The beginning of the Great Adpocalypse can be traced back to April 2021, when Apple released its iOS 14.5 update and began enforcing a policy called App Tracking Transparency, which prevents apps like Facebook from tracking iPhone users across other apps and the mobile web, unless users opt in.
Less than one month after the update’s release, one report showed that 96% of U.S. iPhone users had opted out of being tracked. That not only hurt Facebook’s ad business—to the tune of an estimated $10 billion in 2022—but also sent online marketers scrambling.
Suddenly it was a lot harder to serve up targeted ads based on people’s internet activity, and to obtain the data needed to get the most out of their advertising buck. But a new group of startups is helping marketers get around some of those privacy filters.
This comes as the Federal Trade Commission recently announced a potential crackdown on “commercial surveillance,” and began seeking public comment on the harms from “collecting, analyzing, and monetizing information about people.”
At the same time, the bipartisan American Data Privacy and Protection Act, which would drastically impact companies’ ability to collect and harness data, is making its way through the U.S. House of Representatives.
Meanwhile, after several delays, Google has said its Chrome browser—the world’s most widely used—will eliminate the use of third-party cookies for tracking users in 2024 (Safari and Firefox took this step years ago), and replace them with new technologies that it claims will allow ad targeting “without relying on cross-site tracking identifiers.”
“A lot of what we do in the digital world relies on cookies,” says Melissa Chase, managing director at Boston-based agency Decibel Media. A cookie, she says, “is really just this piece of code that follows somebody around and allows us to attribute their actions back to our ad investment, which is what any client wants to see.” (Google’s third-party cookies, for example, are on millions of websites, feeding the company information about the sites you visit, which is how it is able to place such uncannily relevant ads.)
The crackdown on third-party tracking has given rise to a new breed of “digital attribution” startups—Triple Whale, Northbeam, Hyros, Wicked Reports, and Rockerbox, to name just a few. They promise to track and sync conversions (sales, signups, etc.) across all of your marketing channels, and to accurately credit each touchpoint in the customer journey, all without using cookies or other third-party tracking.
“There’s a lot of stuff that’s really valuable looking inside of Facebook analytics and Google’s reporting,” says Austin Harrison, CEO of 3-year-old San Francisco-based company Northbeam. “Where we come in is looking at the overlap between the two.”
As Facebook conversions have gotten “fuzzier” to track, many marketers have diversified their ad spending across more platforms. It’s a way of hedging their bets, but it also adds to the challenge of figuring out which specific ad, paid search link, or Instagram story actually got a customer to buy a product or sign up on a site. Say a user engages with a Facebook ad, does a Google search, and views some content on TikTok, then subsequently buys something a few weeks later.
“That kind of customer journey is [usually] hard to track,” Harrison says. “We have built state-of-the-art technology to help you understand [what channels], paid or unpaid, are going to generate revenue today—and to forecast what will generate revenue, profitably, in the future.”
All of these platforms—with subscriptions that cost a few hundred to several thousand dollars per month—essentially work by collecting, cleaning up, and analyzing so-called first-party data, which consists of information that’s collected on a business’s own platforms, such as visits, views, clicks, and purchases across its website, mobile app, social media accounts, email, text, and more.
“[These platforms] use first-party data for things that are knowable (sales, phone calls, landing page visits) and sync that data to the various ad platforms (Facebook, Google, etc.) that they’re using,” explains Jonathan Wilson, digital marketing director at consultant Wolters Kluwer. “Then they use their proprietary algorithms to estimate attribution based on how the data lines up.”
It’s a way of triangulating where your traffic is coming from, without actually tracking people off your site, essentially filling in the data gaps caused by the Great Opt-Out.
Since Facebook can’t track users off its site to measure conversions directly when third-party tracking is disabled, it’s up to the advertiser to basically share its own first-party data with the ad platforms (through Facebook’s or Google’s conversions application programming interfaces, for example), to determine which ads convert to sales, signups, and other actions. Without this data, a company’s ability to target its social media ads to the kinds of people who are likely to make a purchase is pretty limited.
Harrison, from Northbeam, says that his platform looks only at “first-party data, opt-in folks.” That is, people who’ve clicked “accept” for site-specific cookies, or better, signed up for a newsletter, opened an account, etc. “We think privacy is super important,” he says.
The reality, though, is muddier, and Northbeam and its ilk—and virtually anyone involved with digital marketing today—like it that way. The details tend to be obscured in jargon about “resolving user identity” or “recovering lost data.” But the fact is, even if you volunteer no information and opt out of everything for all time, companies can still build a remarkably detailed user profile of you using just publicly available data.
The techniques are familiar to digital forensics experts and hackers, says Dominic Villeneuve, head of cybersecurity at a Canadian insurance company and an “ethical hacker” who finds and reports flaws in software as a hobby.
“Cookies are a cheap way to track a user,” he says. “But you can do the same with server side [data]. You just need more computing power, and you have to screen all the data.”
Cookies are an example of client-side tracking, meaning they collect data directly from a user’s device. But whenever the user clicks on a site, it collects a bunch of server-side data, which includes things like an IP address that gives the user’s general location and internet service provider, as well as the type of browser, device, and operating system they’re using. It also includes referral data that shows the site the user just came from.
Using server-side data, a company like Amazon, say, can see that you have an IP address that is shared with three other users on different browsers and devices, and glean that you are probably a family that likes technology and has money to spend on it. And because it also sees that your devices are made by Samsung, it’ll make sure you get alerts about the latest Samsung products on Amazon.
Companies can combine server-side information, like your IP address, with any first-person data they also have—an email, social media account, phone number, previous purchases, etc. They can also “enrich” it with information gathered from publicly available sources on the internet or bought from third-party data brokers.
“First-party data combined with some other data points can lead to some fairly detailed profiling and tracking,” says Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, an independent nonprofit research center focusing on emerging privacy and civil liberties issues. “But I do think there are some significant details. With first-party data, the consumer tends to be much more aware they’re interacting with that party. If I’m on a news site, I’m pretty aware they’re seeing my activity and maybe getting some information on me, but I’m choosing to be on that site.
“It’s very different than visiting a news site and hundreds of other companies that I have no intention of interacting with placing trackers on me,” she adds. “That more direct interaction is at least good when it comes to expectations and notice.”
In the U.S., the big changes in digital privacy have mostly been led by industry rather than by government. California’s Consumer Privacy Act, enacted in 2020, is an exception. There, as well as in the European Union, which enacted the sweeping General Data Protection Regulation in 2018, advertisers are more limited in the data they can collect. Notably, under those laws, IP addresses are considered to be personal information that can’t be collected for the purpose of creating consumer profiles.
However, it’s not likely that such a rule will come out of Congress or the FTC in the near future, so marketers will continue to have access to a range of third-party tracking workarounds such as those offered by attribution platforms.
While the long-term trend is toward greater privacy protections, digital privacy is a moving target. And for digital marketers, so are you.