Driven by both consumer awareness and regulatory change, the free movement of personal data through the adtech ecosystem has come under review and criticism over the last few years. But it’s important to understand why cookies were created in the first place and remember that some cookies are designed to simply make people’s web experience easier.
To coin a phrase, cookies don’t track people, people track people.
Cookies are saved to a users browser and can store helpful information to remember a users login details, or what they had in their shopping basket. These are typically first-party cookies, meaning they are tied to that website’s domain and can only be read by the owner of that site.
Cookies can also be used to track user behaviour as they move from website to website, these are typically a third-party cookie, meaning they sit in the domain of the company dropping them, for example, a DMP cookie is tied to their domain, dmp.com.
How are third-party cookies used to power adtech?
Due to the fact that third-party cookies are tied to a third-party domain, they can be read by that third-party and used to track individuals across multiple sites. If we continue the above example and assume that the same DMP has dropped third-party cookies on multiple websites, they are able to build up detailed user-profiles and are able to identify and track those individuals across all those sites.
Additionally, cookie syncing has long been used to share identities between companies (for example, between a DMP and a DSP), to increase the level of cross-site tracking and targeting that cookies provide. Back in 2014, Steven Englehardt provided a fantastic summary of how cookie syncing works and potential data privacy issues.
The short version is that when a user visits a website third-party cookies are dropped by a number of ad vendors, for example, a DSP. When it creates this third-party cookie, it also triggers a number of other vendors cookie to be dropped for matching purposes, for example, for a DMP - this is known as piggybacking. Because the DSP has triggered this, they receive not only their own cookie ID but also the DMP’s cookie ID, which gets stored in a cookie table.
In many cases, the same DMP also fires their own third-party cookie independent of the above and triggers a third-party cookie of the DSP to be dropped. Meaning now both the DSP and the DMP can create a table that associates the two IDs.
This process happens automatically once a user clicks the “Accept” button on the consent banner that now appears on most websites, and unfortunately, often before acceptance is given. It is therefore invisible to the general user, who is unlikely to read the full list of cookies being dropped.
Data privacy issues with third-party cookies
The ICO has made it very clear that they believe all cookies to be personal data, as they could be used to identify an individual, and therefore the use of the data collected by third-party cookies is subject to the compliance rigours of GDPR.
“Cookie compliance will be an increasing regulatory priority for the ICO in the future.”
While regulations around the use of third-party cookies are brewing, with the ICO continuing to warn of their use, two of the largest browser providers have already taken steps to block their use. Previously, users had to take proactive steps (and navigate quite complicated instruction pages) to block third-party cookies being stored on their browser. Now, however, both Apple’s Safari and Mozilla’s Firefox browsers block third-party cookies by default.
This has had a significant impact on the adtech industry, as the blocking of cookies in these browsers means the users using them can no longer be tracked and targeted with personalised advertising, This has seen the advertising rates paid for targeting users of Safari plummeting by 60% over the last two years.
The future of cookies
Google has now confirmed its intentions to phase our support for third-party cookies by 2022. Essentially setting an expiration date for third-party cookies.
With their downfall, it will be natural for the adtech industry to look for workarounds that utilise first-party cookies to pass data. But as Ciaran O'Kane put in his 2020 predictions:
“Now we have the opportunity to re-imagine what digital advertising could look like. There are so many great companies building the next generation of ad tech that puts users and privacy first.
Why we need a solution
Outside of the adtech industry, it can be perceived that an ideal solution would be to stop tracking users across sites, and therefore remove the ability for advertisers to target consumers. However, it is important to remember why we, as consumers, have access to such a wide array of free content online. It is because media and content owners can earn revenue from their advertising inventory, rather than from charging consumers.
It is therefore vital that we find a solution that works for consumers, media owners and brands wishing to advertise. InfoSum believes this solution is in the privacy-safe, consented use of personal data to connect identities and drive cookie-free advertising. Our platform uses a federated architecture to ensure that data is never shared between the various parties in the adtech ecosystem, and our use of differential privacy techniques ensures individual identities are never exposed.
By adopting an approach that relies on data provided by a consumer's consent, we can continue to provide targeted and personalised advertising, while respecting consumer privacy.