Digital advertising in a privacy-first world

Disclaimer: This article should not be seen as legal advice. We strongly recommend seeking legal advice on applying the regulations to your specific circumstances, and we disclaim any liability in connection with the use of this guide.

Disruptions to the digital advertising system have been underway for a while. Privacy-concerned consumers have pushed both regulators and businesses into action. Governments across the world have implemented stricter privacy laws, most notably the EU, UK, and China. Perhaps the most notable change is the set of new restrictions on using cookies – small amounts of data generated by a website and saved by the browser to store and communicate user information. While cookies remain allowed for basic functionalities of a website (e.g. for logins and shopping carts), their use for analytical and advertising purposes now requires explicit consent. This applies to both first-party cookies (set by the server of the visited website) and third-party cookies (set by third-party servers, e.g. ad servers behind display ads). Some web browsers (Safari, Firefox and soon Chrome) go beyond this restriction and block third-party cookies by default. This is because third-party cookies allow the building of user behavior profiles across several websites, and are thus the most privacy-invasive.

The lack of third-party cookies will strongly reduce the targeting accuracy of display ads. Ads will be less personalized, and thus less effective. We will evaluate the alternative options for advertisers in light of these changes.

Focusing on first-party cookies

While first-party cookies are less privacy-invasive, they too can be used to personalize ads, based on data collected about the user on the website. Many marketers thus advocate an increased use of first-party cookies. This is a valid option for large platforms and publishers, such as Google, Amazon, Facebook and the New York Times. These have an abundance of users that willingly create accounts, accept the privacy policies, and log in when using the platform. This enables the collection of an abundance of first-party data, even across user devices (phones, tablets, laptops etc.). Smaller websites, however, will find it more difficult to collect abundant first-party data. Their users are less likely to create accounts and stay logged in, thus accepting the company’s privacy terms. Instead, they must rely on the acceptance of consent banners by users.

The requirement for consent banners, on the other hand, will prevent many first-party cookies whose purpose is analytics and advertising. Seeing little benefit in accepting such cookies, many users reject them. Even when they are accepted, many browser vendors limit the lifespan of such cookies. Apple, for instance, limits these to 7 days. This makes it very difficult to track users across several visits and attribute the impact of marketing campaigns accurately. Again, big platforms are at an advantage due to their users remaining logged in.

Small advertisers do have some options though. To enable conversion attribution and remarketing without third-party cookies, Google and Facebook have developed first-party cookie solutions that may replace the previous third-party cookies. These first-party cookies carry unique identifiers that are limited to users of an advertiser’s site. This helps to more accurately attribute conversions with these major platforms.

In short, first-party cookies have lost some of their usefulness as well, but they remain a useful tool for marketers. Let’s look at the other alternatives.

Cookieless Advertising - Digital fingerprinting

Some analytics companies offer digital fingerprinting as a tracking method instead of cookies. Browser fingerprinting identifies individual users based on their IP, browser settings, and device settings. For websites to display correctly, browsers provide information about their device, including screen resolution, operating system, location, and language settings. Trackers assemble this data into a digital “fingerprint” and use this identifier to trace the browser across the web.

While analytics companies often proclaim this technique to be more privacy-compliant than cookies, there are various concerns. In particular, fingerprinting is less visible to the user. Moreover, fingerprints cannot be cleared from the browser as cookies can. This gives users less control over their data. Recent developments allow cross-browser fingerprinting to successfully identify users 99% of the time, even if multiple privacy precautions are taken, such as masking IP addresses through a VPN and deleting or blocking cookies.

The discussion about the GDPR compliance of fingerprinting goes beyond the scope of this article. In short, a digital fingerprinting technique would only be allowed if user data were anonymized in a way that is impossible to reverse with reasonable measures. The threshold for this is very high and regulators have not yet agreed on an acceptable technique (even the hashing and salting of user data does not suffice, as a hash function is considered pseudonymization, and thus results in personal data).

Thus, digital fingerprinting would require the same consent as cookies do. Having collected consent, however, we may as well work with first-party cookies.
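The point above about hashing and salting, as an added example that is not part of the original article: a salted hash of stable browser attributes is still one stable identifier per device, and whoever holds the salt can map it back. The attribute names, sample values and salt are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample attributes (203.0.113.0/24 is a documentation range).
VISIT_MONDAY = {"ip": "203.0.113.7", "screen": "1920x1080", "os": "Windows 10",
                "lang": "de-DE", "tz": "Europe/Berlin"}
VISIT_FRIDAY = dict(VISIT_MONDAY)                     # same browser, cookies cleared
OTHER_DEVICE = dict(VISIT_MONDAY, screen="1366x768")  # differs in one attribute

SALT = b"constructed-site-wide-salt"  # hypothetical secret kept by the data holder


def canonical(attrs):
    """Serialise attributes in a fixed key order so equal inputs give equal bytes."""
    return "|".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()


def salted_fingerprint(attrs, salt=SALT):
    """Salted SHA-256 (HMAC) over the attribute set: the 'hashed and salted' value."""
    return hmac.new(salt, canonical(attrs), hashlib.sha256).hexdigest()


def is_linkable(visit_a, visit_b):
    """Two visits are linkable when they map to the same stored identifier."""
    return hmac.compare_digest(salted_fingerprint(visit_a),
                               salted_fingerprint(visit_b))


def reidentify(identifier, known_devices, salt=SALT):
    """Recompute the identifier for attribute sets already known to the holder.

    A match shows the value can be mapped back to a device with reasonable
    means, which is what makes it pseudonymous rather than anonymous.
    """
    return [name for name, attrs in known_devices.items()
            if hmac.compare_digest(salted_fingerprint(attrs, salt), identifier)]
```

The same check can be run against a real pipeline's output: if two visits by one device produce equal values, the stored field is an identifier and needs the same consent basis as a cookie.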

Cookieless Advertising - FLoC

Ad-dependent companies such as Facebook and Google are scrambling to come up with alternative tracking solutions. Google's Federated Learning of Cohorts (FLoC) is the most prominent example. It aims to give advertisers a way of targeting ads without exposing details on individual users. It does this by grouping people with similar interests together: football fans, retired travelers, etc. These groups are called cohorts. They are generated through algorithms, which put consumers in a different cohort each week. Cohorts that are too small get grouped together until they have at least several thousand users, to make it harder to identify individual users.

However, a number of privacy advocates have pointed out problems with FLoC. As it groups users in clumps of thousands, ad tech companies may still find ways to identify individual users using additional tracking methods like fingerprinting. Moreover, none of the other browser developers has committed to implementing FLoC. They might never do so, unless FLoC gets a lot more transparent and secure from a privacy perspective. It's also not clear if FLoC passes GDPR data regulations in the EU.
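The concern that a cohort of thousands can be narrowed with additional signals can be measured as an anonymity-set size. The following is an added example, not part of the original article and not Google's algorithm: the merge rule, the threshold of 2000 and the population are constructed assumptions.

```python
from collections import Counter

K_MIN = 2000  # assumed stand-in for "at least several thousand users"
SCREENS = ["1920x1080", "1366x768", "1536x864", "2560x1440", "390x844"]
LANGS = ["en-US", "de-DE", "fr-FR", "es-ES"]
# Constructed cohort sizes before merging (cohort id -> number of users).
RAW_SIZES = {"a": 2500, "b": 900, "c": 700, "d": 600}


def merge_small_cohorts(sizes, k_min=K_MIN):
    """Merge the two smallest cohorts until every cohort has >= k_min users.

    Returns a mapping from original cohort id to merged cohort id.
    """
    groups = [(n, [cid]) for cid, n in sizes.items()]
    while len(groups) > 1:
        groups.sort()
        if groups[0][0] >= k_min:
            break
        (n1, ids1), (n2, ids2) = groups[0], groups[1]
        groups = [(n1 + n2, ids1 + ids2)] + groups[2:]
    return {cid: min(ids) for _, ids in groups for cid in ids}


def constructed_population(sizes, mapping):
    """Build synthetic users: merged cohort id plus two coarse browser attributes."""
    return [
        {"cohort": mapping[cid], "screen": SCREENS[i % 5], "lang": LANGS[(i // 5) % 4]}
        for cid, n in sizes.items()
        for i in range(n)
    ]


def smallest_anonymity_set(users, keys):
    """Size of the smallest group of users sharing the same values for `keys`."""
    counts = Counter(tuple(u[k] for k in keys) for u in users)
    return min(counts.values())


MAPPING = merge_small_cohorts(RAW_SIZES)
USERS = constructed_population(RAW_SIZES, MAPPING)
```

On this constructed population the smallest group is 2200 users by cohort alone and 110 once screen size and language are joined in, which is why the cohort size by itself is not the privacy guarantee.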

At this point, it remains to be seen whether FLoC will provide a suitable alternative to cookies.

Cookieless Advertising - Contextual Targeting

The aforementioned tracking methods – cookies, logins, fingerprinting – are needed for behavioral targeting, i.e. the serving of ads based on the user’s browsing and purchasing behavior. However, there is another targeting approach that does not require knowledge of the user’s previous behavior, and thus no tracking: contextual targeting. Instead of relying on the user’s behavior, it displays relevant ads based on the content of the web page the user is on. This is of course similar to non-digital advertising, e.g. on billboards, in magazines, and on radio and TV. An example would be ads for wedding suits on the wedding announcement pages of the New York Times.

Modern contextual targeting, of course, is still digital and allows for automated processes where algorithms select the advertisements based on keywords and other metadata included in the content.

Contextual Targeting for Display & Social Ads

Contextual targeting for display ads is already available, with the largest player being Alphabet and its AdSense platform. AdSense allows a publisher to insert code throughout a site where ads are served by AdSense. The site is crawled for keywords and context, and relevant ads are placed. The site owner can customize certain features, such as where and how ads are displayed, and the types of products or services advertised. Advertisers provide the topics of the campaign (e.g. “Autos & Vehicles”, “Trucks & SUVs” etc.) as well as keywords for more precise targeting within the selected topics. This includes negative keywords, which will help the network match ads to website content. Google will then analyze the content of each display network web page to match ads with relevant content. It takes into account text, language, page structure and link structure, along with your keywords and any other targeting.

Furthermore, YouTube recently unveiled “advanced contextual targeting”, which allows for quite granular contextual targeting. It understands, for instance, the difference between luxury travel and budget travel, and it understands the specific interests within categories such as home and garden or interior design. Its machine learning analyzes YouTube videos frame by frame, looking at images, sound, speech and metadata connected to specific videos. While YouTube already has 300 pre-packaged video lineups matched to specific interests, brands can also work with a YouTube rep to create their own. These capabilities are complementary to YouTube’s behavioral targeting (advanced audience) solutions, which let advertisers know what YouTube watchers are generally interested in, based on what they watch.

While display and social ads are improving their algorithms for contextual targeting, it is highly unlikely that their ads will ever be as personalized and effective without behavioral targeting.

The most effective contextual targeting is likely to remain search advertising, e.g. on Google or Microsoft. As each ad matches a search query, it is based on the explicit need of the user in the moment (while often still using previously collected information about the user). This, naturally, increases the likelihood of clicks and conversion. While expensive on a per-click basis, search ads often still provide the best return on advertising spend.


We do not believe that the alternatives to cookies are strong enough at this point to replace the cookie. Digital fingerprinting, while bypassing some privacy-focused browser controls, does not evade the restrictions of privacy regulations.

At this point, brands must accept a certain loss and make the best use of consented data. Supporting this trend, Google announced “Consent Mode” as a beta feature to help advertisers remain compliant with regulations in Europe. Consent Mode automatically ensures that Google tags do not read or write cookies for advertising or analytics purposes in cases where the user did not consent to being tracked. The settings can be varied by region to always collect as much data as possible.

Understanding that advertisers have a measurement gap due to the loss of data, Google has further announced that Consent Mode will also allow for conversion modeling to help fill those gaps. Consent Mode will enable conversion modeling to recover the attribution between ad-click events and conversions measured in Google Ads. Google’s data shows that Consent Mode can recover more than 70% of ad-click-to-conversion journeys that were lost due to user consent choices.

Advertisers using Consent Mode will now see their search, shopping, display and video campaign reports within Google Ads updated with modeled conversion data in the conversions, all conversions, and conversion value columns. Modeled conversions will be integrated into Google Ads campaign reports in the same way and at the same level of granularity as regular conversions, so that they can be leveraged within Google’s bidding tools in the same way as existing conversion data.

Advertisers already using Consent Mode will start seeing gradual improvements as conversions that would otherwise have been lost are captured through modeling. Advertisers in the European Economic Area or the United Kingdom that are interested in implementing Consent Mode and are using Google Ads conversion tracking can get started here or can work with one of Google’s many consent management platforms.