As the digital ecosystem continues to evolve, the avenues that exist to look how advertising is bought, targeted & measured is under increasing scrutiny from both data regulation alongside privacy first needs of consumers. Technology often plays a role in how both digital & non-digital marketing is looked at, which may ultimately come back to looking at user level touchpoints / experiences.

But as there is increasingly a move towards a more aggregated approach, certain technologies & vendors are attempting to find workarounds to try where possible to continue supporting the user level that everyone is very much used to.

This blog will focus on the different forms of identifiers that play a role in the ecosystem & what the long term view may end up being for them.

3rd Party Cookies

The 3rd party cookie has been a fundamental part of the digital ecosystem ever since PPC & Programmatic gained popularity on web browsers. It has been exploited to do many things such as cookie syncing for targeting / frequency purposes, multi-touch attribution & forms of identity stitching.

However with all browsers now starting to restrict / block these from functioning, which will come to a conclusion once Google completely deprecate this in Chrome in mid-2023, many of these key use cases will have to migrate to an approach that may work on different identifiers or not at all.

Advertisers / Brands who are continuing to invest in heavy 3rd party cookie led strategies, which does also include everyone’s favourite strategy in pixel based retargeting, are going to lose out big time. No doubt this impacts Programmatic at the most extreme level but it is also the most agile channel to evolve. And this is not to say the cornerstones of paid media in Search & Social are not also impacted, especially when we think about measurement.

Nevertheless, it is important to plan / target / measure without reliance of 3rd party cookies on any web based activity & keeping an eye on the newer solutions, some of which depend on other identifiers below.

CURRENT RISK: HIGH

LONG TERM RISK : HIGH

1st Party Cookies

The 1st party cookie unlike the 3rd party cookie, is a cornerstone to how web browsers work in terms of certain functionality it brings from a non-marketing perspective. But as all technologies evolve, the 1st party cookie has become a bigger piece of the jigsaw when looking at digital advertising.

Pretty much every vendor has attempted to shift their technologies from setting 3rd party cookies to 1st party cookies, by leveraging the advertiser’s domain & using concepts such as CNAME cloaking. Alongside this, the “art” of link decoration i.e. from simplistic URL parameters from the likes of Google Analytics UTMs to the more sophisticated click id’s, are part of pretty much every savvy solution.

There are quite interesting occurrences when you look at special use cases such as leveraging CM360 as an adserver on Facebook Ads, where both Google & Meta attempt to set a click ID, which sometimes can break unless you structure it properly. And if it breaks, your chances of tracking via a 1st party cookie diminish.

But if you think 1st party cookies are safe when it comes to future restrictions, think again. Apple have made it clear that they will tackle any 1st party cookie workaround on Safari through the latest version of ITP & I can see this more widely adopted. Whether Google Chrome would go that far remains to be seen but again it is worth stipulating that a 1st party cookie strategy is also limited, even without considering the core limitation of how 1st party cookies worth outside of the 1st party “domain”.

CURRENT RISK: LOW

LONG TERM RISK: MEDIUM

IDFA

Moving into the mobile app world, identifiers specifically for advertising purposes have always remained a lot more persistent than that of the web cookie based world. Within the iOS world, Apple’s IDFA was the commonly utilised identifier with the IDFV existing also from a publisher perspective.

That all changed however in 2021 with the introduction of iOS14.5 & Apple’s ATT framework, which introduced the concept of consent to being able to get this data to use between multiple 3rd parties and ultimately for mobile app advertising purposes.

Whilst the IDFA remains important on iOS devices, consent rates are a key variable that differs between verticals / markets. This increases when you introduce other important variables such as gaining consent from a media platform perspective (Meta / Snapchat / TikTok etc) vs advertiser / publisher.

Apple has introduced other solutions around identity in a more privacy first approach such as their SKAdNetwork, but there are some core limitations vs the traditional IDFA approach as well as the fact that this doesn’t align to how Apple’s sole media platform (Apple Search Ads) works which has its own rules. Having big lists of IDFAs are still useful but consent is key in today’s privacy first world

CURRENT RISK: HIGH

LONG TERM RISK: HIGH

AAID

Conversely on the Google Android side of the Mobile App world, the Android Advertising ID (AAID) has remained relatively untouched up until the back end of 2021. Whilst Google are not planning to go all out in copying what Apple introduced with ATT on IDFA’s, their intended approach is not so far off & will have consequences for the other slice of the app ecosystem.

As communicated in the Google Play support guide, when an user opts out of personalised ads, the AAID will be replaced by a string of zeros. The full implementation of this into the wider Google Play ecosystem will happen by April 2022.

This will ultimately put the Mobile App ecosystem into some form of parity where consent plays a role in what identifiers can be passed onto advertisers / vendors. The question then opens up as to what the approach will be where consent is not granted. It is quite likely Google will adopt a similar API led approach that Apple introduced with the SKAdNetwork & particular postbacks, with some level of interaction to the ongoing state of its Conversion API product which is part of the Privacy Sandbox for web.

CURRENT RISK: LOW

LONG TERM RISK: MEDIUM

IP Address

Now that we have covered the base identifiers used in the web & app world, attention turns to other variables which are often leveraged to make assumptions around user level identities. The most commonly used variable could be argued to be the IP Address.

IP Addresses have been important in digital advertising for a long time, with some core use cases such as being able to excluded offices from blurring analytics data, a key part of most location based targeting methodology & to also being one of the key currencies of measurement for the Connected TV world. Certain DSPs also offer the ability to target on an IP address level.

But it can also be used in a probabilistic manner to make assumptions, which leads into the forbidden world of fingerprinting, a term coined to used characteristics (such as IP address) to triangulate to an individual. In fact right now, the large majority of so called “cookieless” solutions are using IP Address as a key part of this solution.

Is this safe? Absolutely not, especially when you start to bring in data regulation into it. The likes of GDPR are pretty clear on how it treats IP Address, it is personal data and therefore cannot be used without implicit consent from the end user. In the programmatic world, IP is at the heart of pretty much any bid request and not all SSPs strip out the last octet of an IP Address for privacy needs, though unless you have access to the logs or have your own bidder, the normal user won’t have access to it.

But you can already see where IP addresses can be leveraged to do things in a similar way to what the 3rd party cookie ended up doing. Which is why the likes of Apple & Google are already reacting to reduce how IP flows into the ecosystem. Those core use cases stated above will increasingly become harder to do if for example something as critical as location targeting becomes inaccurate.

CURRENT RISK: MEDIUM

LONG TERM RISK: HIGH

User Agent

In a similar theme to IP Address, User Agent strings are a key component of a lot of adtech, from the likes of how vendors attempt to determine different browsers / operating systems to also be a variable of interest to look at for ad verification needs.

But much like IP Address, User Agents can be used as a way to do fingerprinting given the very powerful information it can track on an individual’s browser at any given time.

And interestingly enough, Google are on a warpath here to eradicate the traditional application of user agents from Chrome, in a multi year plan that will ultimately sunset it as per their origin trials. This is still quite a long way away and may align with the 3rd party cookie deprecation timelines, but is another sign that any workaround / fingerprinting on web browsers in strictly against where the web is going.

CURRENT RISK: LOW

LONG TERM RISK: HIGH

Hashed PII

I’ll leave speaking about some of the more interesting identifier / cookieless solutions for another time, but one that is important & does play some form of role is hashed PII.

First party data from an advertiser has never been so important to collect in a privacy first, consented manner. This will play a big role in marketing strategy & analytics going forwards, which puts larger brands & certain verticals at an advantage to make use of it.

What to do with it is the next question. Hashing PII is commonly used to send to data onboarders like LiveRamp to cross-stitch a form of identity graph across the ecosystem. And also is becoming a key “join” when we look at solutions such as server side tagging & evolving matching on media platforms.

The non-hashed versions also have a role to play, with the likes of Google Customer Match & Social Media equivalents existing. These processes can be automated and move away from the cookie-syncing approach of old, though not without limitations especially in the programmatic world. Data clean rooms also work on the assumption of PII to match against in data bunkers without moving anywhere.

Will Hashed PII and cookieless solutions powered by it ever solve all marketing use cases however? Fundamentally no is my thoughts, especially in markets where data regulation is heavier. This will also ever represent a proportion of users who are logged in & happy to share information. The anonymous user is an area the 3rd party cookie made success in but is much harder to do when no PII exists against it..

CURRENT RISK: LOW

LONG TERM RISK: MEDIUM

CLOSING THOUGHTS

Identity has always been key to marketing, both from a paid and non-paid media perspective. Understanding how your website users browse your website, interact with your mobile app & impact of paid media campaign ultimately filters back to identity.

As the ecosystem migrates away from the legacy approach of cookie / device id identifiers, the new world will not necessarily be the same. This shouldn’t mean that data becomes less powerful, but it is also important to not necessarily expect the same level of user level insight that has become common currency.

Predictive modelling & machine learning will be tasked with closing the gaps where appropriate, especially for media attribution & targeting. And what is quite easy to see is that any technology that attempts to circumvent from a privacy / regulatory perspective when it comes to identifiers, is looking at short term success, especially if Apple have their way. Even things you may think may stand the test of time e.g. UTM parameters are not immune to all of these ecosystem changes. But keeping on top of it should be high on the agenda for any marketer, especially as add in the eventual emergence of Web 3.0 & the Metaverse buzz.

All views are of myself and not of my employer