🔒 How web privacy changes and tracking prevention are shaping the future of web advertising – with Allison Schiff, Senior Editor at AdExchanger 🌐

Our guest today is Allison Schiff, senior editor at AdExchanger. Allison writes about mobile, Facebook, cross-device measurement, and the app economy, with an increasing focus on privacy and its regulation.

We’ve covered the upcoming iOS 14 privacy changes that are impacting primarily the app economy in a lot of detail in other episodes. Today, we’re going to talk about very similar privacy trends in the web space, which have happened in a manner that’s very comparable to what’s happening on the apps front; except that some of the changes on the web far precede what’s happening with the iOS 14.

In today’s conversation. Alison dissects how privacy has evolved in the web space, what the key browsers are implementing, how that impacts businesses—and web businesses—the world over, and more importantly, what to expect in the near future. For a great contextualization of what’s happening across the digital space, both in apps as well as on the web, this is a great episode to know and understand exactly what’s going on.

KEY HIGHLIGHTS

💰 Why Chrome raked up because of changes in Safari

⏳ A history of privacy on browsers

✋ Safari’s Intelligent Tracking Prevention vs. Firefox’s Enhanced Tracking Prevention

🎠 Companies tried to workaround ITP and failed

⏰ Mozilla’s privacy changes predate Apple’s

🍪 The difference between a first, second and third party cookie

📍 First party cookies are also tracking cookies

👾 Breaking down the Facebook pixel

⛔ How blocked cookies affect advertizing

⚔️ The end of cross-site tracking

🤑 The effect of personalized advertising changes on publisher revenue

🥠 The rise of cookie-less solutions

🤦 Ad tech is being shaken up

🤖 Unified ID 2.0 by Trade Desk

💣 There’s going to be an effect on programmatic

🧲 Advertisers will switch to Facebook and Google in the short term

⚡ Contextual will get more attention

🗞️ Why media companies are generating user value

🦸 Big publishers may save the day

💸 Smaller publishers are in for a rough ride

🆔 2021: The year of identity

KEY QUOTES

Apple’s Intelligent Tracking Prevention

Apple started rolling it out in 2017, as part of WebKit. And the aim is to prevent cross-site tracking by putting limits on how first party cookies function. So Apple uses machine learning algorithms to section off any first party cookies that have tracking capabilities, and puts a timer on how long they’re viable.

The original version of ITP made it so that a site only tracks a user for 24 hours after a visit. If that person didn’t visit again, for 30 days, they’d get purged. Then companies tried to get around that by doing funky redirects. And then Apple got hip to that, so they got rid of the 24-hour grace period for tracking and measurement. And then Facebook came out with a workaround, which was a first party cookie option for its tracking pixel. So then ITP 2.1, started to require consent to drop cookies, etc, etc, all the way up to March of this year when Apple pretty definitively came out and just said, “We’re going to crack down on any attempt to work around ITP.”

The difference between ITP and ETP

Unlike ITP—because they use machine learning to detect tracking cookies—Firefox uses a list of known trackers to block scripts by default. And that’s everything from cross-site tracking cookies to the cryptominers.

What are second party cookies?

Second party cookies, like second party data, they’re just transferred from one company to another through some sort of data partnership.

Privacy isn’t at the cost of UX

There really aren’t workarounds. There’s nothing you can do to get around the intention of something like an ITP. But I believe that there are some carve outs in Safari where they will allow someone to remain in the logged in state when there’s consent. Stuff like that, where the user experience doesn’t have to be affected just because of all of this stuff going on in the background like tracking cookies.

What happened when Safari implemented ITP

It would only go to reason that, when personalised advertising doesn’t work as well in certain environments, that revenue is going to go down. But I don’t think there was a massive dip in revenue for publishers after Safari really got started with ITP. Because the browser share is so small. I mean, you could argue it should have been writing on the wall, and I do think that some publishers started to think about their first party data strategies as that started to happen. But a lot of other publishers just sort of shrugged their shoulders, and put their head in the sand.

A mad scramble for alternatives

With ad tech vendors, everyone and their mother is coming out with some sort of cookieless solution. My inbox is absolutely jammed with pitches about cookieless solutions from everybody.

Privacy changes and programmatic

I do think programmatic advertising is going to be really affected. The programmatic ecosystem is really reliant on cookies, especially third party cookies, for everything from personalization, audience creation, targeting, retargeting, measurement and analytics. And so they really do need to find some sort of alternate way to target ads and personalised campaigns, but on the open web.

The disconnect between publishers and their audience

Middlemen, ad tech vendors just stepped in and sold the promise of programmatic, and then made the supply chain into the muddy mess that it is today. And so publisher sites are stuffed with third party tags, and some publishers don’t even know which tags are on their site. Data is leaking everywhere.

When third party data goes away, first party data will rise in value. And so some publishers have a head start. Like I was saying, they started to develop their first party data assets when Safari started making its moves back in 2017.

2021: The year of identity

You know how everyone was constantly talking about the year of mobile, till you want it to just bash your head into a wall? I think we might be entering a year of identity. But I think that 2021 actually is and has to be, because there is the deadline of 2022 that Google has set for deprecating third party cookies in Chrome.

FULL TRANSCRIPT BELOW

Shamanth: I’m very excited to welcome Allison Schiff to the Mobile User Acquisition Show. Allison, so thrilled to have you today.

Allison: Thanks for inviting me.

Shamanth: Yeah, I’m thrilled to have you just because I think every time we’ve spoken, you’ve had such an insightful point of view on how a lot of digital is evolving, how a lot of digital is changing—and you always ask very good questions. So in some ways, this is sort of reversing the tables from our earlier interactions, and I’m thrilled for this.

Allison: Yeah, it’s always a little uncomfortable to be asked the questions. I’ve been a guest on just a very small handful of podcasts. And I have more compassion now for the people who have to answer—being the one who is answering—which you don’t really have as the interviewer. But it’s humbling.

Shamanth: Yeah, I try not to be too difficult. So we’re going to talk about how privacy changes on the web are evolving. Because certainly on the podcast, we’ve talked earlier about a lot of privacy changes that are happening on mobile apps. But much before the changes with apps, the changes on the web have been happening—very substantial changes too.

A good place to start would be to look at where a lot of this began. And it’s my understanding that Safari and Firefox have been at the forefront of driving a lot of the privacy changes. So why do you think this has been the case? Why do you think they found it important to drive this?

Allison: A cynical take might be that Apple and Mozilla don’t make all that much money from web advertising, as opposed to Chrome—which is about to make, in about a year’s time, a really big change to how third party cookies are treated by the browser.

But less cynically, both Safari and Firefox have made privacy a priority for a long time. They’re not Johnny-come-latelys on that front; they’ve been really focused on privacy and security for years. And Intelligent Tracking Prevention on Safari in particular; that’s been a big deal. And there have been a lot of iterations. I think we’ll get into some of the details. But even though those were big changes, and Firefox also made changes of its own, I think Google’s planned phase-out of third party cookies; that is really going to shake things up. That’s the case because a lot of money that had been going to Safari flowed into Chrome, and now that Chrome isn’t as comfy of a spot, there’s the big question about what’s going to happen to its ad revenue.

Shamanth: I think these are very substantial changes. And I would love to dig into a lot of these aspects as we go on. To start with, what are the specific privacy changes that Firefox and Safari have been driving? Can you dig in a little bit deeper and explain exactly what these changes are?

Allison: Yeah, Safari and Firefox both block third party cookies by default. But their approaches are a little bit different in terms of how they implement their anti-tracking technologies.

Safari’s anti-tracking approach is called Intelligent Tracking Prevention, like we just mentioned, and Firefox, their version is called Enhanced Tracking Prevention—so ITP and ETP.

There have been tons of iterations of ITP over the last few years. But in a nutshell,

Just to take a quick detour into the sort of game of cat-and-mouse that was for a while—at AdExchanger we covered a lot of this.

On Enhanced Tracking Protection from Firefox—a lot of people refer to it as Firefox’s version of ITP but it actually predates ITP, because Firefox started working on it in 2015. And I think it’s mostly focused on third party cookie tracking, unlike ITP. And then also

unlike ITP—because they use machine learning to detect tracking cookies—Firefox uses a list of known trackers to block scripts by default. And that’s everything from cross-site tracking cookies to the cryptominers.

Shamanth: Sure, and to ask a potentially noob question, what’s the first party cookie? And what’s a third party cookie? And is there such a thing as a second party cookie?

Allison: The simplest definition of a first party cookie is that it’s created by the actual website that somebody is visiting. And it can be used to personalise the experience on a site and remember someone’s logged in state. So it’s set by the publisher’s web server.

The third party cookie is created and set by a website other than the one that you’re on, like a Facebook Like button or DoubleClick; those are our two classic examples.

That might seem relatively black and white, but there is a nuance to point out there—which I referred to before—which is companies trying to do some funky stuff and get around some of the restrictions that the browsers are putting in place. Like redirects that you send somebody really quickly to a page or domain owned by the tracker, so that you can recharacterize a third party cookie as a first party cookie.

There’s also one other point I would make about first party cookies. They are tracking cookies; they’re just limited to the domain they were dropped on. And sometimes the way people talk about first party cookies, it’s like they aren’t also trackers. But they are. First party cookies are generally considered to be less problematic than third party cookies, but you can still use them for defining audiences, you can use them for targeting. And Safari has actually really cracked down on their use with ITP.

Lastly, about second party cookies. So basically,

second party cookies, like second party data, they’re just transferred from one company to another through some sort of data partnership.

Like a brand selling its first party cookies along with bits of data, like email addresses, or whatever to some other brand through a set partnership for ad targeting or maybe some other purpose.

Shamanth: Gotcha. No, that makes sense. So just so I understand, what you are saying, “Look, first party cookie is something that’s set by the website.” So let’s just say the Facebook pixel is an example of a first party cookie set by Facebook to track users who are on Facebook. But this also tracks the user around the web.

Allison: The challenge with something like the Facebook pixel is that it actually is a third party cookie—because through things like the Like buttons and other functions and widgets that appear on pages—that gets dropped. And then there’s data sharing through all of those different connections.

Shamanth: Understood. So because a user is tracked across multiple websites, by different Facebook pixels, and Facebook aggregates 20 different pixels across 20 different sites, it is really a third party cookie. Is that an accurate understanding?

Allison: Yeah, that’s the way I understand it. If you like something on a particular website that had the Facebook Like button embedded, and then nothing ever happened after that, I guess that would just be considered a first party relationship, although, honestly, I don’t really know exactly how it works, considering Facebook, which is a separate entity is understanding what someone is doing on some other website. It’s tracking that Like and then it goes on from there.

Shamanth: Yeah. And since you mentioned on Firefox and Safari, there’s already been a crackdown, a lot of third party cookies are just completely disabled at this point of time. What happens if you are accessing Facebook ads? Do you just see completely non-personalised ads on Safari and Mozilla?

Allison: I believe so. I think there’s been a lot more focus on things like contextual. And most of the targeting happens, at least for the moment, in Chrome. It’s not that you can’t do ad targeting in Safari, for example, but there are just limitations. And so you can’t do cross-site tracking. But you can do personalization on a specific domain when there’s consent, and there’s a first party cookie dropped, but it’s just far more limited by design.

Shamanth: Right. So on Chrome and Safari, the website would remember your login, your password and whatnot, because that’s a first party thing. But you may not necessarily see super targeted ads in a manner that you might see on Chrome.

Allison: Right. Although there is a challenge with the Facebook login—I actually don’t know exactly what the status is right now. But limits on third party cookies have had, like we were saying, its impact on social plugins: Facebook analytics, Facebook login. Safari will delete facebook.com cookies, if people don’t visit regularly. So you don’t hit up Facebook on, I guess, a daily basis, then you have to reauthenticate, if you want to use something like a Like button or other Facebook widgets like comments and sharing. So it does have a bit of an impact on the user experience, although I believe there are some fixes for that. Because I know it’s not Apple’s intention to mess with the user experience.

Shamanth: Right. So these fixes or workarounds: how effective are they? And what are some examples of some of the more prominent fixes?

Allison: So

there really aren’t workarounds. There’s nothing you can do to get around the intention of something like an ITP. But I believe that there are some carve outs in Safari where they will allow someone to remain in the logged in state when there’s consent. Stuff like that, where the user experience doesn’t have to be affected just because of all of this stuff going on in the background like tracking cookies.

User experience stuff is really top of mind, but anything that’s trying to circumvent the inherent intention of these anti-tracking technologies are sort of SOL.

Shamanth: Yeah. And how does all of this impact publishers? Let’s just say there is a small website that makes a lot of money through AdSense; how might they be impacted?

Allison: I will take a step back for a second, and look at the current state versus what might happen; with a backdrop of thinking about the browser market by market share. So you have Chrome, Safari and Firefox—the three biggest browsers. Chrome is the biggest by far. I think Chrome is, at least in the US, something like five times as penetrated as Firefox, and then like six or slightly more than six times as penetrated as Safari.

Web publisher revenue is heavily reliant on personalised advertising and so

it would only go to reason that, when personalised advertising doesn’t work as well in certain environments, that revenue is going to go down. But I don’t think there was a massive dip in revenue for publishers after Safari really got started with ITP. Because the browser share is so small. I mean, you could argue it should have been writing on the wall, and I do think that some publishers started to think about their first party data strategies as that started to happen. But a lot of other publishers just sort of shrugged their shoulders, and put their head in the sand.

Then focused more on Chrome, where they could still have the status quo, and Chrome absorbed a lot of that revenue. And the same goes for Firefox.

And so for now, at least, it’s my impression that revenues haven’t plummeted. But that Chrome’s decision to phase out third party cookies is this whole other thing, and that’s going to have a big impact. It’s why the whole ad tech industry is freaking out right now and casting around for cookieless solutions, working on alternatives, messing around with the W3C, trying to get people to share their email addresses, the unified ID 2.0.

So I do think there’ll be a notable dip in revenue when Chrome finally stops supporting third party cookies early next year, and CPMs will probably go down if there isn’t audience targeting outside of the walled gardens, at least. I caveat that with ‘for now’, because there is a year left. Solutions will crop up and all ad dollars can’t go to the walled gardens—not all of them. Especially if you want a fourth estate, if you want journalism, which I do.

Shamanth: Certainly. And of all the alternate solutions that you mentioned, are there any that you think are more likely to succeed than others?

Allison: Well, the consensus, when you talk to really anybody, is that there’s not going to be one solution that wins. It’s going to be some sort of hybrid thing. And so a lot of people are trying a lot of things. Then what we’ll net out with is a bunch of alternatives that don’t ladder up to a replacement for third party cookies, but just a new way to think about targeting online.

I do think the unified ID 2.0, which was initially spearheaded by The Trade Desk has a lot of legs. There’s a question, I think, about how smaller publishers will be able to participate because they have more reliance on advertising to support their revenue, and maybe less of a capability to get people to sign in and authenticate. But there’s a lot of momentum there. And so the fire has been lit under the collective butt of the industry. There have been efforts at consortiums before and they really fell apart. But now there’s an imperative to do it. So there’s that, and I think we’ll see some success with it. It’s really still coming together.

Another one that I think we might talk about in a bit is publishers trying to think more about how they get their first party data assets really working for them. So there’s that as well. And

with ad tech vendors, everyone and their mother is coming out with some sort of cookieless solution. My inbox is absolutely jammed with pitches about cookieless solutions from everybody.

Shamanth: What’s a cookieless solution?

Allison: Well, just some sort of alternative, often using context, to try and target people without relying on cookies. It’s funny; cookieless has almost started to become synonymous with identifier-free. I’ve talked to people and I say, “What do you mean by just cookieless?” Like, “Well, cookieless and also when MAIDs go away. And I’m like, “Well, they’re different things but okay.” I feel like people have started using cookieless as shorthand for everything from cookies to mobile advertising ID; every kind of identifier isn’t really clear.

Shamanth: Yeah, it’s somewhat of a catch-all phrasing. How have advertisers been impacted thus far? And how do you think that they will be impacted when Chrome goes down this path to?

Allison:

Publishers will have to focus more on their first party data assets, which they should have been doing all along. But advertisers, in the short term, will most likely spend more money with Facebook and Google, because those are places that they do know who they’re hitting. They have identity. So I don’t think the open web is in trouble, but it’s at a nexus, sort of like an inflection point.

Shamanth: Sure, and you think more dollars will go to Facebook and Google, even though Facebook and Google cannot track people around as they are doing today?

Allison: I mean, just because of the scale that they have.

Shamanth: And it’s still better than the open web, you’re saying?

Allison: There’s going to be a lot of contextual buys. I know the kind of reader who reads a cooking blog is XYZ type person; I know the kinds of people that consume tons of political news might also be other things; and they’re very clever. Contextual didn’t have a lot of investment for a long time, and there’s going to be a lot more and it’s going to get more sophisticated. I mean, you can read CNN and be a Facebook user. Facebook has billions of users, and they see a lot of activity. And they see the kind of content that people consume. They can see what news articles people are reading, and from where. People are starting to make purchases. Facebook, in particular, is getting really into commerce. And so I think a lot of advertisers will—at least in the shorter term, while alternatives are still being spun up—they’ll just retreat to that safety.

Shamanth: Yeah, where you at least have the scale of Facebook and Google’s user base to seek.

Something else you touched on was first party data. And you also said you will start to target users who visit cooking blogs or users who read, let’s just say, Wall Street Journal, for example. What does first party data mean in all of this context? And how do you see that being used going forward?

Allison: Just as one other point about, say, like a cooking blog, or a sports blog, or something. I do think those kinds of publishers are pretty challenged. I mean, you do know what the context is, but they’re very reliant on targeted advertising, and then also hitting up those same users elsewhere. So I do think even though they have very clear context, they’re also pretty challenged.

A lot of web publishers in general, from small to large, they just feel over the years they’ve been disintermediated from their audiences, because they are the ones with the first party relationship. And then

middlemen, ad tech vendors just stepped in and sold the promise of programmatic, and then made the supply chain into the muddy mess that it is today. And so publisher sites are stuffed with third party tags, and some publishers don’t even know which tags are on their site. Data is leaking everywhere.

But media companies realise that they are the conduit to user identity. They’re making the content; they’re generating the ‘value’ in value exchange. And so they feel a little powerful about it right now. And

when third party data goes away, first party data will rise in value. And so some publishers have a head start. Like I was saying, they started to develop their first party data assets when Safari started making its moves back in 2017.

Making moves can mean a lot of things in practice. Some publishers are talking about sign-on alliances, so are some ad tech companies, like Trade Desk, like we said with the unified ID 2.0. Some publishers are involved in that initiative, like the Washington Post, and a lot of publishers that they have through their network, which is called Zeus.

That would be a way to scale first party data assets. Because it’s a little bit challenging. Even if you’re the New York Times, you only have a few million visitors—it’s many millions as opposed to hundreds and hundreds of millions. So that’s why some publishers are thinking about what it might mean to form second party data relationships based on their first party data relationships. You’ve seen a lot of publishers make moves like News Corp has an identity graph of its own. Vox Media has its own first party data platform since I think 2019. Meredith has in house audience insights platform and an activation platform. So they’re making a lot of moves.

Shamanth: Yeah, interesting. So it sounds like a lot of publishers have been preparing in some way for what’s going to unfold—what has unfolded and what will unfold. But again, a lot of companies you referred to somewhat larger advertisers that have the ability to put significant resources behind preparing for these eventualities. So what happens to smaller advertisers, or smaller publishers? Let’s just say maybe an independent ecom store or a cooking blog that makes a lot of money from AdSense—they don’t have these resources to just build first party data assets. What, if any, might be some of the options in front of these folks?

Allison: It’s a really good question. And if I knew the answer, I’d be rolling in the dollar bills; I would come up with my own solution. But I do think it’s going to be hard for them to make a living, as programmatic advertising becomes less of a revenue driver for them. Programmatic advertising has become shorthand for personalised targeted advertising, even though of course, you can programmatically do many things.

I don’t mean to be like a broken record. But I assume they’ll start to rely more on tools provided by the big platforms. It’s just like a theme of flight from the open web—they will also have to rely on the bigger platforms and any tools that they might provide.

I don’t know what will come out just yet. But I’m sure Facebook and Google will. Google is working on its privacy sandbox stuff, which might not necessarily be helpful to smaller publishers, but I do envision that the large platforms will swoop in to ‘help the little guys’.

But yeah, there’s a lot of work being done to the W3C right now, in the privacy sandbox. Actually, just today, as we speak on a Friday, January 8th, the CMA which is the anti-competition authority in the UK is starting an investigation into the privacy sandbox and whether it might be anti-competitive. So there’s just so much in flux. And so the question of what do small publishers do—what does anyone do? Smaller publishers, they’ll just have trouble retargeting their own audiences off of their sites. And they’re just scrambling right now, I think. Or not thinking about it, hoping magically, somehow it resolves.

Shamanth: Yeah, that’s an option, certainly. Yeah, Allison, so there’s a lot of things in flux, a lot of things are changing. And I guess the one thing people can do is be informed and keep their eyes and ears open, and move quickly, I imagine.

I certainly have learned a lot about the web landscape; just knowing and understanding what is unfolding from talking to you now. This is a good place for us to start to wrap up. I’m curious if you have any closing thoughts or anything to wrap up with?

Allison: Well, I don’t know if this is silly.

I mean, it’s possible that the deadline gets extended a little bit, but it’s an imperative. At the very least, it’s the year that I have to write about identity until I want to bash my head into the wall.

Shamanth: Yeah, certainly there’s going to be a lot written about it, a lot spoken about it. We’ve spoken about a lot of the changes on the apps front. It is interesting and significant to see this is not just app-specific, or Apple-specific thing, but this is a trend that’s somewhat overarching across the digital space.

That is perhaps a good place for us to wrap, Allison. But before we do that, can you tell folks how they can find out more about you and everything you do?

Allison: Sure, I guess, it’d be great if you could read AdExchanger. And I’m actually really good at answering email; I didn’t always used to be but it was a New Year resolution from a couple of years ago. So [allison] at [adexchanger.com]. And my Twitter is pretty much useless unless you like seeing retweets about cat GIFs and funny cat news. But you can follow me on twitter if you want to @OSchiffey, but it’ll be kind of a fruitless exercise. But I do love creeping on Twitter. So I’ll probably follow you.

Shamanth: Excellent. Lots of people might be into cats. We will link to all of that. And this is perhaps a good place for us to wrap Allison, thank you so much for being on the Mobile User Acquisition Show.

Allison: Thank you.

A REQUEST BEFORE YOU GO

I have a very important favor to ask, which as those of you who know me know I don’t do often. If you get any pleasure or inspiration from this episode, could you PLEASE leave a review on your favorite podcasting platform – be it iTunes, Overcast, Spotify, Google Podcasts or wherever you get your podcast fix. This podcast is very much a labor of love – and each episode takes many many hours to put together. When you write a review, it will not only be a great deal of encouragement to us, but it will also support getting the word out about the Mobile User Acquisition Show.

Constructive criticism and suggestions for improvement are welcome, whether on podcasting platforms – or by email to shamanth at rocketshiphq.com. We read all reviews & I want to make this podcast better.

Thank you – and I look forward to seeing you with the next episode!