Moving the Web Beyond Third-Party Identifiers
(Thispiece overlaps a bit with Mike's piece from yesterday, Howthe Third-Party Cookie Crumbles";Mike graciously agreed to run this one anyway, so that it can offeradditional context for why Google's news can be seen as ameaningful step forward for privacy.)
Privacy isa complex and critical issue shaping the future of our internetexperience and the internet economy. This week there were two majordevelopments: first, the State of Virginia passed a newdata protection law,the Consumer Data Protection Act (CDPA), which has been comparedto Europe's General Data Protection Regulation;and second, Googleannounced that itwould move away from all forms of third-party identifiers for Webadvertising, rather than look to replace cookies with newertechniques like hashes of personally identifiable information (PII).The ink is still drying on the Virginia law and its effective dateisn't until 2023, meaning it may be preempted by federal law ifthis Congress moves a privacy bill forward. But Google's actionwill change the market immediately. While the road ahead is long andthere are many questions left to answer, moving the Web beyondcross-site tracking is a clear step forward.
We'rein the midst of a global conversation about what the future of theinternet should look like, across many dimensions. In privacy, onehuge part of that discussion, it's not good enough in 2021 tosay that user choice means take it or leave it";companies are expected to provide full-featured experiences withmeaningful privacy options, including for advertising-based services.These heightened expectations-some set by law, some by themarket-challenge existing assumptions around business modelsand revenue streams in a major way. As a result, the ecosystem mustevolve away from its current state toward a future that offers aricher diversity of models and user experiences.
Google'sPrivacy Sandbox, inparticular, could be a big step forward along that evolutionary path.It's plausible that a combination of subscription services,contextual advertising and more privacy-preserving techniques forlearning can collectively match or even grow the pie for advertisingrevenue beyond what it is today, while providing users withcompelling and meaningful choices that don't involve cross-sitetracking. But that can't be determined until new services arebuilt, offered and measured at scale.
Andsometimes, to make change happen, band-aids need to be ripped off. Byending its support for third-party identifiers on the Web, that'swhat Google is doing. Critics of the move will focus on theshort-term impact for those smaller advertisers who currently rely onthird-party identifiers and tracking to target specific audiences,and will need to adapt their methods and strategies significantly.That concern is understandable; level playing fields are important,and centralization in the advertising ecosystem is widely perceivedto be a problem. However, the writing has been on the wall for a longtime for third-party identifiers and cross-site tracking. Firefoxblocked third-party cookies by default in September2019; Apple'sSafari followed suit in April2020-Firefoxfirst made moves to block third-party cookies asfar back as 2013,but it was, then, an idea ahead of its time. And the problem wasnever the cookies per se;it was the tracking they powered.
As forleveling the playing field for the future, working through standardsbodies is an established approach for Web companies to shareinformation and innovate collectively. Google'sengagement withthe W3C should,hopefully, help open doors for other advertisers, limiting anyreinforcement effects for Google's position in Web advertising.
Further,limits on third-party tracking do not apply to first-party behavior,where a company tracks the pages on its own site that a user visits,for example when a shopping website remembers products that a userviewed in order to recommend other items of potential interest. Whilefirst-party relationships are important and offer clear positivevalue, it's also not hard to imagine privacy-invasive acts thatuse solely first-party information. But Google's moves must becontextualized within the backdrop of rapidly evolving privacylaw-including the Virginia data protection law that justpassed. From that perspective, they're not a delaying tacticnor a substitute for legislation, but rather a complementary piece,and in particular a way to catalyze much-needed new thinking and newbusiness models for advertising.
I don'tthink it's possible for Google to put privacy advocates'minds at ease concerning its first-party practices through voluntaryaction. To stop capitalizing totally on its visibility into activitywithin its network would leave so much money on the table Googlemight be violating its fiduciary duty as a public company to serveits shareholders' interest. If it cleared that hurdle and stoppedanyway, what would prevent the company from going back and doing itlater? The only sustainable answer for first-party privacy concernsis legislation. And that kind of legislation will struggle to befeasible until new techniques and new business models have beentested and built. And that more than anything is the dilemma I thinkGoogle sees, and is working constructively to address.
Often,private sector privacy reforms are derided as merely scratching thesurface of a deeper business model problem. While there's muchmore to be done, moving beyond third-party identifiers goes deeper,and deserves broad attention and engagement to help preserve goodbalances going forward.