What Next After the Cookie Crumbles?
Most of us nowadays understand that the places where we spend most time online — Facebook and Google mostly — charge us no money. Instead, they make their fortunes from the advertisers who pay to sell us their wares while we’re there. For them therefore, we are the product.
What many increasingly object to is just HOW MUCH these tech giants know about us. It would also be wise to think about HOW they know it especially as that is about to become centre stage.
For many of us, the issue of cookies — what they are and what they do — has never been a big deal. It was likely only the introduction of European data law (GDPR) that made us give them much attention because we were bombarded with tick boxes to agree to their use. Even if we don’t understand exactly how they work, we know that they’re how ads are targeted based on what is known about us.
Even though we may only just have become used to cookies, it will soon be time to think about life after them. Google has announced that it will stop supporting cookies in Chrome next year. This of course does not mean that Google and its advertisers will stop targeting ads based on our behaviour — they’ll just do it differently. Defining that difference is the biggest issue facing online advertising and, since it’s advertising that indirectly pays for many of the services that we use online, it’s one of the biggest issues facing online itself.
The sensitivity of cookies is of course that they are collecting information about our behaviour that we haven’t directly volunteered. It’s one thing to submit personal information in a form but quite another to have it collected invisibly by virtue of the fact that we have visited a site. Still another to realise that it’s shared across a myriad of invisible companies involved in the ad serving ‘ecosystem.’ It’s not hard to see why a lot of people would like to see them gone.
Google’s announcement has set the clock ticking. The company itself has of course been investigating alternative means of targeting (via its Privacy Sandbox) and has announced its proposed choice to protect its vast advertising incomes. It is now attempting to convince both advertisers and consumers that this new way is better because it uses ‘privacy preserving technologies’ and ‘anonymisation’ yet nevertheless maintains the ability to personalise ads. On the face of it that looks contradictory.
The claim is that Google ‘Federated Learning of Cohorts’ or FLoC will create groups in which similar behaviours are aggregated and by which ads can be targeted but without individual identities being generated. We might therefore be shown ads for mowers because Google has identified browsing activity across gardening sites — without ever knowing who we are.
This might seem to be a big step but actually cookies know less about ‘you’ than you might think. They identify a device — not even a user of that device. For that reason, they were always treated as anonymous by the online ad industry. Then the GDPR defined them as ‘personal’ and, in one fell swoop, everything was turned on its head. Nothing actually changed in what was being done but everything changed in the way that it was defined. A large, complex and very lucrative industry suddenly had to explain what cookies did and ask permission for consumers to allow them to do it. The result was pain for businesses and suspicion for consumers. Jettisoning cookies started to look like a good way of being rid of both.
If FloC is to be one of the ways to do it, then it’s hard to escape an odd retro feel because it strongly resembles pre internet targeting. Back in the 90s and before when I was a young marketer, direct mail was often targeted on such a generalised basis. One example was that buyers of a sofa from Habitat were classed as having a certain sense of style which in turn was assumed to be an indicator of a particular demographic. Another was the use of categorisations built using census and electoral roll data that would define everyone in the 18 households of a postcode as a certain ‘group type’ for targeting. Yes, the data companies had names and addresses but advertisers generally didn’t.
FLoC may well be a twenty first century version of this group based (‘birds of a feather flock together’) approach but its detractors point out that browsing data is still likely being collected at device level even if it’s not being applied that way. Moreover they point out that Google has yet to define what these groups will be (might gender, ethnicity or sexual orientation be attributes within them?) and they fear that groups could be used to adversely discriminate (tarring with the same brush) more broadly than can individual identities.
Cookies are good at collecting and combining data from a large number of sites across the web. That’s why they have been the foundation of today’s complex advertising landscape — and why this is the area of greatest concern.
Sensitivity is greatly reduced — or arguably even removed — when they are used within a single site or by a single company. Over 20 years ago now I was one of the founders of a company that used this direct permission to serve ads and send emails, whilst always retaining central control for the consumer. This is a long way from today’s world where our permission is given to one company and our data is shared unknowingly amongst a huge array of companies in the advertising chain, none of which are likely to be known to us.
Today, there are just a tiny handful of companies to which we give this direct permission and with which we have this direct relationship. Facebook and Google head the list and so removing cross-site cookies would further strengthen their position whilst side-lining challengers who would likely be unable to survive without advertising income (the Competition and Markets Authority estimates that news sites would see their revenue decrease by 70% if they couldn’t serve cookie-based ads.) This is why the CMA is investigating Google’s plans as a suspected breach of competition law in the UK; the EU is looking on too. It’s also one of the reasons that some of us (albeit a tiny number) eschew Google in favour of specialist browsers/search engines (e.g. Firefox/DuckDuckGo) that do not track and why Apple is luxuriating in its business model that is not based on personal data.
Most of us though can’t avoid these concerns because of the ubiquity of services with which they’re associated. We might therefore be on the lookout for a bigger and more fundamental way of addressing our privacy worries. Here’s one. How about companies stop tracking us for indirect ad income and start charging us to create direct service income? It sounds simple but it would likely wreck Facebook and Google as we know them because they’d see their user numbers decimated if we refused to pay for what we’re used to having for nothing. It’s too bold a move and too big a risk for the companies to take if they have a choice.
The choice however will not always be theirs. As we become increasingly aware of the value to these companies of our data, huge numbers of us may simply insist on at least having the choice. This is especially so when the issue of security is combined with that of privacy. Late last year, Google admitted that millions of its Gmail accounts had been hacked and personal data compromised; very recently, Facebook’s apparently casual approach to the loss of over 500m users’ data (downplaying the event as a problem that was ‘found and fixed in August 2019’ despite the fact that the data is still out there somewhere) sounds uncomfortably similar to its response to the Cambridge Analytica fiasco. Our sensitivity to all this is driven by prominent media attention (including Netflix’s ‘The Social Dilemma’ and Roger McNamee’s ‘Zucked’) such that events like this are no longer somewhere in the business pages; we all know that we need to take notice. The data here is MUCH more sensitive than cookie (or FLoC) data but the issue of trust is not.
The online ad industry has traditionally seen itself as being based on a value exchange — we give up our data for advertising in return for free access to services. For consumers though, that exchange was rarely recognised as a choice. If we think about it as one then we must ask ourselves what we get in return. We might expect targeted, intelligent and non-invasive/non creepy ads. Despite the vast databases and AI based technology behind the ad industry, it’s rarely what we get.
Whatever means of targeting the industry decides to favour post cookies, this question will remain. Until we consumers have a better answer it is likely that a bigger challenge to the ad funded model will remain in the shadows.
