Please keep those cookies but, for heaven’s sake, deprecate consent banners

I very much enjoyed chatting with Carissa Véliz once again last Friday (LinkedIn Live session, put together by the Ethical Commerce Alliance ), this time aiming to better understand the context and longer term consequences of Google’s decision to shelve the deprecation of third party cookies in Chrome.

The topic has surely been discussed to death, but I think that we managed to explore a couple of new angles.?

Here’s a little summary of the things I had in mind walking into our session, as well as a more structured set of conclusions (my own!) for future reference. Please add your thoughts.

First off, a TL;DR:

Given that neither privacy advocates nor competition authorities or digital advertising stakeholders find the Privacy Sandbox to be a reliable alternative to third-party (3P) cookies, it was becoming clear that they were to be replaced by a combination of consent pop-up armageddon and far more intrusive ID-based targeting solutions. In sum, the worst of both worlds: annoying, never-ending banners and a solution that is objectively considered more intrusive than 3P cookies.?

We are instead presented with a single persistent choice (yet to be defined) and two alternative frameworks for interests-based or profile-based advertising, with the current solution (3P cookies) representing the latter.

Now, for the crucial details:

• The UK Competition and Markets Authority (CMA) has led the scrutiny of the various protocols conforming Chrome’s Privacy Sandbox, once it became clear that these would determine the impact of a 3P cookie deprecation on the wider digital advertising market. The CMA’s latest report on their progress (hosted by the W3C and split across various working groups ) showed many pending concerns and pointed at a never-ending quest to satisfy all parties.?
• Despite being quite obvious to most that Topics API (a key building block of the Privacy Sandbox) is a more privacy-friendly approach to digital advertising than 3P cookies, the most relevant authorities and privacy activists have made it clear that they cannot support it as it stands. While the UK’s ICO shared concerns that a growing list of topics could be used to identify data subjects (undoubtedly true, even though, at nearly 470 today, we are still far from the 30,000 cohorts originally proposed under a previously discarded standard -FLoCs), Max Schrems’ NOYB considers it to be “privacy washing” , and the CEO of Chromium-based Vivaldi’s goes even further, to label it “spyware” .?
• While the Privacy Sandbox is attacked from all angles, the industry’s own alternative to such cookies remains even worse than the solution it comes to replace, building unique identifiers on the back of hashed email addresses and phone numbers -a practice that even the FTC clarified would be far from providing end user anonymity.?
• After extensive Privacy Sandbox tests with the 1% of Chrome users for which Google had already removed 3P cookies, Criteo and others estimated that publishers were losing 60% of their revenue . The IAB Tech Lab made it clear that the new framework was not supporting video ads, and publishers participating in the pilot complained about latency issues (resulting from moving the bidding logic to the browser). Bottom line: Digital marketing stakeholders are not happy.
• Most importantly from my point of view, the whole advantage of using a more privacy-friendly solution is counting on a larger sample size (than that resulting from having to gather consent for ID-based solutions, for instance), but France’s Data Protection Supervisory Authority (CNIL) dashed such hopes with a requirement that Topics API relies on consent -in the name of the never updated ePrivacy Directive-, while NOYB followed Google’s efforts to require such consent by filing a claim before the Austrian DPA.?
• Google is facing the US Department of Justice (DoJ) in early September over its dominance of the open advertising world (a separate case from the one that just deemed Google Search a monopoly). Imposing its own standard on Chrome would only extend remedies to the browser and perhaps even Android (for which the Privacy Sandbox has also been released). It does not make much sense to drag the browser into the game at this stage.?

?So, what does this really mean? What is Google offering instead? Can it get worse?

The choice on the table

The Google team has spoken of “elevated user choice” in the brief blog post that announced their latest decision.?

Are they referring to giving preference to our personal agency and the long-standing principle of individual participation? No, we are rather fighting to decide who will have to struggle to persuade data subjects to run counter to the natural flow of their internet browsing, as it seems obvious that, for all the studies about people really worrying about their privacy , few people care enough to spend thirty seconds of their life disabling third-party cookies - and for all the surveys showing an overwhelming preference for relevant ads , nobody walks into Safari to enable such cookies in the hope of more targeted offerings.?

Convenience and defaults are at stake, therefore, and Google is most likely referring to a direct opt-in (to 3P cookies) system.?

Does it mean using a prompt à la Apple App Tracking Transparency (ATT) ? Well, as often debated in ad tech circles, the company is caught in a catch-22 situation. If it relies on a similar prompt (“Do you want to be tracked?”) it will be accused of favoring its own properties, as it is to them (as well as Meta’s or Amazon’s) that advertisers will flock in the absence of signals in the open market. If, on the other hand, it makes it much more appealing, it will equally be accused of favoring the current status quo in favor of a less privacy-safe but so far better performing open market, mostly powered by its own stack.?

However, if we bear in mind the upcoming DoJ case, addressing Google’s ownership of both the leading supply-side platform (Google Ad Manager) and a primary ad exchange (AdX), the latter approach would definitely produce the worst possible optics, increasing the chances that future remedies drag Google Chrome into a drastic break-up of the company’s assets.?

That said, both choices offer a shot at getting rid of insufferable consent banners. And I really believe that this prospect is the single most positive thing to ever come out of this drama.?

Still, what would the real impact of the announced change be on all of the stakeholders? Obviously, it depends on our perspective of the pre-existing background.

From where I stand:

• "Walled gardens" trade in behavioral signals and first-party/direct relationships, offering precise targeting capabilities that actually work (whether they are worth the prices they charge is another matter). Their sheer audience volumes have forced quality media publishers to play by the same rules, against their nature, with questionable results .?
• Publishers do not have the resources or the internal culture to explore bold, high-impact alternatives. This is why ID-based solutions have prevailed as an answer to the looming cookieless world, given that they sit on top of the existing ad tech pipelines.?

• If consent is the only possible legal basis for digital advertising endeavors to comply with data protection regulations, then Big Tech will always win, as they command a disintermediated relationship with the audience, while the open market (in which no single publisher commands enough volume or leverage) relies on third-party relationships.?

So, surely, stakeholders in the open web that today rely on a mature system for addressability, fraud management or frequency capping on the back of a 50% 3P acceptance rate on Chrome browsers (already shaky enough given its smaller share on mobile devices, and the manner in which such rates are accomplished today) have the most to lose if the solution looks anything like ATT in iOS . I believe this would be the same whether new prompts are launched for each and every website (truly replicating ATT) or a single choice takes place at the outset - and I really hope it is the latter.?

Who wins??

I would say consumers in the short term -before the tide carries away the free press and small retailers, leaving us at the mercy of Insta-Facebook, YouTube-Google and Amazon.?

Which perhaps is all we want.?

What do we really want??

Here’s where I think most of us would benefit from a little introspection.

I believe that niche, small retailers do need basic targeting capabilities if they are to survive. These should never involve sensitive categories of data, or children. In my dream world it would be individuals themselves who share their preferences and needs in their own terms (à la Intentcasting ), but I have learned to settle for much less after a few experiments , provided that we help such businesses escape Meta’s black hole -I find it painful to watch one startup after another hand over to Instagram the little margin they make for as long as they can survive on their investors’ money. I do not want to live in a world in which everybody works for Insta-Facebook, either supplying it with free content or paying a revolutionary tax to show up next to such content, for the sole reason that the company was faster or more aggressive in digitizing our social graph at the one point in time when it really mattered.

I also want the same advertisers to find new customers in a respectful way that can rely on the legitimate interest’s three-part test rather than illusory, delegated consent. This is consistent with a Privacy by Design approach, and would guarantee that we enjoy?non intrusive, targeted advertising. After all, a binary, blanket consent requirement results in a race to the bottom and data gluttony by design - Why stop short at interest cohorts if I can build psycho-DNA clones under the cloth of the same indecipherable prompt that nobody will understand anyhow? This requires an urgent amendment to the ePrivacy Directive.

I want journalism to survive, and knowing what I know about the very limited ability of media publishers to innovate or even adapt, we probably need to help them escape the dictatorship of vanity metrics, but these are imposed by every single participant in the status quo, including media agencies and marketing executives. Quality media can offer quality inventory and alternative channels with unmatched reputational value and unique untested capabilities built on richer content taxonomies. This will still be labeled as “behavioral” advertising, as we are referring to context-defined interests across multiple websites, but avoiding purely “contextual” solutions should help us steer away from favoring mass-market brands (often the most harmful for both public health and the environment).?

I do not feel the specific urge to destroy Big Tech just because they are ruthless, selfish, giant, and American (with privacy, competition and everything else becoming mere tools to accomplish my goal).

So, putting my own priorities in order, this is what such introspection throws as my accepted trade offs:

• Give me locally-stored, cross-site interests or “topics” (by all means, keep adding safeguards to prevent fingerprinting).?
• Let me rely on legitimate interest when targeting audience cohorts on the back of such topics.?
• Do not allow websites to break this balance by asking for my consent in order to serve their own identifiers or alternative means of profiling, as if it were the bleach that cleans all stains.?

And with such rambling out of my system I am ready to head for the beach :) Happy rest of the summer.

NOTES

• Our talk is still available here .
• A previous exchange with Carissa Veliz can be found on the Masters of Privacy feed.