Google's burnt cookies: What now for FLoCs, fraud, cohorts, consent and universal IDs?
Google's 'privacy pivot' has major implications for marketers, agencies, publishers and data companies - as well as regulators attempting to curb its might. The upside is no more cookie bombing and a likely collapse in cookie-based fraud. But everything follows the money. Meanwhile, in a first party world, marketers can no longer pass the buck to agencies when it comes to data transparency, consent and control. Next year looks interesting.
What you need to know:
- Google's alternative to tracking is FLoCs - bigger cohorts, but some are unconvinced its ends are that different to current means.
- Some ad execs think alternative ID solutions can still find traction on the open web, others think they have been fatally undermined.
- Data providers will have to pivot, likely more will start transacting media with data.
- In a first party world, brands will be held accountable by regulators for data and consent.
- Fraud will likely shift to first party data.
- ACCC's plans hampered.
- Facebook will have to move next.
Shift happens
Google last week reiterated its commitment to phase out third party cookies – but everybody knew that was coming.
What was new was its explicit rejection of other tracking approaches within Google properties, which sent shares in listed adtech firms tumbling (though they insist the sky is not falling in).
Either way, there are some major unknowns, such as whether Google’s decree applies across both buy and sell side, and some serious questions, such as how much time Google’s ‘privacy pivot’ buys with antitrust regulators, especially if it appears to further already unassailable market dominance.
For the next 18 months or so, it seems to be business as usual. After that, for digital marketers some of the biggest impacts will be felt around retargeting (Atomic 212’s James Dixon has compiled a summary here): a hurdle for marketers, but sweet relief for those who don’t want to buy their new pair of jeans again a week later.
No third party cookies also means no cookie bombing – and there are potentially broader wins for advertisers from getting rid of third party tracking.
Ad businesses built on third party cookies will pivot – most already are – if they can’t put their hashed IDs through buying platforms. That should throw up some interesting new models.
“Some of those [ad data firms] are looking at how they can become more of a managed service, how they can offer data and media at the same time,” said one senior ad holding company exec.
If that kind of bundling is allowed under Google’s new rules, he thinks it could mean that more retailers and loyalty card data providers start transacting media, creating a different kind of opportunity for brands.
“A lot of those kind of operators already do in-house buying for their businesses. Will they spin out a solution? Some already seem to be going in that direction.”
However, the exec said the local Google team is still awaiting clarification from HQ on exactly what is – and what is not – allowed.
What the FLoC?
Google’s current preferred alternative to third party cookies is ‘federated learning of cohorts’, or FLoCs. Per the ad giant, FLoCs “effectively take third-party cookies out of the advertising equation and instead hide individuals within large crowds of people with common interests.”
It’s claiming 95% performance versus third party cookie approaches (which is interesting in itself).
Some are unconvinced FLoCs are hugely different to Google’s current approach.
“It’s a bit of red herring,” said one senior ad exec. “Within DV360 (Google’s demand-side platform), Google does not disclose every single URL, so you never really know where every dollar went – it just went to a group of URLs. The same thing will happen when you are buying a cohort of individuals: you won’t know who they are, you won’t know if it really was 20,000 individuals, you’ll just have to take Google’s word for it.”
The exec said buyers should be concerned. “Once again, Google will mark its own homework, and funnily enough, algorithms will be able to adjust those valuations,” he suggested. “Google is free to readjust the value of those cohorts as Google sees fit.”
Others are sceptical that a cohort approach can ever be truly ‘privacy first’, given even large groups can be relatively easy to unpick, and given the data that Google has hoovered up for the last 20 years.
“I’ve asked privacy lawyers several times over the years ‘when does a sample become identifiable?’ Their answer is always ‘it depends’,” said Dave Whittle, co-founder of customer data platform (CDP) firm Lexer, which last month raised $33.5m in series B funding. “It is a massive grey area and very difficult to be conclusive.”
Google plans to start testing FLoC with advertisers in Q2.
Less fraud?
Whether FLoCs or something else ends up as Google’s de facto targeting system, getting rid of third party cookies should reduce ad fraud – at least the current most prevalent forms, according to Lexer’s Dave Whittle.
While the digital industry tends to play down ad fraud as a low single digit percentage in Australia, Whittle thinks it could be higher.
“I’m surprised ad fraud has never had the airtime that it probably deserves. But I'm also not surprised, because much of the media that controls the messaging is disincentivised to communicate the significance of ad fraud,” said Whittle. “It is not small. The materiality of it is huge.”
Post-cookies, Whittle thinks fraudsters will just shift mode.
“There will be a different type of fraud. It will be driven by stolen databases - and it’s probably already happening through stolen identities,” he said. “You can buy millions of email addresses on the dark web, or any PII for the ad targeting, and enable advertisers to target those audiences and generate fraudulent ad revenue.”
Platforms could largely stamp out fraud, per Whittle, if they wanted to.
“If the browser, operating system, or the website has a logged-in state – all of those parties actually know who the user is. It’s interesting to think about how Google, for example, has the opportunity to help personalise targeting, but they also could block the ‘wrong’ personalisation,” said Whittle.
“It’s a case of offensive and defensive. They can power the right personalisation but they can also block the wrong, potentially fraudulent ad targeting too. And likewise, in that example, you can switch Google out for Apple.”
Brands: prepare for regulation
People will question Google’s motives, but something had to give, according to Clay Gill, CEO at Matterkind, formerly IPG Mediabrands' Cadreon unit.
“When you’ve got that many data companies piggybacking off consumers – and the consumer never consented to that in the first place – that’s a problem. And it’s an unregulated problem,” he said.
Gill thinks brands and publishers must urgently get to grips with what is coming down the track – and first party consent is everything.
“Top line the demise of third party cookies is a good thing. Bottom line, look at consent management – the story will get to this eventually,” according to Gill.
“You will be asked, and be answerable to, how you collected first party data on both the buy and the sell side.”
Lexer’s Dave Whittle agrees. For brands, privacy-compliant first party data management “has never been a higher priority” as third party avenues close.
“If you're relying on the traditional use of third party cookies for ad targeting to drive your new customer acquisition, it’s a risk,” he said.
“So you could say the story is already [about consent]. Because when the brand is managing and collecting their own data, they control the consent.”
Whittle believes this will ultimately have major financial implications for brands – and not just around regulatory enforcement.
“When consent is controlled by the brand, the data is an asset for the organisation, just like brand value is calculated into goodwill,” said Whittle. “From an accounting perspective, data will go the same way, over time.”
Which is why brands and publishers should probably take this report from White Ops seriously: It finds 22% of marketers think their first party data is at least a quarter full of bots and fakes.
In a first party world where brands are held accountable by regulators, that means no more kicking the can down the road to agencies.
Impacts on alternative ad IDs
Google’s move has implications for regulators and other adtech firms attempting to build out alternative ad tracking technology.
MiQ CEO Jason Scott thinks it’s "unlikely" consent-based ID initiatives such as the Trade Desk's soon-to-be open source Unified ID 2.0, "will be completely abandoned just because Google has rejected them from their ad platforms – and it’s important to note they won’t be blocked from Chrome". He suggests it could spark "clear motivation for innovation opportunities for the industry outside the walled gardens".
But others are not so sure. Who knows what Google will decide to do with Chrome now that it is updating the browser on a fortnightly basis?
“In some ways, this is a direct shot across the bow of some emerging methods of identifying users across the web using email addresses for advertising purposes,” according to Phillip Eligio, a Germany-based consultant at the coalface of Europe’s evolving attempts to regulate platforms and overhaul privacy laws.
The former Guardian Australia exec and Aussie digital marketer thinks Google’s statements may indeed "dissuade tech companies from collaborating” on things like Unified ID 2.0.
Impact on ACCC's plans
Locally, Eligio thinks Google’s proposed approach has major implications for Australia’s attempts to regulate platforms. It appears Google is playing off those responsible for antitrust and privacy concerns.
“Google’s announcement directly undermines the concept of data portability, particularly around user identifiers, as it directly paints such remedies as privacy infringing. Therefore, it suggests that those who regulate and enforce such conditions (government) are against user privacy, and those who may request the data from such a mechanism (ad tech providers) are acting to reduce user privacy,” argues Eligio.
“While it is debatable if Google's own advertising practices across their vast web of owned and operated sites and services uphold the ideals of user privacy, this is positioned to place their competitors in a negative light, should this proposal from the ACCC move forward.”
Eligio adds that Google’s move hamstrings the ACCC’s proposal for a common user ID, “as Google is suggesting that any mechanism to identify a unique user across the web does not fundamentally provide the consumer with privacy protection”.
Eligio and others suggest a ‘privacy first’ approach could worsen Google’s mounting antitrust issues by increasing its market dominance, potential for self-preferencing and conflicts of interest.
He points out that Google’s announcement “does not commit Google to any form of data siloing across its owned services” and suggests regulators consider “meaningful purpose limitations” so that, for example, data collected by Google in one area (such as email) cannot then be used to power others (such as advertising).
Guardian Australia MD, Dan Stinton, agrees.
“The only reason Google is able to make a change such as this without weakening its business is because it doesn’t really need cookies. Google can fall back on its own email addresses from Gmail and aggregate this with data from search, YouTube, Chrome, Android, maps, and many other services, which is much harder for the rest of the industry without Google's market power,” he said.
“The only way to mitigate this is with the use of purpose limitations, whereby strategies such as reading a person's Gmail for the purposes of selling targeted advertising in another environment is outlawed, as one example. This is the most pragmatic way to stop the data arms race that is currently underway between Google and Facebook, while further protecting consumer privacy.”
Whether Australia’s regulators alone can score a win against Google this time around with purpose limitations or any other measure is debatable. But lawmakers around the world are mounting serious antitrust challenges (this one is interesting).
However, antitrust cases tend not to be quick affairs – and Google may yet beat all those trying to open up its vast ‘privacy first’ walled garden.
What will Facebook do?
What might become clearer in the near term is how Facebook reacts, given the looming impact on its business.
“Facebook’s data graph is highly reliant on identities via cookies, emails, and mobile ad IDs,” per SynergyStack founder, Chris Brinkworth.
“As we already know what is happening with Apple’s Safari and ID for advertisers, this move puts so much pressure on Facebook," he added.
“So now, Google can find easier ways to compete in a world that involves Amazon without worrying so much about fighting both Amazon and Facebook for their main ad revenue.”
Meanwhile, the independent ad tech players have seen share prices tank.
Who says privacy doesn’t pay?