What will a Post-Cookie World Look Like?

I had the honor of speaking last week at the International Association of Privacy Professionals (IAPP) Privacy Academy and CSA Congress 2014. The formal title of my presentation was “The Future of Maintaining State: Business and Policy Considerations for Next-Generation Tracking in the Mobile Environment.”

A simpler title for my presentation could have been “What is the Post-Cookie World Going to Look Like?” 

Over the past 20 years, the http cookie has played a critical role on the Internet serving as the method for “maintaining state” – the method for systems and services (such as a web site) to remember information about users, devices or software applications over time.  It may not be obvious to users today, but web traffic is inherently transient.  State maintenance is therefore crucial for the personalization consumers have come to expect online for managing preferences, account logins, shopping carts and Interest-Based Advertising which helps support free content and services.

It has taken a while, but as Bob Dylan said, “The Times They are a Changin’” for publishers, advertisers and ad tech.

What’s changin?  The move, or more like the stampede, by consumers to mobile.  Over 1.75 billion consumers now have Smart Phones.  Many of these consumers use multiple devices to surf the Internet from tablets, laptops, to mobile phones and addressable TV.  Brands, advertisers, and online services want to provide consumers a consistent experience across these devices and consumers are starting to expect just that.  If a consumer begins to research a product on their smartphone but makes the purchase on their laptop, brands want to be able to connect those experiences and obtain a holistic view of the consumer experience.

In addition to the move to mobile, technological improvement and the growth of social media platforms also accounts for the move to a world beyond cookies.  Social media platforms like Facebook, Twitter, Instagram and Pinterest for example, enable more engagement and generate more consumer-provided data.  The players in this new world include mobile apps publishers, mobile ad networks and exchanges, demand side platforms, advertisers (Brands), companies providing cross-device identification solutions and, of course, the two primary mobile platforms, Google Android and Apple’s iOS.

I don’t want to suggest that the http cookie is dead.  That’s not the case.  The http cookie continues to work well for the collection of data across websites on a browser, unless of course cookies are blocked by default on the software. The real challenge for advertisers is that 86% of use on mobile devices is in Apps, not on web browsers.  Cookies are not used to collect data across apps and thus are less useful in this App-dominated ecosystem.  Moreover, how will advertisers maintain the connection to the consumer across Apps and mobile devices – linking activity in mobile web browsers and apps on the same device and cross-device?  It won’t be with http cookies ¬¬– at least not alone.

So what’s the future like?  In my address at IAPP last week, I discussed three possible categories of alternatives to http cookies:

• Statistical IDs – Already in the market, this is the use of statistical algorithms that use information passed by the device, browser or operating system to infer a user ID that can then be used by publishers or third parties.

• Client IDS – Also already in the market, Client IDs are deterministic identifiers that sit on the app or browser.  Some are set by the server such as HTML5 local storage and so-called “flash cookies.”  Other are created client side by the OS such as the platform IDs on Androids and iOS.

• Centralized Cloud-Synchronized IDs – Not in the market, these IDs are set and managed through a centralized cloud service that all parties in the ecosystem agree to work with instead of a third party intermediary such as an ISP.  One recently announced effort to move forward with this type of solution is DigiTrust.

The move to a post-cookie world is inevitable.  But as we enter a world without cookies – or at least the diminished use of cookies— we are facing several compliance and consumer privacy challenges.  Each potential alternative to the cookie comes with different costs and benefits, pros and cons, and will be perceived differently be different stakeholders in the ecosystem.  In each case, we need to bake in privacy by design and ensure that there is transparency, notice, control, choice and accountability.  If we don’t, consumers and then brands will not embrace these solutions.

We at NAI are thinking about a post-cookie world on a daily basis. The NAI recognizes that the digital advertising ecosystem is rapidly evolving and individual companies are developing new technologies and business models to address these changes in the ecosystem.  The NAI Code requires notice and choice with respect to Internet-Based Advertising (IBA) and imposes a host of substantive restrictions on NAI member companies’ collection, use, and transfer of data used for IBA.  We are exploring how these core principles (which are based on the full set of Fair Information Practice Principles) apply in different contexts while remaining technology and business model neutral.  We are also examining technical, legal and policy issues so that we produce logical and practical policies that can be implemented and honored at scale by the full range of NAI member companies.

Stay tuned.  My presentation at IAPP last week was part of the ongoing dialogue.  In fact, Lydia Parnes, former director of the Bureau of Consumer Protection (BCP) at the Federal Trade Commission (FTC), and I will be speaking on a panel “Beyond Cookies and Cross Device Platforms” to kick-off Advertising Week in New York City as part of NAI’s complimentary in-house counsel invitation only networking event.  The panel and networking event will take place from 6:00 to 9:00 PM on Monday, September 29 at Bocca Restaurant & Bar.  Registration and more details can be found here. 

There’s more to come from NAI on how we as an industry can move forward in this post cookie world responsibly so that consumers, brands, publishers, and others continue to benefit from the diverse, competitive, free, ad supported Internet.