Blog

Death of the 3rd-Party Cookie

Google is planning to remove support for third-party cookies within two years. The plan was announced in a Chromium blog post that is causing an uproar in the ad tech community. The section of that blog post that broke the news can be found below:

After initial dialogue with the web community, we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years. But we cannot get there alone, and that’s why we need the ecosystem to engage on these proposals. We plan to start the first origin trials by the end of this year, starting with conversion measurement and following with personalization.

-Justin Schuh, Engineering Director on Google Chrome

Impact of Third-Party Cookies

  • A Google study with 500 publishers found that publisher revenue dropped a staggering 52% with the removal of third-party cookies, and by 62% for news publishers.
  • Google Chrome accounts for an enormous 67% of US web browsing activity.
  • With Firefox and Safari already blocking third-party cookies, Chrome’s addition to the party will essentially spell the end of third-party cookies.
  • Chrome SameSite is already in effect. It treats cookies that don’t have a SameSite label as first-party, and requires all third-party cookies to be accessed over HTTPS.

Google Privacy Sandbox

Effectively, the Google Privacy Sandbox will allow third-party companies to make API calls from the browser to the sandbox in order to receive personalization and measurement data without receiving sensitive user-level information. In theory, the Google Privacy Sandbox makes sense as a replacement for the third-party cookie. However, it requires a significant amount of testing before it can begin to take over from the third-party cookie. The ad tech community also has concerns about Google controlling yet another large part of the ad tech ecosystem.

According to adexchanger.com:

Google’s Privacy Sandbox will first try to solve for conversion measurement, followed by interest-based advertising.

By the end of this year, the Google Chrome team will begin trials that allow for click-based conversion measurement without third-party cookies. Conversions will be tracked within the browser, not a third-party cookie, according to a Google spokesperson. When an advertiser needs to track a conversion, they’ll call an API that will send the conversion value from the browser. Individual user data would not be passed back.

Google Chrome will next explore how to run interest-based advertising without third-party cookies.

According to the Chromium page, these are the major areas of development for the Google Privacy Sandbox.

  • Replacing Functionality Served by Cross-site Tracking
  • Turning Down Third-Party Cookies
  • Mitigating workarounds

Marketer Outlook

With 3rd-party cookies running on borrowed time, marketers need to find new ways to advertise and reach their intended audiences. Until there are more concrete details released on Google’s Privacy Sandbox, marketers will have to evolve and adapt to the inevitable death of the third-party cookie.

  • Building a first-party strategy
    • Without the benefit of 3rd-party cookies, marketers should think of ways to bring customers back to their own sites and to store 1st-party data. Advertisers should further aim to establish direct relationships with their customers.
  • New targeting and optimization strategies
    • Marketers will rely much more heavily on first-party data.
    • Marketers may rely on identity consortiums such as DigiTrust. However, this depends greatly on what Google will allow within its Privacy Sandbox.
  • Granular measurement hangs in the balance
    • Measurement granularity depends entirely on what type of attribution Google will allow in its privacy sandbox.
    • If measurement is limited, the industry may have to revert to antiquated methods such as last-click attribution.
  • Agencies will gain more traction
    • Guaranteeing an audience is a lot more feasible these days thanks to third-party cookies.
    • The ability of an agency to strike direct deals between publisher and advertiser will become much more important once the third-party cookie becomes deprecated.


Tell me and I forget. Teach me and I remember. Involve me and I learn.

Benjamin Franklin


SameSite Cookies

Cookies have been the primary way of tracking online users since the dawn of the internet. Many companies in the ad tech space have relied heavily on the third-party cookie to track audiences, target users, and create user identity graphs. However, this will change significantly starting on February 4, 2020. Starting on that day, Google will implement SameSite cookie changes which effectively force everyone to comply with its SameSite cookie infrastructure.

What is the SameSite cookie?

SameSite is a cookie attribute that declares what type of cross-site sharing a cookie is meant for. The attribute can be set to one of 3 different values:

  • None: Available for 3rd party cookie sharing
  • Lax: Allows for cookie sharing among a publisher’s owned sites
  • Strict: No cross-site sharing at all

Google SameSite Cookies Changes

  • Starts on February 4, 2020
  • Will be released concurrently with Chrome 80.
  • Currently, the default SameSite cookie attribute is set to “SameSite=None”. Google will change the default to be “SameSite=Lax” when it rolls out the change. This means that developers must consciously switch their defaults when the change rolls out.
  • Currently, non-secure HTTP requests work with “SameSite=None”. After the change, any cookie with “SameSite=None” will be invalid if it is not passed via a secure HTTPS request. This means that any publisher that wishes to use third-party cookies will have to move to HTTPS if they have not already done so.
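
As an added example (not part of the original post), the Python below audits Set-Cookie header values against the two Chrome 80 rules listed above: a missing SameSite attribute defaults to Lax, and SameSite=None is only valid over HTTPS, which a cookie expresses with the `Secure` attribute. The cookie names, domains and sample headers are constructed for illustration.

```python
from dataclasses import dataclass

RECOGNIZED = {"none": "None", "lax": "Lax", "strict": "Strict"}


@dataclass
class Verdict:
    name: str
    effective_samesite: str   # value Chrome 80 enforces for this cookie
    accepted: bool            # False when the browser drops the cookie
    third_party_usable: bool  # True only if still sent in cross-site contexts
    note: str


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {lowercased attr: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_verdict(header):
    """Apply the two Chrome 80 rules to a single Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    declared = RECOGNIZED.get(attrs.get("samesite", "").lower())
    secure = "secure" in attrs
    if declared is None:
        # Rule 1: a missing attribute now defaults to Lax. An unrecognized
        # value is handled the same way here, following the cookie spec draft.
        return Verdict(name, "Lax", True, False,
                       "no valid SameSite attribute: defaults to Lax")
    if declared == "None" and not secure:
        # Rule 2: SameSite=None is only honoured on Secure (HTTPS-only) cookies.
        return Verdict(name, "None", False, False,
                       "SameSite=None without Secure: cookie is rejected")
    return Verdict(name, declared, True, declared == "None",
                   "explicit SameSite=%s" % declared)


def audit(headers):
    """Return verdicts for the cookies that are not available cross-site."""
    verdicts = [chrome80_verdict(h) for h in headers]
    return [v for v in verdicts if not v.third_party_usable]


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "uid=abc123; Path=/; Domain=.adtech.example; Max-Age=31536000",
    "uid=abc123; Path=/; SameSite=None",
    "uid=abc123; Path=/; SameSite=None; Secure",
    "session=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for v in map(chrome80_verdict, SAMPLE_HEADERS):
        state = "accepted" if v.accepted else "REJECTED"
        print(f"{v.name:8} {state:9} SameSite={v.effective_samesite:7} {v.note}")
```

Running `audit()` over the response headers of a publisher's own pages shows which cookies need `SameSite=None; Secure` added before the rollout and which are silently downgraded to Lax.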

Why the Update?

Google is getting more aggressive with SameSite to prevent insecure data sharing across domains and cross-site request forgery (CSRF), in which an attacker gets a victim's browser to send requests that carry the victim's authenticated cookies, triggering malicious actions that can have a wide range of negative consequences.

Possible Results of Cross-Site Request Forgery

  • Unauthorized transfer of bank funds
  • Damaged client relationships
  • Data theft
  • Changed passwords
  • Malicious social engineering
  • Malicious tracking

Cross-Site Request Forgery Example from Imperva

[Image: CSRF example]


You have brains in your head. You have feet in your shoes. You can steer yourself any direction you choose.

Dr. Seuss


An Updated Header Bidding Wrapper Overview

At the turn of the next decade in December 2019, there are 3 major header bidding wrappers that are prevalent in today’s programmatic environment: Prebid, Amazon Transparent Ad Marketplace (TAM), and Google Open Bidding (previously Google Exchange Bidding). Other header bidding wrappers such as those of Media.net and Index Exchange exist, but these are the 3 wrappers that dominate the market today.

Prebid.js

The major draw of Prebid is that it is a free and transparent open-source tool that anyone can use. In fact, the Prebid source code is openly available on GitHub. At the time of this post, the latest version of Prebid is 2.43.

https://github.com/prebid/Prebid.js/releases

The table below from Prebid.org notes some of the latest releases in reverse chronological order. One aspect of their release numbers I’ve noticed is that the release versions follow a strictly numeric order. For example, version 2.20 is newer than version 2.4.

| Release | Feature |
|---------|---------|
| 2.20 | AuctionEnd event now always execute when auction completes even when there’s no callback handler |
| 2.18 | Currency Module: always adding originalCpm and originalCurrency to bid object |
| 2.17 | Ability to limit the size of keys sent to ad server via targeting controls |
| 2.16 | User ID module refactored to support external sub-modules |
| 2.10 | User ID module released with support for PubCommon ID and Unified ID |
| 2.10 | A bidder which responded in time is now considered a timely bidder, even if it responded with no bids. See PR 3696 |
| 2.9 | Add ‘hb_cache_host’ targeting for video bids when cache is set to support upcoming video cache redirector |
| 2.9 | remove removeRequestId logic. See PR 3698 |
| 2.8 | Added s2sConfig syncUrlModifier option to modify userSync URLs |
| 2.8 | Add hb_uuid and hb_cache_id back to dfp module after having been removed in 2.7 |
| 2.6 | Update auction algorithm logic for long-form. See PR 3625 |
| 2.6 | In case Prebid.js is called from within an iFrame, matchMedia is applied to window.top, not the containing iFrame. |
| 2.5 | Fix event firing on native click. See PR 3589 |
| 2.4 | Long Form video |
| 2.4 | Bug fix for hb_uuid/hb_cache_id. See PR 3568 |
| 2.3 | Bug fix for Firefox for some ads that use document.write See PR 3524 |
| 2.1 | Refined the bid.adId and bidRequest.bidId. See PR 3340 |
| 2.0 | The limited bid caching feature now turned off by default. |
| 1.39 | The limited bid caching feature can be optionally turned off. |
| 1.39 | Bug fix in the currency module introduced with 1.37 where it wasn’t calling for the currency conversion file when defaultRates are specified. |
| 1.37 | The default location of the currency conversion file changed. |
| 1.36 | New NO_BID event makes a “no bids” response available to analytics adapters. |
| 1.34 | User-sync iframes are now inserted at the bottom of the head element, rather than at the top. |
| 1.30 | Bugfix to Auction Init events. The timestamp had been removed in 1.28 and caused issues in some Analytics Adapters. |
| 1.27 | Render outstream safeframe with prebid universal creative. |

In addition, publishers with more complex ad stack setups can optimize more freely with Prebid than with other solutions such as Index Exchange or Google Open Bidding.

One downside to Prebid is the operational complexity of setup, which usually demands heavy engineering resources and time. Because of this, companies such as Rubicon and PubMatic have started to offer managed Prebid services, charging a fee for helping publishers set up and manage their Prebid.js instances.

According to Prebid.org, at a high level there are only 4 steps to running a Prebid auction.

  1. The ad server’s tag on page is paused, bound by a timer, while the Prebid.js library fetches bids and creatives from various SSPs & exchanges you want to work with.
  2. Prebid.js passes information about those bids (including price) to the ad server’s tag on page, which passes it to the ad server as query string parameters.
  3. The ad server has line items targeting those bid parameters.
  4. If the ad server decides Prebid wins, the ad server returns a signal to Prebid.js telling the library to write the winning creative to the page. All finished!


Google Open Bidding (Previously Google Exchange Bidding)

The more substantial benefits for publishers when adopting Google Open Bidding include much less operational complexity and a much faster page load time due to it being a server-to-server connection.

According to admanager.google.com, there are only 3 steps for the Google Open Bidding Solution.

  1. An ad request is triggered
    Requests are sent to the Ad Manager server using Google Publisher Tags, the Google Mobile Ads SDK, or the IMA SDK. Support for native inventory is not yet available.
  2. Ad Manager hosts a unified auction to determine the highest eligible bid
    Ad Manager requests bids from eligible Authorized Buyers, third-party exchanges, and/or mediation networks, through targeted yield groups, which return their highest bids to Ad Manager. These bids then compete with all of your reserved and non-reserved line items in a unified first price auction, and the highest bid wins.
  3. The winning creative is returned to the publisher
    After a winner is selected, the ad server returns the winning asset or mediation list to the publisher for display.

Google Ad Manager

  • Dramatically minimized latency:
    With direct server-to-server connection to third-party exchanges and an extended auction time of 160ms (up from the Ad Exchange requirement of 100ms), Open Bidding reduces latency (when compared to header bidding implementations) for a more seamless user experience.
  • Reduced operational complexity:
    Open Bidding eliminates the need to manage complex custom header bidding code and the numerous Ad Manager line-items associated with a header bidding implementation. Eligible inventory trafficked in Ad Manager can benefit from Open Bidding with no additional technical development required.
  • Increased transparency and unified payments:
    Understand the exact revenue you’re earning from each exchange with unified and accurate reporting. Get paid faster (net 30 days) and bill more accurately, without the 5-10% discrepancies common today — since serving, billing, and reporting are all on a single stack.
  • Improved reporting and analytics:
    A unified reporting interface provides valuable advertiser and brand information, with improved query tool reports that cut across sales channels. The reports provide clarity on the value each partner brings and help you identify, report on, and analyze the advertisers and brands who bought impressions that were filled through Ad Exchange and Open Bidding.

Amazon Transparent Ad Marketplace (TAM) vs Amazon Unified Ad Marketplace (UAM)

Below is a comparison of TAM vs UAM according to aps.amazon.com. TAM is intended for enterprise publishers whereas UAM is meant for smaller publishers.

[Image: TAM vs UAM comparison from aps.amazon.com]

Comprehensive Comparison of Top Wrapper Features

Paul Bannister of Cafe Media has created a fantastic header bidding wrapper comparison of the top 5 wrapper solutions, which breaks down how each stacks up to one another in 14 different areas of comparison.

[Image: header bidding wrapper comparison]


Whoever is happy will make others happy too.

— Anne Frank


California Consumer Privacy Act (CCPA)

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a bill (AB 375) that was passed in June 2018 which provides similar consumer protections for California as the GDPR does for Europe. CCPA goes into effect on January 1, 2020.

The CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.

Currently, there is a surface-level interest in CCPA, where everybody wants to be compliant, but a desire for a deeper level of understanding remains to be seen from advertising companies, whether it be due to fear or a mindset that “This is practically the same thing as GDPR except for California”.

Which Companies are affected by CCPA?

  • Any company that serves California residents with at least $25 million in annual revenue
  • Any company that has personal data on at least 50,000 people
  • Any company that collects more than half of its annual revenue from the sale of data

Note that companies don’t have to be based in California to have to abide by CCPA. This is similar to how an NYC-based company must abide by GDPR if it serves European consumers.

What Data Does The CCPA Cover?

According to csoonline.com, the CCPA covers:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

Consumer Rights Under CCPA

  • Consumers can request that companies do not share their data with third-party companies
  • A company has 45 days from the time of the request to provide a consumer a comprehensive report about what type of information they have, if it was sold, and to whom.
  • Companies must have a clearly visible footer on websites that offer consumers the option to opt out of data sharing (AKA the “Do Not Sell My Data” button.)

Penalties for Non-Compliance

  • Once a company is notified of a violation, they have 30 days to comply or they will face a fine of up to $7,500 per record. This could be a substantial amount of money considering the vast number of records that companies typically have.
  • AB 375 allows for penalties of the greater of $100 to $750 per incident or actual damages.

CCPA’s Effects On Other States and Companies’ Policies

According to Gary Kibel, partner at Davis & Gilbert, LLP, “More than a dozen states either have new data protection regulations on the books or in committee, from Nevada, Maine, Pennsylvania and Connecticut to Massachusetts, New Jersey, Illinois and Maryland”.

Many of these states will follow California’s lead and implement some sort of data protection regulation to protect its residents. It will be interesting to see if a federal law will ever be passed that will require CCPA-like data regulations to be applied across the entire United States.

A likely strategy for companies starting January 1, 2020 is to simply start complying with CCPA in all states, not just California. This will allow them to abide by CCPA’s rules and preemptively prepare for other state data regulations that will likely follow suit. It will also simplify their strategy by having one nationwide data policy instead of splitting up their data policy by state.


I have no special talent. I am only passionately curious.

– Albert Einstein


FTC Impact on Digital Advertising

What is the Federal Trade Commission (FTC)?

The Federal Trade Commission is a federal entity that is meant to encourage fair trade practices. According to the FTC website, the main strategic goals of the FTC are:

  1. Protect consumers from unfair and deceptive practices in the marketplace
  2. Maintain competition to promote a marketplace free from anticompetitive mergers, business practices, or public policy outcomes
  3. Advance the FTC’s performance through excellence in managing resources, human capital, and information technology

The FTC is meant to protect consumer interests by preventing trusts, consumer manipulation, and other predatory practices.

FTC Divisions

The FTC has 8 divisions, each responsible for a specific aspect of business:

We will be focusing on the Division of Advertising Practices, which encompasses digital media.

FTC Division of Advertising Practices

FTC enforcement priorities include:

  • combating deceptive advertising of fraudulent cure-all claims for dietary supplements and weight loss products
  • monitoring and stopping deceptive Internet marketing practices that develop in response to public health issues
  • monitoring and developing effective enforcement strategies for new advertising techniques and media, such as word-of-mouth marketing;
  • monitoring and reporting on the advertising of food to children, including the impact of practices by food companies and the media on childhood obesity;
  • monitoring and reporting on industry practices regarding the marketing of violent movies, music, and electronic games to children;
  • monitoring and reporting on alcohol and tobacco marketing practices.

As we can see here, the FTC is meant to prevent and punish many types of deceptive or dangerous marketing behaviors. In addition, it is especially sensitive to marketing aimed at children. It aims to protect sensitive consumer information, prevent predatory advertising, and also prevent consumers from getting spammed with advertising.

Google and Facebook, previous FTC Fines

FTC and NY Attorney General vs Google and YouTube

According to the FTC:

Google LLC and its subsidiary YouTube, LLC will pay a record $170 million to settle allegations by the Federal Trade Commission and the New York Attorney General that the YouTube video sharing service illegally collected personal information from children without their parents’ consent.

The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA) Rule. The $136 million penalty is by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.

The below graphic from FTC shows the impact against Google. This recent fine was greater than all of the previous fines combined.

[Image: major privacy judgements against Google]

Facebook FTC Fines

From NY Times:

The F.T.C.’s investigation was set off by The New York Times and The Observer of London, which uncovered that the social network allowed Cambridge Analytica, a British consulting firm to the Trump campaign, to harvest personal information of its users. The firm used the data to build political profiles about individuals without the consent of Facebook users.

The agency found that Facebook’s handling of user data violated a 2011 privacy settlement with the F.T.C. That earlier settlement, which came after the company was accused of deceiving people about how it handled their data, required the company to revamp its privacy practices.

Facebook has recently been fined a record $5.1 billion for misappropriating user data. Despite the massive fine, it seems that the market saw this as just a “slap on the wrist” because Facebook shares actually increased after the fine amount was announced.

Conclusion

The FTC is meant to act in the best interests of consumers and encourage fair trade while preventing deceptive/predatory advertising practices. Although Facebook and Google offer incredible lifestyle conveniences and social connectivity, it’s no secret that they harvest a massive amount of information. With Facebook and Google Q4 2018 ad revenue at $16.6b and $32.6b respectively, many politicians are wondering if the fines are enough to generate any meaningful action to protect consumer interests and privacy.

I leave you with a comic from AdExchanger:

[Image: AdExchanger comic]


Remember, hope is a good thing, maybe the best of things.

— Stephen King
