From Apple’s Intelligent Tracking Prevention (ITP) in Safari to Mozilla’s Enhanced Tracking Protection (ETP) in Firefox, cookies, the primary means through which marketers track consumers on the web, are under attack.
The bad news: right now, it appears that what comes next isn’t likely to look anything like what marketers have become accustomed to. Specifically, most marketers will find it very difficult if not impossible to reliably and consistently track users as they traverse the web, hampering their ability to target them.
Or will they?
If the IAB Tech Lab has its way, the death of cookie-based tracking won’t be the death of tracking. This week, the organization proposed the creation of a neutral, standardized identifier that is tied to standardized privacy settings and controls. Described by the IAB Tech Lab as an “improved mechanism for audience recognition and personalization”, the standardized identifier would allow information about individual consumers to “travel with the consumer and be broadcast throughout the digital supply chain, so that it may be reliably honored, respected, and propagated.”
Companies wanting to access standardized identifiers for consumers would need to demonstrate compliance with their privacy preferences as detailed in their standard identifiers. To ensure compliance, the IAB Tech Lab proposes a joint accountability system that relies on software protocols and a “standardized, controlled container for ad delivery to limit the execution of client-side code in order to reduce security, performance, and tracking concerns.”
The IAB Tech Lab suggests that the standards be set up like public utilities with oversight provided by government entities, and with marketing and media companies working with browser makers to govern the standards.
Too much, too late?
The proposal is bold and reflects just how dire the assault on cookies looks to be to the digital advertising industry. According to Jordan Mitchell, the IAB Tech Lab’s SVP of membership and operations, “Eliminating cookies today without an adequate, planned transition to a new, publicly owned mechanism for recording and honoring consumer preferences will disenfranchise millions of independent businesses, entrepreneurs, influencers, and individual communicators, and concentrate control of the internet with four or five giant technology companies.”
Mitchell might be right that the cookie-pocalyse will only increase the control of a handful of companies including Google and Facebook, but selling the public on a standardized identifier that helps advertisers track them won’t be easy.
“Who’re they kidding? A single ‘token’ will uniquely identify you & be linked to your name & personal data in a trice among sites sharing info w/ their 3rd parties,” Brendan Eich, the CEO of privacy-focused browser Brave, tweeted.
Eich’s comment is particularly interesting in light of the fact that research commissioned by his company is currently making headlines. According to that research, Google’s real-time bidding (RTB) system violates the GDPR. Specifically, Brave alleges that Google, after eliminating unique IDs after the GDPR went into effect, developed a mechanism called Push Pages which “appear[s] to be a workaround of Google’s own stated policies for how RTB should operate under the GDPR.”
Brave had previously lodged a formal GDPR complaint with the Irish Data Protection Commission over Google’s DoubleClick/Authorized Buyers advertising system, claiming that it leaks “intimate data” about the consumers who visit the more than 8m websites that are part of the system.
Now, the company says its new evidence, the alleged sharing of personal information belonging to Brave’s chief policy & industry relations officer, Dr. Johnny Ryan, with an unknown number of companies, is “concrete proof” that the GDPR is being violated in a massive way.
“One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection,” Dr. Ryan stated.
And therein lies the rub with the IAB Tech Lab’s standard identifier proposal: it’s questionable as to whether the public will trust anything created by the industry. A common narrative today is that for years, companies in the digital advertising ecosystem, including advertisers, publishers, ad tech firms and data brokers, have basically done with consumer data whatever they want, sometimes acting in ethically and legally questionable ways to maximize their profits.
Now that consumers are gaining a greater ability to fight back thanks to laws like the GDPR and the ongoing crackdown on cookies, the notion that they’re going to eagerly buy into an audacious new proposal that would basically give the ad industry a second chance at tracking them, this time more respectfully, seems far-fetched.
Of course, this proposal probably doesn’t need consumer buy-in. What it needs is buy-in from the industry and regulators. Neither seems likely either however. There are already a number of competing proposals for standardized identifiers and no sign that the industry is ready to line up behind one of them.
There is also no reason to believe that regulators around the world are going to be able to agree on a set of common regulations, something that is seemingly required for the kind of public utility the IAB Tech Lab envisions. Instead, it appears far more likely that regulators in different parts of the world will continue to craft their own privacy and data protection laws, such as the CCPA in California, creating an increasingly complex compliance situation.
While none of the significant challenges mean that the standard identifier concept is dead on arrival, for perhaps the first time ever, the digital ad industry looks very vulnerable. For that reason, companies would be wise to hedge their bets and prepare for a world without cookie tracking just in case it comes.