Apple’s privacy overhaul of its Identifier for Advertisers (IDFA) is looming. The update — expected in early Spring — will revoke access to Apple’s in-app identifier, ruling out user tracking for advertising purposes without express consent. It means much of Apple’s disproportionately valuable iOS app user base will become anonymous overnight, disrupting in-app targeting, attribution, and monetisation.
It’s unwelcome news to app publishers and advertisers, especially those who channeled spend into app advertising to escape similar changes in the web ecosystem. Third-party ad tech players are desperately searching for new ways to access user data, and others are racing to provide one new identifier to rule them all.
While a replacement universal ID might feel like a logical ‘right now’ solution, it’s not the right solution for a better future — especially for publishers, who now have an opportunity to transcend the status quo. Without universal IDs, publishers can reclaim control of their biggest asset: first-party data.
Replacing identifiers doesn’t solve the privacy problem
IDFA is not the first casualty of Apple’s privacy mission. The tech giant has been bullish in shutting down the third-party cookies that once allowed cross-domain user tracking on Safari. By starting on a similar path in-app, Apple is carving out a future free from user tracking, in any ecosystem.
With Firefox and newer privacy-conscious browsers showing similar dedication to the prevention of user profiling and tracking, there’s now an expiration date on any identifier that facilitates it. In fact, Google has specifically ruled out the future use of identifiers that track users across the web.
Globally, regulators are exerting similar pressure, classifying online identifiers as personal data protected by law. With this viewpoint, the non-consensual sharing of universal identifiers into the bidstream actually enables illegal or privacy-violating applications.
Replacing universal identifiers is therefore not a viable long-term fix; IDFA itself is not the problem, and nor is the third-party cookie. It’s the application of them to build a user identity — a readily available profile of an individual spanning multiple domains and apps — that browsers and legislators want to do away with.
Authentication is limited; data access should be based on trusted relationships
As the anti-tracking trend continues and identifiers are dismantled, don’t be tempted to rely on email addresses as a replacement universal ID. Apple has already nixed their use for in-app user tracking without express consent, and Google states that PII-based solutions like this “aren’t a sustainable long term investment”.
Authentication, while useful, is limited to a maximum of ~10% of users over the next few years — and will yield low match rates as users sporadically log in and out. It simply won’t be enough to sustain the digital advertising industry.
A new solution is required for the open, anonymous web and app ecosystems. One that respects user information, and doesn’t enable the downstream data free-for-all that violates user privacy. This reset in the digital advertising ecosystem will force a reckoning around the user data access privilege, putting publishers in a unique position.
Publishers own the relationships with their users, and the information each user provides in exchange for the on-site experience is valuable, personal, and privileged. The digital advertising industry has been built upon the assumption that ad-tech players outside the publisher-user relationship have the same right to that information. These third parties have successfully inserted themselves into a privileged relationship, harvesting user data for profit, and publishers have grown to rely on them and public identifiers to understand their own users.
If publishers can let go of universal identifiers and resist the temptation to replace them, third parties will lose their grip on a user data access privilege they should never have had. Publishers will then be free to reclaim full control of their own first-party data and reap the benefits.
Universal identity is out, and publisher-specific identity is in — but beware
By restricting universal IDs, browsers aren’t opposing publishers collecting user data on-site. They’re simply pushing publishers to keep control of user relationships and better protect data downstream. In fact, the browsers are now attempting to show publishers the way forward with specific tools to allow the continued collection of first-party data within a safe publisher domain.
Apple’s Identifier for Vendors (IDFV) gives a publisher the ability to use publisher-specific identifiers across all the different apps they own and operate. Google Chrome’s ‘First Party Sets’ proposal does similar, letting publishers collect user data across all their owned and operated properties as a single ‘first party’. Mozilla Firefox has also just launched Total Cookie Protection, an in-browser partitioning of cookies into separate publisher-specific “cookie-jars”.
In the short term, publisher-specific browser tools like these are a good way to protect data and prepare for a future without universal IDs. However, they should only serve as a stop-gap — or inspiration — while publishers create their own publisher-owned toolset. This is because power over data will ultimately reside with the entities that can understand it. Tools like IDFV may be publisher-specific, but they are still browser-owned, and will therefore provide the greatest data understanding — and overall control — to browsers in the end.
This is an important risk to consider in light of Google Chrome’s recent ‘Federated Learning of Cohorts’ (FLoC) and FLEDGE testing announcements. Theoretically, advertising to anonymous users in cohorts offers a safe and viable future for advertising without universal IDs. Chrome’s proposals on the topic, therefore, offer a positive outlook at first glance.
However, the intended execution of Chrome’s FLEDGE cohorts would skew the balance in its own favor, lining the browser up as the center of power in segmentation and targeting transactions in the future. Should FLEDGE be adopted, publishers would again be commoditising their inventory, handing data over to third parties like large ad networks and DSPs.
At an exciting, pivotal time when publishers are closer than ever before to reclaiming control over their data, we must avoid handing that control straight over to another third party. Publishers should create and own their own identities to retain data ownership long-term. To make the most of that data, publishers will need to seek agnostic tools that allow them to scale and forge relationships with advertisers independently.
The perfect time to start is now — before we bid farewell to the universal ID for good.
