Third-party cookie replacements fall short of consent and transparency promises

Illustration of a disguised user.

Publishers, advertisers and ad tech companies are rallying around identity tech such as Unified ID 2.0, a system developed by several industry groups and companies, as a means to not only replace the third-party cookie but move the programmatic ad industry toward a more transparent, consent-based system. They are being much less forthright, though, when it comes to asking users for their consent and presenting transparent information.

Because many identity technologies, including Unified ID 2.0, use email addresses and other information gathered when people interact directly with a brand or publisher to build encrypted IDs, the companies that make and use them suggest they are created with people’s knowledge and consent. However, although these companies are modernizing their means of tracking people online, they have yet to update their methods of notifying them when these systems capture individuals’ email addresses to transform them into identifiers that can be passed throughout the ad tech ecosystem.

Unified ID 2.0 “improves consumer transparency, privacy and control,” noted a January press release from The Trade Desk, which has played a key role in developing Unified ID 2.0. The announcement stated that one of the core goals of the identity system is “simple and consistent consumer messaging” that explains “the value exchange of relevant advertising for consumers, and providing greater control for publishers.” However, there are no current requirements or even guidance on what explanatory messaging for Unified ID 2.0 (UID) should look like.

There are few if any requirements by other identity tech providers for how publishers and other companies should provide notice when collecting people’s personal information, said Justin Wohl, chief revenue officer at Salon. The publisher expects to enable UID on its site “in the coming days” and has already implemented identity tech from LiveRamp, ID5, BritePool and Neustar, he said. These technologies are triggered to generate an identifier when people submit their email addresses to sign up to comment on Salon’s articles or receive its email newsletters.

But, when people give Salon their email address, the publisher does not provide them with special notice to make them aware specifically that their personal information will be used to create an encrypted identifier that’s sent out into the real-time ad marketplace.

The only identity tech firms Salon works with that require specific notice to users are LiveRamp and ID5, both of which require publishers to include specific language about their technologies in their privacy policies and links to opt-out. Instead, when people provide their email address, Salon presumes they’ve given consent to use that personal information to produce a pseudonymous identifier under a privacy policy that states in general terms that the publisher uses that information for marketing and advertising purposes.

BritePool’s general counsel Robyn Tas said the company requires publishers to comply with applicable law regarding notice of data use and opt-out options in their privacy policies. Neustar did not provide comment for this story.

‘Only using consented IDs’

Ad buyers emphasize the importance of garnering consent from people when evaluating which identity technologies to adopt. But, for now, they leave it up to the publishers to decide how to obtain that consent.

“We want to make sure that we’re only using consented IDs. A big part of UID is around the value exchange and ensuring the consumer consent,” said Georgie Haig, product lead of identity at programmatic ad agency MiQ. She is lining up clients to test UID and has one client running a small campaign using LiveRamp’s identity tech. However, she said because UID is in such an early phase of development, guidance for how publishers will or should provide notice when identity tech is in use has yet to be determined.

“It’s all new tech; it’s all being developed,” she said. “I think we have a lot of work to do in this industry. If you are giving consent it’s probably very deep in some T and C [terms and conditions].”

Another agency executive said that, when gathering email addresses to generate identifiers, “legitimate websites will have a hyperlink to their data use policy, which describes how the visitor’s information will be used.” But, to reiterate: there are no requirements or even guidance for what those notices should communicate or how they should be presented.

From a technical data flow perspective, companies are following the same procedures they already have in place for other information types used for “marketing purposes,” said Brendan Riordan-Butterworth, a tech consultant for HIJ Consulting who has been evaluating identity technology for publishers, advertisers and tech clients. But he said that a standard approach may not be appropriate for an industry proclaiming a commitment to consumer privacy and transparency.

“Is the industry just squandering this opportunity to communicate these really good privacy intentions by going toward the low-friction path that assumes the applicability of existing consent?” Riordan-Butterworth asked.

A low-friction path

In the U.S., a code of conduct is in the works under the auspices of the IAB Tech Lab-linked industry body Partnership for Responsible Addressable Media which might create additional policy guidance for providing notice when emails are used to build identifiers through the UID technology, said Alex Cone, senior director of product management at IAB Tech Lab. He added that providing people with information about data uses “and making that not an overwhelming choice as well is what we’re aiming for.”

But Cone and others involved in the project say it is too early for consensus to be reached regarding any proposals for consumer messaging in relation to UID. “There are pieces of that that we cannot control because we’re not there yet,” he said.

While Unified ID is an industry-wide, open-source technology requiring a certain level of consensus, it is unclear why most proprietary identity tech reliant on personal data like emails does not require some additional form of notice to people.

Full-steam ahead

Despite the lack of consensus around developing consent practices, the industry is full-steam ahead with UID, which is being beta tested currently, according to a spokesperson from The Trade Desk, the ad tech firm overseeing the technology as it hits the market. The company declined to comment on this story.

Ultimately, in their quest for identifiable connections to people that fuel ad revenue, publishers like Salon are leery of bombarding them with too many obstacles to content. Presenting people with one more notice and another button to click might overwhelm them to the point of obscuring their understanding of how identity technologies work and what a person is being asked to agree to, said Salon’s Wohl. “I’ve thought about this from the perspective of the reader and what they’re being asked to do in any given session,” he said, “and the success rate is only going to be so high to get a reader to make an account.”

More in Media

Meta AI rolls out several enhancements across apps and websites with its newest Llama 3

Meta AI, which first debuted in September, also got a number of updates including ways to search for real-time information through integrations with Google and Bing.

Walmart rolls out a self-serve, supplier-driven insights connector

The retail giant paired its insights unit Luminate with Walmart Connect to help suppliers optimize for customer consumption, just in time for the holidays, explained the company’s CRO Seth Dallaire.

Research Briefing: BuzzFeed pivots business to AI media and tech as publishers increase use of AI

In this week’s Digiday+ Research Briefing, we examine BuzzFeed’s plans to pivot the business to an AI-driven tech and media company, how marketers’ use of X and ad spending has dropped dramatically, and how agency executives are fed up with Meta’s ad platform bugs and overcharges, as seen in recent data from Digiday+ Research.