The Digiday Privacy Glossary: What it all really means

Cookie-based targeting 

First-party cookies are created and stored by the site you visit. This makes surfing the internet more enjoyable because the site recognizes you and automatically applies your desired settings and log-in data from the cookie.

Third-party cookies are placed on a site by a third-party — like an advertiser — as a way to track what you do online. Advertisers use this information to serve personalized ads to you. The problem, however, is you have little control over who is collecting this information or where it is going.

Cookieless targeting

Deterministic identifiers are a privacy-friendly alternative to third-party cookies in that they use deterministic data, typically a hashed email or another form of personally identifiable information, like a phone number, to track you online.

Probabilistic identifiers use a mix of signals — across several channels — to create a profile of you based on matching anonymous data points with data from known users who show similar preferences. It’s effectively impossible to link those data points back to you, but the advertiser knows they have a profile that shares similar behavior to a known user and they can use that information to reach certain conclusions about the person behind the probabilistic identifier.

Google’s Privacy Sandbox

Google’s Privacy Sandbox is a batch of new technologies Google is developing in partnership with the industry to allow advertising to continue without the privacy snafus associated with third-party cookies.

FLoC (Federated Learning of Cohorts) is part of the sandbox that has the most momentum behind it. It is used to sort users into groups, or cohorts, based on common interests in place of user-level identifiers.

Trust API is Google’s alternative to CAPTCHA within the Privacy Sandbox. You complete a CAPTCHA-like program while in Chrome which then generates anonymous “trust tokens” to prove you are real.

Privacy Budget limits the amount of user data a site can collect on you. A budget will be given to the site for collecting data from the APIs in the sandbox. This way, only the most necessary data is passed to the site.

Conversion Measurement API lets an advertiser know if a user saw its ad and then eventually bought the product or landed on the promoted page.

Aggregated Reporting API ensures that performance-focused information, from impressions to reach, is folded into a single report and only reported back if it’s sufficiently aggregated enough. Doing so means measurement isn’t reliant on cross-site identifiers. 

Apple’s App Tracking Transparency

IDFA (Identifier for Advertisers) is the mobile identifier companies use to track  Apple device users (without revealing personal information). Companies will have less access to the IDFA once apps are required to ask people for permission to collect and share them.

SKADNetwork is an aggregate way for measuring attribution of mobile ad campaigns for iOS apps. It launched in 2018, but advertisers were never really incentivized to use it. If they had, then it’s likely many would have had to have scrapped other more established attribution models. Now, they don’t have a chance but to use the SKADNetwork should they want to continue to reach Apple device owners. 

Fingerprinting is what happens when certain attributes of a device — like its IP address or the version of the browser it uses — are used to identify it as a device being used by an individual user. Companies are using it as a workaround to Apple’s crackdown on user tracking. 

SDK spoofing is a type of mobile ad fraud that tricks attribution firms into believing events like in-app purchases or registrations have taken place when they haven’t.

Regulatory headwinds

The General Data Protection Regulation in the European Union is trying to give people more control over their personal data by requiring that businesses gain explicit consent to collect and use that data.

The California Consumer Privacy Act draws people’s attention to the personal information that companies collect from them and how that information can make its way into other companies’ hands. Unlike the GDPR, the CCPA doesn’t require companies to get people’s permission to collect their information in the first place.