Introduction

As we move closer to the deprecation of 3rd party cookies, combined with a multitude of other changes in identity, publishers are exploring both new & existing solutions to ensure audience addressability that respects privacy, quality and scale. With multiple solutions including the Google Privacy Sandbox to the host of players bringing out their own ID solutions (e.g. the Trade Desk’s UID2.0), there’s never been more need for clarity so publishers can prepare.

We’ve created this page to act as a resource to understand the changes happening in digital identity: what is changing, why it’s changing, how it will impact publishers, and how we can prepare.  If you have any questions or suggestions please feel free to get in touch.

What’s changing?

  • Web revolution in privacy & tracking

    There’s currently a web revolution within privacy & tracking, which will change the way publishers analyse, build and monetise their audiences.

    • User tracking across the web is about to change.  We know third party cookies are going (99.9% certain) when Google deprecates them in 2022. There are a range of possible solutions including Google’s Privacy Sandbox – much of which is yet to be tested & verified – and a host of players testing and bringing out their own ID solutions (e.g. the Trade Desk’s UID2.0).
    • New standards, rules, browser functionality, and apis are coming (probably) with various tests going on, and working groups formed tasked with bringing order to the various moving parts.
    • Browsers are driving these changes, with support/opposition from various other players, whilst the market seeks solutions.
    • Confusion & uncertainty has prevailed as many focus on the potential damage to the free web; but the opportunities shouldn’t be understated as identity partners (like us), with publishers, working groups and other tech partners try to shape the conversation for the future of identity.
  • The Key Players

    Big tech

    The likes of Google, Facebook and Apple are all pushing the privacy agenda, but within their own contexts.

    Governments

    There’s a lack of consistency across regions, countries and states when it comes to privacy and identity, which is leading to disparate and varied laws.  To some extent this could risk confusion and ‘privacy fatigue’.

    Standards Bodies

    W3C and the Privacy Collectives.  Big tech has influence/representation here too.

    Privacy Advocates

    These have no current power outside of lawsuit and prompting regulation.

    Identity Vendors

    There’s an array of identity vendors with either new identity approaches in response to the deprecation of 3rd party cookies, or open ID solutions whereby identity is based on existing identifiers such as 1st party cookies or logged-in hashed emails.

  • What does it mean?

    Ultimately the way publishers create, analyse, and monetise their audiences will change within the next few years with the dominant views being a shift to using more 1st party data combined with a mix of cohort, unified IDs and/or contextual solutions.

    However; there are a number of outstanding issues to solve when it comes to the upcoming changes in identity, issues we’re working hard to address to ensure publishers maintain control over their destiny, including:

    • Transparency: There’s potential for a loss of transparency in some solutions e.g. browsers can’t handle the calculations/AI needed for solutions such as FLoC, so would need to be on server side that could hide important info/data/analytics, including publisher’s own.
    • Ad control: There’s a threat to publisher’s ability to control elements of ad delivery such as the ability to track undesirable ads, or audit ad partners, etc.
    • Revenue: There’s a number of threats related to revenue generation that we can link back to identity such as cohort reliability, forced aggregation (where smaller players may not have big enough audiences to partake in FLoCs), login power, etc.
    • Login control: Who can login, where, and who ‘owns’ that data? Whilst ‘logged-in’  user data seems like a very interesting part of the ‘cookieless world’  it’s likely that logins will only be viable for/controlled by browser groups or big tech groups.  For instance, there’s a risk of a double standard in the case of Google that can track a login across the web i.e. gmail, YouTube, Chrome.
    • Competition: Ultimately, there is the threat to the open market and loss of competition driven by larger players’ ability to track whilst others can’t.

Carbon’s latest activities

Whilst there are multiple possible scenarios & solutions when it comes to identity, the reality is that there could be a mix of options for publishers.  As a result, Carbon is working hard in a number of areas to ensure we can play in all or a mix of the possible realities.

As members of two of the larger, more established global organisations – IAB and NAI – looking after compliant consent (the prerequisite for all identity operations) we’ve always been ahead of initiatives such as TCF2.0 and GDPR, CCPA etc.  More specifically to identity though, we’re staying busy to shape the conversation.

  • Prebid

    Prebid are working in several areas in preparation for the demise of third party cookies.  Carbon Chief Data Officer, Dr Al Mclean, sits on both the Prebid ‘Privacy’ and ‘Identity Management’ committees to ensure that we can contribute & shape the conversation.

    • Firstly, in conjunction with the use of SharedId.org and taking ownership of UID2 Prebid are developing identity modules to give publishers fine grained control of the use of their user’s identity and first party segments.  Given the UID2 is based on authenticated logins, gaining that critical mass will be crucial but the move also creates an incentive for publishers to create high quality, trusted content to encourage user logins as the yield on high quality authenticated users will be much higher.
    • Prebid are also making an ID Import Library Module available that allows publishers to automatically tie a persistent ID (eg an email, or logon id on the page) to a map of user IDs from the User ID Module.
    • Prebid are working within the W3C to ensure that they will be able to operate as a trusted server within a finalised Fledge implementation such that sufficient information is available for Prebid to continue to function successfully. They are aware of existing flaws in the Fledge proposal and are working to have those addressed.
  • W3C

    Carbon also have representation on The W3C Working Group for Google’s Fledge Privacy Sandbox Turtledove Proposal, and we plan to observe and participate in the upcoming origin trials and public tests in March.

  • Technology tests & investigations

    We are also actively supporting our clients by exploring a number of id consortiums such as ID5 and Zeotap, as well as Liveramp’s email based identity solution.  In all of these tests as an RMP we will be uniquely positioned to measure the most positive impact on reach and yield.

    As part of Carbon’s work within the Prebid community we are aware of other identity solutions that are currently being proposed, which we’re continuing to monitor. One is based on embedding a global anonymous ID inside the TCF Consent string. This proposed solution, which includes a transparency portal for the user, does not require any 3p cookies and is 100% independent is currently being demoed to DSPs, SSPs, CMPs and the big publishers.

  • SandPiper by Carbon – our own standards based proposal

    We propose a standards based approach that returns control to the domain and user by building on an existing protocol. The approach allows a property owner to declare a sandbox that specifies how data can be accessed and shared. This allows visibility over data movement and provides the opportunity for a user to selectively override specific actions or membership.

  • Fledge amendment accepted

    Carbon recently had an amendment accepted in regards to Fledge to allow for a publisher worklet to support publisher needs and level the field within one of Google’s main Privacy Sandbox solutions.

    A core idea of Google’s proposals is that event level data is not made available outside of the browser – although it seems DSPs and SSPs may have this data. Thanks to Carbon’s amendment Publishers can now supply or delegate a publisher worklet that can also access this data. This can be used to keep track of the auctions and the revenue transactions. Note that individual data cannot be extracted from the worklet but aggregated data can and this data is only available by using a secure reporting server (which is yet to be defined). The reporting server will decrypt the aggregated data and ensure it is still k-anonymous before making it available to the requester. This should be enough for Carbon to provide revenue reporting.

Proposed identity solutions

Below is a list of the main proposed identity solutions – with brief summaries on each and relevant links to find out more – presenting new identity approaches in response to the deprecation of 3rd party cookies.

  • SWAN

    Owner: Community

    Concept: Distributed

    Size of Change required: None

    Browser implementation change required: No

    Additional infrastructure required: Yes

    Current state: Working demo

    Reception: +ve, growing

    The core principles of SWAN is to enable a competitive, privacy respecting, and decentralized open web.  These core principles include:

    • No central controller
    • SWAN enables global opt out (in line with the ideas of GPC)
    • SWAN enables multiple processors to both share pseudonymous identifiers, personal identifiers, identity and consent choices whilst at the same time verify other processors are respecting people’s choices and relevant privacy laws.
    • All parties can verify the supply chain at any time
    • SWAN will provide people the information they need to understand which processors had access to data. Therefore all data processors that receive SWAN data must identify themselves in the response in such a way as to enable users to be able to inspect these processors when the processing of the data is completed. If someone feels they have been harmed as a result of tis data processing then they will be able to identify the parties involved and exercise their rights under the applicable laws.
    • Governed collectively as a ‘common resource’ as per Eleanor Ostrom in her Nobel Prize winning work Common Pool Resource principles. Wikipedia appears to operate under these rules.

    https://swan.community/

    https://github.com/51Degrees/swan/blob/main/explainer-principles.md

    https://github.com/51degrees/swan-demo-go

  • Global Privacy Control

    Owner: Not for profit organisation

    Concept: Browser sends signal

    Size of change required: Medium – both browser & publisher

    Browser implementation change required: Yes – need to request and send GPC signal

    Additional infrastructure required: Yes – websites need to respect signal.

    Current state: Live

    Reception: Limited to some initial participants

    Global Privacy Control is an initiative by researchers, several newspaper organisations (NYT, WashingtonPost, Cafe Media), some browsers (DuckDuckGo, Brave and Mozilla), the EFF, and some search engine providers to improve user privacy and rights.

    Under GPC, every time your browser or app visits a page GPC information is added to the header. Sites that are not participating will ignore it but if it is present then it will take account of the header information.

    Some people have said this is just Do Not Track V2 and will require the major companies as well as legislation to force its use.

    The GPC signal can be a legally binding invocation of user opt-out rights under CCPA and GDPR.  DuckDuckGo and Brave for example have it built in, other browsers require an extension.

    https://globalprivacycontrol.org/

  • SandPiper by Carbon

    Owner: Community

    Concept: Extend existing web protocol

    Size of change required: Small – browser

    Browser implementation change required: Yes – browser needs to process additional CORS headers

    Additional infrastructure required: No

    Current state: Proposal

    Reception: +ve friendly feedback

    More details coming soon.

  • Sparrow by Criteo

    Proposal: Sparrow by Criteo

    Owner: Now part of fledge

    Concept: Turtledove enhancement. Introduces a 3p ‘gatekeeper’

    Size of change required: Large – part of turtledove / fledge

    Browser implementation change required: Yes – part of turtledove / fledge

    Additional infrastructure required: Yes – part of turtledove / fledge

    Current state: Part of Fledge

    Reception: Accepted

    Sparrow is now part of Fledge.  For more detail see: https://www.criteo.com/blog/sparrow-why-birds-may-play-a-key-role-in-the-future-of-advertising/

  • Project Rearc by IAB

    Owner: IAB

    Concept: Add privacy/sec headers into TCF string for accountability & transparency

    Size of change required: Unknown – too early to tell

    Browser implementation change required: Unknown

    Additional infrastructure required: No/possible

    Current state: Early proposal

    Reception: Largely negative – too slow, too heavy, too expensive

    For more details visit https://iabtechlab.com/project-rearc/

  • FLoC

    Owner: Google

    Concept: Anonymous cohorts. Everything done within the browser. User is a member of one cohort at any given time

    Size of change required: Huge

    Browser implementation change required: Yes

    Additional infrastructure required: Yes, trusted servers, de-aggregation/reporting servers

    Current state: Currently (April 2021) in first non-EU trial

    Reception: Largely negative

    FLoC (Federated Learning of Cohorts) is part of Google’s Privacy Sandbox that addresses how to do interest based remarketing without 3rd party cookies. In FLoC cohorts of people with common interests replace individual identifiers. A cohort is a grouping of browser activity that contains thousands of people derived by the browser using machine learning (ML) from its user’s browsing history. All the input features to the ML are kept on the browser and the browser only exports the cohort ID. A user (device) can only belong to ONE cohort at any given time, with their single cohort being recalculated on the browser periodically (currently every 7 days).

    For details on FLoC and Google’s other Privacy Sandbox solutions visit: https://blog.google/products/ads-commerce/2021-01-privacy-sandbox/

  • Fledge

    Owner: Google

    Concept: In browser auctions

    Size of change required: Huge

    Browser implementation change required: Yes

    Additional infrastructure required: Yes, trusted servers, de-aggregation/reporting servers

    Current state: Trials later in 2021

    Reception: Mixed

    Fledge is an early experiment for ads serving in the TurtleDove family and came out of industry feedback on TurtleDove, Sparrow, DoveKey, Parrot and Tern. It consists of:
    Interest groups stored in the browser. A browser can join multiple interest groups. An interest group has an owner which can be advertisers, publishers or adtech vendors. These interest groups can then be periodically updated

    • On device bidding by buyers (DSPs or advertisers) based on the interest groups in the browser and other data loaded from a trusted server
    • On device ad selection by a seller (SSP or publisher) based on the bids and metadata in the auction
    • K-anonymous targeting from the browser ensuring that a minimum number of people see a specific ad
    • Ad rendering in a sandboxed frame that only allows logging and reporting

    For details on Fledge and Google’s other Privacy Sandbox solutions visit: https://blog.google/products/ads-commerce/2021-01-privacy-sandbox/

  • Turtledove

    Owner: Google

    Concept: In browser auctions

    Size of change required: Huge

    Browser implementation change required: Yes

    Additional infrastructure required: Yes, trusted servers, de-aggregation/reporting servers

    Current state: Trials later in 2021

    Reception: Mixed

    It is likely that but unclear if the original turtledove has been consumed by Fledge. The new Turtledove has declared Fledge as its first iteration. Variants exist such as https://github.com/WICG/turtledove/blob/main/PRODUCT_LEVEL.md and https://github.com/WICG/turtledove/blob/main/OUTCOME_BASED.md

  • 1st Party Sets by Google

    Owner: Google

    Concept: Allow cross domain 1p sites to be treated as 1p

    Size of change required: Low

    Browser implementation change required: Yes

    Additional infrastructure required: No

    Current state: W3C work item and feature for chromium

    Reception: Mixed – allows google.com and youtube.com to be treated as 1p

    Google’s ‘1st Party Sets’ defines a mechanism that allows related domain names to declare themselves as the same first-party, and defines a framework for browser policy on which declared names will be treated as the same site in privacy mechanisms.

    This is a work item in the W3C privacy working group: https://github.com/privacycg/first-party-sets and is a status item for chromium https://www.chromestatus.com/feature/5640066519007232

  • Swan by 1PlusX

    Owner: Unknown/Google

    Concept: Turtledove/1p-sets extension to 3p

    Size of change required: Large – part of turtledove

    Browser implementation change required: Yes – part of turtledove

    Additional infrastructure required: Yes – part of turtledove

    Current state: Proposal

    Reception: No activity for 2 months

    Standing for ‘Storage with Access Negotiation’, the Swan proposal by 1PlusX sets out to generalize Turtledove and 1st party sets to enable full profile based targeting while remaining compliant with the chromium privacy model. More precisely, the goal is to be able to target users based on behavioral data collected across domains and/or parties while making sure this data never leaves the browser.

    More formally, the “sandboxed private storage” has limited read capabilities and consists of data collected across domains. Only pre-registered scripts with a constrained signature are allowed to read this data and to output interest groups. No other read/write capabilities are allowed for these scripts. and the rest remains identical to Turtledove. The difference to Turtledove is that partial profiles are registered in the browser, not audiences (interest groups). Instead, the audience memberships are computed directly in the browser. One partial profile consists of several items/attributes that are collected on one domain only.

    For more detail on Swan by 1PlusX visit: https://github.com/1plusX/swan

  • Parakeet

    Owner: Microsoft

    Concept: Anonymized and differentially private ad requests to preserve the privacy of individual users while still providing critical information, such as publisher context and user features

    Size of change required: Large

    Browser implementation change required: Yes

    Additional infrastructure required: Yes

    Current state: Proposal

    Reception: N/A

  • MaCaW

    Owner: Microsoft

    Concept: Extension of Parakeet with secure multiparty compute catering for more advertiser and publisher use cases.

    Size of change required: Large

    Browser implementation change required: Yes

    Additional infrastructure required: Yes

    Current state: Proposal

    Reception: N/A

    https://github.com/microsoft/macaw

  • NextGen by Verizon

    Owner: Verizon Media

    Concept: Contextual + ML (unknown what this does). Part of a larger stack that includes an ID based solution (ConnectID)

    Size of change required: None

    Browser implementation change required: No

    Additional infrastructure required: Verizon ML

    Current state: Live

    Reception: Unknown

    “Verizon Media’s Next-Gen Solutions use content and other real-time data signals like weather, and location and device types to power machine-learning algorithms that allow advertisers to connect with their most relevant audiences without the need for cookies, mobile app IDs, browser storage or creating user-level profiles.” This sounds like a contextual data solution but could also include feedback for ads delivered to pages where the ML learns which pages are good for which ad segments.

    See the details on it’s launch here: https://www.verizon.com/about/news/verizon-media-launches-next-gen-solutions

Identity Passing Solutions

Below is a selection of the current open ID solutions whereby identity is based on existing identifiers such as 1st party cookies or logged-in hashed emails.

  • UID2

    Owner: Prebid/IAB (formerly The Trade Desk)

    Concept: ID bundle sent in bid request grounded with a hashed email so for authenticated IDs

    Additional infrastructure required: Not necessary, but seems to be moving to a prebid server solution which would need to be hosted

    Current State: live

    Reception: +ve

  • SharedID

    Owner: Prebid

    Concept: Shared domain for 1p/3p id solution testing. Non-authenticated IDs

    Additional infrastructure required: SharedId – hosted by prebid

    Current State: live

    Reception: +ve

  • Prebid ID Import Library

    Owner: Prebid

    Concept: Tools to support the capture of authenticated IDs from a page and link to other IDs

    Additional infrastructure required: No

    Current State: Live – beta

    Reception: Unknown

  • ID5

    Owner: ID5

    Concept: 1p Universal identifier shared to the whole ecosystem. Mix of authenticated IDs and probabilistic device graph for scale

    Additional infrastructure required: ID5 infrastructure

    Current State: Live

    Reception: +ve

  • ShareThis Atlas

    Owner: ShareThis

    Concept: Combines their page interaction derived interest data with other ID solutions such as ID5 etc

    Additional infrastructure required: Requires other ID solutions

    Current State: live

    Reception: unknown

Video Resources

  • [Webinar] Identity in publishing: Opportunity, Threat, Preparedness

    In a recent discussion panel Carbon were joined by experts from Imgur, Leaf Group and Magnite to discuss the upcoming changes in digital identity; specifically looking at the levels of opportunity, threat and preparedness in the market.  Below are some highlights from the webinar but you can find the full webinar here.

    Threat or Opportunity

    ‘One of the largest tools for suppressing publishers’ ability to monetise their inventory effectively and directly with advertisers is being removed.’ —Scott Messer, SVP Media at Leaf Group.

    We asked Scott Messer at the Leaf Group whether they see the future of the cookie as a threat or an opportunity. Find out which in the video below.

    Power to the publishers

    ‘I really think this is a huge opportunity to shift the balance of power back to Publishers again.’ — Heather Carver, SVP Sell Accounts at Magnite.

    We caught up with Heather Carver at Magnite to find out how they are advising clients on the identity shifts.

    Here’s Magnite’s take on the cookie shuffle.

    Surviving without 3rd Party Data

    ‘For a year we managed to survive fine without any third-party data.’ — Adam Carey, Head of AdOps at Imgur.

    What are you doing to ensure the demise of the third-party cookie won’t negatively affect your revenue? Hear how Adam Carey and the team at Imgur have already started to make these adaptations.

    Transparency & Control

    What people want is more easy control over the type of advertising they receive… it’s about transparency and control.’ — Alistair McLean, Chief Data Officer at Carbon.

    Al explains how we’re working with our clients and the likes of Prebid to promote the open web.

    The Element of Surprise

    ‘Age and gender may be completely removed from the internet very soon.’ —Scott Messer, SVP Media at Leaf Group.

    We found out how prepared the Leaf Group are and what they’re expecting to come out of the upcoming identity changes.

  • [Webinar] The Power of Consent in Adtech

    In a recent discussion panel; Carbon joined experts from OneTrust and Archant to discuss how publishers can use the power of consent to bridge the gap between privacy and monetisation.  See some of the key highlights below or check out the full recording at https://www.preferencechoice.com/virtualevent/consent-in-adtech/

    Communicating the value exchange

    We asked Carbon Chief Data Officer, Dr Al McLean, what publishers are doing to better capture consent.  The main activities revolve around clearer messaging: “A study from IPSOS last year showed that 68% of users recognise that they pay with attention and data in return for free content and tailored and efficient services”

    Acceptance and Trust

    Archant’s Ryan Cousins – Product & Platform Director – shared some best practice that they have used to drive acceptance & trust in the use of consent with an approach that is “very functional, very clear, and don’t be afraid to say why you’re asking for it”.  Find out what else here had to say below:

    Connect with your audience

    Stephanie Hanson – Product Offering Manager at OneTrust PreferenceChoice – shared insight into what OneTrust see on a global scale when it comes to consent: “…think about connecting with your audience in their preferred language but also their preferred terminology and preferred interactions”

    Measuring the Value of a consent

    “Once we have a group of consented users in our revenue analytics platform that allows publishers to dig into the facets of that audience to find opportunities to add more value”

    Dr Al Mclean tells us how – using Carbon’s revenue analytics – publishers can see the true value of a consented user vs a non-consented user to optimise the user experience with more relevant ads.

    Consented vs non-Consented CPMs

    “There is a really demonstrable and really quite dramatic difference in user value as they provide consent and as they get further engaged enough for us to segment them into our 1st party audiences the value of that audience really grows as their level of consent and engagement grows.”

    Ryan Cousin – Product and Platform director at Archant – shared some great insights into the impact consented vs non-consented users has on CPMs and audience value at Archant.

Articles & thought leadership

  • IAB calls foul of Google’s privacy announcement [March 2021]

    In a unique act, the European media, technology and marketing association, elected to issue a clarifying position statement, distancing itself from the comments of one of its members, Google, that sent the industry into panic.

    Read more.

  • Shaping the identity conversation [March 2021]

    It’s Q1 2021 and whilst we know third party cookies are going (99.9% certain) it’s less than a year until Google deprecate them and there’s still no definite replacement. Google’s Privacy Sandbox is one possible replacement, but many of its tools are yet to be tested & verified. Meanwhile; there’s a host of players bringing out their own ID solutions (e.g. the Trade Desk’s UID2.0), various tests going on, and working groups formed tasked with bringing order to the various moving parts.  In this article Carbon has simplified what the possible identity scenarios are and what we’re doing to help publishers to take the fear factor out of identity.

    Read more here.

  • Infographic: Identity in publishing: Opportunity, Threat, Preparedness [March 2021]


Interested in staying up to date with identity in publishing?

Simply sign up to our Identity 101 newsletter below and we’ll only use it to send you news & updates on the upcoming changes to identity in publishing.

Carbon’s Identity Manifesto

  • Simplify everything

    Adtech can be complex at the best of times, and opaque at the worst of times. Carbon will seek to simplify wherever it can.

  • No fear factor

    We don’t believe that terms like cookiepocalypse and death of the cookie are useful. For every threat there is an opportunity and we will look to be careful with our rhetoric.

  • Open always wins

    We believe that multiple partnerships will always beat one – Carbon will aim to aggregate more talent, more diversity and more tech than one single partner can offer.

  • Actions not soundbites

    Carbon will seek to be proactive, engage with the relevant stakeholders and be biased towards action and deliverables versus content and clicks.