Many things have been said since Google announced it plans to shut off support for third-party cookies by 2022, from “cookies are dead” to “attribution modeling has no future”.
Well, in part one of our three-part blog post series, we aim to shed some light on this topic and look at therole third-party cookies have played in attribution, the recent changes to them in web browsers, and how the privacy fallacy is leading to their demise.
Beyond attribution we will focus on what happens under the surface by looking at what the characteristics and technical requirements of an attribution model are and why these areas make attribution susceptible to changes with third-party cookies.
What can you expect from this blog post series?
This is a dense and broad topic, so we’ve decided to split it up into three parts to make it more digestible and give you a better understanding of the situation.
Here’s an overview of what we’ll be covering in the 3 articles:
- The past: We’ll look at the role third-party cookies have played in attribution, the recent changes to them in web browsers, and how the privacy fallacy is leading to their demise.
- The present: We’ll explain how attribution in digital advertising works, what the current attribution models are, and the role first-party and third-party cookies play in attribution.
- The future: We’ll explore how the walled gardens of Google and Apple are shaping the future of attribution and the possible alternatives to third-party tracking.
This first part (the past) is all about the context.
Let’s dive in!
The Origins of Cross-Site Tracking and Third-Party Cookies
For over a decade, online advertising companies have been using web cookies, primarily third-party cookies (aka third-party trackers), to identify Internet users across different websites, a practice known as cross-site tracking.
The purpose of identification is to run behaviorally targeted advertising based on a user’s web-browsing history, conduct frequency capping (i.e. avoid showing the same user the same ad multiple times over a given period of time), measure the performance of ad campaigns, and attribute ad views (impressions) and clicks to conversions.
In the early days, cross-site tracking was a process that happened behind the scenes; in the background as the websites loaded.
But it didn’t take web users, the media, and lawmakers long to discover that these web cookies were being used to “identify individuals” across the Internet and build profiles containing information about their interests and behavior.
Combine all that with the data collection practices of Google and Facebook and you’ve got yourself a pretty interesting situation. We won’t be addressing whether these data collection practices are harmful, scary or simply way too much in this post, but it was worth a mention.
One important thing to bear in mind is that data breaches and leakages (i.e. mass data sharing between companies or access to data due to security issues) have been one of the biggest reasons for the growing concern.
This, combined with the Facebook and Cambridge Analytica scandal around influencing voters in the US elections and UK’s Brexit, has caused data privacy to be at its highest point of interest since the beginning of the Internet.
Yet, its relevance for most users does not really seem to be that big.
The following graphs illustrate the trends for searches related to data privacy. In the first graph the upwards tendency is evident, but when compared and relativized with random searches like “white sneakers” or “avocado” its relative importance decreases drastically.
Data privacy vs random searches – US past 5 years
This right here is what has left the door open for companies like Apple or Google to become advocates for privacy.
A More Private Web: The Privacy Fallacy
A more private web. That is the message behind most of the recent changes web browsers have made to limit third-party cookies and similar storage methods, with the goal of preventing users from being tracked across the Internet.
Although ad-blocking plugins like AdBlock Plus had been around and gaining popularity since the mid 2000s, the first privacy move from a web browser came in 2015 when Apple allowed users to install content blockers with the release of iOS 9.
The content blockers would prevent certain elements and scripts from loading in the Safari web browser on iOS devices (e.g. iPhones and iPads). The goal of content blockers was two fold; improve page load time in Safari in iOS and stop third-party trackers from collecting data.
The privacy topic got very real with Safari when Apple introduced ITP 2.0 (Intelligent Tracking Prevention) back in 2017. This privacy-centric path was shortly followed by the other browsers like Firefox.
Here’s an overview of the privacy settings in popular web browsers:
Safari’s Intelligent Tracking Prevention (ITP): Blocks third-party cookies by default, restricts the lifespan of certain first-party cookies, and deletes data stored in local storage after 7 days.
Firefox’s Enhanced Tracking Protection (ETP): Blocks social media trackers, third-party cookies, and device fingerprints by default. The level of privacy protection can be strengthened by changing the settings.
Google Chrome’s Privacy Sandbox: A set of new privacy-centric standards that will replace the main advertising processes currently underpinned by third-party cookies, such as ad targeting, retargeting, measurement, and attribution.
Additionally, Google has already rolled out changes to third-party cookies with the release of Chrome 80:
Google Chrome’s SameSite
On Wednesday, October 23, 2019, Google Chrome released a detailed blog post explaining how cookies would be handled in the future.
To allow users to delete third-party cookies but keep first-party cookies alive, website developers will have to make changes to how cookies on their website are set.
In short, they’ll have to include a new “SameSite” attribute (specifically, SameSite=None) when setting a cookie to tell Chrome which cookies are to be used only by the current site or current URL that the user is on, and which ones are cross-site cookies.
If you are wondering what exactly it is that you need to do, know that if you use a tag management system like TealiumIQ, the first-party cookies you create in there already contain this parameter.
Additionally, if you’re a publisher or advertiser, then your part in this is pretty limited. These changes must be set within the code that creates the cookie and they must be applied by the developer of the platform you are using (Facebook, Google, Criteo, etc.).
Going back to the change, what this means from a digital advertising and marketing perspective is that users will have a bit more choice over whether third-party cookies are created or not.
So if the main web browsers are strengthening user privacy, then that must be a good thing, right? Where’s the fallacy in that?
Let us explain.
The Decision Is Not Really Made By The User Anymore…
Put simply, the privacy settings in web browsers such as Safari, Firefox, and Google Chrome are default configurations. Although their aim is to protect a user’s privacy by preventing companies from tracking them across websites, these privacy settings are a form of opt-out that is not really initiated or chosen by the user.
This differs considerably from users installing ad blockers to protect their privacy and block intrusive ads as this is a decision initiated by users, not an external company.
In any case, in line with the privacy advocacy that these companies have been promoting, the changes they’ve made to third-party cookies and other identification methods do make it much harder for advertisers to access user-level data.
But when it comes to Google and Apple, they’ve proposed alternatives to accessing some of this data via Chrome’s Privacy Sandbox and Apple’s Privacy Persevering Ad Click Attribution.
This is exactly what brings us to the idea of a privacy fallacy.
With all these privacy changes, the web will be a bit more private to a certain extent, but having the possibility of accessing the data just makes it sound very distant from a truly private web. The data will still likely be collected at the most granular level by companies like Google as they do now, but they won’t be sharing this data with marketers.
While Apple’s moves towards a more private web seem to align with its mission, there are a lot of questions around what Google’s motives are, considering the dominant position its ad platforms have in the programmatic advertising industry.
Could Google be introducing these privacy changes and limiting the amount of data independent AdTech companies can collect only to continue collecting and using all this user-level data for their own tech?
This is a question that many folks in the digital advertising and marketing industries have asked.
I suppose we’ll know the answer soon enough.
The Size and The Magnitude Of The Issue Has Grown Since 2015
Although these privacy changes to web browsers date back to 2015 when it was just Safari flying solo and trying to change the rules of the game, a lot of things have changed since then.
Today, Safari has a market share of around 17% globally, though these figures vary much depending on the market and device. The most recent data on this topic can be found here.
Even when Firefox joined Safari and introduced very similar changes that block third-party cookies and prevent other types of identification like device fingerprinting, the market share of those two together was not enough to make the AdTech world shake.
Fast forward a couple of years and Google has decided to be part of the privacy movement.
In January 2020, the big news came out: Google Chrome will kill third-party cookies by 2022.
With all the work that needs to be done before Chrome can shut off third-party cookies and implement Privacy Sandbox, plus the disruptions caused by COVID19, it seems unlikely that it will happen before 2022, but it’s still somewhere on the horizon.
Google Chrome has the largest share in the web browser market (around 60%-70%), so when the news came out, an avalanche of articles and comments related to the end of cookies and its effects in certain platforms started flowing in.
Now that Chrome has joined the game, the AdTech and MarTech platforms that rely on third-party cookies to do their magic (e.g. programmatic and RTB platforms, DMPs, multi-touch attribution models, among others) will see the availability of third-party cookies decrease significantly, along with their capabilities to collect, modelize and activate data.
It sounds rather dramatic, but we’d like to recall something mentioned at the beginning. Ever since Google made the announcement, one common misconception that’s been floating around is that cookies are dead.
In fact, we’ve been talking about third-party cookies all this time. This simply means that cookies aren’t dead. First-party cookies will remain almost intact, at least for now.
Apart from that, it’s important to mention that using third-party cookies is the main line of business for many of these companies. So even though the scenario is way more challenging, many of them have been working on cookieless solutions that will allow them to remain relevant when the change is implemented.
If you want to read about the difference between first-party and third-party cookies, then have a look at this previous article.
The Role Data Plays in Digital Advertising and Marketing
Companies collect data and use it for a number of activities, such as personalizing the on-site customer experience, keeping users logged in on the site, and discovering possible friction points users have on the site through web analytics.
But it can also be used for other cases that require a broader view of how users interact with a brand in the digital world.
The data that ends up being shared with third-parties has various purposes, but the main ones would be:
- Cross-site ad targeting.
- Measurement and attribution.
- Audience segmentation and activation.
- Frequency capping.
Some of the most common third parties involved in the digital marketing arena right now are Salesforce with its DMP, Criteo and its retargeting platform, Nielsen with its multi-touch attribution model, and Google with its many digital advertising and marketing platforms.
To achieve all this, cookies come in extremely handy. They collect important pieces of information, mostly in the shape of identifiers that afterwards help companies connect the dots of all the different interactions users have had with their digital assets.
As we mentioned at the beginning, we’ll now be covering in detail what happens specifically with attribution modeling in this new scenario when third-party cookies are no longer available.
Attribution Modeling: The Optimization Ally Of Data-Driven Marketers
Let’s face it, the good old days when people would buy the first product offered to them are long gone. Current users are actively searching and instructing themselves to make the best possible decision before buying a product.
In fact, based on Nielsen’s data, over 50% of customer journeys are composed of 2 or more touchpoints. This requires companies to be present on a whole bunch of different channels and activate different communication strategies so that they are front of mind when their prospects and clients show interest in the products and services they sell.
Companies have teams creating product pages and writing articles to show up in Google Searches, posting blog posts and videos on social media, sending out emails and newsletters, and running display and retargeted ads on different websites.
The scenario is quite complex: too much data and too many interactions with the user.
Luckily, there’s attribution modeling, which helps companies identify which touchpoints contributed to a sale, helping them understand which channels, campaigns and creatives are generating the most revenue for the company.
Specifically, attribution can help companies answer the following questions:
- Which touchpoints was a customer exposed to before they converted (i.e. completed a goal such as a purchase or download)?
- How did each touchpoint contribute to the generation of revenue? Whether in a direct or an assisted way?
- Which touchpoints are delivering the most and least number of conversions and revenue?
In part 2 of this series, we’ll look at the role of attribution modeling in digital marketing.
But before concluding the first part of the article, we would like to briefly touch on the points covered so far:
- Popular web browsers like Safari and Firefox have implemented changes to their privacy settings to prevent users from being recognized across different sites (e.g. blocking third-party cookies).
- Google Chrome has also made changes to how it handles third-party cookies (via SameSite) and announced that it will be shutting off support for third-party cookies in the next couple of years. Chrome has also proposed a new way to run targeted advertising and measure and attribution marketing campaigns called Privacy Sandbox.
- “A more private web” is the message behind all these changes, yet it’s unclear whether Google’s AdTech platforms will be impacted in the same way as independent AdTech companies.
- Users don’t get to make decisions anymore on whether they want to accept third-party cookies or not because they are blocked by default in their browser.
- Multi-touch attribution models, DMPs, ad servers, retargeting ads will be affected by the changes to third-party cookies.