Post-cookie targeting & addressability

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition and advertising for decades and I’m now writing for The Monopoly Report. If you have a tip to share in confidence, ping me at my last name at Gmail or find me on Bluesky. If you enjoy this article, PLEASE take a minute to share on social media using the share icon on the left.

Our latest Monopoly Report podcast is out with David LeDuc - VP of Public Policy at the Network Advertising Initiative (NAI).

What’s left for ad tech in a post-cookie world?

Google first announced that cookies would be deprecated in Chrome in August of 2019. As such, the ad tech community has had over FIVE YEARS to move towards a non-TPC world. To state the obvious, five+ years is a heck of a long time. More than a quarter of the time I’ve been practicing law has been under the threat of cookie deprecation in Chrome.

What have we collectively done with all that time?

In fairness to the ad tech community, the Privacy Sandbox has dominated a good deal of the post-cookie discourse. I’m not saying that Sandbox discussions have been a complete waste of time. But I think it’s fair to say that progress has been limited by the fact that everyone is spending more time reacting to what Google wants and less time innovating independently. Those types of resource drains forced by a dominant company rarely get mentioned in connection with antitrust cases, but nonetheless place a huge competitive burden on the marketplace.

Where are we at this point? There’s really no great answer to that question. And what’s worse, I suspect that a fair percentage of the industry has interpreted Google’s July announcement to mean that the heat is off - which hasn’t really helped move things forward on finding alternative solutions.

This isn’t meant as a concession to whatever direction the Google influenced CMA Ouija Board takes us. Regardless of how that process plays out, I think it’s time for a sober assessment of where things stand and what we can all do to move our industry forward. At risk of giving away my conclusion on the front end, I’m not confident that there’s alignment across the ads space regarding the problems were trying to solve for in a post-cookie world. And its difficult to move things forward unless we can agree on a direction.

As a first step, I wanted to list out the post-cookie alternatives, tactics and techniques - with a larger goal of building a framework for evaluating each. I’ll also provide a quick take on each, but will note that I’m open to having my mind changed. So PLEASE reach out if you think I’m full of it. Much of what I’ve written below has been covered well elsewhere. But I continue to suspect these techniques aren’t always clearly understood by privacy and legal teams.

What are the ad targeting / addressability options?

• HEMs / Universal IDs – Typified by TTD UID2.0 and LiveRamp but increasingly used in retail media as well, these involve hashing an email address into a persistent ID. Some HEM solutions rely on the publisher to collect the email (and presumably secure any necessary consents and notices). One thing I’ve noticed about the process toward obtaining these types of IDs is that some pubs will imply that you’ll get access to content when you provide an email - but that’s not always the case.

• Platform UIDs – This would include a mobile carrier UID as well as the major CTV platform ad UIDs. Many of these IDs are able force controls (and not just contractual controls) on how the UID is presented, how long the UID is retained and certain other privacy and personalization controls.

• Probabilistic – Yeah, some call this fingerprinting. There’s a longer back story here which I’ll write more about at some point. But for now, I’ll note that the negative connotations around the term “fingerprinting” are part of a narrative created by a few companies including Google (who by the way, was prevented from pulling certain types of data from a browser as part of an FTC settlement).

• Contextual - This ain’t your grandparent’s contextual advertising. Lots of data out there about the audience that visits a particular URL or other digital property and keywords on a particular page. Not all content lends itself to contextual, however. And then there’s the issue with trying to measure the impact of these ads without an ID. (Although I’m finding similar challenges with many of these techniques).

• ID-Less – The IAB TL just came out with a great overview. There are some really cool solutions out there which rely on the establishment of neural networks and AI to identify patterns and make predictions regarding which sites are more likely to be visited by users that are interested in a particular product. But ID-less is a really broad category that could probably be further split up (beyond contextual and SDAs) into sub-categories. Like contextual, these may not rely on a UID for targeting, but probably would need one for measurement. Like contextual, most of these involve tradeoffs in terms of utility - but I’m pretty sure you can say that for just about all of the post-TPC techniques.

• IAB Seller Defined Audiences – This approach also does not require the exchange of user identifiers; but enables the publisher to pass certain targeting criteria pertaining to a pub ad slot downstream to the buy-side via RTB specs. SDA’s apparently fit within the geshtudnik of the latest curation trend, which is nice. SDAs also seem to have a clearer path to scale than some of the other ID-less solutions, but like most of them… uptake won’t be robust until other options are off the table.

• PAIR – PAIR is sort of a Google hybrid of HEMs and cleans rooms that enables a publisher and an advertiser to share an encrypted UID that is essentially a hashed email. One thing that makes PAIR distinct from UID2 and similar solutions is that ONLY the advertiser and publisher are able to use a particular encrypted ID (although that’s also true to varying degrees with other solutions). The data use limitations are significant enough that they don’t meet Google’s definition of tracking. And that’s really important to keep in mind as you think through Google’s long-term approach here. Perhaps if you have an individual relationship with nearly every advertiser and publisher, you don’t need to track the way just about everyone else does.

• Data Clean Room – Clean rooms are platforms that enable one or more parties to share their data in order to match disparate data sets and draw insights from such data sets without revealing the entirety of the data set or enabling the identification of any user. Some DCRs do a great job of securing data (you know who you are). One area that’s always been a bit confusing to me is whether providing personal data to a DCR counts as a sell or share of data under some U.S. laws. And then there’s a similar issue as PAIR where you’re sort of trusting that data is getting processed as advertised (although I guess that’s an endemic issue in this space).

• Browser Based Ad Tools – I’m including the Privacy Sandbox as well as the Mozilla Anonym solution in the category - both of which I’ve covered pretty extensively on these pages. Ironically, it was a Google rep who originally noted back in 2012 that browser client side ad solutions don’t scale and offer no meaningful privacy / security benefit. After all this time, the browsers still seem to be struggling to overcome those issues.

Did I miss anything? Pls share on LinkedIn or in the comments below.

What’s next?

Next week, I’ll focus on the pro’s and cons of each of the above techniques. I’ll do this mostly from a privacy lens, but also in terms of competition. Eventually, I’ll discuss viability of each - and brace while many of you emphatically tell me where I went wrong…

But at some point, we need alignment on where we’re going so that our attention and investment are apportioned accordingly.

Alan’s Hot Takes…

Here are a few additional stories that hit me over the past week:

• TikTok loses appeal – On December 6, a U.S. federal appeals court ruled in favor of upholding a law requiring China-based ByteDance to divest TikTok in the U.S. by January 19 or face a ban. The fact that they lost the appeal wasn’t a surprise to anyone paying attention. TikTok will no doubt appeal to the Supreme Court, but I don’t love their chances there either. I still think think there’s a fair chance that a solution will be worked out, but it’ll almost certainly involve some funky legal math. The saga taking place in Romania is not helping TikTok (or any of the other social platforms).

• Trump picks Gale Slater to run DOJ Antitrust Division – Gale Slater could be viewed as the first significant indicator that the Trump Administration intends to continue the anti-trust work of Jonathan Kanter and Lina Kahn. But keep in mind, she was also the general counsel for the Internet Association - the lobbying group founded by big tech.

• Privacy class-actions coming to Europe? - As if Europe could possibly become more thorny for the ads space. Advocacy group NOYB (group led by Max Schrems) has been approved as a “Qualified Entity” to bring collective redress actions in courts throughout the EU. That potentially means some EU-style class-actions lawsuits are coming our way.

• CNIL issues 50M Euro Fine - The French regulator fined telco Orange 50M euros for (1) displaying advertising that resemble email messages in its email service without user consent and (2) continuing to read cookies after consent for such was withdrawn. I need to take a closer look so as to understand if the consent would also apply to banner ads that do not look like email messages.

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.