On Tuesday, 14th January 2020, Google announced that it intends to end support for third-party cookies in its Chrome browser. In a following statement, on 3rd March 2021, Google reiterated their initial announcement, and additionally stated that alternative user-based identifiers to recognise individuals will not be built nor used with their products. Instead, as part of Chrome’s Privacy Sandbox proposals, different APIs will be used for different use cases. FLoC (Interest-based targeting), Fledge (Remarketing), and Conversions API (Measurement use cases) are three out of the nine APIs that will be available. All data will be aggregated and no longer used to recognise and reach users at the individual user level.
Google recently announced that it will delay the phase-out of third-party cookies in its Chrome browser until 2024. While there is a momentary collective sigh of relief across a wide swath of MadTech advertisers and platform providers, it is important that we continue to push forward with strategies that do not depend on third-party cookies. Though the deadline has been pushed out, the sense of urgency needs to stay high. Delaying the inevitable does not make it go away.
What follows is Acxiom’s assessment of the situation and guidance related to Google’s decision about third-party cookies, which are critical to much of the digital advertising ecosystem.
It is important to understand what Google announced—that third-party cookies will no longer be supported by the Chrome browser by the end of 2024. This is a similar action to what Apple took with its Safari browser in 2018. Google’s Chrome and Apple’s Safari own most browser traffic, so this does create a tipping point in the industry regarding how to acquire and manage data supplied by cookies. As the Interactive Advertising Bureau (IAB) stated in a post about its newly announced Project Rearc, this move by Google means the “default future state of digital media will be 100% anonymous, non-addressable to third-party vendors that support advertising-funded media and services today.”.
This will have the greatest impact on digital channels that rely on reach as a key benchmark for targeting audiences. Third-party cookies are what allows marketers to target in an anonymised state across digital channels. So, without them, we will see less advertising personalisation, decreased ability to retarget, reduced conversion insights and a need to increase focus on identified matching and reach in digital channels. This also makes onboarding offline data to online more challenging, as advertisers will now need improved identity management to scale audiences in a post-cookie world. Those impacted the most will be demanding side platforms (DSPs) and platforms that depend on third-party cookie syncs to identify individuals across sites. So, without third-party cookies, we will be forced back to originating match and reach based on personally identifiable information (PII).
IAB Tech Lab’s Senior Vice-President
“Without third-party cookies, we are only left with per-domain identifiers using first-party cookies, and it becomes impossible for third parties to set or recognise any form of shared or universal ID across domains—for any purpose
”
This is an industry-wide challenge. The MarTech and AdTech space is committed to increased people privacy without sacrificing commerce or access to content. We expect to see significant changes to support that commitment over the next few years. There will be an increased need for advertisers to develop more robust identity and data management solutions to achieve the marketing performance they were able to achieve prior to a cookie-less world. Acxiom is well poised to lead our clients through these confusing and changing times since we are experts at identity management and PII-based matching in privacy-conscious ways both online and offline.
More and more experts in the industry are referring to the “cookie apocalypse,” calling this looming event the end of digital advertising as we know it. It’s important to understand that the death of third-party cookies is not the end of the digital marketing world, but rather the beginning of a new phase. Change is inevitable for brands, publishers, and platforms as the fallout from this change becomes clearer.
Many will contend that a cookie-less ecosystem will increase people privacy and ensure digital privacy. While this is true, it will also strengthen the grip of the “walled gardens” on the digital advertising market. Two of the largest and most influential walled gardens are Google and Facebook. With their global reach, authenticated user traffic and closed advertising stacks they have an outsized advantage.
As mentioned, Google is in a dominant position in terms of internet traffic with 81% of the search engine market and 60% of browser penetration. Since the search engine is the gateway to the internet for a vast majority of users, this puts lots of power and influence in Google’s hands.
Similarly, Facebook has a broad reach to more than 70% of U.S. adults, and more than 35% of the world’s population. These statistics are evidence that the current ecosystem has created a “walled garden duopoly” between the two platforms. The sheer reach and control of their platforms give the duopoly a huge advantage in reaching people and capturing their behaviours, intents, and attention. This puts them in the lead position for capturing ad spend. In a perfect world, brands would have complete transparency between both publishers. However, Google and Facebook can calculate and display ad performance statistics as they wish, with limited accountability. Despite Google’s stated intent to increase people privacy by eliminating internet behaviour tracking through cookies, the duopoly of Facebook and Google has a lot of economic interests at play. Google and Facebook do not depend on third-party cookies; however, the rest of the internet relies on the technology to recognise users across sites. Eliminating third-party cookies further solidifies Google’s and Facebook’s control of the ad spend market, which was valued in excess of $129 billion in 2019, of which they already capture 60% (source: eMarketer, “U.S. Digital Ad Spending 2019”).
| FIRST-PARTY COOKIES | THIRD-PARTY COOKIES | |
| What’s the Difference? | First-party cookies are set by or on behalf of the website the user is on. For example, if you are on Brand.com, first-party cookies are set by Brand.com. First-party cookies have traditionally been safe from automatic blocking or removal, as they are responsible for providing a convenient and seamless user experience. For example, first-party cookies are useful for storing:
• User login status, which can be used to keep you logged in to websites and applications • Which products were added to shopping carts • Website settings, such as which language version was chosen • Favourite teams, sections, newsletters • Values entered in forms (e.g., name, email address, and company on a white paper download form) |
Third-party cookies are set by domains other than the one being visited directly, hence the name. Third-party cookies are more frequently deleted by users, and more methods that block third-party cookie tracking are now being implemented. There are also increasing requirements for third-party cookies for privacy-centred regulations, such as the GDPR and CCPA. Third-party cookies are useful for:
• Ad retargeting services (Double Click, Criteo, Ad-roll) • Addressable ad buying • Cross-site tracking • Data sharing between third parties (cookie sync to share IDs and/or data) • Social share buttons • Customer service pop-up windows • Collecting website behavioural data for use in ad reach • Measuring campaign performance by recognising which cookies were exposed to an online campaign |
| The Limitations | First-party cookies can only be read when a user is visiting the domain of the website/publisher.
• Cross-site tracking is not possible • Advertising on other sites based on behaviour on the advertiser’s own site is not possible • Retargeting is not possible |
According to a recent report, 64% of cookies will be rejected. Rejection occurs when a browser either blocks a cookie from being placed at the time of the ad impression/site visit or deletes the cookie after the fact. Data leakage is also a concern with third-party cookies.
• Many third-party cookies get blocked, as browsers can mistake them for spam • Measurement relying on cookies is incomplete due to blocking and deleting • A cookie’s information can be stolen if the session is unencrypted, so it’s important to limit what is stored in them • There could be other tracking options and/or data that a third-party company is collecting and adding to the cookie that you are not aware of • Anti-spyware programs often delete this type of cookie |
| Solutions Enabled | Personalisation, preference management, shopping carts, customer personas, conversion tracking | Anonymous visitor recognition, addressable ad buying, ad targeting, ad retargeting, behavioural ad targeting, behavioural analytics, measurement, behavioural data |
| Data Being Produced | Captures login data or web form data, behavioural data such as pages visited on the domain/website, browser/device setting information, time of use | Behavioural data across the internet, personal data (if readable), websites visited, time spent on websites |
Apple’s Safari crusade against cookies starts with Intelligent Tracking Prevention (ITP).
From June 2019 FireFox blocks ALL third-party cookies and first-party cookies by default.
Apple Safari blocks third-party cookies by default as of 2020.
Google will begin ending support of third-party cookie tracking.
Google’s Chrome browser will phase out third-party cookies by 2024, according to its recent announcement. Google Chrome is betting that its Privacy Sandbox—the privacy-preserving API unveiled in August—will build functionality that replaces third-party cookies.
Director of Chrome Engineering
“We are confident … mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete,
”
While this announcement was specific to Google, the implications are industry wide. Google is not the first to kill third-party cookie access. Previous versions of Apple’s ITP (Intelligent Tracking Prevention) (1.0 and 1.1) allowed cookies to be read and used in a “third-party context,” provided the user accessed the domain directly in the first 24 hours. That gave an unfair advantage to Facebook and Google, as the 24-hour purge did not have the same effect on them as on other sites because users visit these websites regularly and rarely log out.
In Apple’s newest version, ITP 2.0, the Safari browser detects cross-site tracking and partitions (or isolates) first-party cookies, making it impossible to use them in a third-party context for tracking or analytics. Some experts say that by introducing such strict rules to deal with third-party cookies, Apple sabotages the current economic model of the internet. With Google following suit, it is inevitable that either the economics of the ad-supported internet model are radically changing, or new and emerging solutions must come to the forefront.
Google’s dominance and control of the ad spend market is based on its full vertical integration across core platforms and systems. Google’s services and products stretch all the way from device manufacturing to operating system and browser development as well as foundational AdTech capabilities like its own DSP, ad server and massive-scale content platforms. As noted by Keach Hagey and Rob Copeland of The Wall Street Journal, “Google’s ad-tech business consists of software used to buy and sell ads on sites across the web. The company owns the dominant tool at every link in the complex chain between online publishers and advertisers, giving it unique power over the monetisation of digital content. Many publishers and advertising rivals have charged that it has tied these tools together—and to its owned-and-operated properties like search and YouTube—in anticompetitive ways.” This integration allows Google to deploy its own “walled garden” that does not leverage third-party cookies.
Achieving scale and adoption across the stack is paramount to capturing ad spend and customer influence. While Facebook does not have the browser, it has the most popular applications (e.g., Facebook, Instagram) on the internet and has the most organic reach of any platform.
Explore how the market is evolving away from third-party cookies and give you the best alternatives and actions you can be taking now to set yourself up on the right path.
Acxiom is well positioned to help agencies and brands manage the impending changes. We work with a wide swath of platforms and providers across the MarTech/AdTech ecosystem and have the necessary influence and connections. Whether integrating new technologies, utilising platform relationships or working with industry-wide consortiums, we can tailor our solutions to meet the changing requirements. In addition, Acxiom has long been a privacy leader and advocate. We are following and participating in a growing number of possible innovations to support both the improved privacy and control by users while not unduly hindering commerce. Here are some of the active efforts and ideas:
The 5th Cookie Initiative is a joint initiative of the IAF, Anonos and Acxiom. The term “5th Cookie” is a metaphor that encapsulates the goal of utilising GDPR-compliant pseudonymisation to bridge “consent gaps” when consent by itself is no longer enough. “Demonstrable accountability” utilising auditable and documented technical safeguards is necessary to balance data innovation and the assurance of the full range of individual rights.
Under GDPR, compliant pseudonymisation requires that re-linking/re-identifying should not be possible without access to additional information kept separately and used only for authorised purposes (Article 4(5)). This enables the achievement of the principle known as “Aristotle’s Golden Mean”, which says that on a spectrum, an excess of behaviour sits at one end and a deficiency of behaviour sits at the other. But somewhere in the middle is a perfectly balanced behaviour: the golden mean. To achieve this balance, GDPR-compliant pseudonymisation bridges the “consent gaps” so both privacy and utility can be fully maximised.
Under GDPR, encryption is state of the art for protecting data when at rest and in transit (Article 32). Similarly, pseudonymisation—as newly defined in GDPR—is state of the art for protecting data when in use (Article 25). GDPR-compliant technical and organisational safeguards in the form of digitally enforced pseudonymisation controls can be embedded in and flow with the data. This helps enforce risk-based data protection policies, which resolves conflicts between maximising data value and protecting fundamental personal rights to privacy.
Aggregated and Obfuscated User Segments
Google has proposed the implementation of an API call to a browser-based privacy sandbox which stores individual user-level information but exposes personalisation and measurement data without violating user privacy. Similar to Google’s ads data hub (ADH), this solution maintains privacy while supporting brands needs for targeted marketing. In 2024, Google will cut off access to DoubleClick IDs which are currently the only way to analyse user-level information in campaigns within ADH.
Google plans to begin trials for click-based conversion measurement without the use of third-party cookies. Since the conversions will be recognised within the browser, advertisers will be able to call an API that will send the conversion value from the browser. This allows AdTech providers a means to target aggregated cohorts, or groups, of site visitors without the granular targeting of specific individuals, thus maintaining privacy regulation compliance.
OEM-Driven Identification
Cookies are browser-based technology. One alternative is for key OEM providers to provide more organic and standardised identity solutions. Due to the limited number of OEM providers, it is feasible that an industry standard could be employed to create a consistent identifier. However, in many ways this puts the identity fabric into the hands of a few large providers and risks furthering a monopolistic culture.
The same is true for the browser developers. If Google, Apple, Microsoft and Mozilla were to standardise on a solution and create a ubiquitous browser ID then the need for third-party cookies would be circumvented. Unfortunately, this would only raise the walls on a few walled gardens and put the open internet at risk.
create a device ID applied to desktop or laptop computers; a browser on a phone or laptop would integrate with OEM manufacturer
new browser ID, isolated to Chrome and not integrated with the phone or computer manufacturer
It takes a village.
Epsilon-Conversant believes an “exchange-based solution” is the answer. With an inventory of more than 2,000 advertisers and publishers, it utilises what it calls “header bidding” via a server-side API. By collecting privacy-compliant user information across a large client base, it can deliver relevant ads to in-network visitors while maintaining the proper level of anonymity.
Similarly, it is important to note the recent announcement of Merkury, “an identifier designed to allow marketers to continue reaching audiences online without using third-party cookies” (source AdExchanger, “Merkle Launches an Identity Solution as The Industry Weans Off Cookies” by Alison Weissbrot).
“Consumer privacy and the death of the third-party cookie are changing the rules for digital and cross-channel marketing”, said John Lee, President of Merkury. “Going forward, both marketers and publishers will begin with their first-party relationships to create owned, private identity graphs that generate addressability while maintaining their own intellectual property. These brands will be able to network their private graphs with partners and publishers to increase addressability for all in a privacy-conscious way. Merkury’s mission is to serve as a neutral technology enabler of the private graph, supporting seamless interoperability between brands, publishers, and technology platforms.”
While this is a legitimate solution if achievable at scale, there are plenty of challenges to this model as there are already a growing number of competing exchanges and architectures.
Focusing on Contextual Marketing vs. Behavioural
Some activists and organisations are pushing for a complete elimination of cross-device and cross-site personalisation for non-authenticated users. This is the most conservative approach as it would only allow brands to retarget site visitors who make themselves “known” on one of their owned websites. Brands would move back to focusing on contextual marketing and reduce models and strategies relating to behavioural analytics.
Establishing technical standards for companies’ first-party solutions
The Interactive Advertising Bureau (“IAB”) Tech Lab, in its Project Rearc proposal, introduced a plan to develop rigorous technical standards and guidelines that inform how companies collect and use a user-provided, consented identifier tied to privacy preferences. Users would be in control of the use of the ID and any related data. Businesses would strictly adhere to any privacy preferences attached to the identifier and the identifier would be sufficiently encrypted so that it couldn’t be reverse-engineered to identify the person. Any third-party vendor tracking would only be done with explicit user consent, and only on behalf of the trusted first parties. The IAB, however, is not providing a specific identifier product or service like others have launched, but rather providing technical standards for companies to apply to their own first-party solutions.
If you can’t beat them, join them.
Following the footsteps of Google, Facebook and Amazon, the last possibility we will include is the concept of brands building their own walled gardens. This is only feasible for a handful of global brands that have the number of site visitors and the content necessary to keep and maintain a first-party cookie pool of significant scale. However, it is feasible that a few bigbrand walled gardens could build their own site network and monetise their authenticated traffic.
Acxiom is at the forefront of the marketers’ fight against third-party cookie depreciation. By providing a wide array of products and services, Acxiom is helping marketers to make the most out of their data assets. At Acxiom we offer robust solutions for identity management, data governance, and cross-device tracking, as well as powerful tools like data cleansing and data activation that can change the way marketers look at data today. Additionally, marketers can also take advantage of technologies such as device graph, cookie-less tracking, fingerprinting and zero-party data which are essential for marketers to stay ahead in an ever-changing online landscape. This means that marketers no longer have to rely solely on third-party cookies; thanks to Acxiom, even large brands and companies can use first- and second-party data to track customer journeys without interruption.
