Cookies, the cornerstone of persistent tracking of users across the web, have been under attack for some time now. Often, the function of cookies, privacy legislation, and the way modern users expect the web to work can be at odds with each other. Fundamentally, there are two independent parties working on user privacy initiatives currently that are both advancing at the same time and changing the face of the current web as we know it: legislative (GDPR, CCPA etc.) and technical (ITP, ETP etc.) .
Before we dive into the topic of cookies, it’s important to note that not all cookies are created equal. You will likely read many headlines over the next few months suggesting “the cookie is dead” without an understanding of what exactly is happening. Specifically, there are two distinct types of cookie: first party and third party. Just like their names imply, first party are stored by the domain you are currently on (e.g. wpromote.com) and third party are created by other domains (e.g. 3rdpartytracker.com). See further reading on the topic from Clear Code.
One of the leading voices in the technical privacy camp is John Wilander, the Webkit Engineer behind Intelligent Tracking Prevention (ITP), who has been making waves with Safari over the past few years. In 2019, we also saw Firefox launch Enhanced Tracking Protection (ETP). With every update, new privacy guidelines (read: data collection limitations) are put in place, some of which may have unintended impact on user experience. These companies aren’t just making these changes for fun though–in an age where users have never had more information online and less control over their data, privacy is good for business. In particular, the WebKit team cited platforms ignoring “Do Not Track” signals as a central reason why they needed to develop such a powerful, overreaching solution.
Considering all these browser changes, how many web users have actually been impacted (and by proxy, how much digital advertising is impacted)? Often, especially in digital marketing circles, I find there is a bias toward believing Chrome to be the outright favorite browser for both the US and the world. Looking at US browser use trends for the past 12 months via StatCounter, we see that, while Chrome still has the lion’s share of users across all devices.
It’s actually Safari that is winning the mobile wars, due to the proliferation of iPhone users in the US (despite Android’s global domination).
Why is this important? Apple is now in a strong position to set the tone for how we look at user privacy, and how other browsers need to react to avoid going the way of Internet Explorer.
Of course, it’s easy for companies that don’t make money via advertising to take the moral high ground here, regardless of how much this may hurt publishers or even consumers with poor digital experiences. Google has now been forced to move, and the Chromium team made their big announcement for their plans on January 14th, 2020. The Chromium team has stated that they are developing a solution that will allow for the depreciation of third party cookies entirely by 2022. As stated in their announcement:
“After initial dialogue with the web community, we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete.”
They also didn’t hold back in their disdain for the way WebKit has handled third party cookies by blocking them outright.
“Some browsers have reacted to these concerns by blocking third-party cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem. By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control. We believe that we as a community can, and must, do better.”
The unintended consequences referenced may range from issues logging in or persisting a login state on websites with third party login providers, to dropping valuable information between sessions such as products in a cart.
What Does This Mean For Marketers?
Since ITP and ETP launched, there have been a wide range of reports regarding the impact of these solutions, including (later redacted and updated) that Firefox would block Google Analytics from tracking. It’s important that we look to take a measured, responsible approach to adapting to these changes. As previously noted, some of the motivation behind ITP was because “Do Not Track” signals were being ignored.
As marketers, we need to take privacy seriously, and now is not the time to be looking for quick fixes to preserve your data for another few months in defiance of browser standards that will only continue to push back harder. Solutions like CookieSaver will ultimately become obsolete (claiming to mitigate the impact of ITP), but it would appear Google is taking a more balanced approach by not throwing out the baby with the bath water (obviously with their own self interest in mind). In general, there are a few key issues facing marketers as the use of the cookie changes:
- Ad Platform Tracking & Attribution – Cross-site tracking will be limited by these cookie changes. While we do not know exact windows for data persistence, if it’s anything like Safari it could go down to a day or less. It’s unlikely that Google will do anything that will impact GoogleAds or DoubleClick tracking conversions, however they will most certainly take issue with third party advertisers. We have already seen SA360 and GMP use probabilistic modeling for conversion tracking since August of 2019 in response to ITP. Depending on the amount of traffic your site currently receives from Safari, it’s likely you have been missing attribution for extended user journeys (longer than 24 hours) for some time now.
- Audience Identity for Remarketing and Reach + Frequency – By limiting third party cookies, other signals will need to be used for both targeting and understanding reach and frequency. The reach and frequency problem is much larger, as, even if you can identify an in-market individual, how will we know they are unique vs. having already seen 100 ads from a certain company? Google is working on a probabilistic approach to this problem as well and it’s likely we will see more probabilistic data moving forward, which will likely create increased data skepticism and confusion around what is true and what isn’t when determining the impact of marketing campaigns.
- Impact on Programmatic Advertising Platforms – While the current state of the stock market is very reactionary, the long-term outlook for organizations that rely so heavily on third party cookies, like Criteo or The Trade Desk, is not looking good. Indeed, it’s likely the duopoly of Google and Facebook will actually strengthen as a result of these privacy changes.
Beyond The Cookie
Cookies are not the be-all, end-all of digital advertising. After all, they were originally invented in 1994, and although they have evolved significantly since then, there are other web tracking solutions available. Of note, this includes:
- Fingerprinting – Using the user agent string (originally designed to help web browsers render websites correctly for specific user settings), many platforms have used this to uniquely identify user browsers using a technique known as fingerprinting. In addition to the cookie updates pushed by Google, they announced they will depreciate Chrome’s user agent string too. Fingerprinting is something that is actively being pushed back upon currently from both a technical and legislative perspective across the board.
- Mobile Advertising ID (MAID): MAIDs have been around for several years as a way to track users within apps where cookies are not available. Indeed, our modern lives are mobile first, where our mobile devices unify our experiences wherever we are. Created with advertising in mind, there are already specific policies in place around MAID users, including: 1) companies are prohibited from making permanent connections between users and MAIDs, 2) users can reset their MAIDs, and 3) if a MAID is deleted, the data must be deleted. You’ll likely hear a lot more about MAIDs in the future and their evolving role in the digital advertising ecosystem.
- Other data management solutions, like Local Storage: With the first few iterations of ITP, many suggested the solution of using local storage. This is going away though as many browsers limit script writable storage, and is not a path we would recommend pursuing.
Looking Ahead
While this statement from the Chromium team has not provided a definitive “this is next” in terms of actual web technology, the fact that they are approaching this head-on will likely be a smart business move. Many digital marketing practitioners believe that ITP swung the pendulum too far (even with their first party cookie limitations), but, perhaps that was necessary to reset the conversation. As marketers, we need to act as both marketers and consumers and understand that just because we can do something, doesn’t necessarily mean we should.
It’s likely that we will see the pendulum come back to the middle. Without all of the services that run on ads (Instagram, TVE Apps etc.), our devices really aren’t that useful. While Apple makes great phones, they do not make great social networks or TV platforms, so they still need to come to the table with advertisers that ultimately fuel all of the free and available content on the internet.
In order to intelligently prepare for the future, we recommend approaching the subject of privacy directly with your consumers, and collecting their information ethically. By earning trust and respect, it will be easier to mitigate future technical changes. Additionally, focus your advertising investment in the biggest pools (Google and Facebook) that will be the most resilient in times of tracking limitations and best able to effectively measure performance.