Third Party Cookies Replacement II

MediaTracking

Julià Pujol

April 10, 2021
Cabecera
Targeting is fundamental. It has changed the way marketing is understood. It has shifted marketing from mass broadcast advertising to a more smart focused Ad exposure.

This is the second part of the post about the phase out support for third party cookies in Chrome. In the first part we went over the reasons that lead web browser platforms to take a more user-privacy approach; we also touched base on how Ad Conversion Measurement will work in a post cookie world.

In this second part we are going to focus on how Ad Targeting will operate (with today’s available information) after third party cookies will no longer be available.

2. Ad Targeting

We all know what targeting means in digital, but just for those that don’t, simply put, targeting is the feature that allows us, the marketers, show Ads to specific groups of users sharing similar characteristics (gender, age range, location…), preferences (food lover, tech freak, sports fan...) and/or behaviour (visited more than 3 pages in the advertiser’s site, almost bought a product in our e-commerce store…).

Targeting is fundamental. It has changed the way marketing is understood. It has shifted marketing from mass broadcast advertising to a more smart focused Ad exposure. I don’t even think we can imagine digital advertising without targeting; that's why it plays a very fundamental role in Chrome’s Privacy Sandbox project.

To target an Ad we need the user characteristics/preference/behaviour (from now on, the "data") and this data should come from somewhere. It’s very important, in terms of privacy, to distinguish between first and third party data.

First party data is the one that an Advertiser (a company that pays for advertising - i.e https://glasses-store.example/) collects and stores from users that are visiting their website, for example what glasses color do they like, what range prices they can afford or even PII data bits such as the email or the telephone number. This data, as long as properly informed and accepted by the user, belongs to the Advertiser and it can be used for advertising purposes - again, as long as properly informed and accepted by the user.

Third party data is the one that doesn’t belong to the Advertiser (for example, it could belong to https://glasses-blog.example/) but that the Advertiser is willing to use to enrich his knowledge about their own users or to target his own users based on this new data or just to find new users that like glasses and expand its targeted advertising reach. If the data seller properly informed the user that his data could be used for advertising purposes, the data can rightfully be shared/sold.

Both data types are legitimate, glasses-store.example wants to sell as many glasses as possible and for that it uses its own user’s data and it also buys data from glasses-blog.example to reach more potential glasses buyers. So, why to change the system? what’s the problem?

Usually neither glasses-store.example nor glasses-blog.example have their own custom made technology to collect or transact with data nor to serve Ads, they use a middleware technology provider aka the AdTech platform (i.e https://adtech.example/). There are many types of digital platforms - it’s not my intention to go in depth about their uses and differences but, what it’s important to grasp is that normally they do collect and store all the data, first and third party.

A handful of AdTech platforms are being used by almost all websites that either sell or buy advertising and by a lot more that use those to gain extra functionalities in their websites. Those companies owning the AdTech platforms, thanks to third party cookies, have been absorbing data attributed to unique Ids (so to users) from everywhere.

The fact that these platforms are massively used from a lot of websites, provides to them data at scale to a point where some can even track (almost) the full user's browsing history. Let's think about that for a moment, would you, for example, allow me, a stranger, to have full access to your last year browsing history? I don't think so.

Privacy Sandbox Ad Targeting proposal aims to change that by making the digital advertising ecosystem more sostenible and privacy focused so all involved parties get their benefits, even the users.

2.1 Contextual and First party data targeting

There are some types of targeting that are not going to be affected by the third party cookies phase out, those are Contextual and First party data targeting.

Contextual advertising is a form of targeted advertising that takes words and contents of websites as a decisioning factor to either show or not an Ad or a set of Ads - i.e if a blog post talks about football, an AdTech platform offering contextual capabilities can infer the post's topic by reading the most repeated words on the post and then show a football related Ad. This kind of advertising does not violate the user’s privacy as it does not use any user’s data. Ads are shown "per web-basis".

First party data advertising, like contextual, it is also a form of targeted advertising. The difference here is that it uses user’s data as a decisioning factor to either show or not an Ad or a set of Ads. An example here would be when an advertiser uploads hashed telephone numbers or email addresses legally collected from its own website (or other channels) to, for example, Facebook or Google Ads platforms to find these (or similar) users inside those websites (technically also in apps but let’s simplify). Realize that there is no privacy concern here, the user willingly provided to the advertiser an email address or telephone number (advertiser should inform the user that his data may be used for advertising purposes) and the advertiser uses it to show ads to him.

2.2 Interest based targeting

Interest based targeting pretends to replace what today we understand as Audience targeting, intimately related to the usage and trading of third party user's data to target Ads while third party cookies are still allowed in some browsers.

Today, with browsers where third party cookies are still available, AdTech platforms do collect all the user’s data and decide "per user-basis" which Ads to show based on the advertiser’s setting in the platform. 

This "per user-basis" Ad exposure is possible thanks to a series of code snippets living on both advertisers (sites that pay to advertise their products) and publishers (sites that sell Ad spaces) by reading unique ids stored into third party cookies that can be read across different sites. 

As explained, this results in huge amounts of data (bound to unique identifiers) being collected from AdTech platforms, giving to them the full track of a user browsing history, among other things. So, how will Chrome avoid that while preserving the ecosystem?

First, as already announced, it will get rid of the third party cookies that hold unique identifiers (users) so no longer any party can get full visibility of a user’s browsing history. Second, it will limit the amount of data an AdTech platform can collect so no longer can those store (and make use of) "extra" data that doesn’t belong to them.

How to do that? Like with Ad Measurement, by storing and processing all the data into the user’s browser and just disclosing those pieces that are strictly needed for AdTech platforms to perform the targeting. Those required bits of data are nothing but the "interests" we want to target on, branded as FLoCs (cohorts).

(this photo is taken from a Google’s post where Interest based targeting is very well explained. I really recommend you to read it)

The browser by default, thanks to an algorithm called SimHash, will automatically categorize the user into a FLoC based on its most recent browsing history (i.e #1101) so there will be as many FLoCs/cohorts as similar browsing histories may be across all users using Chrome (Google says about thousands). Those can also change in time as new browsing patterns emerge and users can jump from one cohort group to another if their interest changes, although a user can only be in one and only one cohort at a time. Chrome 89 with flags already supports this API so you can check what cohort are you in here.

Realize that with these changes, users instead of being identified by an AdTech cookie Id which compromises privacy, they will be grouped and identified together by cohorts Ids based on similar browsing histories. We have moved from "per user-basis" to "per group-basis".

Being clear on the FLoCs/cohorts functionality, it’s very easy to comprehend how interest targeting will work:

(this photo is taken from a Google’s post where Interest based targeting is very well explained. I really recommend you to read it)

1) An Advertiser, in this case a shoe store, gets users (visitors). The first thing the site does when loaded is to request the cohort id to the browser. As different users navigate through the shoe store and visit different shoe sections, add products to the cart or purchase some products, signals (think of signals like kind of conversion pixels) about these actions along with the cohort id that the users are in is stored in the site.

When enough data from a cohort is aggregated, the site sends some data to those AdTech platforms selected by the advertiser. For example, if a bunch of users from #4569 cohort are interested in soccer shoes, the AdTech platform will receive #4569 and "soccer shoes".

2) A Publisher, in this case an online newspaper, is also sharing aggregated data with all the AdTech platforms that works with. For example, if a bunch of users from #4569 cohort are visiting the FC Barcelona football section, the AdTech platform will receive #4569 and "FC Barcelona".

3) At this point, the AdTech platform, instead of having all browsing data associated to unique identifiers over whom it gets control, it just has a cohort identifier (representing a group of users) defined by the user's browser and certain interests associated to it: #4569 => "soccer shoes" & "FC Barcelona"; nothing else.

4) If another or the same user belonging to the #4569 cohort vistes a publisher that serves ads through the AdTech platform that has been collecting the interests and the same one where the Advertiser is bidding on, it can then show a FC Barcelona soccer shoes Ad on the Publisher's site.

Notice how, under this system, although AdTech platforms keep being the glue that join the pieces together and still being very much the key actor holding the ecosystem's economy and maintain the aggregated user's (now, cohort or group of users) knowledge, they will view their power reduced as less data is being fed to them.

2.3 Remarketing

Remarketing is also a form of targeted advertising that targets users that have previously visited an advertiser’s website. As an example and following the previous section example, if there are a bunch of user’s that added some shoes to the cart but eventually didn’t make a purchase, the idea is to show them Ads to try getting the sell.

The differences between Remarketing and Interest base are basically two: first, in Remarketing a user has to visit the advertiser’s site before a targeted Ad is shown to him whereas in Interest based this isn’t necessarily the case. Second, in Remarketing, the audiences (cohorts or, group of users) will normally be created by the advertiser or the advertiser’s agency through an AdTech platform whereas in Interest based the audiences (cohorts or FLoCs) are given by the browser.

Remarketing is maybe the most unready proposal of all the media tools/APIs proposed in the Privacy Sandbox toolset as Google seeks the agreement and opinions from very important AdTech companies such as Criteo, RTB House or NextRoll - this takes time.

All the documentation from the progress made so far can be found here. The explanation is a bit too technical so let’s try to outline how it’s planned to work from a pure media perspective.

1 & 2) The most important thing here, as explained, is that either advertisers, publishers or AdTech platforms will be able to create a Remarketing group that the browser will store, much like it stores FLoCs in the Interest targeting type. Whoever party creates that group, will have ownership over it.

3) Once an interest group is created (i.e #8976) and enough users are in it (around 100 users), a user belonging to the group visits a publisher and automatically starts an auction run by the browser. It’s important to understand that today’s auction process is run from server-side, the switch to the client-side, the browser, is an important step to ensure that user’s data stays in the browser.

You may wonder how an auction process could be executed in the browser. To understand this it’s important to know that, at a time an interest group is created, its owner sends some information to the browser:

const myGroup = {
  'owner': 'www.example-dsp.com',
  'name': 'womens-running-shoes',
   ...
  'ads': [shoes_ad1, shoes_ad2, shoes_ad3],
};
navigator.joinAdInterestGroup(myGroup, 30 * kSecsPerDay);

You don’t need to understand javascript, just acknowledge that the browser, at the interest group creation time gets, among other things, the group’s owner and the Ads eligible to be rendered. Groups by default last 30 days, although this can be extended.

Getting back to the auction process, once a user belonging to different interest groups visits a publisher site, the site decides which groups are eligible to participate in the auction and scores them based on the site’s (publisher) own logic. The winning group picks an Ad from the ones it already sent to the browser and the Ad gets published.

This is a very simplified explanation but I hope it gives you some sense of how the future Remarketing in a post cookie era will look like.

Summary

Replacing third part cookies is a disruptive change to the web ecosystem and to the digital media industry. As with any change, it is key to get ahead of your competitors and understand what technologies should you relay on.

Privacy Sandbox isn't the only alternative to third party cookies, but surely it's the only one backed up by the browser that holds nearly the 60% of worldwide web traffic. Do not bet into options that haven't a real tech muscle to really make an impactful and sustainable change to the industry.

Posts that might be of your interest