Like it or not, the third-party cookie is crumbling. Once finally deprecated by Google Chrome in 2023, the programmatic advertising industry will need a backup plan. The question right now: what exactly do our options look like?

It’s the last call for third-party cookies.

As our CEO Boris Mouzykantskii recently said, it is time to start adapting to the cookieless world. And so, despite an ever-extending timeline, Google Chrome is planning to finally remove support for third-party cookies in late 2023.

By deprecating cookies, Google will alter the rules by which programmatic players operate, including advertisers, publishers, and data providers. Each player will need to decide which identity solutions work best to retain the targeting strategies they use today, and there’s already no lack of choice: Universal IDs, Privacy Sandbox, first-party data… or perhaps a combination of all three.

All of this uncertainty adds up to a growingly complex puzzle that is identity in a cookieless world, so let’s try to piece it all together – and discover which way the industry might be headed.

Third-Party Alternative IDs

Interestingly, alternative identifiers — those other than third-party cookies — already make up the bulk of solutions in-market today, and they operate across publishers, browsers, and devices to replicate third-party cookie functionality.

The only catch? They still rely on another data asset to accurately and reliably identify the user.

These solutions can broadly be split into two camps:

  • Deterministic: These IDs represent direct user matches, often relying on an email address to enable people-based solutions. User email addresses are hashed – a one-way consistent scrambling – which translates them into anonymised IDs, making them privacy compliant, while still able to be targeted. In addition, consent is still needed, which is usually attached to the sign-in process and stated user preferences. The primary challenge with these IDs will be scale, as they rely on publishers and advertisers securing some form of registered authentication from their first-party audiences.Examples: Unified ID 2.0 (, RampID (LiveRamp) 
  • Probabilistic: By modelling a number of user touchpoints, such as screen size, device type, OS, and so on, probabilistic IDs hope to solve the scale issue by approximating identity without relying on actual first-party data being gathered. As a result, this approach can result in some data inconsistency, not to mention difficulty in trying to connect people across different devices. As some of these solutions rely on fingerprinting, which Google and Apple have already said they won’t tolerate, long-term viability could also be a concern.Examples: ID5, Panorama ID (Lotame)

While alternative IDs may address one part of this identity puzzle, there’s a bigger fish in this pond that we simply can’t ignore – and it’s called Google.

Despite being the one creating this identity crisis, Google is also moving rapidly to develop systems which retain the ability to target users or audience cohorts across the open web.

It’s here that we step foot into the Privacy Sandbox.

Google Privacy Sandbox

The Privacy Sandbox is Google’s proposed framework to, and we quote, “create web technologies that both protect people’s privacy online and give companies and developers the tools to build thriving digital businesses to keep the web open and accessible”.

These initiatives have been developed to replace specific functionality that is currently being handled by the third-party cookie (such as retargeting and attribution).

The most talked-about of these proposals is FLoC (“Federated Learning of Cohorts”).

Designed to address privacy by eliminating the reliance on cookies altogether, it provides a framework for Google’s Chrome browser to facilitate advertising functionality (audience targeting, conversion tracking, etc) through APIs. It uses the browser to track the content that a user is consuming and, with machine learning, sorts users into similar groups or cohorts based on their interests. This will enable media buyers to target these cohorts, which contain sufficiently large numbers of users to maintain anonymity.

There are still many questions around FLoC, including how compliant it is with current privacy laws, and whether its stage of infancy is a key reason for Google extending the deadline on cookie deprecation. Even more recently, Google has indicated that they may be changing their approach again, shifting from cohorts to topic-based categorization.

Along with FLoC, Google’s Privacy Sandbox also proposes other solutions, including TURTLEDOVE (“Two Uncorrelated Requests, Then Locally Executed Decision On Victory”) and FLEDGE (“First Locally Executed Decision over Groups Experiment”). We’ll explore these in more depth in other articles, but the summary is that these are all methods of maintaining a privacy-compliant means to deliver and measure targeted ads.

In principle, these Privacy Sandbox proposals represent a new way of interacting with bid requests – and both DSPs and SSPs will need to spend some time reworking their platforms to ensure support. But because of Google’s size and influence, very few players (including publishers) have the luxury of not participating. Maintaining a flow of ad dollars from the largest ad tech player in the industry essentially requires them to support whichever framework Google eventually pushes forward.

But it’s not only Google which is working towards new browser-based solutions. A number of other adtech players have also contributed their own proposals (eg. Criteo’s SPARROW, MAGNITE’s PARROT, Microsoft’s PARAKEET), looking to strengthen areas where they feel Google didn’t go far enough, or to cover terrain where Google chose not to go at all.

Publisher First-Party Data

Publishers can use first-party data that they are able to collect on their owned and operated properties to segment and share audiences directly with buyers through a private marketplace (PMP) setup. Or, assuming the buyer also has first-party data they want to match, a data clean room can be used.

This first-party data could rely on first-party cookies (which aren’t going anywhere) or some other deterministic data point (like email address), or even a first-party content taxonomy that’s unique to the publisher.

Unlike the third-party alternative ID approach discussed above, which uses a cross-publisher framework (thereby allowing some level of cross-site frequency capping and measurement), when publishers go at it alone, leveraging their own first-party data in isolation, the buyer will lose out on some of that reporting intelligence, which may be problematic for some – not to mention scale (again).

Want to learn more about how programmatic players can make the most of their first-party data? Be sure to check out our First-Party Data Programmatic Playbook.

Where to next?

We hope this primer has given you the foundations you need to start considering your strategy as we head towards the cookieless world. At this point, you’re probably wondering exactly where to go next – and which of these solutions you should consider.

In truth, that’s not a question with a single answer. There’s a good possibility that programmatic players will need to use a combination of solutions to maintain the same functionality they enjoy today: attribution, retargeting, prospecting, and so on. In the meantime, the best approach now is probably to begin testing out these solutions – especially with the third-party cookie still around to use as a point of comparison.

With that in mind, whether you’re on the buy side, sell side, or somewhere in the middle, the IPONWEB team can help guide you to the best cookieless strategy to secure your outcomes.

Get in touch today to arrange a call and learn more about the future of digital identity.