Almost all major browsers have already discontinued default support for third-party cookies. Only Google Chrome is still holding out, but the writing is on the wall (well, actually, on the Chromium blog): Google Chrome will eliminate support for third-party cookies by 2022.
However, this doesn’t mean browsers are about to go on a low-carb diet, because first-party cookies will come out of the “cookiepocalypse” unscathed. They were even deemed vital in a privacy-first online world by Google itself.
Sounds like a good thing, right? As a user, you will still benefit from first-party cookies conveniently saving your website preferences, but there will be no more unknown agents processing your precious data.
Yes, but this has serious consequences for the online advertising industry. Not all kinds of online ads rely on third-party cookies, but many still do – particularly retargeting and behavioral targeting ads.
Tech giants like Google and Facebook earn billions of dollars serving these kinds of ads, and advertisers are happy to throw all this money at them because they know these ads are extremely effective and will generate even more money for them in sales. This means it is highly unlikely that personalized behavior-based ads will disappear any time soon. If that’s the case, then what will replace third-party cookies?
No one knows yet, but a lot of very smart people from the tech industry and universities are coming up with ideas. Some are specific solutions to improve fraud prevention or ad performance measurement while still increasing users’ privacy. Since these are so particular to a specific feature and cover a wide range of topics, we’ll leave those aside and focus on the main ones that take a more comprehensive approach to what the future relationship between advertisers, ad platforms, browsers and users might look like.
Click on the links below to jump straight to the ones that catch your attention, or keep reading to learn about all of them!
Federated Learning of Cohorts (FLoC)
This is Google’s main proposal, which is why we’ve written a whole article about it. Click below to read it:
In a GitHub repository where they are developing FLoC and other proposals for the post-cookie era, Google has outlined three broad categories of information upon which ad serving can be based:
- First-party and contextual information (e.g., "put this ad on web pages related to games");
- General information about the interests of the person who will see the ad (e.g., “show this ad to people who love running”);
- Specific previous actions the person has taken (e.g., "offer a discount to someone that abandoned a cart in my online store").
Both the second and the third categories would previously involve third-party cookies, but FLoC relates specifically to category #2. Google has a different proposal for the third category, called TURTLEDOVE, which is also on this list – click here to jump straight to it.
To put it simply, FLoC involves grouping users’ browsers into cohorts that share the same interests. These cohorts would be identified by a random numerical ID and retain each user’s anonymity while still allowing for meaningful ad targeting.
For example, let’s say you have an online store that sells bikes and biking equipment, and you want to advertise your products online. With FLoC, an advertising platform could show your ads to a cohort of users who share similar behaviors that signal an interest in bikes: maybe they’ve searched for bikes on Google, watched biking videos on Youtube, or visited biking forums.
Under FLoC, these details would never leave the browser or be shared with anyone. Everything would be calculated by an algorithm inside the user’s browser, which would then assign itself a cohort ID – the only information made available by the browser. This association with a cohort ID would last for seven days. After that, it would be calculated again based on more recent data, at which point the browser might assign itself to a different cohort. As with cookies today, users would have the ability to allow or block FLoC on their browsers.
FLoC is already being tested in some Google Chrome users. If you want to know if you’ve been “FLoC’ed”, click here.
This is Microsoft’s proposal. PARAKEET is an acronym for “Private and Anonymized Requests for Ads that Keep Efficacy and Enhance Transparency” (yes, really). In short, it involves a proxy server that would stand between the user and the ad company, anonymizing data from both sides.
For example, when an advertiser submits an ad request to PARAKEET, this intermediary system would anonymize the context provided by the advertiser (e.g. the kind of audience they wish to reach) before showing it to the users that match that context. Similarly, the system anonymizes all data gathered from the users' browser, and doesn't share this data with any third party. PARAKEET would then try to find the optimal match between user and ad context, and later provide performance reports to the advertiser.
This proposal considers that the user will be able to opt-in or out of ad personalizations and have full control over which interests are being taken into account by the system – much like Google already offers in their Google Account settings. However, the level of transparency and control offered to the user is largely up to the browser, which is a potential weakness in this proposal. It’s one thing to support full control by the user, but if that may not actually be available, it’s cause for at least some concern.
Also, considering that the whole process would be entirely in the hands of a for-profit tech giant making money as an auctioneer for online ads (déja vu, anyone?), this proposal changes little in terms of how personal data is used for advertising purposes – like Google’s FLoC, PARAKEET is still all about tracking users, just not using third-party cookies anymore.
Secure Web Addressability Network (SWAN)
Not to be confused with Storage With Access Negotiation proposed by 1plusX, which uses the same acronym but is actually a variant of TURTLEDOVE (see below).
This proposal was created by an international group of companies in the ad-tech space which forms the SWAN community. As the CEO of one of these companies said, SWAN “is so simple it’s almost difficult to explain”.
It works like this: when a user enters any website within the SWAN network for the first time, a simple pop-up will appear showing a unique identification code generated for that user (like a first-party cookie) and asking if that user agrees to be shown personalized ads. The user only needs to answer this once, and it will cover all of the websites within the SWAN community. This decision could then be reversed at any time.
That’s all there is to it.
So this is essentially a transparent consent contract between the user and the SWAN network, which consists of advertisers that want to show ads, and websites willing to sell their space to said advertisers. One of the major differences between SWAN and the other bird-themed proposals is that the relationship between advertisers, websites and users would be open and fully auditable by everyone involved.
The funny part about SWAN is that it is so simple and straightforward, it could have been implemented from the very beginning of the internet. But no one could resist those damn cookies…
Sensible Privacy Enablement by Clustering Targeting Attributes in CLiEnt (SPECTACLE)
Ok, SPECTACLE isn’t a bird name but I refuse to ignore the whole bird thing going on with these proposals. So here’s the soul-piercing gaze of a Spectacled Owl!
This proposal has been put forward by eyeo, a German software company that has created, among other things, the popular Adblock Plus browser add-on. SPECTACLE is envisioned as an installable software that could be packaged in the form of a browser extension, custom web browser, or an option within an existing browser or mobile OS.
From the user’s side, SPECTACLE builds upon a solid privacy foundation which involves blocking browser-fingerprinting, offering automatic email aliases while browsing, proxying advertising traffic (so advertisers can’t see your IP), and other measures.
For advertisers, this proposal would offer comprehensive user profiles by interpreting webpages to understand user interests, while also inferring demographic and geographical data – both from available sources as well as from user input, which would improve segmentation granularity while still respecting user privacy by giving them the freedom to share only the information they want, if they want to.
Another positive aspect of SPECTACLE is that, unlike the other proposals, which involve creating new advertising platforms (or at least retrofitting existing ones), it could easily integrate with the ad networks currently being used.
However, one of the obvious drawbacks is the fact that it would have to be manually installed by a large number of users for it to work. But hey, they achieved that with Adblock Plus so, who knows?
Remember those three categories of information we mentioned in the beginning? This is Google’s proposal for the third category, related to previous actions the user has taken. In other words, retargeting ads.
You might be thinking: “no way is TURTLEDOVE an acronym”. You’d be wrong. It stands for “Two Uncorrelated Requests, Then Locally-Executed Decision On Victory”. Wow.
Anyway, the idea behind TURTLEDOVE is to continue tracking user behavior but, similarly to FLoC, have the browser itself do it locally and anonymously instead of using third-party cookies. Then, based on user behavior such as viewing a page or adding a product to a cart, the browser would assign users to specific groups created by the advertiser, so that the same advertiser could show ads to those users later on.
For example, let’s say you are an e-commerce selling shoes at www.example.com. When someone enters your website, they might be assigned to a group called “example-visitor”. When that person goes to see the athletic shoes category, they might get assigned to the “example-athletic-shoes” group. If they see a specific product, they could be assigned to a group like “example-item-01234-viewer”. Finally, they might buy and be assigned to the “example-buyer” group, or abandon the cart and go to the “example-cart-abandoner” group.
Later, if that store wants to show an ad for a new athletic shoe, they could target those users assigned to the “example-athletic-shoes” group, but the advertiser won’t know the browsing habits of that particular user, even if that user was assigned to multiple groups. The way TURTLEDOVE achieves this is by the “two uncorrelated requests” part of its name. Ads would be fetched via two requests:
- Contextual request: when a user visits a website that shows ads, that website makes a request to the ad-serving platform informing the page’s URL, ad sizes and locations, etc.
- Group request: a new and different type of request is constructed by the browser and sent to the same ad-serving platform, calling for ads related to a given group (such as the “example-athletic-shoes” we mentioned above).
To ensure user browsing habits are kept anonymous, browsers would have the responsibility to make sure these two ad requests remain independent and uncorrelated. But there are concerns about some technical loopholes that could still leave user privacy somewhat unguarded – and even prevent ad blocking software from protecting it.
There are several enhancements to this proposal under discussion, so it will probably look a bit different a few weeks or months from now. Here are a few examples:
- Secure Private Advertising Remotely Run On Webserver (SPARROW): Adds a gatekeeper into the TURTLEDOVE framework in order to increase advertiser control, expand ad offerings beyond retargeting, and (supposedly) improve User Experience. Proposed by ad-tech company Criteo.
- DOVEKEY: a modification of SPARROW where the gatekeeper acts as a simple key-value server. This was proposed by Google as well – more specifically, the Google Ads team (as opposed to the Chrome team).
- TURTLEDOVE Enhancements with Reduced Networking (TERN – yes, also a bird name!): This basically tries to combine all TURTLEDOVE enhancement proposals into one big bird-themed Megazord. This was proposed by ad-tech company NextRoll.
So… which one will prevail? Is it winner-takes-all, or can they coexist in some sort of online ads ecosystem? Are we ever going to stop being tracked online? Why are these proposals named after birds?
If anyone gives you a definitive answer to these questions, they’re either lying or trying to sell you something (or both). We prefer giving you the information you need in order to reflect about what’s coming next and stay ahead of the game.
Our aim here was to give you a bird’s-eye view of the moving parts in this complex machinery moving the internet into a (hopefully) safer, more responsible, but still incredibly abundant future. We’ll meet you there.