Jon Fletcher 2021-03-23

Cookie alternatives fail to meet basic privacy expectations

One of the core features of a post-GDPR world is that whenever user data is in play, transparency and consent have to be built into the transaction. 

The practical implications of this mean publishers have to implement consent management platforms that ask users if websites can use their data, share their data through cookies, and use it to personalize ads. With consent messaging, users know what data is being shared, who it is shared with, and have the option to customize these permissions or decline to give consent if they wish. 

This is where proposed alternatives to third-party cookies are facing opposition. They position themselves as a more privacy-focused solution but fail to offer users a forthright request for their consent.

How do new identity solutions work? 

New proposals for identity solutions, including Unified ID 2.0, use email addresses and other information that is gathered when people interact directly with a website. This information is then collected to build up information profiles. 

These profiles are stored in encrypted IDs based on a hashed and salted, or anonymized version of that email. The identifier regularly regenerates itself to prevent a single user from being tied to an ID and users can set their preferences on how their data is shared.

Through the email address, the tracker knows the preferences of this user based on their browsing or the articles they read while logged in with their email address. 

Then rather than sharing all the user information with the advertisers, it’s possible to connect these tastes and interests with the anonymized user identifier. The advertiser doesn’t know who you are exactly, but it knows that you might be interested in an ad for anew tennis racquet. Alliances between publishers have been created to share identifiers across publishers through first-party cookies and are therefore viable in a world without third-party cookies, as a shared currency along the digital advertising supply chain.

With this system, advertisers, publishers, and data services will not be able to identify you as a specific user, but reading your encrypted identifier will reveal some information about the best ads to show you.

What are the privacy objections? 

The concern raised is all to do with explicit consent and notifications. Where third-party cookie ads need user consent, from a CMP, universal IDs are created without notification consent. 

Companies behind Universal identifier technology say that consent to use universal identifiers is implicit. They argue that when readers submit their email addresses to sign up, comment on articles, or receive email newsletters they should know that the data they are sharing will also be used for advertising purposes. This information should be available in the terms and conditions, after all. 

Detractors argue that this makes data and privacy transactions more obtuse and say that users should be given an explicit notification.

And they may have a point. Modern standards of privacy and transparency have set an example that says publishers need to provide users with a dedicated notice of how their personal information will be used. Whether publishers store this data in a cookie or an encrypted identifier if it is going to be used in the ad marketplace, there is an expectation users should be able to offer or withdraw their consent. 

Because readers are actively signing up, there is an assumption that these users are the same users that would agree wholeheartedly to give the publisher access to their data for the purposes of advertising, and therefore, a pop-up such as a consent management platform is not needed for this tracking. In fact, the people behind Unified ID 2.0 argue that the move “improves consumer transparency, privacy, and control,” in a January press release from The Trade Desk

Unified ID 2.0 has said that they will give users “simple and consistent consumer messaging that explains the value exchange of relevant advertising for consumers, and greater control for publishers.” 

However, there are no official requirements or guidance as to what this consumer messaging should be. Should universal identity solutions come into effect, they will be policing themselves until regulation is decided upon. 

Do users need notifications? 

The need for consent is all predicated on the assumption that users read and understand the long, dense agreements contained in these pop-ups and make an informed choice. We all know that this is rarely the case and consent notifications are transparency and privacy theatre. Users don’t read or digest the messaging, they click it to get rid of it. 

If universal IDs actively protect individual data while enabling the online economy to continue, should they be subject to the same rules just because they operate in the same arena? 

Solutions with better privacy by design can suffer because they don’t adhere to this performative standard for user protection. 

Publishers also don’t want to complicate the signup process by making users confirm that their data can be used in a universal identifier and shared with advertisers. It will be hard to communicate the differences between a third-party personal data sharing system and a hashed and salted, or anonymized version of your information in the flash of a CMP. 

For industry insiders, it may seem obvious that this is a more consistent, clearer approach. But for users that have grown used to giving active consent for the use of their data, it can appear like a return to the ‘black-box’. 

For universal IDs to get universal acceptance they will need to make their value and their process clear to users or we risk a viable solution failing for a preventable reason.

Latest Articles

‹ Back to Blog Home

Get the headlines

Sign up to get the best headlines direct to your inbox

Your name
Your email