The long goodbye of third-party cookiesAmr Saafan
Third-party cookies have been doomed for a long time. Cookies have been the subject of debate since their inception in 1994, with concerns raised about their privacy implications and potential misuse. Nonetheless, they have persisted, unloved but indispensable. However, it appears that the death knell for third-party cookies has finally been rung, with both Apple and Google finally taking concrete steps to limit their use. But, given that third-party cookies and mobile Ad IDs continue to underpin a significant portion of the web and its economics, what will the future look like without them? And, more importantly, will it be a better future than the one that came before?
To find answers to these questions, we must first understand what is going on in the world of third-party cookies and Ad IDs. I don’t know about you, but it’s difficult to keep track of all the initiatives that tech companies are announcing, let alone understand what they might mean for users and businesses. As a result, this piece aims to demystify some of this. But first, let’s recap how we got into this mess with third-party cookies in the first place.
How did we get to where we are today?
Cookies have been an essential tool for advertisers and publishers since the early days of digital advertising. They assisted advertisers in tracking the number of people reached by their advertisements, and they assisted publishers in understanding their own audience. They also provided useful functionality such as frequency capping (which ensured that people did not see the same ad too frequently).
As the industry grew and developed in the 2000s, new intermediaries such as ad networks, exchanges, and sell/demand-side platforms began to emerge to efficiently connect ad supply to demand, for whom third-party cookies proved similarly useful.
For these intermediaries, the user data generated by these cookies, which included not only the ads they saw, but also the sites they visited, became a competitive differentiator, allowing ads to be sold based on the audience’s interests rather than the context in which they appeared. Bidding in real-time on ad inventory based on the individual who saw the ad became the norm — this is known as programmatic advertising. A complex ecosystem of companies providing services across this value chain grew up, and data became an important part of the industry, with companies like LiveRamp and Epsilon providing access to large pools of user data for ad targeting.
Meanwhile, Google and Facebook were constructing their own advertising ecosystems, utilizing the user data to which they had access. Google AdSense and Facebook Audience Network represent not only Google’s and Facebook’s first-party inventory, but also a large swath of third-party sites across the web, and enable highly targeted audience-based ad buying, all of which is enabled by third-party cookies.
As a result of this web of intermediaries, whenever you visit a website or use a mobile app, your data is passed (or potentially passed) to a large number of different companies, which frequently pass the data on to other third-parties, all in order to show you a slightly more relevant ad.
Until 2018, third-party tracking and data processing occurred largely behind the scenes, with sites not required to notify users or obtain consent; however, this changed in 2018 with the implementation of GDPR. GDPR requires organizations to obtain explicit consent from users before processing and passing on their data to third parties; however, because of all the participants in the ad ecosystem, obtaining this consent is unworkably complex.
As a result, Apple and Google have begun to take a much tougher stance on the third-party cookies and Ad IDs that power so much of this complex ecosystem. However, there are some significant differences in their approaches, reflecting the fact that Google is far more reliant on advertising revenue than Apple.
What’s Apple doing?
For several years, Apple has emphasized privacy as a differentiator for its products and services. It introduced Intelligent Tracking Prevention into WebKit (the underlying browser technology for Safari) in 2017, which limits the ability of sites to send or request data from third-party sites, a practice known as cross-site tracking.
The privacy issue addressed by ITP is that a third-party ad service (such as a demand-side platform) that serves many advertisers and publishers can amass a large amount of information about users’ interests and behaviors — so-called “cookie pools.”
A simple way to prevent this type of data collection would be to block all cross-site calls (and, with them, third-party cookies); however, this would interfere with many legitimate uses of this technique, such as Content Delivery Networks or federated login. As a result, the Apple ITP feature employs machine learning to determine which websites are being used for cross-site tracking.
In 2020, Apple tightened ITP even more, blocking all third-party cookies. Sites can still use a Safari feature called the Storage Access API to request a specific opt-in from a user, but given that the user must have a good reason to agree to the third-party storage, this effectively means that third-party cookies are no longer supported on Safari.
Apple ID for Advertising (IDFA) restrictions
In 2012, Apple introduced “ID for Advertising” (IDFA) as a way to persistently identify the device on which an app is installed. Any iOS app can access the IDFA and send it to an internet service (such as an ad network). Because the IDFA is the same across apps, it functions similarly to a third-party cookie: if App A sends the device’s IDFA to a third-party service and then App B sends the same ID, the third-party service knows that the user is using both apps.
Since its inception, the IDFA has proven to be extremely beneficial to Mobile Ad Networks, app publishers, and measurement platforms in terms of measurement and targeting. Facebook, for example, uses IDFA to enable ad targeting in third-party apps in its Audience Network. If a user interacts with a lot of gardening content in the Facebook app, for example, a third-party app that uses Audience Network can use the IDFA to deliver gardening ads to the user.
Although the IDFA is anonymous and can be disabled, its use contributes to the unsettling feeling that users have that their phones are listening in on their conversations. This is due to the fact that an interaction in one app can result in ad targeting in another app that the user does not associate with that interaction.
Apple released iOS 14.5, which changes the use of the IDFA to opt-in – apps that want to capture and share the value must first ask permission. Facebook has made a big deal out of it, even going so far as to create a dedicated website touting the benefits of targeted ads and serving pop-ups in the Facebook and Instagram mobile apps to encourage people to opt in:
Despite these efforts, it appears that opt-in rates for third-party IDFA sharing are quite low — according to a recent Flurry study, a whopping 96 percent of iPhone users in the US choose not to share their IDFA with third-parties.
What’s Google doing?
Because Google relies on advertising as a major revenue source, it has a much more complicated relationship with data and privacy than Apple, and it has been much slower to introduce privacy features into its Chrome browser or Android mobile OS.
With Apple making such a big deal about privacy, Google couldn’t just sit back and do nothing. So, in January 2020, it announced that third-party cookies in Chrome would be phased out within two years. In their place, Google is launching Privacy Sandbox, an open-source initiative as part of the Chromium project. The Privacy Sandbox is a collection of technologies that enable advertisers to avoid using third-party cookies while not encouraging them to use equally intrusive (and less transparent) alternatives such as device fingerprinting. The Privacy Sandbox is already available in the most recent versions of Chrome, but it is largely disabled in Europe.
The Privacy Sandbox project is one of several initiatives being pursued by members of the W3C’s Improving Web Advertising Business Group, all of which have bird-themed names like TURTLEDOVE (from Google), PARRROT (from Magnite), SPARROW (from Criteo), and PARAKEET (from Criteo) (from Microsoft).
FLoC and FLEDGE
Federated Learning of Cohorts (FLoC), the most advanced and high-profile Privacy Sandbox project, aims to enable advertisers to deliver behavioral targeting without building cookie pools. Using a machine learning algorithm, FLoC parses the sites (and site content) that a user visits in order to place them in one or more interest-based groups (or ‘cohorts’). A website can then use the FLoC API to determine whether the user belongs to a specific cohort and deliver targeted content. Because the profiling occurs within the user’s browser, no user-level information is sent to the internet, so third-party sites cannot build cookie pools or directly access the information. FLoC aims to reduce the risk of reverse-engineering of user information through careful design of the segmentation algorithm.
Google’s FLEDGE project aims to enable publishers to create their own interest segments and then hold auctions for advertisers to reach those segments while not passing user-level data. It’s difficult to replicate all of the ad ecosystem’s current targeting capabilities without passing any user/device data; indeed, in the most recent iteration of FLEDGE (the aforementioned TURTLEDOVE), Google relies on a “trusted third-party service” to handle some of the real-time auction mechanics.
Before Google is likely to disable third-party cookies in Chrome, Google’s Privacy Sandbox, FLoC, and FLEDGE must all be properly implemented and accepted by the web community and advertising industry. Perhaps as a result of this, Google recently announced that it would postpone the shutdown until 2023.
Google hopes that other browser makers who use the open-source Chromium engine (such as Microsoft’s Edge browser and Opera) will adopt the Privacy Sandbox features and implement their own versions of the algorithm; however, enthusiasm is low, with none of the major browser makers signing on. Brave, Microsoft, Vivaldi, and Mozilla have all spoken out against FLoC and disabled it in their Chromium-based browsers. The reaction from regulators and other industry groups has been less than positive: the Electronic Frontier Foundation published an article titled “Google’s FLoC is a Terrible Idea” in response to the news about FLoC.
Criticism of FLoC centers around two major areas of concern:
FLoC does not actually improve privacy because it replaces one set of poorly understood tracking technologies (cookies) with another (the FLoC algorithm and the data it stores in the browser). Furthermore, because the operation of FLoC requires the processing of personal data, European data regulators are debating whether user consent for the feature is required to comply with GDPR. Because of these concerns, Google has yet to enable FLoC in Chrome in GDPR countries.
FLoC will increase its advertising power with Google: The combination of Chrome’s dominance in the browser market and Google’s 31% share of digital advertising raises the real risk that Google will use the information gathered by FLoC to give its own advertising network an unfair advantage. In the United Kingdom, the Competition and Markets Authority has launched an investigation to determine whether FLoC represents an unacceptable concentration of power in Google’s advertising ecosystem.
Google’s Android Advertising ID
Android also creates an Advertiser ID, known as the Android Advertiser ID (AAID), which users can opt out of; however, Google has not announced any plans to implement a similar opt-in control, as Apple has. Max Schrems, a privacy advocate known for giving Facebook a bloody nose on privacy issues, has filed a complaint with France’s Data Protection Authority, CNIL, claiming that the AAID’s behavior violates GDPR. As a result, Google may be forced to implement a consent mechanism similar to Apple’s, at least in Europe.
Impact to the Digital Advertising ecosystem
If you weren’t perplexed when you started reading this article about all the changes in the world of third-party cookies and Ad IDs, you are probably perplexed now. If it’s any consolation, the rest of the analytics and advertising community is equally perplexed. However, given Apple’s actions and Google’s stated intent, it is reasonable to conclude that cookies and Ad IDs are on their way out. Will this, however, benefit or harm publishers, advertisers, and consumers?
According to a Google study, publishers can expect a 52 percent drop in revenue due to the loss of user-targeted ads. Another independent study, on the other hand, predicted only a 4% drop in revenue. The true revenue impact is likely to fall somewhere in the middle of these two estimates, but publishers will adjust their monetization strategies to mitigate the impact of losing user-targeted inventory, making it difficult to predict the true impact on content publishing businesses.
The trials and tribulations of the print media industry over the last 20 years, with advertising revenues plummeting as they moved online, are well-documented. However, some of the industry’s adaptations, such as its heavy emphasis on user-targeted ads, have not served it well, resulting in ‘click-bait’ headlines that exist solely to draw traffic to the site in the hope that it will monetize (probably through a low-quality retargeting ad) once there. With fewer opportunities to make a ‘easy’ buck in this manner, publishers will need to focus more on generating genuine engagement with their content, which may be beneficial to the consumer.
Networks and “The Big 3”
As we previously reported, Facebook made a lot of noise in the run-up to the IDFA opt-in change in iOS – but, interestingly, Mark Zuckerberg later changed his tune, admitting that the change could actually help Facebook by causing people to spend more time (and money) inside the company’s first-party apps. Because of Facebook’s massive collection of first-party data, any revenue it loses through its third-party network may be more than offset by revenue generated by its own apps.
Google isn’t in quite the same position as Facebook, but it still manages a very strong set of first-party data through Google Search, Gmail, and other ecosystem apps, and it can leverage its control over the world’s most popular browser. Even if only Google’s ad network supports the technologies in Privacy Sandbox, Google may be able to take business away from independent platforms such as Criteo and Taboola.
Amazon, which is sitting on a lot of very rich first-party data, is another company in this enviable position of sitting on a lot of very rich first-party data. Amazon’s advertising business is now nipping at the heels of Facebook’s and Google’s. Many users who want to buy something now go straight to Amazon to search for that item rather than doing a web search first, and Amazon can also offer advertisers end-to-end measurement and attribution, which its competitors cannot.
The emergence of Google, Facebook, and Amazon as digital ad behemoths has already hollowed out many larger advertisers’ media plans, often consisting of little more than a few branded run-of-site/sponsorship efforts for brand recognition, paired with audience-based buys on Facebook, Google, and a programmatic platform like Criteo. A further concentration of audience reach and engagement in the hands of these companies could distort the picture even more, leaving advertisers at their mercy.
Smaller advertisers (particularly B2C advertisers) will, on the other hand, become almost completely reliant on the “Big 3,” and thus on their algorithms for pricing and displaying ads. The presence of three major competitors for ad dollars may provide some protection from price gouging, but any significant threat to this near-triopoly is difficult to imagine.
Last but not least, will these changes benefit consumers? This is a more difficult question to answer.
On the one hand, making it more difficult for organizations to silently track individuals’ online behaviors is a good thing for consumers, because when given the option of sharing this data, they overwhelmingly opt out (as the Flurry study mentioned above shows).
On the other hand, there is a real danger that the end of third-party tracking will concentrate even more power in the hands of Amazon, Google, and Facebook. This is unlikely to provide much benefit to consumers: it will reduce choice without significantly improving transparency around the use of their data, and anyone who wishes to opt out will likely be unable to use these services meaningfully. Furthermore, it is unclear whether the technologies proposed to replace the functionality of third-party cookies will be any better for consumers: they may be more difficult to manage and opt into/out of.
As the last few thousand words of this post have shown, the world of privacy and user data management is becoming more complicated, not less. Consumers may be becoming more privacy-conscious, but if the tools available to them to manage their personal data are overly complex, they will be underserved, and we will be back at square one.