Corbin Bridge is MMi's Director, Digital Operations. Les Hostetler, Paid Search Insights Lead, contributed to this column.

As the demise of the 3rd party cookie approaches, a host of tech companies are now proposing alternative data collection schemes that purport to preserve user privacy while still allowing data to be captured and used for effective ad targeting. Most of these schemes are collectively discussed under the general term of a “Universal ID”.  Before we get there, though, it’s worth spending a quick primer on the current prevalent method for targeting individuals (or their web browsers and devices) … the cookie.  If you already know this part, great!  Feel free to skip ahead.

Types of Cookies, How They’re Used, and Why Some Are Going Away

In digital terms, a cookie is a small text file containing pieces of data and stored on a user’s device to recognize your device or browser, and often to keep a record of what sites you visit and even what you do on them.

1st party cookies are widely used, often for storing user credentials or remembering items in a shopping cart. These are stored by most individual websites (or domains), that you visit. Those notifications to accept cookies when you visit a website? Those are 1st party cookies, which collect data that is relayed to the owner of the web domain. These cookies help websites function more seamlessly, and they are not at risk within the current privacy laws being enacted.

3rd party cookies, however, are another story. These cookies come from domains separate from the one you are visiting.  They are most often used to track the activity of a user (or the user’s device) and to target him or her with ads.  A 3rd party cookie is set by an ad server and allows the ad tech company that set it to track users across multiple sites.

Let’s look at a fictitious example to better understand how this works.

Bob visits a website, foo.com, to read reviews on a widget he wants to buy. Later, Bob goes to bar.com to research a birthday gift for his wife, Alice. While on bar.com, Bob notices an ad for the widget he viewed earlier on foo.com.

While he may not have realized it, foo.com had placed cookies in Bob’s browser when he first landed on the site. The 1st-party cookies were created by foo.com and are used to improve Bob’s browsing experience. The 3rd party cookies were placed by a third party, such as an ad server, to track his behavior.

The ad server, reading the 3rd party cookie, knows that Bob is interested in a particular widget. Ads showcasing this widget will “magically” follow Bob around when he visits bar.com and other websites.

The 3rd party cookie that enables the widget to follow Bob around the internet is being eliminated, in reaction to consumer privacy pushback as well as actual legislation prohibiting this practice in certain regions.  In response, tech giants such as Google and Apple (itself already long a proponent of user privacy) will no longer allow the practice.  

This has created much consternation for the advertising community and the ad tech ecosystem built to support the targeting of individual browsers and devices based on their past activity on the web.  For advertisers now used to being able to target individuals based on very specific data about them, this seems like a giant step backward.  As a result, the industry has been scrambling for solutions that satisfy the letter of these new privacy requirements while still allowing advertisers to target the best prospects in a data-driven fashion.

Meet the Leading Candidates:  Universal ID 2.0 and FLoC

In response to this situation, most ad tech firms have promoted some variant of a universal ID as a solution. LiveRamp (once Acxiom, a holding company that acquired and merged a variety of data management, storage, and marketing companies in the 2000s) in 2016 invented IdentityLink, a technology that anonymously connected user’s online behavior and user identity data (often referred to as identity graphing). Initially, IdentityLink used both 3rd party and 1st party data, but it became the core for later developments in anonymized user identification and segmentation by others in the ad tech field, including The Trade Desk, Brightpool and Criteo. IdentityLink was largely the model upon which universal ID was predicated.

A universal ID solution that has garnered much publicity is Unified ID 2.0 (“UID 2.0”). At its simplest, UID 2.0 is a framework introduced by programmatic demand side platform (DSP) The Trade Desk with the objective of replacing 3rd party cookies. UID 2.0 proposes using 1st party data (collected legitimately from users on owned digital properties) and better cookie-syncing (so less information is lost, and duplication is minimized) to collect data on users for the purpose of ad targeting.  With the UID 2.0 initiative, a consortium of publishers, buyers and ad tech vendors have presented a potential solution which they position as being both privacy-friendly and an improvement over previous user ID efforts.

Of course, there’s precious little actual privacy going on here – simply rearranging the process of data collection so that it complies with the letter of the proposed laws (which themselves are largely underwhelming due to lawmakers’ inability to understand how personal data is collected and used) and avoids punishment (which is lackluster even when applied). 3rd party cookies are going away, but there is an entire industry that has become dependent on targeting specific users (or their behaviors), and it is not going to just close up shop.

Up until March of this year, various Universal ID proposals such as UID 2.0 seemed fast-tracked to be the dominant method by which privacy and targeting could be reconciled. And then they weren’t.  What changed? Google announced in March that it would not be participating in UID 2.0 or any similar solution, but instead had come up with its own approach to privacy laws: the FLoC, which stands for “Federated Learning of Cohorts.”

Google’s announcement roiled the digital advertising industry and has drawn hundreds of articles – a lot of them negative - since. Google is, after all, the single largest purveyor of digital advertising in the world, commands by far the largest market share for search (Microsoft’s Bing is a very distant second), and has in Chrome the world’s most popular web browser (64% of global market share, 3x the next competitor, Apple’s mobile-dominant browser Safari). The bulk of Google’s revenue comes from advertising, so sorting out the loss of 3rd party cookies in a way that preserves their business models remains of utmost importance. And if they can hamper competitors in the process, critics say, hey why not?

Google’s FloC does both, and works like this: as a user goes about his or her activities across the web using the Chrome browser, an algorithm tracks those activities and sorts the user into a “cohort” containing other users who exhibit similar characteristics and behaviors. To preserve privacy Google has stated that cohorts will contain at least 1,000 users each. A specific user is then, if not completely anonymous (Google still knows everything about you, even as they claim your browser history will remain private), at least semi-anonymous, a faceless member of a large group of similar people. When a user visits a website, Chrome tells the site that user’s cohort and the appropriate ad is served.

Google’s announcement created a great deal of consternation. Much had already been invested in UID 2.0, and there are still many companies at work developing it. Google’s participation, expertise, and market dominance could have moved that process forward substantially, but instead they decided to build their own solution – a solution that organizations that aren’t Google say will only solidify its status as a so-called walled garden.

This creates a pair of dominant competing models for addressing privacy concerns and forces publishers to choose – Google’s FloCs, or UID 2.0. Competing browser Firefox has announced that won’t use FloCs; the Electronic Frontier Foundation has denounced them; WordPress calls FloCs a “security concern”; alternately, the New York Times will test FloCs and will not use UID 2.0.

What Can Advertisers Do?

What does this mean for advertisers? For those that invest a lot with Google … perhaps not much. Google’s FLoCs protect Google’s 1st party data as well as protecting Google’s ability to leverage that data on behalf of their advertisers for targeting. Keyword search marketing itself, $172B worldwide this year, is unaffected.

For those publishers that have sufficient traffic to their sites, 1st party data will remain available and (with user consent) collectible. The breakdown comes with ad tech for programmatic advertising, which has become an enormous component of the digital ad ecosystem. Formerly, ad tech firms could collect and provide 3rd party data to advertisers looking to enhance or expand their targeting, and UID 2.0 would replace some of that. And that makes this controversy, for sophisticated advertisers who have their own data collection in place, something of a moot point.

Google and these ad tech firms, faced with losing their ability to harvest data and monetize it for advertisers, are arguing in large part about how to protect their own revenue streams in the face of increasing calls for privacy legislation. It may take some time for the dust to settle.  What can advertisers do in the meantime?

  • If you’re not collecting your own 1st party data, start. It’s always valuable and entirely legal to capture (with user consent).  It can form the core of your future targeting efforts.
  • Talk with your digital agency about how they’re planning to address targeting in a cookie-less world.  
  • Review your current digital marketing efforts to see how invested you are in using 3rd party data, and begin thinking about alternatives. Review what will be lost, try to determine how much these changes will affect performance, and evaluate strategies to recoup those losses.
  • Explore publisher direct partnerships. Many publishers are developing unique audience and targeting solutions leveraging their 1st party data, such as Zeus by The Washington Post.
  • Understand how performance will be evaluated, validated, and reported.  Transparency and 3rd party validation (wherever possible) are crucial.

3rd party data collection has been a huge factor in digital advertising, and privacy legislation will take that off the table. Thinking seriously now about the ramifications and developing strategies to ameliorate any negative outcomes will save a lot of time and performance downturns in the future.

If you enjoyed this post, you might also like "Annual Digital Advertising Benchmark Trends: 2020 vs. 2019"

Photo Credit: © Michalzak | Dreamstime