Digital Advertising after Third-Party Cookies

Finding a Path in a Privacy-Centric Market

Executive Summary

With changes to online advertising tracking infrastructure seeming to be both delayed and accelerating, stakeholders in the digital ad ecosystem are building, reinventing, or complacently waiting for alternatives to replace the power of third-party cookies. While the demise of cross-site tracking was years in the making, stakeholders are trying to determine the impact, as much remains unclear. Dozens of solutions, old and new, continue to be proposed as alternatives for third-party cookie functionality; however, none appears likely to replace all prior use cases. Instead, brands can use this opportunity to prepare over the next 18 months, ensuring data systems and processes are healthy and ready to integrate future standards.


Transformations in the Digital Ad Ecosystem

For nearly 25 years, the digital ad industry has been a domain of continuous and innovative change with technology and methodology borrowing and adapting from other fields and creating exponential advances. Maximizing the value of a small browser-based text file, Advertising Technology (AdTech) enabled brands to create nearly comprehensive and unified customer views. Combined with data platforms, the expansion of delivery channels, and real-time data analytics powered by machine learning, the industry was capable of an ideal goal: 

Provide the right message to the right person at the right time.

However, for many in the industry, recent and upcoming changes in AdTech have dampened enthusiasm. The third-party cookie, a small text file (averaging 36 bytes), is going away, as is the mobile ad ID that functioned similarly, potentially transforming the practices of digital advertisers, online publishers, mobile app developers, and end-users.

Since the late 1990s, advertisers have used third-party cookies as a precise method to track users across the internet, enabling targeting, personalization, retargeting, segmenting, and measurement. Responding to a variety of interests, needs, consumer sentiment, and regulation, several key AdTech players are moving to restrict how personal data is tracked, captured, and used. Apple’s Safari and Mozilla’s Firefox now block third-party cookies by default. Google has announced plans to phase out support for the practice as early as 2023. 

Since 2007, mobile app publishers have used unique identifiers to track users across the internet, enabling targeted advertising to reach audiences. This year, the two largest mobile OS platforms, Apple’s iOS and Google’s Android, moved to make the practice far less practical. In April 2021, Apple changed its settings to require users to opt in any time a new advertiser requests tracking. Google is scheduled to implement a similar restriction later in 2021.

These changes are driving advertisers, agencies, AdTech companies, and publishers to either develop or seek out solutions replacing the value lost with the deprecation of third-party cookies and mobile identifiers.

Why the Ad Industry is Restricting Tracking

While the most recent plans by Google’s Chrome and Android may be the tipping point that caught everyone’s attention, the drivers pushing for balance between privacy and commerce have a much longer history. 

A push for the protection of digital data in general, and for online users’ personally identifiable information (PII) specifically, has grown during the millennium. This increased focus on privacy parallels the growing base of internet users, their expanding personal experience and awareness, the personal data sharing of Web 2.0, and repeated high-profile data abuses. As a result of these changes in the data landscape, regulations began to become law, and tech companies began to respond to the accumulating pressure. 

Internet User Perceptions

Over the last two decades, internet users have grown from 43% of the United States to 90%, with over 313M active internet users, including over 275M accessing over mobile devices. Research published this year found that an overwhelming majority of Americans are online daily, while 31% report being online “almost constantly.” 

Millions of computer users are familiar with EULAs and Terms of Service from installing software and signing up for online services. Even though many quickly scroll down to find the “Agree” checkbox, users understand the agreements are complex and non-negotiable. Similarly, as the Brookings Institution observed, “Businesses are able by and large to set the terms on which they collect and share data.” A 2014 study on perceptions of privacy among Americans found 91% believed that “consumers have lost control over how personal information is collected and used by companies.” Similarly, 80% of social networking site users are concerned about third-party advertisers and businesses accessing the information they share. Users experiencing repeated retargeting noted how brands and products seemed to follow them. Finally, a strong majority (64%) feel the government should regulate advertisers more.

Web 2.0

A key development in the last 20 years, Web 2.0 refers to websites characterized by a move from static web pages to user-generated content, highly dynamic and participatory experiences, and the rise of social media. Moving away from simply visiting and viewing static content in a passive model, Web 2.0 fueled the growth of sharing personal information online. The ability for anyone to easily create content (or interact with web apps and sites) with personal information, opinions, and collaboration has opened the floodgates of data, much of it commercially valuable and parts of it personal. Web 2.0 sites enjoy broad popularity across many demographics and interests: WordPress, Facebook, Twitter, Wikipedia, YouTube, Pinterest, etc.

High-Profile Data Abuses

In the past decade, news stories proliferated with accounts of various data breaches and unethical (or illegal) private data abuses. Edward Snowden’s revelations shocked many in the public when the reach and depth of surveillance and personal data tracking were exposed, leading to hearings by the US Congress. In the lead-up to the 2016 US Presidential election, massive information campaigns targeted Americans with precision in an attempt to sway the election with inflammatory rhetoric across the country. While numerous parties conducted such campaigns, the British consulting firm Cambridge Analytica was widely publicized later for illicitly acquiring personal data of over 80M Facebook users to target information campaigns.

Since 2000, large data breaches involving customers’ personally identifiable information (PII) have become commonplace, with many getting increased visibility as large-scale PII theft and dissemination was often in the news (and users’ news feeds).

Efficient, low-cost data storage encourages broad data capture and retention, causing the rapid accumulation and aggregation of PII for millions of online users; worldwide, an estimated quintillions of bytes of data are created each day (Brookings 2018).


Of the three most widely known data regulations affecting the US, only two have been enforced for one or more years. The EU’s General Data Protection Regulation (GDPR) has now been in effect for over three years. The California Consumer Privacy Act (CCPA) has been enforced for one year. Virginia’s Consumer Data Protection Act (CDPA) takes effect January of 2023.  

The GDPR protects EU members, and is applicable to any company storing or processing personal information of EU citizens. As a result of the reach of online business, many US businesses are required to meet many GDPR requirements. Fines for non-compliance can reach over $20M or 4% of annual global turnover (whichever is higher). Some of the more impactful requirements are below:

  • Audit company data and service providers
  • Create practices that ensure data subject rights (consent, data portability, erasure on request, etc.)
  • Designate a data protection officer
  • Report personal data breaches per GDPR guidelines
  • Follow a compliant data retention policy

While few small businesses have received significant fines, large multinationals have been penalized, with the largest penalties for companies such as Google ($56M), Marriott ($24M), and Amazon ($880M).

Summing Up the Pressure on AdTech

With increasing momentum from the public, US legislatures, and EU regulators, the AdTech companies responsible for some of the more intrusive tracking and targeting are moving to head off further ramifications to the industry and their businesses. By taking steps to self-regulate, AdTech giants remain in control and avoid restrictions that could decimate their revenue.

Deprecation of Third-party Cookies and Mobile ID

Browser Support for Third-Party Cookies

Currently, Apple’s Safari (36% US market share) and Mozilla’s Firefox (3.4% US market share) block all third-party cookies by default. Google’s Chrome, with the largest market share of 48% (world 65%), postponed their 2022 target for blocking third-party cookies to a later phased approach ending in late 2023. Of the major browser brands, only Google receives a significant percentage of revenue from online advertising. 

While Google has much to gain from continuing third-party cookie tracking, it has more to lose. If the industry does nothing to curb private data abuses, legislation could impose far more draconian measures than AdTech leaders desire. By making changes now, Google is able to architect a solution that appeases privacy advocates while ensuring a future state enabling a consistent revenue stream.

With Safari and Firefox already blocking third-party cookies, Google Chrome’s proposed change will effectively end using third-party cookies for any purpose.

Mobile Phone OS Support for Advertising IDs

Mobile phone OS leaders Apple (iOS) and Google (Android) have both provided identification tools that power tracking for advertisers. Apple’s Identifier for Advertisers (IDFA) is a random identifier connected to each iPhone, and is used by advertisers to track users across the internet. Google’s Android Advertising ID (AAID) serves a similar purpose for Android phones.

In April 2021, Apple updated its code to require opt-in consent from phone users each time an app desired to track a user’s phone. As a result, app owners were required to modify apps to comply with Apple’s new App Tracking Transparency (ATT). 

In June 2021, Google announced changes to their privacy settings for apps, with several actions phased throughout the remainder of the year. Once the privacy changes are complete, advertisers will need user consent to track Android users as well. 

By depending on users who willfully consent to each advertiser’s request for cross-site tracking, mobile advertisers are expected to lose a significant percentage of trackable users.

Impact of Tracking Restrictions

With third-party cookies underlying targeting, personalizing, and measuring of digital ad campaigns, the impact affects all participants currently receiving value in the digital ad supply chain. 


Of the cookies on an average website, 60% are third-party cookies used for marketing and advertising.

As a core method of tracking behavior across the internet, third-party cookies can follow and capture the actions, interests, and attitudes of users as they trek across different websites. While this data alone is both broad in scope and detailed in data elements, datasets are combined through cookie syncing and record matching to build even more comprehensive profiles that are used for hyper-specific targeting. 

The loss of this key mechanism (and Advertiser IDs for mobile tracking) will make behavioral targeting, retargeting, cross-site attribution modeling, and measurement much more difficult at scales advertisers are accustomed to. Without the same targeting precision at scale, reach will be lower and performance will decline.

Advertising Impact Examples

Any practice with data points captured (and aggregated) by third-party cookies is impacted. Also, any behavioral targeting or retargeting that requires third-party cookies to identify users on different websites in order to serve the ad is impacted.


Ad revenue for publishers will decline without the ability to provide clearly addressable audiences to advertisers. While large publishers can leverage their first-party data, making it highly targetable, their reach will be restricted from audience extension. With publishers no longer able to sync cookies with other ad exchanges, supply-side platforms (SSPs), or demand-side platforms (DSPs), audience addressability and volume decline sharply. With weaker targeting, advertisers will pay a much lower cost per impression due to the lower advertising ROMI.


Internet users could gain significantly from changes in the digital ad ecosystem ostensibly designed to protect their data privacy. Users will have more control by selecting to opt in or opt out of behavioral tracking for mobile use. Transparency is improved as more disclosure requirements for data tracking and use are mandated. 

However, users could potentially experience significant downsides. Much of the targeted and retargeted advertising that users find alarming will no longer appear as they travel from site to site. However, instead of relevant, targeted advertising, users will be more likely to see generic or contextual advertising related to the page visited, not to them as individuals.

Of much greater concern are the many free online content and services sites that will no longer be available. Many free sites provide value that would otherwise be subscription-based or charged per use were it not for targeted advertising practices. A significant percentage of free content and services is available precisely because of targeted advertising, which provides either a significant or primary revenue source for site (and app) operators. Much of the internet operates on this value exchange between customer data and return offerings from publisher, developer, or creator.

Understanding the Data Behind Cookie Tracking

When cookies were created by a young Netscape engineer in 1994, they were used to help websites remember their own visitors, their preferences, shopping carts, and logins–and specifically not to track users’ browsing behavior across different websites. In two years, advertisers figured out how to repurpose the technology, and the third-party tracking cookie was born. Remarkably, the digital advertising system became structured around this small text file identifying users as they journeyed across the internet.

How Cookies are Created

Cookies are relatively simple technology, yet challenging to explain, in part, because of the variety of technical processes that can be used to create, match/sync, aggregate, profile, and apply. 

A cookie is merely a small text file that is written to (and updated on) a user’s device, either by the site domain visited (first-party cookies), or by a different site or entity domain than the one being visited (third-party cookies). 

Regardless of cookie type, when a visitor accesses a site, the domain checks the browser for its cookie. If it finds the cookie, it is updated. If it doesn’t find it, a cookie is created.

Creating First-Party Cookies

Anytime a user visits a website domain, that domain can (and probably does) create a first-party cookie. Because first-party cookies are created by the site visited, they are typically used to create a better user experience for its visitors: they remember what is in the shopping cart, the user password, user preferences, preferred site pages, or even products viewed on the site. First-party cookies are not being impacted by current and upcoming browser restrictions. Often this “remembering” is done simply by storing a user or browser identifier in the cookie, which is then tied to a user or browser database on the website’s server.

Creating Third-Party Cookies

While a first-party cookie is created by the website domain visited, a third-party cookie is created by a different domain, not the one being visited. 

By using third-party cookies, advertisers (and other AdTech firms) can track users across the internet, creating a history of the sites they visit, the actions they take, and ultimately creating a robust profile of individual users.

First-party cookies are created by the website domain someone is visiting; third-party cookies are created by domains other than the website the user is visiting.

Third-party cookies are typically created when the website someone is visiting requests a third-party service, e.g., a chat app, an image, clicking a social media “follow” or “like” button, etc. Usually, a snippet of code or script from another domain is present on the visited website. When the page loads, the script sends a request to the third party, which checks the user’s browser for their cookie. If one is already present, it is read and/or updated. If one does not exist, it is created. 

Social Media Cookie Example

When a user visits a news site and reads a story she wishes to share, she clicks the social media icon. While the article is shared, the social media domain (linked to the icon) creates a third-party cookie for the user who clicked it. Now, the social media platform can track the user’s behavior on this news website today and in the future, until the cookie expires.

Keep in mind, a user does not have to click anywhere on a visited site for a cookie to be created. Simply accessing the web page can load a third-party script that calls the third-party domain, which writes the cookie, which then tracks the visitor–all without the visitor ever accessing the third-party domain that writes the cookie.

Now, the third-party domain can track the user on any website that has the third-party domain’s script. 
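The mechanism described in the sections above can be reproduced with a toy browser and tracker. This is an added illustration, not part of the original paper; the domains (news.example, tracker.example, and so on) and the uid-N identifiers are made up, and domain matching is simplified to an exact string comparison.

```python
import itertools


class Tracker:
    """A server whose script is embedded on many publisher pages."""

    def __init__(self, domain):
        self.domain = domain
        self.log = []                      # (identifier, site being visited)
        self.counter = itertools.count(1)

    def handle_request(self, cookie_id, site):
        """Read the cookie if the browser sent one; otherwise issue a new ID.

        Returns the value the browser is asked to store, or None if the
        existing cookie was simply read.
        """
        issued = None
        if cookie_id is None:
            cookie_id = issued = f"uid-{next(self.counter)}"
        self.log.append((cookie_id, site))
        return issued

    def profiles(self):
        """Group the log by identifier: one entry per 'user' the server sees."""
        grouped = {}
        for cookie_id, site in self.log:
            grouped.setdefault(cookie_id, []).append(site)
        return grouped


class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}                      # domain that set the cookie -> ID

    def visit(self, site, embedded):
        """Load a page on `site`; each embedded script calls its own server."""
        for server in embedded:
            # Simplification: real browsers compare registrable domains.
            third_party = server.domain != site
            blocked = third_party and self.block_third_party
            # A cookie is only ever sent back to the domain that set it.
            sent = None if blocked else self.jar.get(server.domain)
            issued = server.handle_request(sent, site)
            if issued is not None and not blocked:
                self.jar[server.domain] = issued


def simulate(block_third_party):
    """One user visits three unrelated sites that all embed the same tracker."""
    tracker = Tracker("tracker.example")
    browser = Browser(block_third_party)
    for site in ["news.example", "shop.example", "travel.example"]:
        browser.visit(site, [tracker])
    return tracker.profiles()


def first_party_unaffected():
    """The shop's own cookie still works when third-party cookies are blocked."""
    shop = Tracker("shop.example")
    browser = Browser(block_third_party=True)
    browser.visit("shop.example", [shop])
    browser.visit("shop.example", [shop])
    return shop.profiles()


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
    print("first-party, blocking on:   ", first_party_unaffected())
```

With third-party cookies allowed, the tracker sees one identifier with a three-site history; with blocking on, it sees three apparently unrelated visitors.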

How Third-Party Cookies Gather Rich Data

Cookies are primarily used to create and store an ID that allows the party to recognize the same user across different websites. As someone browses across dozens of pages, any site that contains the party’s script will assign or update an ID, capture user actions related to the site visited, and store them in a database with other user web data.

Because a cookie can be read only by the domain that created it, the third party must have a cookie-generating script (or similar code) on all the websites for which data is tracked, or have data-sharing agreements with other third parties with cookies on additional websites.

For example, if AdTech1 is writing third-party cookies on thousands of websites, and another company, DSP2, is writing them on thousands of different websites, they can pool data resources across an ad network. Neither AdTech1 nor DSP2 stores all of a user’s data in a cookie–most third-party cookies are primarily used as an identifier. Instead, user data (sites visited, behavior on sites, purchase history, time on site, etc.) are saved in databases.

Just how widespread can an ad network be? Industry analysts estimate that Google Analytics is used on 20-50M websites, including half of the top 1M websites. Facebook has scripts on over 8M third-party websites.

Building User Profiles from Third-Party Cookie Tracking

For user data to provide value to advertisers and publishers, data volume and quality must be sufficient to target audiences across a wide range of properties. In order to build user profiles, cookies must be synced/matched to resolve different cookie identifiers that represent the same user.

Cookie syncing can occur in real-time on the internet, or after data is stored in an AdTech database. For real-time syncing, a server can send a cookie ID within a request to a separate server, which then creates another third-party cookie that is shared with the first server. Now the two cookies are matched. Matching cookies in a database can draw on large user datasets, comparing data elements until common identifiers are recognized.

For large ad networks and platforms, syncing “owned” data alone is sufficient to build enough profiles to create marketable audiences for advertisers. Other ad networks collaborate, and different data pools are aggregated, matching or syncing cookies or records, eliminating duplicates, and creating as many full user profiles as possible. Remember, when a user’s behavior is tracked across dozens or hundreds of websites, the matched profile will contain detailed information about interests, habits, personality, demographics, geo-targeting, and much of it personally identifiable information (PII). 
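Real-time syncing as described above is visible in browser traffic: an identifier held in one domain's cookie appears in the URL of a request to a different domain. The following added example (not from the original paper) flags such hand-offs in a constructed request log; the hosts, parameter names, and IDs are invented, and it assumes the IDs are passed unmodified rather than hashed or encoded.

```python
from urllib.parse import urlsplit, parse_qsl

MIN_ID_LEN = 8  # skip short values ("1", "en") that would match by coincidence

# Constructed request log for one page load: (URL requested, cookies sent).
REQUESTS = [
    ("https://news.example/story", {"session": "s-4be19a77c2"}),
    ("https://adtech1.example/pixel.gif?page=story", {"uid": "A7f3c29e51b0"}),
    # AdTech1 redirects the browser to DSP2 with its own ID in the URL.
    ("https://dsp2.example/sync?partner=adtech1&partner_uid=A7f3c29e51b0",
     {"id": "D91c04aa7e63"}),
    # DSP2 redirects back so AdTech1 learns DSP2's ID as well.
    ("https://adtech1.example/sync?partner=dsp2&partner_uid=D91c04aa7e63",
     {"uid": "A7f3c29e51b0"}),
    ("https://cdn.example/lib.js?v=20210701", {}),
]


def long_values(cookies):
    """Cookie values long enough to plausibly be identifiers."""
    return tuple(sorted(v for v in cookies.values() if len(v) >= MIN_ID_LEN))


def cookie_owners(requests):
    """Map each identifier-like cookie value to the hosts that received it."""
    owners = {}
    for url, cookies in requests:
        host = urlsplit(url).hostname
        for value in long_values(cookies):
            owners.setdefault(value, set()).add(host)
    return owners


def find_cookie_syncs(requests):
    """Flag requests whose URL carries a value that is another host's cookie.

    Each finding is (owner host, receiving host, shared ID, receiver's own
    cookie IDs on that request). The last two fields together are what the
    receiver needs to link the two identifiers for the same browser.
    """
    owners = cookie_owners(requests)
    findings = []
    for url, cookies in requests:
        parts = urlsplit(url)
        for _name, value in parse_qsl(parts.query):
            for owner in sorted(owners.get(value, ())):
                if owner != parts.hostname:
                    findings.append(
                        (owner, parts.hostname, value, long_values(cookies)))
    return findings


if __name__ == "__main__":
    for owner, receiver, shared, own in find_cookie_syncs(REQUESTS):
        print(f"{owner} ID {shared} sent to {receiver}, which holds {own}")
```

The same comparison can be run over a HAR export from a browser's developer tools to see which embedded parties on a page exchange identifiers.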

Sufficient profile volume allows AdTech companies to segment and build detailed audiences, and using machine-learning to extrapolate can further expand the addressable audiences. 

Applying Use Cases to Data Profiles 

Detailed user profiles built from cross-site third-party cookie tracking allow advertisers to target based on demographics (age, gender, income, education, etc.), behavior (purchasing and spending habits, brand interactions, etc.), geographic (zip code, city, urban/rural, etc.), and, using inferences from sites visited and third-party matched data, psychographic (values, attitudes, interests, beliefs, priorities, etc.) data. Ad targeting can use combinations of these data types and attributes to create complex audiences that match a brand’s buyer persona: e.g., young conservative married couples starting a family, heavy watchers of streaming services, consumers of key competitor products, environmentally aware, living in rural communities.

While many ad networks ban intrusive targeting based on certain user attributes (e.g., political, medical, spiritual beliefs), actual targeting practices depend entirely on what guidelines are enforced within each ad network.

Behavioral Targeting

As the list of user attributes above suggests, the data that is captured by compiling cross-site behavior is critical for targeting specific buyers based on their profile build. 

If a prospect visits four different commercial realty firm sites in one week, an ad platform can confidently deliver ads for a commercial service based on high intent and service focus. Without cross-site tracking, neither the publisher nor the advertiser would know the user visited multiple relevant sites.

Without the cross-site behavioral targeting of third-party cookies, brands will no longer show ads to users based on their viewing behavior across different websites.


Retargeting, or targeting ads at users who have previously shown specific interest in a specific brand’s product, is part of most online advertisers’ campaign portfolio. Rather than displaying ads to users who have an affinity for cooking or outdoors, showing ads to users who have viewed a brand’s specific custom smokers and custom grills will reach those with much higher intent and who cost less to convert. However, without third-party cookies, retargeting is limited. 

When a user accesses a brand’s site, spends 30 minutes viewing specific information about a grill, even placing the item in a shopping cart, a third-party AdTech cookie records the actions. Later, as the user visits completely different sites across the web, the same AdTech can serve ads for the brand’s specific grill to the user. Because the tracking cookie code is on both sites, the AdTech’s ad server recognizes the cookie identifier from the brand’s grill site and serves the relevant ad.

In this case, a first-party cookie would have also recorded the visitor’s action by placing the grill in the shopping cart. However, the later visited sites would not be able to access the first-party cookie. Only a third-party cookie can enable this scale of retargeting.

Frequency Capping and Exclusions

Frequency capping ensures that the same user (or device) will not see the same ad an unlimited number of times. Instead, because of an identifier that is tracked cross-site, an advertiser can set a threshold for the frequency and duration of an ad for an individual user.

For example, if an advertiser wants to show a specific ad to a user no more than once per day, most contemporary ad platforms allow capping that meets the chosen exposure level. If a user cannot be identified across different websites, one person could see an ad frequently, causing a negative reaction. 

Similarly, advertisers may not want to bombard someone with ads immediately after a major purchase from the brand. By tracking a user across different sites, the AdTech can exclude advertising from appearing to user IDs that completed a recent transaction.

Without a third-party cookie identifying the user across sites, or a mobile ID identifying the device, the identifier (user) cannot be excluded. 

Attribution and Measurement

Without cross-site tracking, attribution models would likely fall back to the “last touch” model, capturing only the final conversion, or at best, multiple touches on the brand’s site without knowing what other relevant interactions occurred elsewhere. 

With third-party cookies, cross-site tracking can capture brand touch-points across many different sites, including views, clicks, downloads, interactions, that move the customer journey forward. By tracking each touch-point, brands can accurately calculate the appropriate attribution and measure true conversion cost.

The cross-site tracking data, and the individual profiles it builds, power many core practices of targeted online advertising; as a result, forward-thinking advertisers and publishers are expressing concern about the deprecation of both third-party cookies and mobile advertising IDs–key identifiers used to track visitors across websites and build the profiles that underlie much of contemporary digital advertising.

The Solutions Spectrum 

Deciphering the Solution Landscape

If brands are finding it difficult to stay current on the state of alternatives to third-party cookies, mobile IDs, and other drivers of online advertising tracking practices, the confusion is understandable. 

Stakeholders from key architects of tracking mechanisms to influential industry players continue to announce changes to the online advertising ecosystem. Alternatives and proposals have been rolling out even before Google Chrome’s January announcement, with dozens of competing processes and structures in various states of readiness: in development, in testing, or existing in code snippets on programming repositories such as GitHub. 

Many are new (FLoC, Unified ID 2.0), and many are existing practices revamped (First-Party Data, Contextual Targeting). Despite the confusion surrounding timelines and choices, one fact remains: many of the core practices used for targeting, segmenting, personalization, and attribution are going away or greatly diminishing.

Ideal Solution Goals

For advertisers, the goal of any proposed solution is to retain the value gained from years refining a customer-centric data ecosystem, investing in platforms, methodologies, machine learning, and supporting analytics. Leading brands and advertisers developed an infrastructure providing unified views of the customer, the ability to tailor messaging and customer journeys, measure and refine practices, provide offerings matching consumer needs, and deliver an overall better customer experience. The biggest fear among companies invested in the existing practices is losing years of progress developing these frameworks that provide superior value to all stakeholders. 

Now that Google has pushed their support for third-party cookies well into 2023, some advertisers and brands may be content with remaining patient, waiting for competing initiatives to shake out to a top handful that receive backing and broad adoption. When the dust settles, these brands will be competing against brands that are proactively planning for the continued restriction and ultimate demise of several unique identifiers such as mobile ad IDs and data gathered by third-party cookies.

The solutions below include just a few from an overwhelming number of alternatives currently being proposed, sold, or discussed. These either have some history of successful use, substantial planning and trials, or extensive industry participation. However, the full list of practices being implemented, proposed, or sold today spans an even larger universe, from identity graphs and server-side tracking, to probabilistic profiling using mobile carrier data, and even email-centric tracking.

While various alternatives (as well as whatever might become a de facto standard) will cover many of the current use cases, the consensus is that these will be unlikely to cover all use cases. Nevertheless, understanding some of the leading alternatives proposed will better enable brands and advertisers to plan their own strategies.


Asking visitors to log in to company sites in order to learn about products and services might seem counterproductive, or even a reversal to practices long abandoned. Today, most free sites requiring authentication offer recognizable value not offered elsewhere without sign-in. Often these are sites with niche markets (local news) or comprehensive aggregations of content and tools for specialized practices (training for a specific web-development skill).

Estimates of the likelihood of internet users providing identification range wildly depending on the context. For example, in June 2021, the opt-in rate for tracking in iOS was less than 25%.

Still, even as awareness of potential abuse of PII is heightened, most internet users are willing to share some information to gain access to free online content and services. 

Because acquired consent is now a foundation of first-party data, exchanging a registration for access may become more common, if not normalized; however, much depends on where the industry is in two years. With publishers realizing the value of first-party data, and no longer able to offer the addressable markets created by third-party cookies, many will seek revenue through reselling first-party data or conforming to a subscription model. Universal ID frameworks are also dependent on authentication, although the return for users is much broader than authenticating for one site.

Contextual Advertising

Like site authentication, targeting strictly by context is a step back for many in the industry. Much like magazine advertising, users are targeted based on the publisher’s content (context), and based on assumptions about visitors to different sites, e.g., sites for pet health, recreational travel, economics, sports, camping. Instead of behavioral-based targeting, audiences are targeted based on site and page topic keywords. Ads are delivered that are relevant to the content visitors are viewing, but no private or individual data is used in the process.

While personalization is limited in sophistication, measured returns show marketers where it works best, and expectations (and ROI) can be clearly articulated by publishers and advertisers. 

Contextual targeting limits reach to only those members of the target audience who visit the topic-targeted sites. If a lawn mower brand targets brand keywords on a large lawn care blog, many in-market individuals who favor product review sites will miss it. Reach is significantly lower than behavioral targeting across different sites.

Recent advances in artificial intelligence and machine learning have also improved behavioral targeting for some publishers and advertisers.


Grouping users with commonalities, whether demographic, behavioral, psychographic, or geographic, provides advertisers with targeting without individual identifiers. While proposed as a strong privacy protector, the actual details of how each cohort works remain vague for many proposals, including Google’s FLoC, until live testing is conducted by real-world users and targets. Many proposed data-matching initiatives specifically plan to combine available cohort groups with individual-level datasets in order to build robust profiles with individual identifiers. Until cohort groups reach a considerable scale, both the efficacy and privacy are unclear.

Google’s FLoC

The Federated Learning of Cohorts (FLoC) is a component of Google’s Privacy Sandbox, their proposed vehicle for identifying solutions to power online advertising while maintaining user privacy. In January of 2020, Google invited various AdTech companies to participate in developing proposals, over 30 of which have been offered. While many are in progress, Google’s proposed FLoC has moved to limited testing and is the primary focus to date.

How FLoC Works

FLoC is a custom-API cohort approach to targeting, allowing advertisers to target interest-based groups (cohorts) without needing access to a specific user’s browsing history. Rather than report individual user-level data from cookies that each website passes to the ad platform for use by advertisers, in FLoC the data would stay within each user’s browser. FLoC then dynamically assigns each user browser to large cohorts of users who share traits based on their browsing data. For example, a user may be assigned to a cohort of people who have visited sites for adventure vacations and trout fishing recently.


Because cohorts are dynamic, and updated every seven days, a person whose browsing behavior changes might be in a different cohort later that reflects those interests. Because individual data is no longer shared, a specific user’s browser history is not available for anyone–publisher, advertiser, or Google–to track across websites.
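The browser-side flow described above can be sketched as follows. This is an added example, not Google's code and not part of the original paper: SimHash stands in for the unspecified cohort algorithm, and the 8-bit cohort space, seven-day visit window, minimum cohort size, and `.example` domains are all assumptions.

```javascript
// Added illustration, not FLoC's actual algorithm. Assumptions: SimHash as the
// grouping function, 8-bit cohort ids, a seven-day visit window matching the
// update interval, and a minimum cohort size before an id is exposed.
const DAY_MS = 24 * 60 * 60 * 1000;
const WINDOW_MS = 7 * DAY_MS;
const MIN_COHORT_SIZE = 1000;

// 32-bit FNV-1a hash (ASCII domain names assumed).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i) & 0xff;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// SimHash over the set of recently visited domains: every domain votes +1 or -1
// on each output bit, and the sign of the tally becomes the cohort bit. Browsers
// with overlapping histories therefore tend to share most bits of the id.
function computeCohort(visits, nowMs, bits = 8) {
  const recent = new Set(
    visits
      .filter((v) => nowMs - v.ts <= WINDOW_MS)
      .map((v) => v.domain.toLowerCase())
  );
  const tally = new Array(bits).fill(0);
  for (const domain of recent) {
    const h = fnv1a(domain);
    for (let b = 0; b < bits; b++) {
      tally[b] += ((h >>> b) & 1) ? 1 : -1;
    }
  }
  let cohort = 0;
  for (let b = 0; b < bits; b++) {
    if (tally[b] > 0) cohort |= 1 << b;
  }
  return cohort >>> 0;
}

// Only the cohort id leaves the browser, never the visit list, and only when
// the cohort is large enough that membership does not single anyone out.
// cohortSizes is a constructed stand-in for population counts.
function exposeCohort(cohortId, cohortSizes, minSize = MIN_COHORT_SIZE) {
  const size = cohortSizes.get(cohortId) || 0;
  return size >= minSize ? { cohort: cohortId } : null;
}

// Constructed sample data.
const NOW = Date.UTC(2021, 7, 20);
const sampleVisits = [
  { domain: 'adventure-vacations.example', ts: NOW - 1 * DAY_MS },
  { domain: 'trout-fishing.example', ts: NOW - 3 * DAY_MS },
  { domain: 'Trout-Fishing.example', ts: NOW - 2 * DAY_MS }, // repeat visit
  { domain: 'old-news.example', ts: NOW - 30 * DAY_MS },     // outside window
];

function demo() {
  const id = computeCohort(sampleVisits, NOW);
  return {
    sentToAdPlatform: exposeCohort(id, new Map([[id, 4200]])),
    withheldWhenSmall: exposeCohort(id, new Map([[id, 12]])),
  };
}

console.log(demo());
```

The cohort id is a coarse label rather than an identifier, which is why the size threshold matters: a small cohort, or a cohort id joined with other signals, narrows the set of browsers it could describe.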


Google claimed in January of this year, after testing FLoC in-market and affinity audiences, that “advertisers can expect to see at least 95% of the conversions per dollar spent when compared to cookie-based advertising,” and was met with skepticism from the online ad community. 

In July 2021, after original trial testing with publishers and AdTech companies, Google began improvements, but without publishing any test feedback. As a result, little is known of test results.


FLoC could scale to meet any size audience requirements, if performance is in line with that reported for initial internal tests. While practitioners are desirous of an effective solution backed by a company with the clout to set a standard (Google’s Chrome maintains 48% of US market share, and 65% worldwide), some have questioned the impartiality of Google. With the majority of their revenue from online advertising, Google could extend market control even more by building a “walled garden” where advertisers and publishers are required to compete on Google’s terms. Others have noted that unethical actors could still find ways to match FLoC data with their own data set (first-party, third-party, fingerprinting, identified users from login/purchase data), and the combined data could be shared or sold. However, since little is known, and the live date is late 2023, risks and benefits are both difficult to assess. 

Customers increasingly desire both highly personalized experiences in their brand interactions, and a much more transparent approach to the collection, use, and dissemination of personal data.

Universal ID (UID)

One of the most popular types of alternatives currently being developed or deployed, Universal IDs (UIDs) seek to provide a single ID for each user across a shared group of participating AdTech companies and publishers. Aimed beyond a brand’s owned domain, UID delivers cross-site tracking and data, with all the targeting and measurement functions that third-party cookies were fulfilling. And unlike traditional authentication models limited to one domain, the UID value exchange is between a one-time consent and access to a large body of content and services. By requesting consent once for a large group of publisher domains, both advertisers and publishers anticipate attracting a user base large enough to gain momentum across a broad set of users.

Currently, dozens of UID variations are either in place or being built, including open-source, small-publisher consortiums, mobile app publishers, online-offline pools, and some that seek to build full traditional profiles by matching UID data with all available data sources.

Unified ID 2.0 Example

One of the prominent UID frameworks, Unified ID 2.0 (UID2) was developed by The Trade Desk, and later pushed out as an open-source, non-commercial approach that helped it gain momentum and attention within the industry. Aiming to reproduce cross-site targeting performance similar to that of third-party cookies, UID2 creates a privacy-compliant identifier underlying the targeting, and uses encrypted values to create dynamic tokens that are used in bidding with DSPs. Administration and operation are handled independently (the UID2 Administrator is IAB Tech Lab, and the first UID2 Operator is

Pros and Cons

Numerous advantages to advertisers, publishers, and users could be an effective argument for growth if the benefits are clearly communicated to all stakeholders. In the ideal design, users enter the exchange with clear expectations and transparency with publishers, receive anonymity with an encrypted version of their email, and control how their data is used by advertisers. Publishers can continue to monetize digital content and properties without additional privacy hurdles. And advertisers will enjoy robustly targeted and tracked audiences across different websites.

Like many UID frameworks, UID2 will attract advertisers accustomed to the targeting of quickly deprecating cookies. However, the same challenge exists for all independent UID models: scale. In an environment in which all online tracking has become suspect, scale obtainable only by user consent will depend on publishers educating users on the value exchange that drives much of the internet.

Finally, the same fears of rogue aggregation of data persist for UID frameworks as much as large cohort models such as FLoC. With machine learning and advanced matching processes, data from a wide set of sources could ultimately be matched with the encrypted key UID profiles, leading to comprehensive profiles with PII that can be shared or sold. Only after more UID candidates move into live production will risks and controls be proven.

Interoperability UID Approaches

It is unlikely that any one UID framework becomes a singular standard. However, it is possible that several will gain traction, and proposals for interoperability (through which publishers support multiple UIDs) could gain enough volume through collaboration to be a standard approach.

First-Party Data

With the deprecation of third-party cookies, owned digital media (e.g., brand websites, blogs, e-commerce platforms, online customer service, etc.) is rediscovering value. Large publishers with high volumes are increasingly monetizing first-party data inherent in their ecosystem, making audiences available for advertisers. While some have built their own AdTech, a few have even exported it as a licensed offering.

Pros and Cons

The ability to measure clicks, scrolling, duration, and interactions provides actionable information, especially on a robust, sophisticated site or app. From on-site behavior, advertisers can identify buyers’ interests, preferred path, focus, and purchase intent. Similarly, insights are gained from transactions whether soft or hard conversions, such as completing forms, downloading trials or white papers, loading a shopping cart, or making a purchase–all the touchpoints soon unavailable across different third-party sites.

To maximize impact of first-party data, companies should leverage all existing touchpoints with prospects and customers across all mediums. In addition to their core website, businesses must capture data from social media interactions, customer support emails, digital chat apps, call center communication, and point-of-sale. Finally, first-party data aggregated in a CDP or similar platform can be mined for insights continuously as it is generated. 

First-party data will remain intact regardless of the deprecation of third-party cookies and mobile ad IDs, and can be used for local behavioral targeting, on-site attribution, and measurement. However, without the ability to similarly target the audiences across different websites, the scale of first-party data falls far short by itself.

Merkle’s 2021 report shows that 88% of the marketing executives of $100M+ companies surveyed are making first-party data a major focus of brands over the next 6-12 months.

Zero-Party Data

While first-party data is often centered on visitors’ tracked behavior across a brand’s site, app, or page, zero-party data differs in the collection process and the data type. According to Forrester Research, which coined the term, “Zero-party data is that which a customer intentionally and proactively shares with the brand.”

How it Works

Zero-party data can come through efforts such as content marketing, in which customers trade contact information for brand-offered content. But it also includes variously provided information through polls, questionnaires, sweepstakes, and similar informed data sharing. Moreover, zero-party data exchange can be introduced in multiple channels, as not even first-party cookies are required to track a user clicking a poll originating on a social media presence. Brands are able to personalize marketing and product offerings, while consumers control their data. 

The data typically includes identifying information, but can be much more diverse than a typical opt-in form, including a consumer’s interests and any range of customer data relevant to the need addressed, and the drivers for offering selection. Explicit opt-in data exchanged with the brand can be effective in multiple channels, unlike first-party data, and can include surveys, questionnaires, short polls, or even games. 

Pros and Cons

Customers maintain control of their data choices while providing product or service preferences, experience with competitors, or purchase intentions. Zero-party data powers targeted personalized interactions and offers, boosting ad performance and customer trust. Zero-party proponents suggest that wholesale adoption of the approach can transform a business that centers goals and actions on the customer, their experience, and long-term value.

The increased focus on privacy and consent requirements makes zero-party data even more valuable. Because the data is directly obtained from the consumer, validity is higher than inferred data points, or data resulting from a cookie match across a dozen assigned IDs.

Consumer preference data continues to reveal that customers are willing to provide their information in exchange for personalized experiences and custom offers that provide superior value.

Combination or Aggregate Approaches

While many articles focusing on specific alternatives are single-minded in a belief in the superiority of one solution over all others, a far more likely (and successful) approach will be combinations of technologies, methodologies, and newly proposed and newly rediscovered approaches. For example, multiple UID initiatives could agree to interoperability to boost scale, while participating advertisers might also use an aggressive first-party strategy. 

Quantify brand risk by conducting a full data audit: Validate data quality, identify data streams and practices providing the most goal-centric value; clean and optimize data and data gathering processes. Then focus on those high-value datasets and practices.

Our Guidance

Positioning for the Future and Minimizing Risk

Because the online ad market is dominated by a handful of large companies, the practices implemented by Google, Facebook, and Amazon will have outsized influence on the direction of future digital advertising. Consequently, some brands are adopting a wait-and-see approach. However, these brands will be far behind those who choose to prepare for a post third-party cookie and mobile ad identifier market.

At this time, brands should not select one method to replace all the practices set to disappear by 2023. Brands should focus energies that will provide return regardless of whether Google’s FLoC or a specific Universal ID framework (or neither) becomes a dominant standard. Any current practices that prove their value during a data audit should continue, including targeting using third-party cookies. Even contextual targeting, multiple forms of first-party data (whether first-party tracking, content marketing, or other inbound strategy), search, or a unique channel currently meeting the need and validated through a full audit should be continued.

When to Experiment or Adopt Alternatives

When should brands experiment with a net new alternative practice? When new frameworks meet a company’s risk tolerance. Each company’s risk depends on their expertise, infrastructure, and market niche at minimum. Many will follow alternative proposals with an eye for technology stabilization, demonstrated real-world success, and even industry adoption rates. 

However, if a stakeholder’s AdTech or context is pre-aligned with an alternative, they can begin trials before many others. For example, if a brand’s current structure aligns with the adoption of a promising universal ID without complicated process modifications, testing could be a great opportunity. Don’t lock into a specific technical platform solution that demands substantial change to components of the brand’s web infrastructure and customer relationships to work.

The immediate path to future success isn’t necessarily bound by adoption of entirely new frameworks or proposals. Instead, taking evergreen steps that position brands well in a wide range of possible future scenarios will begin rewarding now and after the dust settles.

While the goal may seem unrealistic in this moment of uncertainty, future-proofing data practices is both feasible and productive, immediately and long-term.

Audit the Brand’s Data

Brands must audit their data, then evaluate it, clean it, and refine it. The process of a comprehensive data and data process audit will create a roadmap helping brands transition to a post-cookie and restricted identifier environment.

Quantify Brand Risk

A comprehensive audit will quantify current risk if no alternative standard were to emerge in 18 months. But it will also provide brands with the actions that will improve their position, decrease the risk, and prepare them for new process adoption when the time comes.

Measure and Compare Data

Determine what is most important by identifying data which provides the most goal-centric value. While the practice of tracking “everything” became popular once the cost of data space and processes plummeted, a brand’s data focus should be narrowed. Prioritize data that has significant return or is a clear part of a strategy already paying returns, and not at risk due to coming changes. 

Identify Post-Cookie Gaps

Now is the time to evaluate how much high-value data is dependent on behavioral targeting, retargeting, cross-site attribution, and other practices dependent on third-party cookies. Brands that can quantify the performance gaps expected from a post-cookie environment will be able to plan accurately for the future, not be paralyzed with the uncertainty of those deciding to “wait and see.” 

Evaluate and Quantify Data Practices

Compare the cost of data gathering processes with the value of the data output. Identify which practices generate high-value data, how much spend is required for high-value data (and how much for vanity metrics, intermediate goals, and other low-purpose data). Measure spends required for data from third-party cookie practices. Calculate costs beyond media spends required for each data stream.

Identify Medium-Term Approaches

Based on the results of the data audit, brands can identify where resources are best applied, which data and processes should be cleaned and optimized, and which practices should be part of any medium-term strategy. The datasets and practices identified will be those that continue to build infrastructure and customer views over the next year. 

Selectively Grow First-Party Data

First-Party Data Value

As large publishers increasingly monetizing their customer bases demonstrate, first-party data is still paying dividends. While many brands will not have the 100M unique visitors per month of large publishers such as The Washington Post, the visitors to a brand’s digital properties are unquestionably valuable: pre-screened, high-value and often high intent. As preparation for a more restrictive identifier environment, a brand’s goal should focus on growing quality customer data that informs both strategy and tactics.

Preparing for Enhanced First-Party and Inbound

A comprehensive audit will assess a brand’s first-party data: volume, quality, application. With analytics tuned to first-party data, brands can evaluate local touch points and preferred paths, while customizing interactions for a superior customer experience. Validate site structure and efficacy through a competitive market assessment focusing on user experience on brand sites and competitor sites, using click and scroll heat maps, on-page SEO, and competitive keyword distribution evaluation.

Choosing Collection Practices 

Brands should review the spectrum of first-party data types and collection processes beyond a first-party cookie strategy. Content marketing that aligns with the business model and complements the offering type should be natural, and value exchange must recognize customer expectations.

Meet Current Consumer Expectations

Offering simple “Top 10” type checklists appears dated in most business sectors, and no longer motivates the exchange of personal information with a brand. The exchange value must be mutual and ongoing, from first touch to post-purchase. A customer’s lifetime value (LTV) depends upon a continuous, collaborative value exchange, with brands that address customer challenges and seek to improve services over the entire lifecycle.

Connecting with a Future State

First-party data can further be leveraged as other large collaborations work toward alternative IDs and even Universal IDs. Once a significant consensus builds, brands adopting a standardized ID collaborative can use proven data matching techniques and further expand unified views of their customer base. First-party data will likely be usable in different ad platforms for targeting beyond that of an existing cohort model. One of Google’s Privacy Sandbox proposals, FLEDGE, is planning to test an approach allowing advertisers to use first-party data in conjunction with cohort data. 

Contextual Targeting High-Impact Options 

Brands already using some form of contextual targeting have existing performance data identifying highest performing placement, as well as ad types that work best within the practice. If new to contextual targeting, brands should evaluate the key categories for target segments, identifying top categories for inclusion and exclusion. Those without a recent contextual placement history may need to check various publisher channels for current return expectations and even begin with small campaign tests. Unique offerings may be able to effectively target within niche marketing publications that align with a highly specialized industry. However, depending on a sector, some specialized fields are served by premium publishers with higher spend requirements. 

Because the goal is low risk and low commitment, brands need only gain return acceptable for the spend, and not require expansive volume and reach.

Identify Strong Partners 

Superior brands design the value they seek to create for the customer as deliberately as they do for the company. Value is always multi-faceted, not because it must be created for the so-called 5Cs, but because each targeted stakeholder is multi-dimensional. Long-lasting brands have created the elements of offering value that are expressed through the range of brand interactions. Strong partners must have the acumen to expand a brand’s strategic and tactical reach and impact, while at the same time understanding the value offering customers must receive.

Strong partners can align their expertise and unique talents with the value proposition for the customer, and help ensure that the enterprise journeys through transitions to innovation.


No single alternative or new standard will replace the value that was maximized with the cookie. And some current customer data points will become challenging, or impossible, to achieve. Still, brands and all stakeholders should monitor progress of alternatives capable of scale, those aligned with current interests, and those making it through real-world testing.

With current levels of interest and investment, the changes will spur innovation, creating opportunity for new players, new customer-focused methodologies and supporting technology, improving aggregators such as customer data platforms, and advancing known accelerators such as machine learning (ML). 

AI and ML can help close the almost certain near-term increasing gaps in customer data points to come. Whether to help segment, complete a view of the customer journey, or predict unobserved actions, AI/ML will advance by necessity and become packaged and portable to reach a wider pool of adopters. 

Companies can allow the disruption of the digital ad ecosystem to derail their efforts, “wait-and-see” for tech giants to work through solutions, or they can mitigate risk and position their brand. By building and enhancing the core components and practices of a customer-centric marketing strategy, brands will be prepared to negotiate new approaches and technologies that balance a respect for individual data privacy and customer engagement.

Suggested Reading

Auxier, B., Rainie, L., Anderson, M., Perrin, A., Kumar, M., Turner, E. (2019). Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information. Pew Research Center.

Timely resource revealing recent perceptions of Americans and their personal private data, the lack of control and ownership, and desire for more regulations. These trends are significant drivers for AdTech’s continued attempt to restrict intrusive tracking. 

Brodkin, Jon. (2021). EU Antitrust Regulators Launch Probe into Google’s FLoC Plan. Ars Technica.

Overview of the EU’s announced investigation of Google’s new privacy initiatives. Good breakdown of the “walled garden” competitors have complained about since the announcement of Google’s Privacy Sandbox.

CookieScript. (2021). All You Need to Know about Third-Party Cookies.

Solid, clear walkthrough of cookie functions and a high-level view of the current state.

Dillon, Grace. (2021). The Present and the Future of Audience Addressability. ExchangeWire. 

Detailed description of different Universal ID approaches, along with approaches to combine UID data with existing data such as first-party, in effect, defeating the purpose of cohort modeling and UID approaches. Proposes a minimum combination of data sources that provide alternatives for attaining behavioral targeting.

Github. Customer Profiling and Behavioral Targeting. Accessed 8/20/21.

Excellent, if dated, explanation of cookies.

Schiff, Allison. The Industry Reacts to Google’s Bold Claim that FLoCs are 95% as Effective as Cookies. AdExchanger.

Interviews with senior marketing and advertising executives commenting on Google’s January claim of efficacy in internal tests of FLoC.

Stack Overflow (2017). How do Third-Party “Tracking Cookies” Work? Stack Overflow.

Short discussion of the basic functions that create a third-party cookie with simple examples.

Sweeney, M., Zawislak, P. (2021). The Role of Third-Party Cookies in Programmatic Advertising and AdTech. Clearcode.

Excellent roundtable of online advertising executives from Clearcode, discussing the contemporary cookie tracking landscape, including technical details for functionality, including live syncing across platforms, as well as specific practices, their ramifications, and the current state.

Willens, Max. (2021). The Coming Cookie Changes Will Force Some Small Publishers to Give Up on Advertising Altogether. Digiday.

Brief article documenting the precarious situation of small publishers in a post third-party cookie targeting environment. Without the resources to compete with larger technology-enabled publishers with large volume, small publishers will settle for smaller CPM rates rather than invest significant funds in a system over which they lack control. If an alternative to prior targeting and segmenting is not available, many stakeholders may fail to stay solvent.

Wlodarczyk, Lukasz. (2021). Google Quietly Drops New Privacy Sandbox Guidance, Clamps Down on Workarounds for Cross-Site Identity and Tracking. AdExchanger.

Interesting update with Google acknowledging that workarounds persist for proposed FLoC even before testing is complete. Numerous reports from different sites state that various AdTech companies plan to circumvent Google’s privacy goals by merging FLoC’s cohorts with other data sources, including first-party, bought third-party, and fingerprinting data.