This article is part of the Digiday Privacy Preview, a digital issue of stories examining what the coming changes to Chrome and iOS will do to the worlds of media and marketing. Read the rest of that coverage here.
For years, privacy advocates argued that data collection and sharing among countless hidden ad tech intermediaries, via third-party cookies, was a privacy invasion. Thanks in part to their advocacy, government and consumer pressure for more privacy protections has finally pushed Google and others to disable third-party cookies. Now the digital ad industry is gravitating toward replacements that some in the privacy community consider even more invasive.
“Indeed, that irony is not lost on me,” said technologist Ashkan Soltani, who helped craft the California Consumer Privacy Act and served in the Division of Privacy and Identity Protection at the Federal Trade Commission.
Advertisers, ad tech firms and digital publishers for two decades have relied on third-party cookies and the data currency they hold to facilitate the quid pro quo of the open web: content, services and more relevant advertising in exchange for personal information. Some forms of cross-site tracking enabled by third-party cookies have been “abusive,” said Pam Dixon, founder and director of the nonprofit World Privacy Forum, another longtime advocate for a privacy-safe digital ecosystem.
But today, more personal information than ever is being harvested for a new crop of identifiers that can be passed like cookies throughout the ad tech supply chain. Some require email addresses or phone numbers — first-party data — to work.
Tech firms such as LiveRamp and the Trade Desk and industry bodies like Partnership for Responsible Addressable Media say they protect privacy better than third-party cookies because they transform emails into encrypted strings of numbers and letters, creating pseudonymous IDs. And they argue these IDs are created with people’s consent, because emails and other personal data is gathered when people interact directly with a brand or publisher.
Veteran digital privacy crusader Jeff Chester, executive director of the nonprofit Center for Digital Democracy, isn’t buying it. “We cannot allow the industry’s claim that first-party data is accompanied by permission to stand,” he said. “That is a canard.” So far, there is little guidance and few requirements for what notice to people for consent should look like.
“The proposed first-party identifiers essentially are more privacy-invasive than even cookies, and provide users with less transparency and control,” said Soltani. While people can delete or block third-party cookies, he said, identifiers incorporating hashed or encrypted data “are more problematic” because they create persistent, identifiable connections to people across activity on multiple devices. Soltani said in some ways these technologies produce “even more robust of an identifier than your actual name or other [personally-identifiable information].”
Born with a data addiction
In another blow to the quest to minimize data collection, the race to gather first-party customer data like emails has quickened, as advertisers prepare for the loss of third-party data connections that help them customize messaging and connect ad exposure to sales.
But strategic efforts to gather first-party data are just a continuation of the industry’s perpetual push toward hyper-personalized communication between advertisers and consumers, said Chester. “It’s really the trajectory of the one-to-one marketing model at the heart of digital advertising since its inception in the 1990s,” he said. “They’ve been growing their first-party data sets and porting them over to Facebook and Google,” he added. “This is not a new trend.”
Yet, there are obstacles to the proliferation and adoption of alternate identifiers. Namely, Google’s announcement on March 3 that it will no longer support any cookie replacement identifiers such as those built using email addresses in advertising inventory it sells outside its own properties has compounded uncertainties about these technologies
Another potential hurdle: the law. Few identity tech firms require any explicit or just-in-time notice or informed consent mechanisms for people in the U.S. when their emails are used to build pseudonymous identifiers to track them across the web. For now, many companies employing them presume people have given consent because their privacy policies state in general terms that they may use personal information for marketing and advertising purposes.
“The regulators will not stand for it,” said Soltani. “[A publisher’s] transfer of my identifier including a hashed identifier [is a sale].”
Meanwhile, Jeff Chester expects a coalition of privacy groups to coalesce to convince lawmakers that email collection does not equal consent for identity tech. In fact, he contends there’s an even greater irony afoot as consumer advocates push increasingly receptive lawmakers for more meaningful privacy safeguards.
“The irony is that now the industry’s attempt to jettison cookies may in fact trigger the political backlash we’ve all been waiting for for two decades,” he said.