Disclaimer: as the founder of an ad tech company that sells a cookieless solution, I am not impartial. But I am also a lawyer and a privacy advocate and I wrote this post as a honest analysis of the digital advertising industry in this moment in time. Only the last paragraph describes our product: you can ignore that part and still find the rest useful.      

Almost three years ago the advertising industry began waking up to the fact that third-party cookies and mobile identifiers are going away. Since then, dozens of alternative ‘identity’ products were launched, hundreds of articles published, countless events organised, and a small army of self-professed experts have offered their views (like this one). And yet, we are no closer to a resolution: most cookieless technology is deeply inadequate, the market is still confused and there is a widespread sense of cookie fatigue. 

Today, the share of audiences ‘lost’ to missing cookies/mobile IDs, falling consent rates and ad blockers has probably climbed over 60% in Europe and the US. In two years, when Google joins the party and turns off the cookie, lights will go off on 100% of internet users. There is a a very short time to find credible alternatives, test them and scale them up before the open internet is swallowed up by the walled gardens. 

We are in this situation for many reasons. The problem is truly complex and profoundly boring; the change in mindset and practice required of marketers is huge; regulators have been rather slow at clarifying the legislation, and even slower at enforcing it – creating a false sense of security; and various ad tech companies have by and large engaged in various misinformation campaigns akin to the tactics of big tobacco and big oil. As a result, the industry is lost in a fog of manufactured confusion: instead of moving forward, it moves in circles, aimlessly looking for a way out. 

Visualising the destination

To begin the journey out of the fog, we need to know where we want to go. Cookieless advertising must satisfy two conflicting sets of requirements: commercial performance and legal compliance. 

Performance requirements: A successful cookieless solution must meet a multitude of requirements from advertisers and publishers. For the sake of simplicity, I will pick the top three commercial requirements that must be met to keep the open internet an attractive destination for advertisers. These are: the ability to reach audiences and inventory at scale (reach); high-quality, granular and reliable data about the audiences they are targeting, including an understanding of their interests and purchase intentions (data quality); and the ability to measure a campaign’s performance and optimise it as necessary (measurement). All of these three basic operations will become impossible without cookies/IDs, and must be addressed. Publishers have expectations too: more control over first-party data, more direct publisher-advertiser relationships (e.g. via private auctions) and CPM rates that reflect the quality of the inventory. These expectations are not directly caused by the end of third-party cookies, but the end of the cookie creates an opportunity to rebalance the industry and give publishers more control over their ad revenues. The shift to private auctions and first party data indicates that the industry is already moving in that direction.  

Compliance requirements: There are many different privacy regulations around the world, each with its own requirements and nonsenses, but all concerned with the way digital advertising treats consumer data. I will use the GDPR as a reference because it is the most developed regulation, has a healthy body of case law and is the de facto blueprint for future regulations. I picked three bundles of legal requirements which the regulation presents as individual rights of the data subject (me and you). The first bundle is what I call ‘control the consent’: the consumers’ right to provide free, prior and informed consent to the collection of her/his personal data, and the ability to easily withdraw that consent. This is what the TCF has focused on, with questionable success. The second bundle gives data subject the right to ‘control the data’: we must be able to easily access our personal data, rectify it, erase it and restrict the processing activities. The third bundle is the right to ‘control the controller’, that is: to be transparently informed about who has access to the data, have access to their identity and contact details, be informed about their processing activities and so on. The data controller then has the responsibility to ensure that all data processors also meet those requirements, and the data subject should know about them too.  Digital advertising was not designed with privacy requirements in mind, so being future-proof requires a lot more than just dropping the cookie. Are ‘cookieless’ solutions up to the task? 

Establishing the starting point

Now that we know where we want to be, we can more easily determine where we are right now. This is not an easy task, given the great number of cookieless products making grand statements. But despite their various claims of uniqueness, mainstream cookieless solutions can be grouped into five categories.

1. Authenticated audiences: solutions that collect email addresses from logged in users on a domain, encrypt them and pass them to other domains to identify the individual.  
2. Clean rooms: technologies that find ‘matching’ users across different databases by identifying common or overlapping data, then transfer the learnings across.
3. First-party data: solutions that leverage data owned by the publisher to create target audiences. 
4. Contextual: solutions targeting content (usually classified by category, entities and sentiment), not people.
5. Privacy Sandbox: Google’s browser-based technologies aimed at grouping users based on their high-level interests, and measure campaign performance. 

When measured against the six tests discussed above, all the mainstream cookieless solutions falls way short of expectations. 

The commercial tests. No mainstream cookieless technology currently meets all the commercial requirements. Typically, a solution delivers only one between data quality or audience reach. For instance, authenticated audiences and clean rooms theoretically have good data quality pegged around a persistent identifier, but their reach is very limited. By contrast, the Privacy Sandbox and contextual solutions can provide great reach but have poor or non-existing audience data. First-party data by itself fails to deliver on most counts: only the biggest publishers can provide decent scale, but data quality is questionable and there is no measurement capability.

The privacy tests. Authenticated audiences and clean rooms fail all privacy tests because they allow companies to share pseudonymised or inferred data (which is personal). First-party data products can be compliant in certain circumstances but their use of standardised taxonomies (like Seller-Defined Audiences) creates backdoors for non-consented third parties in the programmatic ecosystem to profile individuals by triangulating first-party data with identifiers available in the RTB protocol (like the IP address). The same problem might affect the Privacy Sandbox too, unless it inserts enough ‘noise’. Contextual solutions are compliant so long as they do not use behavioural data to improve performance: if a contextual vendor is in the TCF Global Vendor List, what they do is not contextual advertising.

Finding a way forward

Perhaps because of these apparent failures of the mainstream products, the prevailing mood in the industry seems to be damage limitation: privacy and audience monetisation are seen as mutually exclusive, and the only thing we can do is find an acceptable trade-off. It’s as if the current ecosystem, plagued by fraud, dominated by walled gardens and in steady decline, is the best outcome advertisers could hope for. To find a way forward, the industry must invest in both privacy and audience monetisation, or achieve neither.

We built an Anonymised data solution based on a simple principle: that personal data belongs to the consumers and with them it must remain. Anonymised data describes a suit of technologies aimed at collecting, processing and anonymising personal data on the consumer device. It allows marketers to target anonymous groups of people instead of identifiable individuals. We already built a product that creates accurate cross-domain profiles for all consented users, processes the data on the consumer device using federated machine learning and sends to the bidstream anonymised cohort IDs. It’s basically a layer of data aggregation, processing and anonymisation that happens on the device. 

Legally, this delivers full GDPR compliance because it does not disclose any personal data. Commercially, it delivers high reach (because it makes all consented users addressable), great data quality (because it has persistent cross-domain identifier), the ability to measure conversions but also to perform retargeting, frequency capping and a lot of marketing functions that many assumes lost. Too good to be true? Well, the catch is that anonymised audiences are designed to have limited interoperability, because no personal data can be ‘synced’ or matched with other sources to extend reach or quality. At the moment, the technology only works where it is fired on the page, so only with enough adoption can it deliver on its potential. If the technology catches on, more products will follow and the industry will find ways to bring back interoperability between anonymised datasets.

It all begins with a small step. If you work for a publisher or an advertiser, try all the cookieless solutions and assess their performance and their compliance. If you feel that you are going nowhere, remember that there’s another path and give it a try. Behind the fog of cookie confusion, the future for the industry is bright.