Ever since Google Chrome announced in January 2020 that it’ll be shutting off support for third-party cookies in the next few years, companies operating in the programmatic advertising industry have been scrambling to find reliable and effective alternatives to continue operating.
But the fact is that third-party cookies have been unable for some time already — both Safari and Firefox already block third-party cookies by default and have placed restrictions on other types of identification methods to prevent cross-site tracking, which is the main purpose of third-party cookies in programmatic advertising.
More recently, Apple has also introduced changes to its mobile advertising identifier (IDFA) to strengthen user privacy for its iOS, iPadOS and tvOS users. It looks like Google will also be restricting access to its advertising ID in Android, GAID, as well.
In this article, we’ll explain the role third-party cookies and mobile advertising IDs play in programmatic advertising, outline the privacy changes that have been introduced over the past few years and their impact on the industry, and list the main alternatives to third-party cookies and mobile advertising IDs.
- Third-party cookies are a storage mechanism in web browsers. When third-party cookies are created, they can store different types of information, but for programmatic advertising purposes, most of the time third-party cookies contain a unique identifier (ID).
- Mobile IDs are used on mobile devices to identify individuals inside mobile apps.
- Both IDs in third-party cookies and mobile IDs are used to identify individuals as they visit different websites and mobile apps.
- If an AdTech company can identify a user, then they can use the ID in the cookie to power key advertising processes, including behavioral targeting, audience targeting, retargeting, frequency capping, measurement and attribution.
- Over the years, various privacy laws from governments and policy changes from tech companies like Google and Apple have meant that creating and using third-party cookies and mobile IDs for identification has become a lot harder.
Understanding the Context Around Third-Party Cookies and Mobile Advertising IDs in Programmatic Advertising
What Are Third-Party Cookies and What Role Do They Play in AdTech and Programmatic Advertising?
Third-party cookies are a storage mechanism in web browsers. When third-party cookies are created, they can store different types of information, but for programmatic advertising purposes, most of the time third-party cookies contain a unique identifier (ID).
This ID is then used to identify individuals as they visit different websites across the Internet.
It’s important to note that there are two main types of cookies: First-party cookies and third-party cookies.
First-party cookies are created by the website that the user is visiting.
Third-party cookies are created by websites other than the one the user is visiting.
From a purely technical perspective, both first-party and third-party cookies are the same — the only difference is the relationship between them and the user.
Third-party cookies have been the backbone of programmatic advertising for over a decade.
Typically, an AdTech company, such as a supply-side platform (SSP) or demand-side platform (DSP), will create a third-party cookie either by placing their code on a website or via a process called piggybacking.
Once the AdTech company has created a cookie for that user, they’ll be able to recognize that same user if they visit another website containing their code, or again, via the piggybacking process.
If an AdTech company can identify a user, then they can use the ID in the cookie to power key advertising processes, including:
- Behavioral targeting
- Audience targeting
- Frequency capping
What’s Happening With Third-Party Cookies?
Although third-party cookies power key programmatic advertising processes and enable advertisers to reach their target audiences and publishers to earn ad revenue, they raise a number of privacy concerns.
When AdTech companies started using third-party cookies in the 2000s, the process of creating and sharing cookie IDs went largely unnoticed.
It wasn’t until mainstream media picked up on this process of collecting mass amounts of user data and tracking people across the Internet that Internet users, privacy advocates and governments started to take notice.
Certain governments started to discuss how to address this issue, but the first government to actually introduce laws to strengthen user privacy on the Internet was the European Union.
In 2009, the EU amended its 2002 ePrivacy Directive that has since been referred to as the cookie law.
One of the main features of the cookie law was that websites had to display a banner to inform its visitors that they would create a cookie during the visitor’s session on the website.
Since then, various laws have been introduced to strengthen privacy for Internet users.
In addition to privacy laws, various tech companies have made changes to their products and devices to strengthen user privacy.
Both privacy laws and technical changes have caused the availability of third-party cookies to decrease.
The reason for this is simple: the easiest way to increase user privacy on the Internet is to make it harder for companies to identify individuals.
And as we explained above, the main purpose of third-party cookies is to identify individuals across different websites.
Here’s an overview of the main changes that impacted the availability of third-party cookies over the past couple of decades:
1994: Lou Montulli and John Giannandrea invent cookies while working at Netscape.
2006: Popular ad-blocking software, Adblock Plus, launches.
2016: The European Union publishes its General Data Protection Regulation (GDPR), setting off a two-year countdown to its enforcement.
2017: Apple releases its Intelligent Tracking Prevention (ITP) feature.
2018: The EU’s GDPR goes into force on May 25, 2018.
2019: Firefox releases its Enhanced Tracking Prevention (ETP) features.
2020: Google Chrome announced that it will depreciate third-party cookies by 2022.
2021: Google Chrome announced that it will delay shutting off support for third-party cookies to 2023.
2022: Google Chrome announced that it will delay shutting off support for third-party cookies to 2024.
Read more about the history of programmatic advertising and AdTech in our AdTech Book (free to read, no registration required).
What Are Mobile IDs?
Mobile IDs, also known as mobile advertising IDs, are IDs that are associated with a user’s mobile device, e.g. smartphone and tablet. Because practically every mobile device has a mobile ID, they are more persistent than web cookies. Even though users can’t disable or remove these IDs like they can with cookies, they can easily reset them.
What’s Happening With Mobile IDs?
Most of the attention over the past few years has been on third-party cookies, however, this attention is now turning to mobile IDs.
At its annual Worldwide Developers Conference (WWDC) in June 2020, Apple announced that it would be introducing changes to how app developers and AdTech companies can access an iOS user’s mobile ID — known as ID for advertising (IDFA).
These changes require app developers to obtain opt-in consent from users before they can access the IDFA for that device.
To facilitate this process, Apple introduced its AppTrackingTransparency (ATT) framework.
These changes have had a significant impact on app developers and their ad revenue, as it is now much harder to identify individual iOS users and show them personalized ads. For advertisers, it means it’s harder to reach their target audiences and measure the performance of their in-app mobile ad campaigns.
Google has also introduced some changes to how its Google Advertising ID (GAID) can be accessed on Android devices. Essentially, if an Android user has opted out of personalized advertising, then their GAID won’t be passed to the app developer. This, of course, hasn’t produced the same impact as Apple’s changes to its IDFA as users actually have to change this setting themselves.
Google has also hinted that there will be more changes to its GAID in the future as it plans to introduce its Privacy Sandbox standard in its Android-powered devices.
So What Does This All Mean?
When third-party cookies and mobile IDs are not available, it’s much harder for companies to identify individuals. This means it’s harder to show them relevant ads, measure the performance of advertising campaigns and attribute ad views to conversions.
For advertisers, this means their ads don’t perform as well, meaning they waste money on advertising and see a lower ROI.
For publishers, it means they see a decrease in their ad revenue.
This has led to the search for alternative solutions that can power the key programmatic advertising processes.
6 Alternatives to Third-Party Cookies and Mobile IDs in AdTech and Programmatic Advertising
1. Universal IDs and Device Graphs
A universal ID is a unique ID that allows AdTech companies to identify users across different websites and devices. Universal IDs are created using probabilistic data (e.g. IP address, browser type and model, and user-agent string) or deterministic data (e.g. an email address or phone number), or both, to produce an ID.
Some universal IDs operate within one environment, such as web browsers, while others aim to identify users across different environments, such web browsers and mobile devices. For the latter, device graphs are often used to match together the IDs generated in web browsers with the ones generated in other devices, e.g. mobile IDs in smartphones.
Universal IDs have emerged in response to the end of third-party cookies in major web browsers like Safari and Firefox, and the planned end of third-party cookies in Google Chrome in 2023. These universal IDs perform the same functions as third-party cookies, but the difference is in how they are created.
Many universal ID solutions will also offer a user ID or device ID graph.
These graphs work by combining IDs and attributes collected from a range of different sources, e.g. web browsers and mobile devices, which can then help power the ID resolution service.
2. Data Clean Rooms
A data clean room is a piece of software that allows two companies, e.g. a publisher and an advertiser, to match their data together without either party gaining access to it. This type of secure data collaboration can power many programmatic advertising processes, such as ad targeting and measurement.
There are essentially two main types of data clean rooms: centralized and decentralized data clean rooms.
Centralized data clean rooms store the data in one location, whereas decentralized data clean rooms store the data in separate locations (e.g. different servers).
Here’s the basic flow of how a decentralized data clean room works:
- The two parties, e.g., a publisher and an advertiser, encrypt their first-party data and upload it to the data clean room.
- The data clean room looks for similarities between the two data sets, e.g. hashed email addresses, hashed phone numbers and hashed mobile IDs, and matches them together.
- The matched data can then be used for ad targeting, measurement and analysis.
Unlike other types of data partnerships whereby companies directly exchange user-level data, such as cookie IDs, device IDs, and IDs created from hashed email addresses, data clean rooms match the first-party data provided by brands and advertisers together but prevent any user-level data from being accessed outside of the data clean room.
To ensure privacy and data security, the data is first encrypted and then added to the data clean room. Also, all of the first-party data stays within the data clean room and isn’t shared with anyone else.
3. Google Chrome’s Privacy Sandbox
Google Chrome’s Privacy Sandbox, which was first revealed on August 22, 2019, is a set of open standards aiming to improve user privacy and maintain an ad-supported web.
Just like with other sandboxes used in computer security, Chrome’s Privacy Sandbox will execute advertising processes in a restricted environment, which is in stark contrast to how these processes are carried out today.
There are three parts to Privacy Sandbox:
- Replacing cross-site tracking processes — i.e., the ones currently powered by third-party cookies.
- Phasing out third-party cookies by separating first-party and third-party cookies via the SameSite attribute and turning off support for third-party cookies.
- Mitigating workarounds such as fingerprinting.
The main standards being worked on in Privacy Sandbox include:
- Topics API — for running personalized advertising campaigns based on the topics a user is interested in based on their web-browsing history.
- FLEDGE — for running retargeting and audience-targeting ad campaigns.
- Attribution Reporting API — for measuring the performance of ad campaigns, e.g. attributing ad views and clicks to conversions.
The standards are being discussed and worked on between AdTech companies, agencies, publishers, Google Chrome and Google’s ad teams via the W3C Improving Web Advertising Business Group.
Although it’s still in development, Privacy Sandbox puts forward a completely new way of how online advertising works.
4. The IAB Tech Lab’s Seller Defined Audiences (SDA)
On February 24, 2022, the IAB Tech Lab released its first addressability specification from the Project Rearc initiative: Seller Defined Audiences (SDA).
This new standard is designed to help publishers monetize their first-party data by creating audience cohorts that can then be passed on to demand partners (i.e. DSPs) via the OpenRTB protocol and Prebid.
SDA leverages other IAB Tech Lab standards, notably Audience Taxonomy, IAB Tech Lab Data Transparency Standard, and IAB Tech Lab’s Transparency Center.
The IAB Tech Lab has designed the SDA specification to work with existing media-buying processes and standards — notably the OpenRTB protocol and Prebid.
The procedure for utilizing SDA is as follows:
- The publisher creates audience segments based on their first-party data.
- The publisher passes the SDA IDs to DSPs via OpenRTB
- The DSPs examine the segment IDs and decide whether to bid on the impression or not.
5. Self-Serve Ad Platforms
One of the main outcomes of the increased privacy laws and changes is that publishers have once again gained control over their audiences.
For publishers, collecting and using their valuable first-party data will allow them to continue to monetize their websites even when third-party cookies disappear from Google Chrome.
While publishers can use universal IDs and Seller Defined Audiences to activate their first-party data, they can also give advertisers direct access to their audiences by using or building a self-serve ad platform.
Compared to selling their inventory via their ad server or supply-side platform (SSP), publishers can use a self-serve ad platform to enable advertisers to create ad campaigns directly on their websites.
The self-serve ad platform would typically integrate with data platforms, like a DMP or CDP, to allow advertisers to create audiences, and with an AdTech platform, such as an ad server, to power ad delivery and targeting.
The benefit for publishers is that they don’t have to share any data about their audiences with advertisers, as they do with real-time bidding (RTB) auctions.
The benefit for advertisers and ad agencies is that they can directly reach their target audiences, without having to worry about whether their ads are being shown on websites whose audiences don’t match the advertiser’s targeting criteria.
6. Contextual Targeting
Contextual targeting allows advertisers to display relevant ads based on the website’s content rather than using the data about the visitor.
The idea is not completely new; before the advent of the Internet, contextual targeting was widely used in magazine and newspaper ads.
Remember the full-page or half-page ad of an SUV sneakily placed next to a feature on 4×4 cars? That was it.
Contextual ads in print, along with topical advertising and interactive print ads, gave incredible creative freedom and served as an outlet for some very original ideas in the seemingly outdated print medium.
Over the years, the growing popularity of the Internet and emerging advertising technologies have enabled advertisers to segment audiences and target them based on their behavior and interests (i.e. behavioral targeting).
However, today many print publishers still take advantage of contextual targeting simply because it’s very effective for specific kinds of content.
Although less elaborate than other techniques, contextual targeting is also gaining traction again due to smaller reliance on personal data.