The Changing Ad Tech Landscape: Third-Party Cookies
Google shook the ad tech industry with its original January 2020 announcement to phase out third-party cookies from its Chrome browser and move towards fundamentally private browser functionality. As part of this plan, Google announced in March 2021 that it will be rolling out a Chrome browser version in April 2021 that eliminates third-party cookies and introduces the initial version of the Privacy sandbox controls. There is some confusion in the digital advertising world that currently relies heavily on third-party cookies. These developments also signal to the marketing industry that major changes around privacy are inevitable as AI, ML, and other technological innovations gain more traction.
Companies have already been revising their digital marketing efforts to be compliant with the recent data and privacy legislations. The Chrome browser changes will require companies to further revamp their advertising strategy while also trying to keep their customer base engaged. The end of third-party cookies will change the way user data is collected and used. Though several privacy regulators have hailed the tech giant’s announcement, the digital marketing community is still unsure on how to navigate these changes.
This article attempts to look at these changes in digital marketing from the perspective of information governance and privacy professionals. How will these changes impact marketing efforts within your organizations? Are you familiar with these changes and their implications to be able to provide sound guidance to your marketing teams to adjust their data collection and marketing strategies? Are these changes a step in the right direction for privacy? In this article, we want to provide the context and background to understand the issues better. We will continue to discuss these questions and related issues further in future articles
A strong and robust Information Governance (IG) and Privacy program can ensure that your business is able to comply with evolving regulatory landscape and manage the changes being rolled out in the technology landscape. Digital marketing associations have begun to discuss the privacy implications of these changes also. Most recently, IAB Europe published guidance on how to conduct legitimate interests assessment for digital advertising. They discuss options to evaluate the privacy impact of different types of data they collect via digital advertising.
How do Third-Party Cookies Work?
Web cookies are a fundamental part of the digital marketing efforts. Cookies are basically files that store some information about you in the browsers that you use. First-party cookies are set by the domain a user is currently visiting, while third-party cookies are set by a different domain than the one you are currently viewing. Both types of cookies collect user data, but third-party cookies have become more problematic from a privacy perspective. These cookies can track your online activity and browsing history across domains and share this information with advertising networks.
For instance, when you look up a product on Google, you are bombarded by ads for that product on almost every site you visit after that. This is achieved using third-party cookies – they observe a user’s online behavior on one site and provide targeted advertisements of products/services on other sites based on this data. Third-party cookies enable advertisers to offer personalized ads based on the sites you visit, your interests, and purchases. They also allow marketers to check who clicked on an ad and made a purchase, enabling campaign optimization for those ads. It is apparent that third-party cookies serve the marketing industry in numerous ways, but they have put privacy at some risk. However, they have recently caught the eye ore defined as personal information by the EU’s General Data Protection Regulation (GDPR). There have also been several instances where the personal information of users in the form of cookies etc., has been breached and exposed online. This has led to a growing advocacy for more transparency, consent, and information about how this type of personal data is used.
Alternatives to Third-Party Cookies
Marketing gurus had anticipated the end of third-party cookies sooner or later – Apple’s Safari and Mozilla’s Firefox browser already block third-party cookies by default. Several potential alternatives are being looked at for replacing third-party cookies. The end of third-party cookies can also lead to potentially more invasive techniques like device fingerprinting, DNS records, deep packet inspections (DPIs), etc.
Google has already announced the development of its “privacy-preserving” alternative called Privacy Sandbox to replace third-party cookies. The company claims the Privacy Sandbox will help publishers reach the right audience while also maintaining user privacy. It is also expected to “protect people from opaque techniques that share user data and allow them to be tracked in a covert manner”1.
How can you be prepared?
Though it is too early to determine which system will gain prominence in the long run, organizations must develop the expertise to be prepared for changes to the marketing landscape and keeping privacy as a key focus. In addition to regulatory pressures, individual users are also becoming increasingly concerned about their privacy. Organizations will need to remain current with the evolving privacy regulations.
The GDPR mandates that the user should be informed about cookies and trackers, along with their purpose and provider. Consent has become a fundamental part of data privacy laws across other parts of the world, including the Protection of Personal Information Act (POPIA) in South Africa, General Personal Data Protection Law (Portuguese: Lei Geral de Proteção de Dados Pessoais, LGPD) in Brazil, and the Personal Data Protection Act 2012 (PDPA) in Singapore.
Organizations require a clear understanding of what data is collected through cookies, how the collected data is processed, who it is shared with, and for how long it is stored. It is important to ensure there is adequate disclosure, consent, and the legal basis for processing cookies. The security impact of storing this data for a long time also needs to be considered. This is a developing area from both the legal and technical changes and will be discussed more in the future.