Cookie Life - Part 1: Status Quo

Google announced at the beginning of July that it will postpone the launch of the Privacy Sandbox solution in Chrome to the “end of 2023” hence maintaining the support to third-party cookies. It gives the industry some air to implement their new strategies and arbitrage for future open-web campaigns. Let’s use this time to understand what is at stake.

Why is scraping third-party cookies from Chrome bringing so much trouble to the advertising industry?

1. Because Chrome represents 65% of all web navigation (cf. Gartner) and 75% of mobile ones (cf Visual capitalist).
2. Google alone attracted almost 31% of the total US ad revenue in 2019 (eMarketer)  (2020 being disturbed by Corona) across all formats (display, search, video- desktop, and mobile) and the revenue is growing.

Data collection and capacity to leverage it is becoming concentrated in the hands of a very few actors (such as Google, Facebook Group, and Amazon) due to the limitations that various data protection laws have triggered in the western world.

To set the scene, let’s double-click on the context:

• What is Data Privacy Protection?

• What is classified as Personal Data?

• What are advertising Cookies?

• What is changing after the Elimination of Cookies?

• What are the Alternatives to Cookies?

What is Data privacy protection?

Multiple examples of privacy laws around the world (non-exhaustive list):

• The European Union General Data Protection Regulation (GDPR) in 2016
• The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada in 2018
• The General Data Protection Act (LGPD) in Brazil in 2018
• The Data Protection Act in the United Kingdom in 2018
• The Personal Data Protection Bill in India in 2019
• The California Consumer Privacy Act (CCPA) in California (US) in 2019
  
• The Protection of Personal Information Act (POPI) in South Africa in 2020
  
• The Data Security Law in China in 2021
  
• Various privacy laws in effect in Australia

Something all these laws have in common is that:

1. There are sensitive personal data that should be protected
2. Businesses can be held financially liable for the mishandling of data at different pipeline stages including secure processing, storage, and transfer (free or at a cost)

What is classified as Personal Data?

Definitions vary from country to country, for example in Europe it says that personal data is any information that relates to an identified or identifiable living individual:

• Name and surname
• Home address
• Email address
• Identification card number
• IP address
• Advertising identifier of your phone
• Health data which could be a symbol that uniquely identifies a person
• Cookie-ID or location identifier

What are Cookies?

The identification cookies are files created by the websites you visit. They make your online experience easier by saving browsing information (the name or address of the site you visited, your ID, and timestamp).

There are two types of cookies:

1. First-party cookies are created when one visits a website. They are set by the site shown in the address bar.
2. Third-party cookies are created by other sites that own ads or images on the visited website.

With technical cookies, sites can keep you signed in, remember your site preferences, and give you locally relevant content; such cookies do not require the user’s consent.

Third-party cookies provide support to advertising targeting: they enable the selection of ads according to behavior as well as historical partners identifying user's interests and potential needs.

First things first, let’s clarify what has happened to data collection via cookies:

Advertisers rely on cookies to track behaviors across the open web. Cookies help follow users from one site to another to serve them with ads that are coherent with their actions. At the same time, cookies record what the users have already seen for future reference (for example, for retargeting purposes).

Here is a timeline of the milestones on the path towards cookie eradication:

What is changing after the Elimination of Cookies?

The elimination of cookies compromises the measurement of campaigns on the web and cross-device attribution. We are turning to a consented information gathering: cookies will be saved in the browser and will get no access to the user’s history of actions prior to sending an ad. Campaigns will be running “blind” without any historical information on users.

This entails the following:

• It will incapacitate many actors involved in digital retargeting
• It will limit the ability to create lookalike and similar audiences based on collected first-party data
• Performance marketing activities, in general, are going to be handicapped
• Lookalike and enhanced targeting will be limited
• Digital attribution models outside of walled gardens and cross-device targeting are going to be extremely limited.

What are the Alternatives to Cookies?

The whole market is trying to find the most efficient solution to overcome this challenge, with or without leveraging Google’s new offer:

• First-party data, e.g. email addresses are back as the golden ticket to recognize users across devices and platforms and collect user data
• Walled gardens will keep offering the same level of granularity in targeting, thanks to the user consent upon login and personal data processing agreements. They have developed network outreach => advertising offers outside of their walls.
• Cookie alternatives like various technological solutions aiming to replace cookies are already either available or in development. We are planning to give you an overview of these in the next articles.
• More traditional targeting options including contextual advertising, geotargeting, seasonality, and timing can be leveraged to guarantee some sense of going back to classic tactics - brands can rely on the specialized websites and relevance of influencers to promote their brands to the users, pending on season, hours of the days and locations, thus limiting wastage.

To close up

The topic is ongoing - it is important to grasp the context to understand what is coming and build a customized solution for each individual business. There is no one-size-fits-all approach, as business needs and target group behaviors are genuinely different from one sector to another. This series of articles aims to help you navigate through the changes - MMT is here to help you build your #futureproof data solution.

Sources:

• Market share of mobile OS - https://www.visualcapitalist.com/personal-tech-market-2020/
• Personal data definition - https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
• DGPR Requirements - https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
• Chrome - https://support.google.com/chrome/answer/95647?hl=en&co=GENIE.Platform%3DAndroid
• Mozilla - https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
• Regulations - https://www.delphix.com/sites/default/files/2021-05/delphix-ebook-regulations-000180.pdf
• Opportunities - https://www.gartner.com/en/webinars/4003053/will-your-advertising-strategy-survive-privacy-and-cookie-change?
• Sandbox announcement- https://blog.google/products/ads-commerce/a-more-privacy-first-web/
• Apple Tracking - https://clearcode.cc/blog/intelligent-tracking-prevention/#ITP4
• Timeline support - https://insights.marinsoftware.com/trends/apple-turns-the-screw-on-user-tracking-with-fresh-itp-changes/

Link to legislative documents:

• The European Union General Data Protection Regulation (GDPR) in 2016 - https://advisera.com/eugdpracademy/gdpr/
• The California Consumer Privacy Act (CCPA) in California (US) in 2019 - https://oag.ca.gov/privacy/ccpa
• The Protection of Personal Information Act (POPI) in South Africa in 2020 - https://popia.co.za
• The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada in 2018 - https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
• LGPD, the General Data Protection Act in Brazil in 2018 - https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/
• The Data Protection Act of 2018 in the United Kingdom - https://www.gov.uk/data-protection
• Data Security Law in China in 2021 - https://www.lexology.com/library/detail.aspx?g=d6879b96-5086-4fdd-8004-25556fbf44a6
• Personal Data Protection Bill 2019 in India - https://www.dlapiperdataprotection.com/index.html?t=law&c=IN
• Various privacy laws in effect in Australia - https://iclg.com/practice-areas/data-protection-laws-and-regulations/australia