In the years since Google first announced its decision to remove third-party cookies from its Chrome browser, one consistent refrain spoken at conferences and written in think pieces is that publishers should invest in first-party data. More specifically, they should make sure they’re equipped to collect data on their audiences, preferably down to the level of an individual, and make sure that data is organised in a way which is useful for advertisers.
There is good reason for this advice. Removing third-party cookies will, by definition, make it harder for third-parties to power targeting and measurement of digital ads. So first-party data will play a bigger role, and ad money is likely to flow to those who are able to target and measure based on first-party data. Plus some (though not all) of the technologies gaining traction as cookie-free ad tools require publishers to have some first-party data in order to get the most out of them, clean rooms being a good example.
This resounding sentiment can create the impression that any ad tools based on first-party data are shielded from privacy pushes from regulators and tech companies. This however isn’t the case – and while publishers are adjusting to Google’s reworked cookie deadline, they’re also fighting to preserve their access to advertiser-friendly first-party data.
GDPR Moves into Action
For all the talk of the death of the cookie, it’s important to remember that it’s strictly third-party cookies which are being removed by Chrome. First-party cookies, which publishers set themselves, can play a key role in monitoring user behaviour for advertising purposes, both targeting and measurement. Indeed, Google is building tools within its Privacy Sandbox to enable publishers which own multiple properties to drop cookies across a limited number of different domains. But while Google is leaving first-party cookies alone for the time being, they’re still under threat from privacy regulation.
Talking about the impact of the EU’s General Data Protection Regulation (GDPR) just under six years since it came into force sounds strange. But much of the threat to first-party data originates within these laws. Data protection authorities across the continent who have power to enforce these rules have taken a gentle approach to enforcement, giving businesses time to understand and adapt to their new obligations. Now however, we’re seeing a stricter approach being taken.
The UK’s Information Commissioner’s Office (ICO) issued a warning at the end of last year for publishers to update their cookie consent mechanisms, stating that many weren’t compliant with data protection rules. Under rules which originated with GDPR, users must formally opt-in to have their data collected and processed, with informed consent over how their data will be used. And for advertising cookies, it must be equally easy for users to “reject all” as it is to “accept all”. This includes first-party cookies used by publishers for advertising purposes, not just third-party cookies.
The problem for publishers is that adhering to these rules by the letter has a significant impact on consent rates. The easier it is for a consumer to reject all advertising cookies, the more likely they are to do so. While privacy advocates argue that making it easy for consumers to reject data collection is essential, publishers say that as more consumers opt-out of data collection, it becomes ever harder to monetise their content. And publishers aren’t exactly having an easy time in the advertising market right now.
DMG Media, the media sales house which handles sales for MailOnline, the i, and Metro among others, said in a submission to Parliament earlier this year that its current opt-in rate for MailOnline is 93 percent. For competitors which place the ‘Reject All’ option with equal prominence next to the ‘Consent All’ option on the first page of a consent mechanism, it says consent rates fall to around 50 percent. The company estimates that adhering to the ICO’s standards could lead to a 41 percent drop in monthly ad revenue.
Peter Wright, editor emeritus at DMG Media, said in an appearance before a parliamentary committee on the future of news that the ICO’s crackdown essentially forces publishers to give away their content without any form of remuneration. “No subscription, no advertising, you’ve just got to give it to them,” he said. “Nobody would expect a supermarket to operate under those rules. I don’t think anybody stopped to think: is this proportionate? OK, data privacy is desirable, but it’s also desirable that you have a properly resourced news media.”
Ask, or Force?
Given the ICO’s enforcement push, publishers are looking at their options. One is to adopt ‘consent or pay’ models, whereby users are given the choice of either consenting to data collection or paying for a subscription. This would rebalance the value exchange for publishers, avoiding Wright’s concern that they’re essentially forced to give away content for free (or perhaps more accurately, below a sustainable price level).
The problem is that it’s not currently entirely clear whether this model is compatible with privacy laws in Europe. The European Data Protection Board, an EU body designed to ensure consistent application of the GDPR in Europe, issued its opinion that in most cases consent given within these frameworks isn’t valid – though this opinion referred specifically to large online platforms. The ICO meanwhile is currently consulting on the topic. The data authority says its current thinking is that consent or pay models are possible in theory, but are likely to risk the validity of consent.
Industry body the IAB has been engaging with regulators at the UK and European level, pushing for consent or pay models to be allowed. The trade group says the alternative, which forces publishers to lean on contextual advertising (and specific forms of contextual advertising without cookie-powered targeting or measurement), is unsustainable. “It must be stressed that contextual advertising is not always a viable monetisation alternative,” IAB Europe said in a statement. “Yet, no company can be required to provide their product and services at a loss. Moreover such a requirement is not supported by the GDPR which is not intended to interfere with the business models chosen by companies.”
If regulators move against consent or pay models however, publishers will have to find a way to make truly cookie-free advertising work. The Guardian has been proactive on this front, launching a suite of cookie-free ad solutions called Guardian Light. “The Guardian have worked on mitigating this with our ad solution Guardian Light,” the publisher said in a statement. “As always its essential to us that any change works for both our readers and advertisers. Guardian Light does this by respecting our readers’ privacy while still enabling us to deliver effective campaigns on behalf of our advertisers.”
The Guardian also publishers a blog post for readers laying out the trade-off between privacy and revenue. “The reality is that without the use of data to personalise advertising to readers, brands will spend less money on advertising with publishers like us,” said Katherine Le Ruez, The Guardian’s director of digital. “Less money generated from advertising means that we need to ask readers to contribute to funding our journalism directly.”
Implications Across the Board
The Guardian Light doesn’t just run without first- and third-party cookies. The publisher says it doesn’t use any kind of tracking or programmatic auction technologies, cutting out the risk of personal data being layered in or applied to ad buys.
The ICO’s crackdown on consent applies specifically to data collected through cookies, but many publishers are building up banks of first-party data by getting audiences to sign up and log in to digital properties. Consent for this data is collected separately, and is not currently under the ICO’s microscope.
But all personal data collection and consent is subject to the GDPR and other privacy laws, and practices which inflate opt-in rates may well be targeted by regulators further down the line. If that’s the case, and if consent or pay models aren’t validated by regulators, publishers will need to lean much more heavily on completely tracking free solutions like The Guardian Light – and hope that resulting ad revenues are sufficient to keep them afloat.
