If the future of privacy is cookieless, what happens to the ad tech industry when third-party cookies go away?

It seems like only yesterday when if you thought something was following you your family or friends might think you were a bit paranoid and suggest you see a psychiatrist.

Nobody thinks that anymore. Thanks to the internet explosion of raw data and its wily little enablers-the Martech companies-you can rest assured that your every movement is being tracked in real time by an army of entities who want to detect what you're looking for first and sell it to you before the other guys get there.    

For years, the workhorse of the cyberstalking world has been third-party cookies, a small piece of text sent to your browser by a website you visit that allows it to collect information about your visit, like what you clicked on, your user name and password, and so on, purely in an altruistic effort to make the site more useful to you. (The last part is an attempt at satire in case you missed it.) When you visit a website directly it may give you a "first-party cookie" so it will know your preferences the next time you visit. if you click on a link on that site that takes you somewhere else that's a "third-party cookie" and it's probably meant to sell you something rather than enhance your browsing experience.  

That era is coming to an end. In January 2020, Google announced that it would "phase out" third-party cookies in its Chrome browser ‘within two years," which means by 2022. Safari and Foxfire stopped using third-party cookies a couple of years ago but that, as we'll get to, does not mean that you're not still being tracked. As Jeff Olchovy, chief technology officer at Tapad, a pioneering leader in cross-device digital identity resolution, owned by Experian said:

2020 was a hell of a year for participants in the ad tech ecosystem.  On top of the Covid emergency, we had to also deal with the exogenous shocks from Google and Apple and prepare for a cookieless future. Suddenly, the mechanisms that companies were leveraging to build products and capabilities were somewhat going away. A lot of the resources that we were reserving for pure play innovation had to change to focus more toward working on defensive mechanisms to ensure business continuity for ourselves.

Google's divorce from third-party cookies will not mean the end of tracking or even from tracking in the Chrome browser. Existing technologies that can track users just like third-party cookies include Local Storage, IndexedDB, Web SQL, and any other technology that makes it possible to save data on a user's device from browsers. 

All the more reason, for systemic innovation, Olchovy said:

Let's not be naive, there's going to be more of these types of exogenous shocks from the Googles the Apples. It's the third-party cookies today but maybe it's first-party cookies at some point in the future. Maybe it's local storage, you know, having a bit more restrictions on it. So how do we build these anticipated changes into our innovation pipeline.

Launched in New York in 2010 by Norwegians Are Traasdahl and Dag Liodden, Tapad was owned from 2016 until 2020 by  the Telenor Group, the Norwegian telco, when it was sold for $380 million to Experian. 

The company's "secret sauce" is that it can identify the same person or household across many different devices. The Tapad Graph, as it is called, collects data such as operating system IDs, IP addresses, online registrations, data from partnering publishers and the soon-to-disappear cookie IDs to fuel a highly accurate "cross-device," probabilistic machine learning algorithm which predicts, with a high degree of accuracy, that the person or household member who just looked up lawn mowers on Google on their computer is the same person who is now browsing Facebook on their mobile phone and might just be receptive to ads for lawn mowers in their feed.  

The corporate speak rationale of its utility is that it "enables brands, agencies and platforms to gain a unified view of customers, allowing for optimized scale, better targeting and more relevant experiences with your brand."

The Tapad Graph accesses 1.3 billion users across 4B digital IDs spanning five continents. In other words, it follows you everywhere. None of the data contains personally identifiable information, Tapad says, but a UK privacy group did ask European regulators to look into both Tapad and Experian back in 2018. (Neither was penalized.)

Olchovy said that Tapad has always played by the rules:

Privacy is one of the key pillars of our company. Our position in the market is that we're a small third-party player and we have to get privacy right. Although we're not directly interacting with the end consumers, we've always tried to stay ahead of the curve by keeping our fingers on the pulse of changes in regulations. On the eve of GDPR, a lot of our competitors dropped out but we went whole hog and put in  a lot of work and effort to make sure we would retain our European surface area and be able to deal with any of the waves caused by changing regulations. When the new California law was announced, we were able to adjust seamlessly so we have been prepared for continuing changes. 

And, that history of adjusting to change, is why Tapad is prepared for the cookieless future, Olchovy said:

The end of the third-party cookie will certainly lead to more fragmentation in the industry but that's is something we've been dealing with all along.  We're never depended on entirely on third-party cookies so we're accustomed to finding fragments scattered across multiple devices and tying them together into a given identity record. Since we've been doing this all along, maybe we have to only make small adjustments to our probabilistic graph-building algorithms to begin to associate all of those first-party fragmented cookies together. 

In early February, Tapad, launched a new product called Switchboard that aims to make the growing multitude of cookieless IDs interoperable with each other. Switchboard is a module that exists within the Tapad identity graph and uses machine learning to find connections between these newer IDs and more traditional digital identifiers, such as first-party cookies, mobile device IDs, connected TV IDs, IP addresses and hashed emails. The plan is to keep on signing up new partners and layering in new IDs as they emerge before the end of cookies deadline.

My take

The good news for users who care about privacy is that sometime this year, barring a major turnaround, Goggle will stop the use of third-party cookies in its browser.  The bad news is that marketing technology industry will still find ways to follow you around.  There's too much money involved to think otherwise. The challenge for the ecosystem will be making sure that the right ID and consent information within it is passed seamlessly across the ad tech supply chain in a privacy-compliant way. That sounds like a potential nightmare but from this angle, Tapad looks like a survivor.