How the Latest Identity Solutions Stack Up to Consumer Privacy Demands

Digital identity powers the open internet. When consumers provide their personal information, brands, publishers and platforms create personalized ads. This keeps the internet free and open. And these experiences drive innovation and the creation of better content, websites and social apps.

Third-party cookies historically served as the backbone of digital identity. Google made headlines everywhere with its latest guidance, and without a doubt, third-party cookies will be sunset in 2022. The advertising industry is also awaiting Apple’s imminent iOS update, which will severely restrict tracking and targeting across Apple’s mobile devices.

The problem with third-party cookies and mobile ad IDs (MAIDs) is that consumers were left in the dark, with collection and usage hidden from end users. But without cookies or MAIDs, the current digital advertising model breaks. Time is running short to implement a privacy-focused solution that solves for audience analytics, frequency capping, measurement and attribution, while providing robust data controls for publishers.

This is a complex environment and Google alone isn’t going to be able to provide the silver bullet. 

The entire industry is on the hunt for ways to rebuild and adapt better privacy standards. Google is placing all bets (importantly, outside of its own properties) on its Privacy Sandbox proposals whereby the one-to-one targeting of the cookie-centric era is to be replaced with cohort-based targeting on Chrome: FLoCs and FLEDGE solutions.

Contextual advertising is re-emerging as another cookie alternative to augment upper funnel targeting for marketers. A tried-and-tested solution for early-stage use cases, marketers are experimenting with ways to use advanced context campaigns to deliver goals traditionally achieved through ID-based targeting.

If you’re a marketer or publisher, you’ve likely been inundated with alternatives for cookies and IDFAs. It’s important to break down the glossy exterior of these proposals and identifiers before rushing into adoption—the open internet may depend on our choice. Here’s how these identity solutions stack up:

Faults in fingerprinting

Fingerprinting aggregates browser and/or network signals, including user agent, screen resolution, installed fonts, operating system and device model, to create a synthetic ID in place of a cookie. The main problem with this off-label collection is that it is not transparent to the consumer and consent is difficult at best.

From a privacy perspective, fingerprinting is basically invisible lurking. Users don’t even realize their data is being collected and used, and there is no easy way for a consumer to opt out. By ingesting consumer data without clear permission, fingerprinting puts publishers and the brands they work with at high risk. All major browsers are against it and high-profile tensions are playing out in public in advance of iOS 14.5.

Fingerprinting offers a technical solution that only deepens the trust deficit between marketers, browsers and end-users. It has no place in the future of digital identity and could put your brand’s reputation at serious risk, ultimately losing the trust of the consumers whose data you rely upon.

Hashing bets on hashed emails

Proponents of hashed emails, on the other hand, boast of the solution’s cryptographic, one-way hashing process, which creates a code unique to the email, but there are glaring gaps in its security.

Namely, not all hashing methods are equally successful at pseudonymization. This is because hashed emails are produced with standardized algorithms: It would be relatively easy for a bad actor to gain access to a list of plaintext email addresses and figure out the algorithm for those hashed emails, creating a massive breach of leaked emails littered around the web. These lists are easily repurposed and rehashed, which violates user privacy. Hashing is a good start, but on its own it doesn’t provide a sufficient degree of protection.

Universal IDs have a use, but not for every impression

Universal IDs present a standardized identifier for all participants. In the device world, the Apple IDFA and Android AAID are good examples. Universal IDs based on authentications continue to gain steam and they have a purpose: Creating an email token that connects publisher to marketer.

But universal IDs also have two major downsides. First, they don’t give the publisher real control of their users’ data or identities. These IDs are purpose-built for scale in the Open Exchange—only 50% of RTB ad buys. They share the publisher’s data with every platform in the ecosystem. Platforms can then misuse those IDs and that data to gain intelligence and build audiences. It’s bidstream data on steroids. Second, some popular universal IDs are looking to use Single Sign-On (SSO) solutions to extend reach. While reach is important, it must be rooted in trusted and transparent value exchanges. SSOs threaten consumers’ full transparency into who they’re sharing their data with and how it’s used, and they run the risk of replacing one opaque tracking technology with another.

Universal IDs will have a place in the post-cookie ecosystem, but it’s important that publishers carefully evaluate which ones make sense and how they protect and share their data. Due to the lack of platform-level encryption, universal IDs also represent potential security concerns. For example, a breach on one platform would affect everyone using the ID. Having a clear data supply chain will become more important with the introduction of legislation like the CPRA. It’s unclear yet if SSOs should play a role in the post-cookie ecosystem and how marketers can offer consumers the right level of transparency.

Platform-encoded, encrypted identifiers are key

Encoded (or encrypted), people-based identifiers are, in my opinion, more privacy-safe and secure than any of the alternatives discussed here. Encrypted identifiers move into a pseudonymous space quickly. If offline identifiers, like email, are used as input, an encoded identifier is immediately put through a multi-step hashing process to move it to a meaningless string on the server side, meaning it’s not fully visible to any participant. Then, that obfuscated ID can be encrypted with a key and turned into a secure, encoded digital customer identity that can be sent to other trusted parties.

Unlike universal IDs, encrypted and encoded identifiers can be made fully responsive to publisher or marketer controls, allowing for secure transmission only to intended parties. Publishers, marketers and their technology vendors must still make responsible data governance decisions, but encoded and encrypted identifiers give those decisions teeth and keep the control with the publisher.
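The contrast between a bare hashed email and a server-side, multi-step identifier can be checked in a few lines. This is an added example, not code from the article or from any vendor it alludes to: the function names, keys and addresses are constructed, and a partner-scoped HMAC stands in for the final encryption step so that it runs on the Python standard library alone.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    """Canonical form, so the same mailbox always yields the same ID."""
    return email.strip().lower()

def unkeyed_id(email: str) -> str:
    """Plain SHA-256 of the address: anyone can recompute it."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()

def keyed_id(email: str, server_secret: bytes) -> str:
    """Second step: HMAC the digest with a secret that stays on the server."""
    digest = unkeyed_id(email).encode()
    return hmac.new(server_secret, digest, hashlib.sha256).hexdigest()

def partner_token(base_id: str, partner_key: bytes) -> str:
    """Partner-scoped value (assumed stand-in for the encryption step)."""
    return hmac.new(partner_key, base_id.encode(), hashlib.sha256).hexdigest()

def recomputable(ids, address_list, make_id) -> list:
    """Addresses from a list whose ID an outsider could regenerate and match."""
    seen = set(ids)
    return sorted(a for a in address_list if make_id(a) in seen)

# Constructed sample data; the keys are placeholders, not real secrets.
SUBSCRIBERS = ["Alice@example.com ", "bob@example.com"]
OUTSIDE_LIST = ["alice@example.com", "carol@example.com"]
SERVER_SECRET = b"constructed-server-secret"
PARTNER_KEYS = {"partner-a": b"constructed-key-a", "partner-b": b"constructed-key-b"}

def demo() -> dict:
    plain = [unkeyed_id(e) for e in SUBSCRIBERS]
    keyed = [keyed_id(e, SERVER_SECRET) for e in SUBSCRIBERS]
    tokens = {p: partner_token(keyed[0], k) for p, k in PARTNER_KEYS.items()}
    return {
        # An outsider needs only the public algorithm to match bare hashes.
        "plain_matches": recomputable(plain, OUTSIDE_LIST, unkeyed_id),
        # Without the server secret, the same list matches nothing.
        "keyed_matches": recomputable(keyed, OUTSIDE_LIST, unkeyed_id),
        # Each partner receives a different value for the same person.
        "tokens_differ": tokens["partner-a"] != tokens["partner-b"],
    }

if __name__ == "__main__":
    print(demo())
```

The protection of the keyed variant rests entirely on the server secret staying private; if it leaks, the identifiers are as recomputable as the bare hashes.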

3 takeaways to define the success of a cross-platform identity solution

This is a complex environment and Google alone isn’t going to be able to provide the silver bullet to the challenges posed by mounting regulation, user privacy expectations and a competitive media landscape. Instead of looking to Google to fully address the challenges stakeholders face in achieving marketing objectives, publishers and brands should take the initiative to work with proven partners. Ultimately, stakeholders need to use a combination of tools to address the post-cookie ecosystem and the mix will vary based on need: authentications, browser cohorts and unauthenticated publisher data.

Let’s be very clear—the loss of cookies will have a major effect on the industry. While it’s an exciting time to reinvent, there is no perfect solution. But if the solution you’re vetting meets these three criteria, you’re on the right path to effectively maintain the addressability enterprises need with the privacy and security features consumers deserve.

  1. Meet modern expectations for user privacy and security. Does the vendor have a thoughtful approach and key workflows to support consumer privacy and security that is ready to adapt as privacy regulations evolve?
  2. Make the value exchange crystal clear. Does the business clearly explain the value exchange to consumers? Does it deploy robust disclosure, notice and control mechanisms? We need to evangelize authentications as a mechanism for transparency. Only when people have a transparent understanding of this value exchange will they feel more comfortable and able to make an informed choice about offering their personal information.
  3. Be effective, omnichannel and competitive with what exists in other channels. Is the solution scaled, competitive and interoperable in order to be effective not only on the web, but in mobile, offline, CTV and beyond? Identity solutions help ensure consumer dollars continue to be spent on the web, support free or low-cost content, and promote ongoing customer engagement across the tech ecosystem.