PRIVACY BEAT: Companies said to be spending ‘hundreds of millions’ to replace the third-party cookie for controlling user data

Privacy Beat

Your weekly privacy news update.


Companies said to be spending ‘hundreds of millions’ to replace the third-party cookie for controlling user data — but no consensus yet on platform, browser or public

Who should control user identity on the web — those elements of a person’s interests and attributes, some of which may be considered deeply private? Should it be tech platforms, web browsers, “fiduciaries” or users themselves? Companies are spending tens of millions to be part of the answer, one insider says.

The IAB TechLab, a nonprofit standards-development organization for publishers, ad-tech and web platforms, was in the running, with its “DigiTrust” shared-identity solution. But it threw in the towel this week (see story, below).

“LiveRamp is working on this, The Trade Desk is working on this. Everyone says the cookie is going to go away,” Mark Dye, chief strategy officer at Bombara (and a LiveRamp advisor) said this week during a recorded BPA Worldwide webinar.  “The cookie is going to get replaced with something. We’re trying to figure out what that something is. So don’t be deluded into thinking the third-party cookie goes away and this whole thing gets solved. Because there are companies spending hundreds of millions of dollars to figure out what replaces the cookie. So there will be something.”

The competition is heating up, but so far the solutions comprise a confusing array of current practice, new ideas and entrants. (See: Google Experiments Hint At Cookie-Free Future | Martin Kihn, via AdExchanger) In the broadest sense there are at least three general possibilities:

  • For the most part, user identity is now controlled opaquely by a plurality of advertising, ad-tech, apps, social media or other technology platforms.

  • In public discussions facilitated by the World Wide Web Consortium (W3C) and elsewhere, web-browser software makers are discussing how their technology can control user-identity data collection and settings — in collaboration with or transparently to the user.

  • So far in mostly the idea category is user identity and data controlled by the user, either on their device, or in partnership with a “information fiduciary” such as a publisher or affinity group. 



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More

Ad-tech trade group throws in towel on effort to control universal ID, but keeps consensus-building process going

Trade publications reported this week on the announcement by the IAB Tech Lab that it will sunset “DigiTrust” — its entry into the universal, shared-ID tech race, effective July 31. The decision came six months after it appeared the cookie-based effort was going to be blocked by at least one major web browser, Mozilla. 

“DigiTrust’s initial aim was to encourage ad-tech providers, along with publishers, to align around tech requirements to produce a “pseudonymous consumer ID“—albeit cookie-based—that multiple parties could use, provided they agree to respect a consumer’s privacy choices,” AdWeek reporter Ronan Shields, wrote in his DigiTrust demise account. 

“…[A]any service that relies on third-party cookies—including DigiTrust and other standardized cookie approaches—have a limited lifespan of utility,” DigiTrust’s Jordan Mitchell and  Benjamin Dick wrote in a blog post about the change entitled “DigiTrust — the Final Chapter.”

At Exchange Wire, reporter Grace Dillon wrote that DigiTrust “was set up to allow SSPs and publishers to consolidate their cookies with DSPs in order to enhance targeting.” She said IAB Tech Lab’s “Project Rearc” — a “global call to action”  would now help create a new privacy-aware ad-serving infrastructure. “However,” she wrote, “some believe that Rearc comes too late, and will not be enough to weather the post-cookie landscape.”

Concluded James Hercher, writing at “While it made sense for DigiTrust to exist within a neutral industry trade group, the clock has been ticking since Chrome announced it would deprecate third-party cookies in 2022.”


Business publishers complaint to ad-tech: We own user data we put in bidstream ecosystem — stop using it to assemble your own audience data for free

Who owns the data that a publishers sends about users into the ad-tech real-time bidding ecosystem? The largest association of business publishers say they do — and they want ad-tech and advertisers to stop using it without their permission.

Two executives of the nonprofit BPA Worldwide trade group and three guests explored the topic during a webinar this week, entitled: “Data Leakage, Bitstream and the Demise of the Third Party Cookie.”  Their argument — if a publisher submits an advertising position on its web page into the programmatic “bidstream,” should hundred of ad-tech companies and advertisers who “see” that data be able to save it for their own purposes? 

“If you loan me your car so I can run an errand, you don’t expect that I’m going to be renting out my car to other people,” argued Scott Roulet, BPA’s VP, programmatic advertising. “You may not explicitly state it, but if I do so that violates the spirit of the agreement.”  Roulet said BPA’s goal is to create awareness of the issue, “so we can have an industry discussion that ultimately hopes to define, in a collaborative way, standards so everyone understands the rules of engagement and how data and various digital assets are being used.”


Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Harvard researcher’s book seeks Facebook, Google breakup on privacy and democracy grounds; privacy activists support new law and “microtargetting” ad ban 

In a book released this week, an academic dialogue, and in a letter to Congress, a Harvard University web researcher argues the advertising and data business models of Facebook and Google harm democracy and diminish individual rights to data and privacy.

The companies should be dismembered by antitrust enforcement, says Dipayan Ghosh, the Harvard research who is a former Facebook staffer and policy advisor to the Obama White House. He now runs the Digital Platforms and Democracy Project at Harvard and is author of the book, “Terms of Disservice; How Silicon Valley is Destructive by Design.”

Ghosh, along with a virtual who’s who of privacy advocates — individuals, academics and organizations — were cited by U.S. Rep. Anna G. Eshoo, D-Calif., as supporting a bill she’s filed that would ban demographic “microtargeting” of political advertisements by Internet platforms and others.

Meanwhile, a white paper funded by a project of the nonprofit New America Foundation, entitled: “Getting to the Source of Infodemics: It’s the Business Model,” argues the surveillance business model is a challenge to democracy. In a report summary, authors Nathalie Marechal and Ellery Roberts of Ranking Digital Rights call for federal privacy law to protect people from harmful effects of targeted advertising, giving users clear control over transparent collection and sharing of information, and “prohibiting the use of third-party data to target specific individuals.”

Esho introduced H.R. 7014 on May 26 (read bill summary). It applies to candidate and non-candidate microtargeting, and to social media sites, streaming services and ad networks; it prohibits completely targeting ads based on demographics or behavioral data; it has a private right of action; violations are enforced by the U.S. Federal Election Commission and the private right of action. However, it also allows microtargeting if a user gives “express affirmative consent,” such as by checking a box, and continues to allow targeting of ads based on where the recipient is geographically located. The bill appears to have some bipartisan support so has a chance of passage.

In addition to the book and statement to Congress, Ghosh was also part this week of a series of written dialogues hosted by the Columbia Journalism Review (CJR) about algorithms, competition, privacy, protest and policy violence. “I think, on all counts, we need to transfer power from the corporate to the user. Privacy, market competition, data portability, technical interoperability, algorithmic transparency — I believe these policies are the start of what will ultimately be a more sophisticated regulatory regime from top to bottom,” Ghosh wrote in one of the CJR sessions.




Awaiting status of CPRA ballot bid; websites must now acknowledge browser “Do Not Share” signals, 

There’s a cliffhanger in California as a state court suit seeks to make sure a bureaucratic delay doesn’t prevent these state’s voters from having another change to enact digital privacy safeguards by November ballot petition. Meanwhile, it’s pretty clear the state’s attorney general thinks the California Consumer Privacy Act (CCPA) requires that websites now must respond to a “Do Not Share” signal sent by a user’s web-browser software.

The AG’s office said it had studied public comments on its draft CCPA regulations and concluded that  “[t]he regulation is thus necessary to prevent businesses or ignoring consumer tools related to their CCPA rights and, specifically, the exercise of the consumer’s right to opt-out of the sale of personal information.” (for this language, see Page 38).









Facebook’s succeeds by managing user identity — when will publishers learn to do the same?

“Facebook has built a business on capturing the attention of people who use the social network to stay in touch with others, who basically provide content for free. Last year, the company started to pay publishers for content that appears in its Facebook News section, but the money is unlikely to replace all the ad revenue they’ve lost over the years. Facebook’s key strength has been its requirement that people use their real identities to set up an account, and collecting vast amounts of information about their activities to help with ad targeting. However, its biggest weakness is that user-generated content can be inflammatory, hurtful and divisive. The company has a mixed record of removing objectionable content, while also wavering between espousing free speech or blocking it. Publishers have enormous advantages in providing brand-safe, value-added content to self-selecting audiences, and it’s those characteristics that need to be central in their marketing efforts. Instead of seeking state-ordered subsidies, publishers need to respond to the threat of digital ad giants by gathering more information about their readers.”

– Excerpt from “Facebook Doesn’t Need News Content to Survive,” a June 16  opinion column at by contributing editor and former Bloomberg L.P. editor Rob Williams.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp