In the announcement, Google clearly stated its intention to “phase out support for third-party cookies in Chrome”. While the development came as a surprise to some, others saw the writing on the wall last August when Google announced the privacy sandbox. Historically, third-party cookies have been an essential tool for advertisers to track users and tailor their targeted messages. However, the industry – in the face of pressure from legislators and consumers – has been moving away from them for some time, and other browsers like Microsoft Edge are already following in Google’s footsteps.
Last year, Apple continued to strengthen the Intelligent Tracking Prevention (ITP) function in its Safari web browser, leading to a decline in AdTech share prices, as Safari holds an 18% share in the worldwide browser market. In the midst of these changes – and following similar anti-tracking technology in the latest version of Firefox – publishers have reported a decline in ad revenue that raises concerns about the viability of a cookieless future. Fortunately, Google has taken a strategic route ahead of its changes, giving publishers plenty of time to prepare.
Moving forward – and by the end of 2022 – Google hopes that ad targeting, measurement and fraud prevention will follow the standards put forward by its Privacy Sandbox. Although the Sandbox does not contain any tools as of yet, it does offer five Application Programming Interfaces (APIs) to replace functions that cookies previously served. After future trials have clarified the way these APIs will work, advertisers will use them to request data on conversion, attribution and other indicators of an ad’s success.
Most importantly, the Privacy Sandbox is what it claims to be: private. Instead of identifying individual users, advertisers will receive anonymized signals from a user’s browser where all their information and browsing habits will be stored. In theory, this will put an end to retargeting, Data Management Platforms (DMPs) and any service based on third-party user data. As Google holds 66% of the digital advertising market, third-party data will no longer constitute a viable path for user targeting.
Google is facing twin streams of pressure that have influenced its decision. In the first place, user tracking has come under scrutiny by emerging data privacy legislation in the U.S (CCPA) and abroad (GDPR). At the same time, legislators in the U.S have accused the company of violating anti-trust laws. Because advertising constitutes a significant portion of its revenue stream, the company must respond to changes in AdTech; at the same time, removing third-party functionality from its browser has already inspired accusations of anti-competitive behavior.
To fend them off, Google has worn a collaborative face, inviting publishers and other AdTech leaders to develop new standards that meet the criteria of Privacy Sandbox. While control over the digital ecosystem remains in the company’s hands, there are many paths towards a cookieless future that remain to be decided. Rather than shape the future of AdTech, Google has instead condemned certain technologies and services to obsoletion. While some – like DMPs – have already been preparing for this move, the initial impact will be felt by those who have not.
In the context of Google’s update, the term “cookieless” can be misleading since first-party cookies will remain a viable way for publishers to target their own audience. Likewise, it will signal a shift to more direct relationships between advertisers and publishers that may generate a market for second-party data. Initially advertisers will struggle to switch from the ultra-targeted, one-to-one mindset of programmatic advertising. Over time, they will realize the benefits of one-to-many advertising which involves cultivating a targeted group of audiences over individuals.
AdTech has relied on third-party data for so long that – in the minds of some advertisers – user tracking is synonymous with third-party cookies. While it’s true that targeting and measuring will become less central to advertising, it will live on in a simpler form as advertisers shift to click-based user tracking and conversion measurement. To this end, first-party cookies are not the only path forward for cookieless advertising.
Google’s announcement has generated, for instance, a renewed interest in Universal ID. Under this system, advertisers would be able to track and target through a system of user identification based on deterministic (as opposed to probabilistic) matching. Universal ID is arguable just as powerful as third-party data, and there are already many open-source standards, including DigiTrust and Unified ID. Any viable standard – however – would require widespread adoption among Internet publishers to be useful, and so far this has not emerged.
More controversially, various forms of “fingerprinting” can be used to track users between browsers and devices, and many – from Amazon to DMPs on the cutting edge – have already invested in it. While it is arguably more invasive than third-party tracking – and shows that even a “cookieless” future cannot fully protect user privacy – it is also difficult to prevent, and Alexa 500 publishers have already adopted it as an alternative.
On the scale of changes that impact the advertising ecosystem, it’s fair to compare Google’s cookieless update with the release of GDPR. Now – like then – a major change in function was imposed on advertisers and publishers. Then – like now – the technology to facilitate this change already existed, and all parties were given time to prepare. Looking back, we can derive both an optimistic prognosis and a warning.
The good news is that the world is ready for cookieless advertising, and those who prepare will be minimally affected by it. For some – like DMPs and SSPs - preparing will require a radical change in business model, and investment in new technologies. For others – like Ad Exchangers – the cookieless future will arrive uneventfully. For most, however, it will simply require involvement in the conversation initiated by Google and a watchful eye for developments to the Privacy Sandbox.
Fortunately, Google’s move to appease AdTech and publishers is not simply for show. Although it is moving towards the consumer market, its business remains centered around advertisers, as it depends on them for revenue. The Privacy Sandbox – like WordPress, Mozilla and other open-source standards before it – is an opportunity to define the rules that Google will hold its partners to and push for a system that fairly represents them.
On the other hand, a decline in revenue will be the inevitable result of Google’s update for almost everyone. Although we expect ad placement, fulfillment, conversion and other measurements of success to stabilize within two years of its initial release, those who fail to prepare ahead of time will be the most adversely affected.
by CORY SCHNURR
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.