Part I: What Are Third-Party Cookies and Why They Are Important
Part II: Privacy Laws and Third-Party Cookies
Part III: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – Browsers and Mobile
— PART III —
The Big Tech Phase-Out
Welcome to the third installment in our eight-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into third-party cookies for a baseline understanding of the technology and the oversized impact of their phase-out on the adtech ecosystem. In our second post, we surveyed the current privacy legal landscape regulating the use of third-party cookies to collect, track and share personal information. In this post, we will discuss big tech’s – and in particular Google’s and Apple’s – role in ushering the phase-out of the third-party cookie and the potential post-cookie alternatives being developed by these two tech giants for the widely adopted Google Chrome browser and Apple iPhone operating system.
As discussed in our first post, for the past two decades, advertisers have been using third-party cookies to track consumers and collect data to target digital advertisements and build consumer profiles. For many consumers, consumer rights organizations and government regulators, the online tracking and targeting of consumers became seen as a pervasive invasion of privacy, which led to the passage of privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act that, among other things, regulate the use of third-party cookies. But regulation is not the only force pushing the third-party cookie into the technological dustbin. Just as integral to the demise of the third-party cookie – if not more so – is the big tech industry phase-out of third-party cookies that has been underway for the past several years and will likely complete by 2023.
Starting in 2017, Apple’s Safari and Mozilla’s Firefox browsers announced that they would no longer be enabling third-party cookies. By the end of 2022, they are scheduled to eliminate third-party cookies completely. However, the tectonic plates of the phase-out did not begin to shift until Google announced in 2020 that its Chrome browser (by far the most widely used globally) would no longer support third-party cookies by the end of 2022. Google has since decided to postpone the start of its phase-out until mid-2023 and to end it in late 2023 as it continues to workshop feasible third-party cookie alternatives through its Privacy Sandbox initiatives. More on those below.
Perhaps just as impactful as Google’s decision to disable third-party cookies on its browser was Apple’s determination earlier this year to require apps running on its devices to obtain opt-in consumer consent before tracking consumer activity on other apps and websites. This position was consistent with Apple’s decision to remove third-party cookies from its Safari browser and was tied to Apple’s release of iOS 14.5’s privacy feature: App Tracking Transparency (ATT). When opening an app, iOS 14.5 users now receive pop-up boxes that ask consumers whether they “allow [insert app] to track [them] across other companies’ apps and websites.” The user is given two options: “Ask App Not to Track” and “Allow.” If the user decides not to allow an app to track, the developer will lose access to the Identifier for Advertisers, which is a method used by developers to track user activity across other apps. Additionally, a signal sent to the application informs the business that the user has requested not to be tracked in other ways, including by their email address.
Until recently, like the rest of you, we were finally starting to wrap our heads around one element of Google’s Privacy Sandbox proposal for third-party cookie replacements – the Federated Learning of Cohorts (FloC). But after brief testing of the FLoC API last year, at the end of January, Google announced that it was scrapping the initiative and replacing it with a new interest-based advertising targeting system called Topics. FLoC was one of the Privacy Sandbox proposals that had garnered the most attention, as it was Google’s post-cookie interest-based ad targeting solution. But FLoC proved to be somewhat controversial from the start, with privacy advocates concerned over the potential for reverse engineering, or “fingerprinting,” enabling the potential for users to be tracked and categorized based on sensitive audience categories such as ethnicity, political affiliation, sexual preference, etc., and questioning FLoC’s regulatory compliance with the GDPR.
Unlike FLoC, Topics does not group users into cohorts and uses fewer categories, purportedly relieving user privacy concerns such as the fingerprinting of users through detailed tracking and the use of cohort identifiers. Google also claims Topics will avoid assigning “sensitive categories” to users, such as grouping them by race or gender, but makes clear that it is possible for websites to correlate certain topics to sensitive information.
Details are still emerging on what Topics is, how it works and its impact on advertisers. What we do know is that Topics analyzes a user’s local browser history on Topics-enabled sites, also known as participating sites, and tracks the categories of topics as you move around the web. These topics include categories such as fitness, travel and transportation, and books and literature. Currently, the topic taxonomy includes approximately 350 topics, but Google has stated its eventual goal to increase this number (and later to outsource the taxonomy to an external party). For reference, the IAB Tech Lab’s Audience Taxonomy contains approximately 1,500 audience segments.
The Topics API will record the categories users visit the most. Then, each week, a user’s five most popular categories plus a sixth random topic will be gathered on their device. These six categories are then shared with the websites visited and are used to target the ads the user is shown. The Topics are kept for a total of three weeks, after which “old” topics are deleted.
According to Google, topics are selected on the user’s device without the involvement of outside servers (even Google’s own servers) and are used to supplement contextual signals from the page. When users visit a participating site, Topics identifies three topics, one from each of the preceding three weeks, and shares them with the participating site and its participating advertising partners. If a site does not opt into Topics, then it neither provides nor receives a topic, as no topics are communicated to the site from the user’s browsing history. Users can also view and delete topics as well as disable them altogether. Although this functionality may ease some privacy advocates’ concerns, advertisers are already expressing frustration that this, along with the limited list of topics and the limitations on frequency reporting, makes Topics a less attractive model for interest-based targeted advertising.
Big picture, it is important to note that not everyone is ready to embrace the Privacy Sandbox generally, and the jury is definitely still out on Topics specifically. In the fall of 2021, a coalition of tech companies, advertisers and publishers established Movement for an Open Web to address the potential anticompetitive nature of the Privacy Sandbox. An antitrust investigation from the United Kingdom’s Competition and Markets Authority (CMA) (conducted prior to FLoC’s replacement) prompted Google to agree to an expanded set of commitments, recently approved by the CMA, to assuage concerns of unfair competition. Google is also facing antitrust scrutiny in the EU, by the European Publishers Council, and in the U.S. in several ongoing lawsuits related to competition in the adtech space, notably in one by a Texas-led coalition of 16 states and Puerto Rico. The coalition’s complaint alleges that the Privacy Sandbox stifles competition by excluding advertising space from customers who do not use the Chrome browser, effectively raising barriers of entry and thus excluding competitors from participating in the Privacy Sandbox system. Google contends that the Privacy Sandbox merely responds to the evolving consumer privacy concerns that led to the third-party cookie’s phase-out. While the litigation is in its early stages, a legal decision in this case has the potential to impact the entire adtech industry and the adoption of various post-cookie tracking solutions, including Topics. We will be monitoring this case closely and reporting on significant developments in future blog posts.
With Apple’s new ATT framework making it significantly more difficult to track Apple device owners at scale, Apple is providing advertisers with an alternative to attribute impressions and clicks to app installs on iOS apps: the SKAdNetwork. The SKAdNetwork works like a mini walled garden. It shares conversion data with advertisers without revealing any user-level or device-level data as it engages multiple advertisers to bid on ad space simultaneously. Ad networks are required to register with Apple and developers must configure apps to work with ad networks. The SKAdNetwork’s attribution process happens within the App Store before being verified on Apple’s servers. Data is then cleansed of anything that could compromise a person’s identity before being shared with the ad network or platform.
Apple’s ATT framework definition of “tracking” is fairly expansive and covers a wide variety of use cases. The ATT framework defines tracking as the act of linking user or device data collected from one app with user or device data collected from other companies’ apps, websites or offline properties for targeted advertising. This includes (1) sharing device location data or email lists with a data broker; (2) sharing a list of emails, advertising IDs or other IDs with a third-party ad network; and (3) placing a third-party software development kit in an app that combines user data from the company’s app with user data from other developers’ apps to target advertising.
Google’s Privacy Sandbox and Topics and Apple’s SKAdNetwork may be important elements of the emerging post-cookie industry landscape, but they are not the only ones. Indeed, there is currently no industry consensus on any one alternative to third-party cookies. It is just too early to tell. But it is beginning to appear that the lack of consensus is a preview of what the post-cookie landscape may actually look like. The “one cookie to rule them all” approach will instead be eclipsed by a variety of different approaches and alternative identifiers. However, almost every player in the adtech ecosystem agrees that first-party data will be an integral component of whatever the holistic post-cookie stack will look like. In our next installment, we will take a deep dive into the all-important first step of prioritizing first-party data.