After winning the battle over third-party cookie tracking, will privacy advocates lose the personal-data use war?

tarot card tower

This article is part of the Digiday Privacy Preview, a digital issue of stories examining what the coming changes to Chrome and iOS will do to the worlds of media and marketing. Read the rest of that coverage here.

Call it a pyrrhic victory. 

For years, privacy advocates argued that data collection and sharing among countless hidden ad tech intermediaries, via third-party cookies, was a privacy invasion. Thanks in part to their advocacy, government and consumer pressure for more privacy protections has finally pushed Google and others to disable third-party cookies. Now the digital ad industry is gravitating toward replacements that some in the privacy community consider even more invasive.

“Indeed, that irony is not lost on me,” said technologist Ashkan Soltani, who helped craft the California Consumer Privacy Act and served in the Division of Privacy and Identity Protection at the Federal Trade Commission.

Advertisers, ad tech firms and digital publishers for two decades have relied on third-party cookies and the data currency they hold to facilitate the quid pro quo of the open web: content, services and more relevant advertising in exchange for personal information. Some forms of cross-site tracking enabled by third-party cookies have been “abusive,” said Pam Dixon, founder and director of the nonprofit World Privacy Forum, another longtime advocate for a privacy-safe digital ecosystem.

But today, more personal information than ever is being harvested for a new crop of identifiers that can be passed like cookies throughout the ad tech supply chain. Some require email addresses or phone numbers — first-party data — to work. 

Tech firms such as LiveRamp and the Trade Desk and industry bodies like Partnership for Responsible Addressable Media say they protect privacy better than third-party cookies because they transform emails into encrypted strings of numbers and letters, creating pseudonymous IDs. And they argue these IDs are created with people’s consent, because emails and other personal data is gathered when people interact directly with a brand or publisher.

Veteran digital privacy crusader Jeff Chester, executive director of the nonprofit Center for Digital Democracy, isn’t buying it. “We cannot allow the industry’s claim that first-party data is accompanied by permission to stand,” he said. “That is a canard.” So far, there is little guidance and few requirements for what notice to people for consent should look like.

“The proposed first-party identifiers essentially are more privacy-invasive than even cookies, and provide users with less transparency and control,” said Soltani. While people can delete or block third-party cookies, he said, identifiers incorporating hashed or encrypted data “are more problematic” because they create persistent, identifiable connections to people across activity on multiple devices. Soltani said in some ways these technologies produce “even more robust of an identifier than your actual name or other [personally-identifiable information].”

Born with a data addiction

In another blow to the quest to minimize data collection, the race to gather first-party customer data like emails has quickened, as advertisers prepare for the loss of third-party data connections that help them customize messaging and connect ad exposure to sales. 

But strategic efforts to gather first-party data are just a continuation of the industry’s perpetual push toward hyper-personalized communication between advertisers and consumers, said Chester. “It’s really the trajectory of the one-to-one marketing model at the heart of digital advertising since its inception in the 1990s,” he said. “They’ve been growing their first-party data sets and porting them over to Facebook and Google,” he added. “This is not a new trend.”

It was the way in which cookies were designed (back in October of 1994, the same year the first banner ad appeared), that jumpstarted an industry reliant on data tracking at an individual level, said Bennett Cyphers, a staff technologist at the nonprofit Electronic Frontier Foundation, which has fought for protections against digital ad-related privacy infringements for over a decade.  Because cookies were designed with full default third-party access, they “made it really easy to do this tracking and profiling on the web,” said Cyphers. “It’s a shame that the tracking industry has gotten so used to all these practices that are so anti-consumer in a lot of ways, and also seem so dependent on them.”

Presumed consent?

Yet, there are obstacles to the proliferation and adoption of alternate identifiers. Namely, Google’s announcement on March 3 that it will no longer support any cookie replacement identifiers such as those built using email addresses in advertising inventory it sells outside its own properties has compounded uncertainties about these technologies

Another potential hurdle: the law. Few identity tech firms require any explicit or just-in-time notice or informed consent mechanisms for people in the U.S. when their emails are used to build pseudonymous identifiers to track them across the web. For now, many companies employing them presume people have given consent because their privacy policies state in general terms that they may use personal information for marketing and advertising purposes.

But that standard approach may not be appropriate for an industry proclaiming a commitment to consumer privacy and transparency, and it may not hold water with regulators. California’s privacy law, for instance, states that mere acceptance of general terms of use describing personal information processing does not constitute consent for the sale of personal information. And some argue the use of email-based IDs will be considered a data sale under the updated version of that law, which covers personal data collected by a business as of January 2022.

“The regulators will not stand for it,” said Soltani. “[A publisher’s] transfer of my identifier including a hashed identifier [is a sale].”

Meanwhile, Jeff Chester expects a coalition of privacy groups to coalesce to convince lawmakers that email collection does not equal consent for identity tech. In fact, he contends there’s an even greater irony afoot as consumer advocates push increasingly receptive lawmakers for more meaningful privacy safeguards.

“The irony is that now the industry’s attempt to jettison cookies may in fact trigger the political backlash we’ve all been waiting for for two decades,” he said.

More in Media

Publisher execs talk AI licensing deals, new applications for AI in latest earnings calls

Publicly-traded media companies touted new deals with generative AI tech companies and other new applications for the technology in their Q1 2024 earnings calls.

Transparency shift: CMOs navigate new norms in agency profit models

Many CMOs seem to be okay with their agencies finding new ways to increase margins, as long as the process is transparent, or at least openly acknowledges a lack of transparency.

Media Briefing: Publishers’ Q1 earnings show promise, but also room for improvement

Publishers’ Q1 earnings show some promise in the digital ad market.