top of page

The Life, Death, and Life of Cookies, Part III: Data and Privacy

Welcome back to our series on cookies, how they work, how they're used, and how they're changing. It's a pretty big series - last time around we talked about how cookies are used to collect data and how they're used for targeting online. Today we're going to talk about how data privacy, legislation, and how it led to Google's decision to deprecate third-party cookies.


The Evolving Need for Data

In the early 2000s securing advertising for your site as a publisher was an uphill battle. Larger sites - those will millions of monthly visitors - could sell their inventory to publishers directly, but for smaller publishers that wasn't an option unless they had a particularly valuable audience. And even then, what media buyer wants to make buys with three hundred different websites?


Enter ad networks, and at their forefront, Advertising.com. The idea behind ad networks was simple: Aggregate inventory from hundreds or thousands of different publishers across the internet, allowing advertisers to treat them as one large website with reach in the tens or hundreds of millions. But once the option became available, advertiser demands became more direct - why reach the entire network when they could just focus on several high-value sites saturated with their brand's target audience?


This was a tricky balancing act for an ad network - they want to sell their entire network to advertisers, and monetize the whole of their inventory, not just the most valuable sites in their networks - and those sites were also usually providing the lowest margin. Why not sell the people who visit a particular site, no matter where they go within the network?


And so behavioral targeting was born. Ad networks placed pixels on their publisher sites and used that to collect data about the sites and pages they visited, and from there could target them anywhere those people went within their network. The bigger the network, the more value they'd have and the larger the audiences they could sell. This also made social media much more valuable to networks - that inventory was considered to be pretty terrible given its proximity to User-Generated Content (ugc) and the placements not great, making it hard to monetize. But the rich data you could collect - things like age and gender - were valuable tools for audience building.


Of course, the next step if you're an advertiser is to just buy the audience and target them wherever you like, cutting out the ad network all together. This is what gave rise to data brokers, companies like BlueKai who specialized in collecting and making data available for targeting without attaching to a network or inventory. By 2010 hundreds of millions of profiles were being tracked online through data brokers.


Non-Personally Identifiable?

One of the key ways marketers and data brokers planned to avoid harsh scrutiny was by avoiding certain types of data, which they called PII, or Personally Identifiable Information - factors like your name, address, social security card, credit number, and so on. The idea was that to advertisers, you were anonymous and faceless, unable to be identified without those key factors. But they were still tracking the websites you visited, the pages you'd interacted with, the purchase you'd made, and when you combine those with your zip code, IP address, age, and gender, it turns out you can get pretty close to identifying a single person.


And that's exactly what the Wall Street Journal pointed out in their 2010 article, "The Web's New Gold Mine: Your Secrets," the first in a series of articles about cookies, data, and online privacy. Their investigation showed how the internet's top sites were hosting thousands of data trackers and companies like BlueKai and Lotame were tracking and segmenting those visitors. The series marked a turning point in public perception around digital advertising, bringing it to the forefront at a time when data collection was in its infancy.


I'll admit to a bit of cynicism on my part with regard to the article series: It's an important series in the history of data privacy, making the issue visible to a large audience who were previously unaware of what data was being collected and how. But it also came at a time when the Wall Street Journal was moving to a paywall for all of its digital content, leaving ads behind. And what better way to make a case for a paid experience than by showing the evils of an ad-supported one? Few publishers are capable of making the jump to a premium/paywalled model, particularly since the internet was built on a foundation of ad-supported content. Conditions for consumers have improved substantially in ways that I'm thankful for, but monetizing content online has remained an absolutely dismal experience and digital publishers continue to shut down left and right as they're unable to generate sustainable revenue.


Regardless of the intent, the effects of the series were pretty immediate, and many continue to this day. The largest was the removal of targeting data for P13-17. This was previously considered to be OK with regard to COPPA but following the WSJ piece BlueKai and other advertisers removed those segments, and since then only P18+ target is available. Likewise, advertisers buttoned up practices around targeting sensitive information online such as medical conditions and disorders. And brokers like BlueKai and Google made preferences managers available to the public, so anyone could see what data was being collected on them and opt out of being tracked for advertising purposes. The AdChoices program was launched later that year by the Digital Advertising Alliance, adding an opt-out button to ads internet-wide.



Photo Credit: Tim Samuel


The Rise of Cookieless Spaces and Content Blocking

As this was going on, another massive change was taking place - the mass adoption of smart phones. While smart phone penetration was only 27% in 2010, that would increase to 81% in 2016, and for many Americans, smart phones would become their primary means of interacting with online content. Apple and Google were at the forefront of this, with Android rapidly gaining ground on iOS (and eventually surpassing it globally). But while these devices were rapidly becoming the way people used the internet, they weren't subject to the same tracking as desktop and laptop computers.


While cookies did exist on mobile devices, they weren't nearly as effective - at best, they could only be applied in browsers, making them useful for tracking people on the mobile web, but had no reach into apps. Additionally, mobile browsers would reset cookies when they were closed or when the device was restarted. And on top of all that, a phone is a separate browser and device from a PC, so would appear to be a completely separate person with regard to data collection and tracking, with different cookies and device IDs.


So advertisers looked for ways to replace cookies on mobile devices, looking at things like Device IDs and trying to determine how to link devices within a household or for a person, creating the first cross-device maps.


By 2014 the digital landscape had shifted dramatically and the need for ad networks was nearing its end. Large publishers like Facebook (who had held its IPO two years earlier) were taking the reigns back on their advertising, building their own platforms and kicking out third parties. Likewise Apple had begun to think about their own advertising ecosystem, leveraging their own data and devices to build an ad platform, and began to roll out a series of changes which would add privacy controls to iOS devices and Safari browsers, reducing the impact of third-party cookies. In September 2015, they rolled out Content Blockers in iOS 9, allowing consumers to block ads and tracking scripts. They followed this up with Intelligent Tracking Prevention in 2017, blocking third-party cookies by default in the Safari desktop and mobile browsers.


This was a pretty big headache for ad tech companies, who had to scramble to figure out how to target consumers effectively on the phones owned by more than half of Americans, but an even bigger headache for Google - Apple was more than happy to take the mantle of Privacy Champion in the consumer mindset. The iPhone and its related devices were already marketed as luxury products; this new development allowed them to position Android phones as lower-end devices where you sold your privacy away to Google in exchange for a cheaper iPhone facsimile. By attacking Google, Apple got to have their cake and eat it too - they gained market share and brand equity while digging a massive moat around their own budding advertising ecosystem, one in which they controlled all the data.


Indeed, Microsoft and Apple realized early on that privacy was Google's Kryptonite, and both companies launched sustained attacks along those lines. While Apple was hitting them on browsers and phones, Microsoft was coming after them on email, accusing the company of scanning and monitoring Gmail messages to deliver targeted ads, a process which led to a lawsuit and Google ending their personalization of Gmail ads in 2017.


After years of sustained attacks and a sharp increase in privacy legislation worldwide, Google would announce in January 2020 that it was going to phase out support for third-party cookies in its Chrome web browser. As the fundamental backbone of digital advertising - Google owns not only the most popular web browser (Chrome), but also the second most popular email client (Gmail), the largest video site (YouTube), and the dominant ad server (Doubleclick) - they stood to benefit more than anyone from maintaining the status quo re: Cookies. So in early 2020 they shocked the world and put a ticking timer on the lifespan of cookies and the state of ad tech as we knew it. But we'll talk more about that next time.


Next Time: Privacy Legislation and Cookie Deprecation

Speaking of which, we'll also cover Privacy Legislation, and privacy concerns in the EU and US led to the creation of GDPR and CCPA, and how they protect (and don't protect) consumers. We'll also finally talk about Google's decision to deprecate third-party cookies, and what it would have meant. See you next week.



Kommentare


bottom of page