Privacy in the Future of Advertising

Online content is often free — that’s thanks to the blessing and curse of targeted advertisements. But the vast network of personal data capture technologies that enables targeted ads is coming under growing scrutiny from users and regulators. As a result, current methods for tracking users online are going away, and advertising companies are attempting to launch replacements that sometimes respond to — and sometimes evade — privacy concerns.

That raises new questions around which of these many proposed alternatives will gain adoption, and what each means for personal data collection. Gartner clients can read more about emerging targeting efforts in the Hype Cycle for Digital Advertising, 2021.

Tracking Today and New Regulations

Whereas traditional TV ads reach every viewer at once, online ads can be displayed to one individual at a time, making them more relevant, effective and valuable. To show the right ad to the right person at the right place and the right time, advertisers use a long list of personal data points — including your age, gender, location, income, the websites you visit, the places you go, the content you watch, the products you buy, the emails you open, and even the other ads you’ve seen.

Increasingly, internet users and governments are paying attention to personal data collection. The European Union enacted the General Data Privacy Regulation (GDPR) in 2018 to require greater transparency and consent for personal data collection. Other governments, notably in California and China, followed suit.

Growth of the Walled Gardens

Tech gatekeepers like Google and Apple have responded to this pressure by preemptively reforming online tracking in ways that address some of the growing privacy concerns, but simultaneously preserve or expand their dominant positions.

Google plans to end its support of third-party cookies, the identifier that companies rely on most to track users across the open internet. Blocking these cookies will strongly limit the open trading of personal information. However, it won’t prevent “walled garden” ecosystems like Google and Amazon from collecting information and selling targeted ads, so these ads will likely become more valuable, while smaller publishers that rely on selling ads will suffer.

Apple has created a more privacy-safe experience for its users, and is marketing itself as a privacy-centric brand. For one, Apple now requires informed consent before apps can track you on an iOS device. While this is a win for privacy advocates, it also makes app developers more dependent on App Store revenue instead of ad revenue, and Apple takes a percentage of those sales.

Amazon also sees opportunity. Historically, its small ads business has primarily focused on helping brands sell on Amazon.com. But as independent publishers and advertisers lose access to consumer data across the open internet, Amazon’s ownership of that data becomes more valuable. With media channels like Twitch and sales channels like Amazon.com and Whole Foods, Amazon can still provide targeted and measured advertising. As such, Amazon is expanding its ads offerings at a rapid pace, and the platform stands to attract a growing share of advertising budgets.

Advertising within the walled gardens prevents the free exchange of personal information on the open internet, but doesn’t prevent the walled gardens themselves from collecting and using this information however they see fit. In the case of Amazon, the end of traditional tracking technologies likely accelerated their development of new targeted advertising capabilities. In the short term, advertisers may shift budgets toward these walled gardens, since they match or exceed the clarity of targeting available on other media channels.

Email-Based Identifiers

The actions of regulators, Google and Apple are causing independent advertising technology companies to develop new ways of tracking customers online. Some of these strategies better preserve user privacy, while some of them sidestep the issue altogether.

One common model involves capturing a user’s email address to track them across multiple websites where they’re signed in. The most prominent of these email-based solutions is Universal ID 2.0, an identifier shared across a coalition of publishers and ad tech companies led by The Trade Desk. UID 2.0 creates a shared Single Sign On system across websites. Users can view ad-supported sites’ content for free if they sign up for tracking across the UID 2.0 network.

Email-based identifiers like UID 2.0 allow independent publishers and advertisers to capture and share personal data, similar to what they can accomplish with current tracking technologies, while promising users more control over how they’re being tracked.

But questions remain over whether email-based identifiers will be the best or the worst of both worlds. UID 2.0 only works for publishers within the consortium. That will exclude a lot of the time consumers spend online, hampering data collection. And because UID 2.0 is an open consortium, consumers can’t know who has access to their data now or in the future, and therefore can’t give fully informed consent to share it with them.

Personification

Personification solutions group web users into cohorts, such as demographic or interest groups, without passing their identity along to advertisers. Instead of targeting individuals, advertisers target these cohorts. The most prominent personification initiative is Google’s Federated Learning of Cohorts (FLoC), but independent ad tech companies like Neustar offer alternatives.

With Google’s backing, FLoC is gaining traction among advertisers. Its personification solution lives in a user’s browser and communicates to a centralized server. Many advertising technology providers plan to support FLoC for ad targeting. Browsers, however, are less convinced. Firefox has already announced that it won’t support FLoC, while Microsoft Edge has hinted it is unlikely to do so. DuckDuckGo plans to allow users to block FLoC even within Google Chrome using its browser extension.

Some groups are unconvinced by FLoC’s claim of greater privacy. The system still leverages personal data — such as a user’s interests — without their explicit knowledge and consent. Further, personification systems often leverage artificial intelligence to infer user traits beyond users’ demonstrated behavior online, leading to what some users consider an invasive level of personal knowledge.

The effectiveness of personification is also largely unproven. Google claims it is 95% as accurate as existing individual-level tracking technologies, but more time is needed for advertisers to test these claims in the wild. That’s partially why in June, Google delayed the transition away from existing tracking technologies for an additional two years.

Data Clean Rooms

Data clean rooms are platforms for advertisers to send targeted ads and measure ad performance without receiving individual-level data or users’ personal information. Ads, targeting specifications and budget go in, and aggregated performance reports come out. Walled gardens like Google and Amazon offer clean room solutions, and several agency-run alternatives exist as well.

While clean rooms give advertisers less visibility into a user’s behavior, they don’t prevent the company managing the clean room from collecting that data in the first place. In theory, personal data is also susceptible to breaches.

Clean rooms face several obstacles to adoption. Marketers dislike them because they provide less transparency into how their ad budgets are spent. They also require a long deployment effort and a high degree of technical knowledge to operate. When managing multiple data clean rooms to comply with privacy laws around the world, they also create a logistical headache.

Device Fingerprinting

Without cookies to track users across websites, some ad tech companies have turned to device fingerprinting. When you visit a website, a company records attributes of your device — including the default language, IP address and screen size to create a “fingerprint.”

Device fingerprinting is at least as privacy-invasive as cookies, and the resulting data is generally worse quality. Because fingerprinting happens on a server, rather than on the user’s device, it gives users little to know control over when and how they’re being tracked. And whereas cookies can identify each unique device with certainty, Fingerprinting relies on a probabilistic model to determine whether the server is interacting with the same device across browsing sessions. That model can be incomplete or wrong, reducing the effectiveness of ad targeting.

But fingerprinting is already facing pushback similar to the third-party cookie. Browsers including Chrome, Firefox and Safari already attempt to block device fingerprinting. It’s therefore unlikely that fingerprinting will become the new standard for ad targeting on the open internet.

Single-Publisher Initiatives

Like the walled gardens, some large publishers have built out their own abilities to target ads in the absence of third-party cookies. These initiatives generally leverage the publisher’s own data on users to target ads, rather than data they collected openly on the internet.

The New York Times has one such initiative. The newspaper measures which articles users read and interact with to determine their interests. Separately, it gives a survey to a large panel of readers, asking about their purchase habits. Because the New York Times knows both the survey responses and the reading habits of the panel, they can use machine learning to extrapolate the purchase behavior to other users who weren’t in the panel but behave similarly to those who were. They can then use this data to target ads to all users.

Like tracking technologies from the walled gardens, publisher-led targeting initiatives like this don’t stop the collection of a user’s personal data, but do prevent advertisers from accessing it directly. Smaller publishers, without the resources to build a sophisticated measurement operation or the volume of frequent readers necessary for this strategy, will likely be left out.

Contextual Targeting

The last targeting alternative is essentially not targeting users at all. Advertisers would instead target ads based on the content on a webpage, without knowing who is viewing it.

These solutions, called contextual targeting, have been around as long as advertising itself. When a beer brand buys airtime for Monday Night Football, that’s contextual targeting. New technologies promise to make contextual targeting better — artificial intelligence algorithms can interpret webpage content, and serve ads more specifically relevant than was traditionally possible.

No user data is necessary for contextual advertising. But without the ability to identify who saw a given ad and how it affected their likelihood to make a purchase, advertisers will lose visibility into ad effectiveness. That level of visibility has been a key selling point for online ads, and without it, ad-supported publishers will likely face declining revenues.

What This Means for Data Privacy

In some of these new targeting programs, users have no greater control over their data privacy than they had before. In others there is a real advance in users’ privacy, accompanied by caveats and obstacles to mass adoption. So far, no new ad targeting solution for the open internet has emerged as a clear winner. Whether it’s possible to maintain targeted ads in a privacy-safe world, and whether independent publishers can survive without them, has yet to be seen.