Author: Alwin Viereck, Head of Programmatic Advertising and Ad Management, United Internet Media
The king is dead, long live the king! What could be a better summary of the status of cookies and the adoption of post cookie technologies within the programmatic value chain? For some time now, the industry has been talking about the creeping exitus of cookies and the alternatives needed. So what has actually happened so far? And why is it now critical to discuss the alternatives out there? The following post provides insights into the reality of identity that we rely on in programmatic advertising and proposes solutions to move on to the next level.
The causal chain of identity
There is a very simple reason as to why everybody involved in programmatic advertising should care about the post cookie era, being it forced by regulation or browsers as gatekeepers: without cookies, there is no identity. Without identity, there is no data (targeting). Without targeting, there is no demand or at least, very low yield. Without demand, there is of course… no revenue.
The identifier and why it matters
A unique identifier (ID) exists in many forms – especially if you look at what is meant by the “uniqueness” of it. Generally speaking, an identifier is just a series of unique numbers, letters or symbols which marks an object unique. In databases it was typically a long number, nowadays in digital advertising systems, IDs are without symbolic meaning and typically come in a hashed form (e.g. CE06AC1ED1EA6E7B3254F14F19F515AD77E05871).
In a classic cookie-based web browser world, an ID was generated for a given device and per browser being used and stored in a (1st or 3rd party) cookie or local storage.
The ID itself is useless, unless data of any kind, e.g. targeting profile data for a user; capping or in case of compliance also consent is associated to it, which itself is not necessarily stored within a cookie but most of the time held on the server side.
Therefore it is key to be able to write an ID to a (more or less persistent) browser storage, associate data to it and read the ID whenever a user should be identified and decisions are taken based on associated data (e.g. user evaluation during bid pricing).
Further, it is key to define how an (unique) identifier relates to an identity – typically the latter is pseudonymously associated with a person. The average amount of devices being used per person today is around four[1]. So, having in mind the given cookie logic, at least four identifiers need to be associated in a graph to deliver your pseudonymous identity.
What are the challenges?
As may be obvious, the way/where IDs are stored in a cookie-based world (on a per device and browser bases) and how long the IDs are held (probability of deletion) in that storage, dramatically influences its entropy and accuracy of identity.
Based on data we see, more than 20% of all cookies in a desktop environment do not live longer than a day and a further 15-20% do not survive a month. For vendors in a third party context (which are typically all participants of the programmatic ecosystem), the problem might even be worse. That means, that most of the current cookie-based identification is based on only partial information, since the collecting of data needs to be restarted as soon as identifiers (stored in a cookie) gets lost. This is not it in terms of challenges; cookies are not available on mobile devices where much of consumer browsing time is now spent.
Mobile device dominated world
Cookies were a perfect deterministic solution in a desktop-browser only world. From a privacy perspective it was also easy to delete them or prohibit their creation on a device. This time is over since October 2016 latest, where 51.3% of internet usage worldwide[2] is generated by mobile devices.
In a mobile-device-dominated world, cookies are an aged solution unable to represent a full identity, since native apps do not allow reading/writing cookies. On mobile devices the cookie was superseded by device (ad) identifiers such as the IDFA (iOS: “Identifier for Advertising”), AAID (Android: “Android Advertising ID”) or Windows ID for (Windows Phone OS).
The two worlds also cannot easily be bridged, since browsers somehow never introduced this kind of mobile device ad identifiers in mobile browsers. A pity in my perspective, since it led to the development of fingerprinting and in some cases probabilistic voodoo (sorry, statistical methods) which are far from being as precise (=false positives/negatives) as pledged to build a multi-device profile.
Direct / indirect ad blocking
In the last few years about 25% of direct (adblock plus, ghostery, uBlock, AdGuard, Disconnect.me etc.) and about 5-10% indirect (typically anti-virus software which incorporates browser plugin features for ad blocking) of ad blockers are being used by consumers. So, a quarter of the cake is eaten before we are able to sit at the table.
Browsers as the gatekeeper
Aside from the rapid development of ad blocking, a further black hole for ad revenues in a programmatic first world arises. The browser vendors themselves push into the privacy gatekeeper position in parallel to the upcoming sanctions on GDPR – whether for own interest, anticipatory obedience to regulation or social responsibility should be better judged by others than me.
Safari started back in June 2017 with the introduction of Intelligent Tracking Prevention (ITP), a mechanism which through its evolving versions, led to a complete blocking of third party cookies. The blocking of first party cookies is upcoming.
Mozilla introduced of the Enhanced Tracking Prevention feature for Firefox in June 2019. The mechanism blocks third party cookies for advertising/tracking domains based on the disconnect.me list available on github.
Microsoft has just integrated a beta of its own tracking prevention in Edge which is not yet activated by default due to potential changes to it in the upcoming versions. Edge is based on Chromium since last year, therefore it will be interesting to see how Microsoft adapts changes introduced to Chromium by Google.
Last but not least, Google announced its latest privacy and security feature development plans for the Chrome browser (respectively Chromium[3]) during its Google I/O developer conference back in May 2019. Consisting of a same-site cookie[4] attribute (see IETF specifications, it describes a new attribute that can be set inside HTTP headers called "SameSite”. A SameSite attribute of "strict" will mean that a cookie can only be loaded on the “same site”, equals no reading of third party cookies with that attribute value. All old cookies will be considered cross-site), an anti-fingerprinting protection as well as a user interface component gives users a better choice of privacy settings. At the same time, Google announced its Chromium planning document manifest v3 change, which reduces the features of its webRequest API, plugins used to execute ad- or tracking blocking which means basically the death of external plugins of this kind.
GDPR changes the way we work
Nearly everything has been said or written during the last 12 months about the EU general data protection regulation[5] (GDPR) which took effect in May 2018. Notwithstanding that, I cannot spare a few sentences on how I think this will impact programmatic and especially identity handling in the future, not even talking about upcoming ePrivacy Regulation[6].
GDPRs lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Programmatic advertising deals in many ways with the collection, usage/transformation and transfer of personal data, as defined by GDPR, for better results in bidding (pricing), ad delivery and user experience. At the same time, a lot of disparity exists in the handling of regulation due to many reasons.
A key area of work for the programmatic advertising stakeholders will be the argumentation of lawfulness of processing (article 6) mainly divided by (a) consent, (b) performance of contract or (f) legitimate interest.
The upcoming release of IAB Europe’s Transparency and Consent Framework v2.0 in mind, standardised purposes and features of processing such as:
will play a key role in this discussion along the given bases.
[1] https://www.statista.com/statistics/678739/forecast-on-connected-devices-per-person/
[2] https://gs.statcounter.com/press/mobile-and-tablet-internet-usage-exceeds-desktop-for-first-time-worldwide
[3] https://en.wikipedia.org/wiki/Chromium_(web_browser)
[4] https://web.dev/samesite-cookies-explained/
[6] https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation