• Some of us are old enough to remember when almost everyone liked cookies.

    That was, of course, before the “cookie” became the name of a small piece of data that a website stores in a user’s browser, and which serves as the marker for digital ad targeting and content personalization.

    It was also before cookies became known to consumers as one of the enemies of privacy. Browsers such as Chrome and Safari are constantly downgrading third-party cookies, the ones dropped on site visitors by vendors like ad providers.  

    First-party cookies, the ones deposited by sites themselves to consistently understand the interests of their own visitors, are faring better—as long as they don’t become cross-site tracking tools. 

    And a growing number of privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are putting increasingly high guardrails around the collection or use of consumer data that is stored in any cookie.

    Imagining a cookieless future

    All of this is enough to make a marketer wish there were sweeter news.

    So, sit back and munch on this: how will digital advertising work if third-party cookies crumble?

    One group actively contemplating what this future might look like is the Interactive Advertising Bureau (IAB)’s Tech Lab.

    The Tech Lab recently proposed that the industry come together to create a new user token which broadcasts a user’s privacy preferences to advertisers, data providers, and publishers but does not rely on third-party cookies.

    SVP Jordan Mitchell told RampUp that the particulars—such as whether the user token resides in the user’s browser and exactly how it might work—are to be determined by this proposed industry initiative. He noted that user privacy and consent would have to be built in and browser makers would have to agree to any arrangement.

    An ad container

    The Tech Lab also proposes an ad container that could control the use of JavaScript, limit the number and kinds of calls to additional ad/data vendors in order to limit data leakage and page loading latency, and disallow any unauthorized user tracking. 

    The relationship of the ad container to the user token, like many other aspects of the IAB Tech Lab’s proposal, is still to be determined. One thing is clear, though: only “good actors” who abide by this initiative’s standards would be allowed access to the user token.   

    While the Tech Lab’s proposal envisions that this new user token mechanism would operate in a world where third-party cookies would be unnecessary and avoided, Mitchell sees first-party cookies as remaining viable. 

    In fact, he said, the Tech Lab’s DigiTrust Working Group has envisioned two other possible tracks for identity in a world without third-party cookies. And one of them, shared log-ins, would employ first-party cookies to maintain logged-in states.

    Similar to social log-ins

    A group of publishers, for instance, might set up a shared log-in system where a hashed email address is used among publishers’ or retailers’ sites.  

    In concept, it’s similar to the social log-ins managed by Gigya, Janrain, and others, where users employ their Facebook, Google, or other social network log-ins on sites not managed by those entities. With permission, their profiles on those social networks can also be made available to the sites.

    But, in this version envisioned by the Tech Lab, the log-in system would be independent of any one company.  

    You might log in to the system in the morning, for instance, and, during the day, the Washington Post, Walmart, and your local movie theater’s site all recognize you as soon as you arrive because you’ve been there before and they read their own first-party cookies. Again, users would be able to set their preferences and control how much data is made available and for what uses.

    The other possible alternative identified by the Working Group is a device ID that would work on computers the way, say, the IDFA device ID for mobile apps works on iOS devices.

    Mitchell told RampUp that, if the user token proposal becomes reality, a shared log-in scheme would operate as a separate system from user tokens, whether or not the Tech Lab is involved. A computer device ID, however, might be available in the user token.

    Say no to device fingerprinting

    One identity mechanism, however, appears to have been ruled off-limits by those who are proposing ways to move beyond third-party cookies: device fingerprinting.

    It’s a technique where many small settings or versions in a user’s device—such as browser version, on-board fonts, hardware specifics, and so on—are used to create a unique configuration that serves as a profile. Like Google and Apple, the IAB Tech Lab is coming down hard against device fingerprinting, largely because it means data about a user’s presence is utilized without consent.

    Extending first-party cookies 

    Another alternative for cross-site identity without third-party cookies involves first-party cookies. In fact, LiveRamp recently announced one such system, called the Authenticated Traffic Solution (ATS). 

    It requires that a user log in to Site A with an email address, which is then shared in an encrypted form with participating sites via the site’s header bidding wrapper.

    Site A deposits a token into its first-party cookie identifying that email address, and other sites similarly drop tokens for that email address into their first-party cookies for that user. Since the email address has been shared, each site can identify when that user visits their site, and a shared cross-site behavioral record could be maintained on the outside.

    In ATS, the anonymized user identity eschews third-party cookies in favor of first-party cookies, but it is limited to those publishers or retailers who agree to share data, and it is run by an individual company.
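    The flow described above, modelled as an added example (not LiveRamp’s code or the actual ATS design): the SHA-256 identifier derivation, the per-site HMAC token, and the site names and keys are all assumptions made for illustration. It shows that each site’s first-party cookie can hold a different token while the record kept on the outside still joins visits to one email-derived identity.

```python
import hashlib
import hmac


def normalize_email(email: str) -> str:
    # Trim and lowercase so every site derives the same identifier.
    return email.strip().lower()


def shared_id(email: str) -> str:
    # Assumed derivation: SHA-256 of the normalized address.
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def site_token(shared: str, site_key: bytes) -> str:
    # Assumed per-site token: the value a site keeps in its own first-party cookie.
    return hmac.new(site_key, shared.encode(), hashlib.sha256).hexdigest()


class OutsideRecord:
    """Hypothetical model of the cross-site record maintained 'on the outside'."""

    def __init__(self, site_keys):
        self.site_keys = site_keys      # site name -> secret key (constructed)
        self.token_to_id = {}           # (site, token) -> shared identifier
        self.visits = {}                # shared identifier -> [(site, page), ...]

    def enroll(self, site: str, email: str) -> str:
        sid = shared_id(email)
        token = site_token(sid, self.site_keys[site])
        self.token_to_id[(site, token)] = sid
        return token                    # the site sets this as a first-party cookie

    def record_visit(self, site: str, token: str, page: str) -> bool:
        sid = self.token_to_id.get((site, token))
        if sid is None:
            return False                # unknown cookie value: nothing to join
        self.visits.setdefault(sid, []).append((site, page))
        return True

    def history(self, email: str):
        return self.visits.get(shared_id(email), [])


def demo():
    # Constructed sample data: two participating sites and one reader.
    rec = OutsideRecord({"site-a.example": b"constructed-key-a",
                         "site-b.example": b"constructed-key-b"})
    tok_a = rec.enroll("site-a.example", " Reader@Example.com ")
    tok_b = rec.enroll("site-b.example", "reader@example.com")
    rec.record_visit("site-a.example", tok_a, "/news")
    rec.record_visit("site-b.example", tok_b, "/cart")
    return tok_a, tok_b, rec.history("reader@example.com")
```

    Because the identifier is derived deterministically from the email address, it is pseudonymous rather than anonymous for whoever holds the mapping.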

    Travis Clinger, VP of Strategic Partnerships for LiveRamp, told RampUp that ATS is envisioned as a stop-gap measure. Like others, he said LiveRamp opposes device fingerprinting. While he spoke with RampUp prior to the IAB Tech Lab’s announcement of its user token proposal, he indicated that his company is supportive of an ID that avoids cookies altogether, and is working toward such a solution.

    Back to the contextual future

    Of course, there’s always “back to the future”—that is, a wider use of contextual ads. It’s a return to the days of advertising during a football game if you want to reach sports fans.

    Dan Fennell, VP of Publisher Development at contextual ad targeting platform GumGum, agreed that a car advertiser who places their ads on web pages containing articles about cars would reach readers interested in cars. And, these days, machine learning can determine to some extent which other topics readers who are interested in cars are likely to be interested in, without tracking their cross-site behavior.

    But, without some cross-site identity mechanism, the reach would be limited to that site. Sophisticated ad targeting, such as lookalike matching to find new customers or location-based targeting, could be severely hampered.

    Third-party cookies’ time has gone

    In any case, ad veterans are warning that something has to be done.

    Dr. Bill Simmons, Co-Founder and CTO of ad platform Dataxu, has written: “Simply stated, if you use technology systems that rely heavily on [third-party] cookies for data distribution, measurement, attribution, and analytics, your business will be disrupted.” 

    He pointed to such alternatives as BritePool. Launched this past April, BritePool is a Sonobi-spinoff startup headed by industry veterans, and it provides rewards to users who let brands use their data. With BritePool, users download a permission-based platform that alerts them to ads.

    “We’re working to create an environment where cookies are no longer used for targeting advertising,” David J. Moore, CEO of BritePool, told Beet.tv. He added that “the reason Google and Facebook and Amazon are so strong is because they don’t use cookies. They use [logged-in] identity.”

    The strength of the walled gardens and the growing aversion of browser makers and privacy advocates to cross-site cookie tracking are now creating a perfect storm for something to take the place of third-party cookies.

    In fact, Google itself has also recently proposed major new ways to avoid unconsented user tracking while still enabling ad targeting, such as its Privacy Sandbox. 

    One way or another, the industry appears to be settling on the idea that the third-party cookie is an idea whose time has gone.
