How The Third Party Cookie Crumbles: Tracking And Privacy Online Get A Rethink
from the important,-but-not-as-important dept
Google made some news Wednesday by noting that once it stops using 3rd party cookies to track people, it isn’t planning to replace such tracking with some other (perhaps more devious) method. This news is being met cynically (not surprisingly), with people suggesting that Google has plenty of 1st party data, and really just doesn’t need 3rd party cookie data any more. Or, alternatively, some are noting (perhaps accurately) that since Google has a ton of 1st party data — more than just about anyone else — this could actually serve to lock in Google’s position and diminish the alternatives from smaller advertising firms who rely on 3rd party cookies to bootstrap enough information to better target ads. Both claims might be accurate. Indeed, in the “no good deed goes unpunished” category, the UK has already been investigating Google’s plans to drop 3rd party cookies on the grounds that it’s anti-competitive. This is at the same time that others have argued that 3rd party cookies may also violate some privacy laws.
And, yes, it’s possible that it can be both good for privacy and anti-competitive, which raises all sorts of interrelated issues.
In theory cookies should have been very pro-privacy. After all, they’re putting data on end user computers where they have control over them. Users can delete those cookies or block them from being placed. In theory. The reality, though, is that deleting or blocking cookies takes a lot of effort, and while there are some services that help you out, they’re not always great. In an ideal world, we would have built tools that made it clearer to end users what information cookies were tracking, and what was being done with that information — as well as consumer-friendly tools to adjust things. But that’s not the world we ended up in. Instead, we ended up in a world where the hamfisted use of 3rd party cookies is generally just kinda creepy. In the past, I’ve referred to it as the uncanny valley of advertising: where the advertising is not so well targeted as to be useful, but just targeted enough to be creepy and annoying by reminding you that you’re being tracked.
The actual death knell for 3rd party cookies happened a while back. Firefox and Safari phased out 3rd party cookies a long time ago, and Google announced plans to do the same a year ago, with an actual target date for implementation a year from now. Today’s news was more about what happens next, with Google promising not to use some sneaky method to basically replace cookies with something even worse. There is a concerted effort by some to track you through a “hashed email address”. This is really creepy and kinda sketchy.
So, Google’s latest point is that it’s not going to use some other unique identifier, and recognizes that the hashed email based-identifier is a bad idea:
We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not ? like PII graphs based on people?s email addresses. We don?t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren?t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.
Instead, Google is pushing for a different kind of solution — what it has referred to for a while now as a “Privacy Sandbox.” The idea is not to track individuals but rather to dump you into a “cohort” of similar users, thereby not needing unique identifiers, just slightly more general ones. Google has taken to calling this cohort setup “Federated Learning of Cohorts”, or FLoC, which it recently declared to be 95% as good at targeting ads, but in a less creepy way.
In many ways, this is obviously better than the use of full-on individual tracking via 3rd party cookies (or hashed emails). It’s sort of a step away from individual targeting and at least a very slight movement back towards contextual advertising, which is something I’ve argued both Google and Facebook should do. But it’s still not ideal. You still have the concerns about how much data Google has about you, and you still have the concerns about whether or not this locks in Google’s position. Those don’t go away with this move.
And, of course, there’s the other framework to think about this: the never-ending threat of new privacy laws. So much of the focus on privacy legislation is (stupidly) about fighting the last battles, and that’s why things like the GDPR and California’s CCPA focused on useless and counterproductive cookie notifications. In some ways, this could be seen as a step towards getting ahead of that coming meteor, sidestepping it by saying “okay, okay, there are no more third party cookies.”
In the end, you can’t argue that this is a great solution or a terrible one. It is… just a change. A change that helps one aspect of how our current online privacy paradigm works, but which might cause other problems. It’s good in that it’s a further step towards the end of 3rd party cookies, which have been abused in creepy ways for too long. But it doesn’t really fix overall privacy issues, and could still help lock Google into a position of dominance.