Privacy and Tracking in a Post-Cookie World

Privacy and Tracking in a Post-Cookie World

A whitepaper defining stakeholder guiding principles and evaluating approaches for alternative models of state management, data transparency and privacy controls for consumers, publishers, and trusted third parties.

JANUARY 2014

? 2014 Interactive Advertising Bureau

This document has been developed by the Future of the Cookie Working Group in collaboration with the IAB's Mobile Marketing Center of Excellence.

About the IAB's Future of the Cookie Working Group: The Future of the Cookie working group is reimagining the technology used to identify consumers across multiple sessions and devices in a way that promotes greater persistence of both identity and user choice. The starting point is "Imagining a world where HTTP cookies were never invented." More information can be found at: Future_of_the_Cookie_Working_Group

About the IAB's Mobile Marketing Center of Excellence: The IAB Mobile Marketing Center of Excellence, an independently funded and staffed unit inside the IAB, is charged with driving the growth of the mobile marketing, advertising and media marketplaces. The Mobile Center devotes resources to market and consumer research, mobile advertising case studies, executive training and education, supply chain standardization, creative showcases and best practice identification in the burgeoning field of mobile media and marketing. Our agenda focuses on building profitable revenue growth for companies engaged in mobile marketing, communications and advertising, and helping publishers, marketers and agency professionals understand and leverage interactive tools and technologies in order to reach and influence the consumer. More information can be found at: mobile

IAB Contact Information:

Brendan Riordan-Butterworth Director, Technical Standards (212) 609-3734 Brendan@

Belinda J. Smith Senior Manager, Mobile Marketing Center of Excellence (212) 380-4720 Belinda@ mobile@

PRIVACY AND TRACKING IN A POST-COOKIE WORLD

1

Executive Summary

This paper is provided to acknowledge and address the limitations of the traditional cookie for providing persistent user privacy choices and tracking in our evolving multi-device, multi-environment digital landscape (discussed in this paper the "state management" challenge). Presented here is an initial examination of the various solution classes of state-management technologies currently and potentially available, as well as their efficacy as measured by the needs of disparate stakeholders. This paper lays the foundations upon which best practices for implementation for each statemanagement solution class may later be constructed.

The scope of this work is to define guiding principles for stakeholders, evaluate each statemanagement solution class against these principles, and to educate the reader on the current state management landscape. The intention is not to champion a specific solution class over another, nor to mandate which path the industry should pursue to address the current state management challenges. Rather, the guiding principles set forth in this paper will serve as a consistent measure of current and future state-management mechanisms and solution classes.

Guiding principles are presented for consumers, publishers, and third parties; defining each stakeholder's needs and requirements from state-management mechanisms. The needs and requirements of each stakeholder group are given, irrespective of the current existence of a technology or solution class which fully addresses all of these needs.

PRIVACY AND TRACKING IN A POST-COOKIE WORLD

2

1 Contents

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 What is State Management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 The Importance of State Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Why the Cookie May Be Crumbling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

The Proliferation of Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Cookies and the Diversity of Internet-Connected Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Addressing the State Management Challenge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Stakeholder Groups and Guiding Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Guiding Principles For Consumers .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Guiding Principles For Publishers / Content Creators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Guiding Principles For Industry Third Parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Evaluation of Solution Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Summary Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Other Important Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Ease of Industry Adoption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Open Access and Open Competition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Cross-Platform State Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Fit Within Existing Privacy Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 State Management and State Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Recommended Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Appendix A - Examining the Solution Classes in Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Server-Issued State (Cookies) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Device-Inferred State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Client-Generated State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Network-Inserted State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Cloud-Synchronized State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Appendix B ? Glossary of Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

PRIVACY AND TRACKING IN A POST-COOKIE WORLD

3

2 Overview

Originally designed for temporary data storage, the cookie has long-since evolved into a fundamental infrastructure component of the Internet. However, for a variety of reasons, cookies are no longer an acceptable mechanism for "state management" (i.e. providing the information necessary for content creators and third parties to deliver personalized information and services to end consumers and respect their preferences for privacy, information transparency, and control). For online publishers the proliferation of cookies has slowed page load times, increased ad discrepancy counts, and led to concerns of data leakage. It has also perpetuated a broken compensation model, whereby publishers risk revenue loss if they don't support third party cookies, as well as from users who block or delete cookies, and a tilted playing field favors large consumer website brands. Publishers also experience operational and privacy policy burdens as various privacy initiatives, browser defaults, and regulatory measures gain traction.

For online consumers the proliferation of cookies has increased anxiety in regards to their online privacy. Data collection is fragmented over many websites, devices, browsers, apps, etc.--making it exceedingly difficult for consumers to understand who may be doing what with their data and to apply privacy controls centrally and consistently, while ensuring these choices persist over time.

For third parties the reliance on cookies has resulted in a battle between a rapidly degrading economic model, and the costly, persistent, and high-volume deployment of cookies. Though cookies are increasingly ineffective as a state management mechanism the industry continues to deploy them at an escalating pace causing: excessive network traffic and related costs, "internet bloat," regulatory threats, and anxiety among consumers and publishers alike.

In light of these challenges and their likelihood to intensify over time, the Interactive Advertising Bureau (IAB) and its Mobile Marketing Center of Excellence formed the Future of the Cookie working group to consider alternatives to the cookie. This analysis was grounded in a consideration of the needs and desires of online consumers, publishers and the third parties they trust.

PRIVACY AND TRACKING IN A POST-COOKIE WORLD

4

3 What is State Management?

Imagine you work in a building with a security desk on each floor. Think how frustrating it would be if every time you walked into the building or went to a different floor you had to provide your name, company, job title, and ID so security personnel could make sure you're allowed to proceed. You would have to provide all of this information every time you left the building or went to another floor--even if you just went for a quick coffee break, or walked a guest to the elevator. To circumvent headaches such as these, security badges were invented. Now every time you enter your building or change floors you are able to swipe your badge at the security desk and that swipe provides information to quickly remind the system of all of your details and automatically gives you permission to proceed. Additionally, your security badge contains information about you that can only be read by the security desks in your building, it would not work if you swiped it anywhere else.

Similarly, "state management" refers to the method of and ability for systems to remember information about users, devices, or software applications over time. Cookies are the primary mechanism for state management on the Internet. They act like security badges for websites. Websites use cookies to remember things about the visitors they serve so that they can provide visitors more personalized content and services, and remember their preferences for future visits.

PRIVACY AND TRACKING IN A POST-COOKIE WORLD

5

4 The Importance of State Management

State management enables publishers and third parties to deliver personalized content, advertising,

and services to end users. This includes the ability to persistently adhere to end-user preferences for

privacy, information transparency, and control. Publishers and third parties cannot perform these

functions without state management. In today's connected world, with flourishing growth in digital

content availability and choice, visitors

have come to expect and value

personalized digital experiences.

Publishers, advertisers, and other third

parties recognize personalization is

critical to attracting, engaging and

retaining desirable audiences, as well

as honoring their privacy preferences.

Many digital content and service

providers also rely on revenues from

personalized advertising to subsidize

their cost of doing business. These

subsidies can then be passed to

the consumer in the form of free or

substantially discounted content and

services. An inability to capitalize on

personalized advertising revenues,

and adhere to consumer privacy

preferences, could impact this

subsidy chain making digital content

and services more expensive for

consumers. That is, consumers' current ability to access a myriad of digital content, information, and services--

Consumers want more personalized content, but also want flexibility and control when deciding how personal information is used.

and to access it at little to no cost--may be tangibly reduced.

PRIVACY AND TRACKING IN A POST-COOKIE WORLD

6

5 Why the Cookie May Be Crumbling

The current cookie approach to state management is fundamentally at risk for two main reasons:

1. The proliferation of cookies along with the resulting technical and privacy challenges

2. The growth and increased diversity of Internet-connected devices.

5.1 The Proliferation of Cookies

The cookie is the state management mechanism most commonly used today to support the many functions of digital personalization, reporting, and advertising. It is not owned or licensed by one party--rather, it is part of Internet Standards, and as such the Internet industry as a whole has innovated on top of it.

When cookies were originally conceived, nearly all of the content served to a web page was delivered from the website's own domain. For this reason, the number of cookies deployed was minimal and most were first party cookies. Websites today have become much more complex and sometimes use hundreds of third party vendors and systems in concert to deliver personalized content, services, advertising, features, and functionality.

Given the domain level access at the core of cookie functionality, each of these third parties typically deploys at least one unique third party cookie per domain, meaning hundreds of cookies could be stored on a visitor's browser after visiting a few web pages. Since the cookie is the primary foundation for so much of the Internet's functionality--managing user preferences, analytics, shopping carts, content recommendations, and advertising--cookies are being deployed by more companies, for more purposes, which is contributing to an exponential increase in cookies stored on visitor's browsers.

Online publishers find themselves stuck between a rock and a hard place. The proliferation of web beacons and pixels (mechanisms used to deploy third party cookies) slow down their website load times for visitors, increase advertising discrepancy counts, and lead to concerns of "data leakage". However, to remain competitive and attractive to visitors and advertisers, publishers have increasingly relied on multiple third parties to provide visitors with enhanced functionality and features. This gives publishers the option to risk revenue loss if they don't support third party pixels; though the proliferation of third party pixels has caused visitors to increasingly block or delete cookies (known as "cookie churn"), which also causes publisher revenue loss.

For online consumers the proliferation of cookies has increased anxiety over online privacy, transparency and control. With so many cookies being deployed, by sometimes unknown third parties, consumers are increasingly concerned about what tracking is occurring and by whom. As users become more aware of the data trail created as they surf across the Internet, but lack a fundamental understanding of how that information is used, many users choose to opt-out of tracking altogether.

With consumer concerns comes the very real prospect of regulatory intervention. Regulators are taking a close look at current practices and considering legislation to address consumer demand for increased transparency and choice, such as the FTCs recommendation for a "Do Not Track" mechanism1. As the appetite for intervention grows, the digital advertising industry faces increasing operational and compliance costs as regulatory measures become reality. To avoid these burdens on all sides, the industry is searching for solutions that can ease consumer and regulator concerns while proactively addressing current state management needs. Major browsers have also used "Do Not Track" settings (Internet Explorer) or are considering blocking all third party cookies (Firefox) as a mechanism for showing alignment with consumer's concerns.

1 Federal Trade Commission. (2010, December 01). FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers. Retrieved from :

PRIVACY AND TRACKING IN A POST-COOKIE WORLD

7

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download