PII (i.e., email address for login) and also consents to the use of advertising ID, the app publisher can link the user’s profile with other app publishers and mobile/desktop web cookies (based on the email address). Once this link is established, a mobile advertising ID becomes directly tied to the personal profile. In-app advertising often includes geo-location in the sales auction – so mobile advertising IDs in an advertising bid stream become rich tracking data that can be used for geo-advertising features by companies like AdSquare or used for more nefarious purposes, such as warrantless location tracking by law enforcement¹¹.

The Future is All About Privacy

We have long thought that we need an approach with the following values:

•   Respect the spirit of privacy legislation rather than seeking workarounds.

•   Develop solutions that enable high-impact, premium advertising products without relying on tracking, profiling or cookies.

•   Support quality publishers by returning to the use of publisher data and signals to power data-driven creative at scale.

Today, adlicious has an in-house technical creative and design group dedicated to crafting bespoke, premium, data-driven creatives for brands.

These data-driven creatives are powered by our in-house data-integrations (non-user), recommendations, content delivery and creative toolkit technologies.

Per-impression creative customization stems solely from publisher signals (on media), eliminating the need for cookies, fingerprinting or any other anti-privacy technologies. Importantly, our system doesn't record user profiles or have unique user identifiers that can connect multiple data points together.

We've extended these concepts to programmatic Digital out of Home through our own DOOH-only DSP. This allows us to convert geo/time signals from a DOOH screen into much richer targeting data, incorporating weather, events and other types of data sets keyed from location and time.

Conclusion

In summary, adapting to the evolving landscape of privacy and advertising demands a collective effort to prioritize consumer privacy, develop ethical solutions, and support quality publishers. While the decline of third-party cookies presents challenges, it also opens doors for innovative approaches centered on user consent and data protection. Embracing transparency and collaboration can pave the way for a digital advertising landscape that respects privacy while fostering sustainable growth and innovation.

‍

References

1. https://www.businessinsider.com/ai-spam-google-ruin-internet-search-scams-chatgpt-2024-1
2. https://blog.google/products/chrome/privacy-sandbox-tracking-protection/
3. https://blog.mozilla.org/en/products/firefox/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/
4. https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
5. https://gs.statcounter.com/browser-market-share
6. https://privacysandbox.com/
7. https://blog.google/products/chrome/building-a-more-private-web/
8. https://support.google.com/googleplay/android-developer/answer/6048248?hl=en
9. https://developer.apple.com/documentation/adsupport/asidentifiermanager/advertisingidentifier
10. https://gs.statcounter.com/platform-market-share/desktop-mobile-tablet
11. https://www.eff.org/deeplinks/2022/06/how-federal-government-buys-our-cell-phone-location-data