Arms race on OnSite, AdTech and Publisher side. In times of Browser Tracking Prevention, DSGVO & Adblocking the question arises how the online industry can deal with the crumbling cookie or replace it with a substitute... Here are a few possibilities.
[cookie substitution, consent, GDPR, adblocking, tag, tracking, targeting, retargeting, fingerprinting, customer journey, dco, attribution, etag, cache, meta data, login alliance, itp, etp, walled garden, adid, werbeid, unifiedid, household graph, cdp, taxonomie, dmp, 1st party, segment, 3rd party, doh, programmatic, havas, havasmedia, ressmann, online media, display, advertising, martech, adtech, data driven, s2s]
2. 2Reader-Version
This license allows third parties to distribute,
remix, enhance and build upon the work,
even commercially, as long as the author of
the original is named and the new works
based on his work are published under the
same conditions.
This license applies only to the content of the
presentation. All images and icons are still
subject to copyright and the applied license
of the respective creator.
This is therefore a "hands-on presentation"
and the author looks forward to receiving
feedback, improvements and suggestions so
that it can give impulses to our industry.
3. 3Reader-Version
This document constitutes general non-binding information. The contents reflect the opinion of the author at the
time of writing. Although the information has been compiled with the greatest possible care, there is no claim to
factual correctness, completeness and/or up-to-dateness, in particular this document cannot take into account the
special circumstances of the individual case. This document is therefore neither legal advice nor instructions for
action! Any use is therefore the responsibility of the recipient and should be explicitly approved by the respective
DPO and legal department. Any liability is excluded.
5. 5Reader-Version
On OnSite, AdTech and Publisher Side (in Web)
Tracking-Method Pros Cons GDPR & ePR
Fingerprinting
(computed ID)
No domain binding. Fully 'synchable' with the same algorithm. Can only be
prevented by deactivating Javascript. Can be configured browser
independent. As of Oct 2019, fingerprints will also get through with
incognito windows & active blocking!
Multiple users could create the same fingerprint, especially on mobile devices. Tor
browsers and a few plugins generate random browser values and are not trackable.
Requires active Javascript. The more tests are done, the longer the duration of the
fingerprinting and the load on the user's hardware. FireFox and Chrome have
announced to block fingerprints.
Fingerprinting is not mentioned in the GDPR as long as no personal
data is used! With the upcoming ePrivacy-Regulation this changes.
Fingerprinting is already mentioned in the ePrivacy Directive. The
DSK evaluates this already now as Profiling which requires an explicit
consent.
eTags
(transferred ID; could also be a
Fingerprint, UnifiedID,
LoginID,…)
Uniqueness of a browser is very high. Also works without JavaScript. High
compatibility, difficult to decloak. For a simple referer tracking and
attribution no database and no large server reconfiguration are necessary.
The RAW logfiles provide everything you need. Not yet strong in blocking
scope.
Can be cleared by emptying or deactivating the cache. Origin binding such as
cookies, browsers & plugins could block domains.
Unique assigned ID will be considered as pseudonym. Under
circumstances Art6.1.f - TMG §15. Since 30.09.19 (ECJ judgement)
rather only with consent. With ePR, consent is required.
Authentication Cache
(ID; ; could also be aUnifiedID,
LoginID,…)
The uniqueness of a browser is very high. Can only be cleared by
emptying the password cache or exiting the browser session. The session
can be restored with tricks.
Are created with JavaScript and are therefore easy to bypass. Possible warning
message from the browser.origin binding such as cookies. Browser & plugins could
block domains.
Unique assigned ID will be considered as pseudonym. Under
circumstances Art6.1.f - TMG §15. Since 30.09.19 (ECJ judgement)
rather only with consent. With ePR, consent is required.
Login-Alliances /
Walled-Gardens /
Social-Logins /
Consent-Frameworks
(LoginID could also be a
UnifiedID)
Uniquely assigned LoginID which is shared in the network, can be done
with a central server or S2S; if necessary also via blockchain account,
browser plug-ins or even VPN and DoH (DNS) bound. Easy cross-device
tracking. User adaptation is achieved through incentives (Free Content /
get payed for Data).
Login trade-off because 3rd Party Cookie blocked and Local-Storage needs a
Consent. Interminable, high implementation and adaptation effort. Limited to alliance
members or WalledGarden. IAB-TCF would have to be linked to a UnifiedID and
rebuilt as a kind of login alliance or a unifiedID would have to be found with NetID
Foundation, Verimi, Mobile Connect, Advertising ID Consortium, DigiTrustID,
OpenAdID, ID5, etc. FireFox is going to block UnifiedID requests!
Clear contractual situation at the request of the party concerned.
Explicit login to each session if necessary. It may be based on Art.
6.1.b GDPR.
Tracking-Wall
(proactive tracking approval)
Trackings can be fired again in the browser after white listing or proactive
lowering of security settings by the user.
Will only be accepted for 1st party cookies, mainstream users will be more likely to
leave the site than change the default browser settings.
Unique assigned ID will be considered as pseudonym. Under
circumstances Art6.1.f - TMG §15. Since 30.09.19 (ECJ judgement)
rather only with consent. With ePR, consent is required.
Household-Graph /
Meta-Segment-ID
(Meta-Data) like eg. Havas-
Converge
Data (also CRM) and trackings collected with Consent result in an
anonymous SegmentID in which a large number of users are combined.
Segment matching can be done via S2S.
Too rigid segmentation; user either has multiple segment IDs or moves from one
segment to another by adding signals. If the segments are too granular, these IDs
can be regarded as personal data again. WalledGarden or Fullstack stand-alone
solution. Id-synch and Fullstack servers can easily be blocked by browsers.
If the raised taxonomies cannot be aggregated narrowly on an
individual person or the segment size is high enough, no PII are
present and the GDPR does not come to application. As long if the
consent has been obtained and the rights of the affected persons are
protected by the data harvester.
Standardized
Consumer Taxonomy
(Meta-Data) et al. acc. to Google
Proposal Aug. ´19
Through a standardized procedure, only taxonomies, such as interests, are
assigned to the user as meta data or IDs. An individual user ID is not
created. Target group targeting and DCO would thus be possible without
personal data, not only on contextual placements. All data are in the
hands of the user, he has full transparency, choice and control over his
data and thus GDPR Art. 12 - 23!
3rd Party Cookie is blocked and Local-Storage needs a Consent. Alternatively, a
profile would have to be provided by the browser manufacturers to store the
taxonomies / meta data, but this is currently not provided in any browser.
If the collected taxonomies cannot be aggregated to a single person
or if the segment size is high enough, there is no PII and the GDPR is
not applicable!
[Icons are from FlatIcon.com]
POSSIBLE COOKIE SUBSTITUTIONS
6. 6Reader-Version
Not quite. There is still the GDPR!
As shown in the table, a simple "move the data" or "move an identifier to another
location" is not enough. Unfortunately, the biggest misconception is that the topic
only revolves around the cookie.
It is actually about personal data as well as transparency, selection and control of
recipients and content by the user.
I.e. with an "alternative storage space" one does not deal, on the one hand, with the
consent according to art. 6.1.a GDPR nor can browsers or AdBlockers be cheated for
a long time (Browser War 3.0).
But this also means that online advertising, programmatic planning and purchasing,
targeting, attribution, etc. are not dead - it is not as easy as with the antiquated
cookie.
COOKIE SUBSTITUTION & ALL IS FINE?
7. 7Reader-Version
To compensate the lost signals
Non-Blocked Cookie Substitutions with Consent
Aggregation & anonymization of (1st party, not only online,) PII with Consent to
household graphs or meta-segments
"Reanimate" classic contextual, editorial environment planning
Use semantic-NLP, brand save, in programmatic
Filling the gaps in the journey by advanced statistical methods and machine
learning (AI)
SHORT TERM
8. 8Reader-Version
Transparent targeting in the hands of the user
In addition to the Short Terms:
Standardized Consumer Taxonomy via Browser (MetaData)
Pay-with-Data / Login Alliance Models
LONG TERM (IN A PERFECT WORLD)