The State of Cookieless

[Updated on June 30th 2021 to reflect the new estimated date for third-party cookies to be deprecated in Chrome browsers, as well as Apple’s privacy-enhancing plans for iOS 15.]

Given the amount of noise and confusion around the topic, and how much we may have contributed to it ourselves, here’s a little summary of the post-3P cookies*, post-ATT** situation as it affects the intersection of Marketing, Data, Technology, and Privacy. It should hopefully clarify things and help marketers plan for the months ahead.

Overview

The way things stand today, there is a common belief that first-party data will become the new holy grail, and that some sort of shared-identity solution (Unified ID having become the most popular) will allow advertisers and publishers to expand the current possibilities of programmatic advertising to all sorts of environments powered by a direct relationship with the audience or customer base.

As an answer to the obvious legal challenges of ID-based, cross-media deduplication (currently greater than those faced by 3P cookies), Google Chrome’s Privacy Sandbox, and its related W3C Working Group, provides a framework for advertisers and publishers to leverage a browser-level interest graph while preserving anonymity, through the use of aggregate data and minimum audience thresholds. As key drawbacks, there is little control on the consumer side, and local storage could result in data leaks when coexisting with either shared-identity, 3P cookies, and platform-specific IDs or walled gardens.

Simultaneously, advertisers are presented with an increasingly compelling case to rely on such walled gardens (Google, Facebook, Amazon, Apple) in order to guarantee addressability and mostly consistent campaign measurement tools.

Finally, Zero-Party Data solutions do not require any sort of personal data processing by either advertisers or publishers and, by putting consumers in full control of their preferences and choices, are also doing away with GDPR-related legal risks. All of it while facilitating the same data activation capabilities (campaign management) as walled gardens, and more powerful, up-to-date insights than first-party data environments.

While the soon-to-be-deprecated 3P cookies, shared-identity, and walled gardens (platform-specific IDs) are subject to valid consent requirements (as per the EU’s ePrivacy framework, under the thresholds defined in the GDPR for such valid consent) or opt-out requests (as per California’s and other State-level laws in the US), both the Privacy Sandbox and Zero-Party Data solutions fall out of that particular scope, and guarantee a much larger audience sample across different platforms. This is reinforced by the recent introduction of the App Tracking Transparency program in iOS devices.

The price of consent

Drilling-down further into the latter point, a legal requirement for valid consent takes a major toll in terms of sample sizes, as acceptance rates run directly counter to the level of risk that a particular brand or publisher is willing to bear.

On average, as per recent studies, (see chart footnotes) publishers and advertisers can expect to surpass a 40% consent rate through the adoption of basic “dark patterns”, while assuming what today amounts to a manageable legal risk across the UK and the European Union. Of course, engaging in such practices will have its own impact on consumer trust and brand equity, but that is beyond the scope of this update.

Applying this to what seem to be the most common first-party data strategies in the market (around Unified ID and other shared-identity solutions), we would expect advertisers and ad-supported media to subject consumers to an initial registration process, followed by as many consent-gathering hoops as parties are involved in a particular chain of custody. Under the assumption that the Android platform will soon emulate iOS’ App Tracking Transparency framework, it is highly unlikely that a majority of current customers or readers (even those most loyal, originating in a CRM database) makes it to the end of such a chain of custody.

Privacy Sandbox

On its part, Google has been hoping to count on other Chromium-based browsers to support the Privacy Sandbox initiatives (as summarized above, and mostly popularized through the FLoC and FLEDGE proposals), but only Microsoft (owners of the Chromium-based Edge) has explored its possibilities — through its PARAKEET proposal, currently under discussion.

Initial tests have met plenty of criticism on the part of privacy advocates, the Electronic Frontier Foundation, and even other Chromium-based browsers (such as Brave). Besides the data leak concerns mentioned above, comparisons are being made with Facebook look-alike audiences and other environments in which people have little control over the interests groups that their own browsers end up dumping them into.

The challenge in mobile

As explained, a major challenge to “addressability”, as a basic promise of Real Time Bidding and behavioral advertising, is the response that mobile operating systems are giving to privacy concerns and regulatory pressure. Targeted advertising will most likely make way for either contextual alternatives or asynchronous advertising. Which seems to be aligned with consumer demands (as recent studies -Farman, SAP Hybris, HubSpot, PageFair- show that audiences shun “creepy retargeting” and favor privacy over relevance).

Lastly, on the analytics side, the alternative measurement solutions provided by Apple (SKAdNetwork) provide a first glimpse of a future built on disparate, aggregate data sources, with decision-makers becoming more reliant on multiple correlations and less so on granular individual-level deduplication.

* Third-party cookies, to be deprecated for an estimated 64% of the audience by December 2023 (Chrome user base) and already disabled by default for most of the remainder.

** App Tracking Transparency program, as deployed by Apple on April 27th 2021 (iOS 14.5) and requiring a specific opt-in for the unique identification of mobile devices (Android is expected to follow suit in the coming months). This was followed by additional privacy-related initiatives on iOS 15 (Private Relay and Mail Privacy Protection, respectively hiding IP addresses and potentially discarding email addresses as a complementary means of user deduplication).