Why email is not a sustainable alternative to cookies

When it comes to privacy and reading the tea leaves, the collective industry has been unable to truly embrace the changing tide of consumer sentiment, overt signals from the technology industry and warnings from regulators.

We all know that the days are numbered for third-party cookies and mobile advertising identifiers. Delays to proposals such as Google’s Federated Learning of Cohorts (FLoC), driven by regulatory concerns, are not a reprieve because macro trends remain. Increasingly, regulators and the public are airing their concerns over privacy, unfettered data collection and data-driven advertising.

Instead of really hearing the concerns, the industry marches blindly forward and is positioning email as the panacea for when the cookie crumbles. Email addresses are being held up as the primary mechanism to provide an alternative to cookies and mobile IDs – enabling everything from addressable advertising to ID graphs – all wrapped in the promise that email is a unique, persistent identifier that will set everyone up for the future.

Nothing could be further from the truth.

Slowly but surely, the alarm bells are sounding that reliance on email as an identifier is flawed and fraught with risk – both technical and regulatory – and that its days as an identifier are numbered.

The first warning bell

Since 2019, Apple has come out adamantly against email as an identifier. Craig Federghi, Apple’s senior vice-president of software engineering, noted at the company’s 2019 Worldwide Developers Conference: “Your personal information sometimes gets shared behind the scenes, and these logins can be used to track you.”

It’s no surprise that Apple knows that the industry uses email logins for other purposes. In fact, Apple has even taken steps to educate the public on the practice. But, as is often the case with Apple, it’s also making operating system and service-wide changes to limit the practice and protect user privacy – all of which place email in the crosshairs.

Apple’s introduction of sign-in with Apple ID and the ability to use unique, disposable, anonymized email addresses anywhere is a deliberate effort to strip away the ability to use an Apple iCloud email address as a unique identifier. But it didn’t stop there. With iOS 15, Apple doubled down by adding features to iCloud+ that block tracking pixels in emails and the ability to mask location and IP address with a feature called ‘Private Relay.’

The second warning bell

Off the back of Apple’s private email offering, Firefox followed suit with Firefox Relay, which offers a similar experience.

But the industry, perhaps distracted by the limited market share of the Firefox browser, overlooked the news. That Firefox followed, however, is significant, because it serves as a sign that Apple’s approach resonated with the open-source development community.

The third warning bell

The next warning came from Google. In a March 2021 blog post, David Temkin, a ​​senior director of product management, ads privacy and user trust, wrote: “We will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.”

This was Google’s overt declaration to the industry that it was not interested in joining the army of technology providers embracing email as an identifier. Yet the announcement was read as an indication that Google planned to double down on FLoC – not that Google believed the clock to be ticking on email as an identifier.

The fourth warning bell

While competing interests of Apple, Firefox and Google can be blamed for everyone collectively ignoring the warning signs about the future of email, it’s much more difficult to ignore warnings from regulators.

Watching from the sidelines, Ashkan Soltani, the executive director of California’s Privacy Protection Agency, saw the advertising and technology industry moving to email and voiced his displeasure: “The proposed first-party identifiers essentially are more privacy-invasive than even cookies, and provide users with less transparency and control.”

Soltani’s position is unsurprising in a world where data collection – lacking transparency as well as adequate consent or opt-out frameworks – is viewed as ‘surveillance capitalism.’ Despite all this, the industry is still yet to wake up and move on from email as the third-party cookie alternative. It will take one last alarm bell to sound.

The future five-alarm emergency

The final bell, yet to ring, is Google’s potentially forthcoming roadmap toward email privacy.

Historical evidence suggests that Google always follows the lead on the privacy developments of Apple and Firefox. To understand why this is requires a little diversion into the history of browser-based privacy solutions.

Apple introduced Intelligent Tracking Prevention (ITP) in 2017 and Firefox introduced Enhanced Tracking Prevent (ETP) in 2018. Two years later, in 2020, Google announced third-party cookie deprecation for Chrome.

Apple introduced email relay in 2019, which Firefox followed up with its own email relay last year. If past trends hold true, the pattern would suggest that Google is gearing up to introduce anonymized private relay for Gmail or Chrome sometime in in the coming year or so (notwithstanding that Google already offers a version of the solution by adding a ‘+’ to users’ email address to indicate it has created a new separate email address). As it stands, however, Google hasn’t made these truly disposable.

A hypothetical press release from Google need only note some universal truths: increasing rates at which data breaches occur, phishing attacks and the growing volume of email spam. And for users to protect themselves from these issues, an anonymized and disposable email address is the solution. Google could integrate it directly into Gmail or make it a feature of Chrome – and as a result, turn a whole host of known email identifiers into anonymous tokens.

This five-alarm fire would force the industry to sit up, take notice and change again. We should prepare for this possibility now, rather than wait for the alarm to sound.

The road ahead

What does this all mean for marketers? While a first-party data strategy is the right path forward, email addresses are not enough to truly futureproof a marketing strategy.

Partnerships with companies that offer loyalty programs, card-linked offers and retail media programs should create more resilience and are at less risk of arbitrary browser and software-based blocking. This is because in a retail transaction, you cannot hide or mask your identity if you want to receive your order – real addresses, proof of identity and legitimate payment details are needed to process transactions.

Further, rather than betting the farm on email, being agnostic on identity solutions – and embracing a mix of deterministic, probabilistic and even contextual solutions – will be key. Agencies and marketers must be wary of anyone promising a silver bullet. Nothing in this industry is ever that easy. We need to embrace the new realities, not be resistant, and look for ways to circumvent the concerns, spirit and intent of regulations.

That all said, at the heart of the issue remain the shifts in consumer attitudes to privacy and a regulatory environment that is ready to hold the adtech industry to account. As marketers, we need to spend more time understanding this and what the public is telling us about our own industry – not just what the public tells us about our clients and their brands.

Joshua Lowcock is executive vice-president, chief digital officer at UM Worldwide.