Cross-domain ID solutions — such as HEM (hashed email addresses) and fingerprinting — have seen increased attention across the industry. However, the majority of this attention is misplaced. Here’s why cross-domain ID solutions aren’t the ideal alternatives to a deprecated third-party cookie.
Why Cross-Domain ID Solutions Don’t Stack Up: HEM
HEM is a cross-domain ID solution that uses hashed emails, a form of deterministic data—data supplied directly by users—to create identifiers. It works by matching publisher-collected emails with advertiser-collected emails to create an anonymized ID. This anonymized ID can be applied to some of the same use cases as third-party cookies.
Why HEM Is Trending as a Cookiefree Alternative
Add in the benefits of HEM, and there’s good reason why many in the industry see HEM as a viable successor to the third-party cookie:
- Deterministic data is generally high value and accurate because consumers supply it directly.
- Because it’s based on deterministic data, HEM is considered more privacy-compliant since consent is implied.
- The nature of email use means that a user’s email rarely changes and can be tied to that specific user.
- And finally, HEM enables tracking across domains without being reliant on cookies.
But while these elements combine to present HEM as an elegant solution in a world without third-party cookies, on closer examination, there are clear reasons why it’s not as smart as it seems.
HEM’s Major Weakness
The root of HEM’s potential efficacy lies in its ability to track individuals across domains. But this ability is also its Achilles’ heel: tracking users across domains impacts consumer privacy, and there’s little doubt that privacy will continue to be a regulatory priority.
This means web browsers and platforms like Apple and Google actively prioritize privacy protection. A current example is Apple’s iCloud+ Hide My Email, which enables individuals to generate unique, random email addresses that can be used just like their personal email. These emails automatically forward to the individual’s email, where they can be replied to like a regular email, all while keeping the personal email private.
This aspect alone derails any long-term potential of HEM to replace third-party cookies. But HEM also faces other difficulties:
Collection challenges. Emails are often costly and difficult to collect. For example, even those publishers doing well see only around 10-15% of traffic logging in. And while brands have fewer problems collecting emails, the emails they collect are typically from existing customers rather than non-purchasing website visitors.
Difficulty of scaling. Even if a publisher were to have a phenomenal 80% login rate, each hashed email from that publisher could only be matched with a hashed email from one advertiser. But to scale, that hashed email needs to be associated with several different domains across the web.
And other scaling obstacles exist. For example, wide adoption is required to scale, but the adoption rate is roughly 10%. Add to this the lack of a standardized approach to email collection, resulting in a higher potential of the same emails not matching, and the scaling problem becomes evident.
These issues point to the unlikelihood of HEM’s capacity to rise to the top as a viable third-party cookie option.
Why Cross-Domain ID Solutions Don’t Stack Up: Fingerprinting
While HEM uses deterministic data, fingerprinting is an ID solution based on probabilistic data such as IP addresses and user agents. This data is used to create data points stitched together to generate an ID of a device or browser.
Why the Industry is Eyeing Fingerprinting’s Potential
Like HEM, fingerprinting offers several benefits that enable industry players to replicate some of the techniques that work within a third-party-cookie environment:
- Passive fingerprinting can collect IP addresses and user agent information undetectable to the user, so it’s not intrusive to the user’s experience.
- Unlike cookies, the data is stored server-side rather than user-side, and it’s harder to block or delete.
- Regarding scalability, it’s easier to collect probabilistic data than deterministic data.
- And finally, fingerprinting enables tracking across domains without the need for cookies.
Fingerprinting’s Major Weakness
Fingerprinting has the same Achilles’ heel as HEM: its ability to track users across domains means it’ll be a regulatory target.
In fact, browser interventions designed to prevent fingerprinting have already been implemented or are currently underway. Google has stated its anti-fingerprinting goals, for example. And Apple has rolled out anti-fingerprinting initiatives such as opt-in requirements for mobile device IDs and its iCloud Private Relay, which masks IPs by sending requests through two separate internet relays. Masked IP techniques, in particular, make fingerprinting IP addresses virtually useless.
Fingerprinting also comes with a slew of other issues, including:
Lack of consent. Regardless of the type of fingerprinting used—active or passive—there’s no user consent. From a privacy perspective, this is highly problematic.
Needs deterministic data. While it’s easier to collect, probabilistic data doesn’t score well when it comes to accuracy, as it’s based on probabilities and inferences. So instead, it’s best used to enhance deterministic data and provide scale.
Lack of persistence. Unlike email addresses or phone numbers, people change devices and browsers more frequently, making fingerprinting less persistent than HEM techniques.
These issues mean that fingerprinting isn’t just a runner-up to HEM-based ID solutions. It’s also unlikely to qualify as a contender in a post-third-party cookie world.
Alternatives to Cross-domain ID Solutions
Cross-domain solutions fall short, but how can they be avoided? Fortunately, there are some viable alternatives with long-term potential.
Google’s Privacy Sandbox
Google’s Privacy Sandbox is aptly named: it’s a playground for innovation and experimentation, where the industry can solve for targeting use cases using behavioral cohorts rather than individual identifiers to create a set of open standards on which to base a cookieless ad ecosystem.
While the Privacy Sandbox continues to be an exciting industry-wide initiative, it’s already faced several challenges:
- The evaluated proposals will solve some targeting use cases, but cohort analysis will only be marginally helpful for other use cases.
- There’s been significant pushback from vendors already about efficacy. So the question is, will proposals be practical or widely adopted?
- Solutions are browser-by-browser, requiring significant changes in how advertisers set up their campaigns.
In a world without third-party cookies, first-party data, with its ability to provide rich insights about customers and visitors in a privacy-compliant manner, will be more valuable than ever. Made up of more than just log-in information, first-party data can be collected from numerous sources, including visitors’ website behavior, survey results, social media interactions, and customer feedback.
Despite its value, though, first-party data is up against several obstacles:
- Like all deterministic data, first-party data tends to be costly to collect and difficult to scale.
- Many organizations aren’t structured to collect data in one central storage place across all their systems.
- To get the most out of first-party data, it’s necessary to add meaning to it through contextual and behavioral elements.
Seller Defined Audiences
A concept developed by IAB Tech Lab, seller-defined audiences is a specification that creates a standardized taxonomy based on context and first-party data. It aims to enable both publishers and advertisers to scale publishers’ first-party data without the risk of data leakage.
While sound in theory, the concept isn’t without its issues. Because individual publishers self-define segments within the standardized taxonomy, buyers can lack consistency when purchasing a particular audience segment.
For example, while one publisher might define its “basketball fanatic” segment as someone who reads articles about NBA game scores, another publisher might define that same segment as someone who reads any NBA-related article, including celebrity-based reporting.
Combining Approaches: Opportunities in the Making
While each of these alternatives offers promise, they each confront obstacles that must first be addressed. In the current experimentation environment, the answer may lie in combining approaches. For example, pairing the power of first-party data with the standardized taxonomy offered by seller-defined audiences has the potential to provide both publishers and buyers with the best of both worlds:
- Level of engagement data—the number of articles read, time on page, scroll depth—adds the behavioral elements that take the data beyond just context.
- The platform defines the segments within the standardized taxonomy rather than individual publishers.
- Publishers can remove specific segments from inventory (for example, to use for targeting direct ads), giving them complete control over access to their inventory.
For advertisers, the benefit of this combined approach is quality, consistency, and simplicity: They can stay focused on the buy without worrying about anything else.
Publishers benefit because they can put more highly engaged readers into a programmatic environment without fear that their data will be used for media purchases on other sites. The result? Publishers can raise CPMs while leveraging their first-party data in a cookie-constrained environment.
TripleLift’s platform, which uses 1plusX to define its segments, is one example of such an approach. The platform also strips any unnecessary information from the bid requests going out to buyers, resulting in packaged deals for buyers based on segment IDs and the bid request, with no identifiers to connect data between domains.
How Do the Solutions Compare to Third-Party Cookies? A Note About Measurement
The challenge for any potential cookieless solution lies in measurement. Unfortunately, the reality is, no matter how viable the solution, it’s impossible to make a comparison to third-party cookies because of how success is currently measured.
This challenge reflects several issues:
- Current metrics are, undeniably, not very accurate.
- Widespread adoption of ID identifiers is necessary before accurate measurement can be attained.
- More testing within a cookieless environment is needed to obtain the numbers necessary to develop better metrics.
While it’s a difficult challenge, it’s not insurmountable: a cookieless environment already exists in Safari as a testing ground for industry players. And there’s a corresponding opportunity to see how effective these solutions are within a third-party environment in Chrome while third-party cookies still exist.
The Uncertain Future of Cross-Domain ID Solutions
While cross-domain solutions are more privacy-friendly than third-party cookies, they face uncertainties that make them unsuitable as a long-term solution. For example, in addition to the need for widespread adoption, their cross-domain nature subjects them to a higher regulatory focus, similar to the scrutiny placed on third-party cookies. And this means their status will remain perpetually in flux.
In the long term, the right solutions will prioritize privacy. And the viable alternatives to cross-domain ID solutions described above are already doing just that. First-party data, in particular, allows the industry to create more predictability in the future.
Eliminating cross-domain ID solutions doesn’t mean the industry will be left floundering. On the contrary, the enormous gap created by the deprecation of third-party cookies has created an environment ripe for innovation, collaboration, and experimentation. And for the industry as a whole, this spells opportunity.