Requiem for a Cookie Part 2: The AdTech Phoenix is Reborn

As the world turns anew in 2022, a seismic shift is underway in the AdTech industry as detailed in the first part of this Requiem for a Cookie series: online tracking technology as we know it is likely undergoing a permanent change. More specifically, the third-party cookie, which has been the dominant method for tracking online user behavior, is quickly being phased out—and in many instances pushed out by regulators. Out of the ashes of soon-to-be outdated tracking techniques, however, arise multiple privacy-forward alternatives. Which technique or techniques will ultimately replace third-party cookies, however, is unclear, and 2022 is expected to bring clarity to the plethora of alternative options currently vying for dominance. Pushing for third-party cookie eradication and leading the charge into new alternatives, Europe is a key incubator for new development in the space. Most notably, the Belgian Data Protection Authority (BE DPA) is spearheading a reanalysis of the Transparency and Consent Framework (TCF) implemented by the Interactive Advertising Bureau (IAB). Broadly adopted within the AdTech industry, the TCF stands today as the dominant consent solution utilized to satisfy EU members' affirmative consent requirements. But the days of TCF's prevalence appear to be waning as the BE DPA is expected to imminently release a decision confirming alleged infringements by the IAB arising from use of the TCF—specifically violations of the General Data Protection Regulation (GDPR) consent and transparency principals. As of the date of this article, the BE DPA is awaiting potential feedback from other European data protection authorities on its draft decision regarding GDPR infringements, and it is expected that this will be one of the first major privacy developments in the AdTech space of 2022. Given the uncertainties around TCF, many AdTech players have been implementing new techniques that are expected to eventually replace third-party tracking cookies. The French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) already released a statement warning individual consumers and data subjects that "the end of the use of third-party cookies does not mean the end of tracking Internet users online." [1] To make sense of the array of alternatives that are in development, the CNIL categorized prominent alternative technologies into four categories, as described below:

• First-party cookies and fingerprinting. While the eventual deprecation of third-party cookies is anticipated, the vitality of first-party cookies appears strong. Often necessary for certain operations and for website functionality, first-party cookies are only created and stored on the website a user directly visits. The CNIL cautions, however, that first-party cookies can still be exploited by third parties, as they can be configured to "return data via URL calls on the advertiser's domain." [2] A similar tool is known as "fingerprinting" and is another tracking technique whereby the information provided by a user's browser regarding the technical specifications of a user's hardware (e.g., the operating system or screen size) is collected and used to build a user profile. This information, when sufficiently specific, can be used to track users in a manner similar to cookies.
• Single Sign-On (SSO). Primarily used to facilitate a user's online connection, SSO allows the user's account to follow the user while browsing other related websites to which the user's credentials apply. The account can then be used as a tracker across those websites.
• Unique Identifiers. By tracking users via hashed data relating to a unique identifier (for example, Apple's Identifier for Advertisers or IDFA), third parties can use the login information and email addresses to link usage of various services.
• Cohort-based Advertising Targeting. Primarily pioneered by Google's Federated Learning of Cohorts (FLoC), cohort-based targeting avoids targeting individuals by instead clustering a large group of people with similar interests and assigning the group a unique identifier. This enables individuals to effectively "hide in the crowd" while allowing advertisers to reach appropriate audiences.