Privacy Regulations Privacy Privacy Legislation

The privacy pendulum: What can ad tech’s past teach us about the future of tracking?



Open Mic article

This content is produced by a publishing partner of Open Mic.

Open Mic is the self-publishing platform for the marketing industry, allowing members to publish news, opinion and insights on

Find out more

February 2, 2023 | 8 min read

By Mark McEachran, VP platform product management

By Mark McEachran, VP platform product management

The year was 1994. Lou Montulli, a Netscape engineer, had just invented the cookie. Did he mean to build the foundations of a digital ad industry that revolved around audience tracking and targeting? No. He just wanted a shopping cart to work properly in the early days of the web.

Montulli’s invention allowed publishers to set data inside a browser and retrieve it when the browser requests assets from the domain used to set the data. Their intended use was to keep a browser logged into a service, like shopping carts, banks, the DMV; anything that would otherwise repeatedly have to ask for credentials or pass credentials from page to page. Before cookies, keeping you logged in was a clunky affair.

By 1998, enough people were using the internet that marketers and emerging ad tech companies started paying attention to how cookies could be leveraged to create audience cohorts. All it took was a simple pixel, placed on a web page, allowing the image host to retrieve and set cookies, then infer a user’s interest based on the pages they visited. With enough pixels on enough pages, a company could effectively track a user across the internet.

This is the beginning of the behavior that would eventually turn web users and regulators against cookies, but they also allowed for highly functional, vital, and harmless elements of online advertising, most notably, frequency capping and attribution. Marketers started to enjoy the benefits of less waste from overserving an ad to a single user, gained the ability to optimize campaigns based on performance, and show the return on their investments.

Ad tech hopped the geo fence and Apple hit back

2008 is the next stop in our history tour, when the first iPhone with GPS hit the market. While Apple’s customers were excited to be able to find their nearest coffee shop, publishers found an opportunity to improve their struggling mobile ad revenues. In the early days of the mobile web, the user experience plummeted as soon as you started dropping ads on a page, but with targeting by location, publishers could run fewer but more targeted — and therefore profitable — ads.

Using a device’s geographic coordinates opened up a whole new targeting paradigm: geofencing. Clever campaigns could target you with ads based on your precise location. Advertisers for Burger King could geofence all the McDonald’s locations and serve up competitive ads, enticing users over to the fast-food monarchy.

By 2011, mobile app capabilities were introduced to OpenRTB, the communications protocol that enables real-time bidding. Suddenly, device IDs from everyone’s phone were flowing freely through the bidstream, along with their GPS coordinates.

Then Apple started paying attention to data leakage. A team led by Erik Neuenschwander created the Identifier for Advertisers (IDFA) that let the user reset what was effectively a virtual device ID. This seemed like the lightest possible touch a platform could have applied to growing privacy concerns, but it was in the shape of more aggressive actions coming from the company.

As soon as Google followed suit with its Android platform, these identifiers gained a new moniker, Mobile Advertising Identifiers (MAIDs). This was the first indication that the pendulum swing was reaching its amplitude. As a bonus, addressing consumer privacy concerns returned favorable market sentiment from the platform’s users.

The backswing momentum started with IDFA, but that was quickly followed in 2012 with new restrictions on the cookie coming, again, out of camp Apple. While the official time of death of the third-party cookie has yet to be called, Safari’s restriction foreshadowed its fatal trajectory.

At first, the market response was muted. Safari wasn’t a big part of the media mix for most campaigns as it was isolated to Mac computers and the nascent smartphone channel. Nearly the entire ecosystem continued to spend where the light was good, Chrome, and ignored the growing footprint of Apple’s privacy-friendly browser.

The EU turned the privacy pendulum into a wrecking ball

It wasn’t until the European Union dropped its GDPR anvil on ad tech’s head that privacy became serious business. Firms relying heavily on probabilistic data exited the market almost immediately after the regulation became law in 2018. Others stayed and took a financial hit, and a bunch of big and small players got sued.

But with GDPR came a terrible user experience. Publishers wanting to leverage advertising for revenue all had to implement annoying user notifications about… well, about using advertising for revenue. The user had to accept the terms, or not. When they didn’t, though, the publisher still had to serve them the same content as they would to more valuable users; those who could potentially provide revenue from the ads.

The pendulum, as it turns out, is sharp on both sides. Even when privacy wins, the user can still suffer.

Apple, not being satisfied with just crippling advertising in its browser, rolled out Intelligent Tracking Prevention in 2017, a collection of features under an initiative to protect user privacy and sell more phones by positioning themselves as privacy champions — a position Google would struggle to compete on due to the centrality of its ad division.

With ITP there are limits on trackers on the web and in Apple’s mobile app ecosystem. The latest additions to the program offer throw-away email addresses, proxied web requests, and even more restrictions on cookies.

At this point, some in the industry see Apple as advertising hostile, while others are waiting for a broader push into advertising monetization by the phone maker as the company gradually evolves into a media company. Walling up their garden will pay dividends in the same way that it did for Facebook, although thanks to their carefully cultivated privacy reputation, they might avoid many of the pitfalls of the social media networks.

Finally, we have Chrome cookies, the last vestige of Montulli’s online shopping cart enabler. A technology based on an idea nearly three decades earlier could see its most prolific use case cut down in 2024. Many don’t think they’ll do it. I think they will.

This has left team Chrome between a rock and a hard place, working on a Privacy Sandbox that’s supposed to empower ad tech while protecting user privacy. In the process, however, some of their solutions have integrated ad tech directly into Chrome itself, which raises new privacy concerns.

FLEDGE, for example, requires that the browser itself receives and stores a retargeting ad, then waits to spring it on the user when a partner publisher is found. Now, instead of ad tech tracking the user from afar, it can track them right up close. Will it survive the next swing of the privacy pendulum?

How to prepare for the privacy pendulum to reach its peak

As the pendulum swings, we must take a balanced approach in the near term: continue to leverage cookies and identity when available; use audience and attribution in the traditional ways; keep existing tech and vendors in place in the markets they still operate. But, also, look to the future.

That future is privacy-compliant user engagement. This means both marketers and publishers must establish first-party relationships with their customers. Only a subset will want to get close, but that’s good enough. Small, high-quality samples –seed audiences– are what feed the machine learning (ML) everyone’s been talking about.

Incentives can and should be leveraged to bring in more of these model citizens of marketing’s future. These users fill out surveys, provide attribution signals, and willingly allow themselves to be seeds. We need these folks, so we should make sure we take care of them with loyalty programs, exclusive discounts, members-only areas, and whatever else provides a value exchange for their cooperation.

Take solace in the fact that while we can’t track everyone anymore, we can still and will still have these subsets to pin our ML models to. From there we reach into our audience expansion toolbox. In your partnerships look for terms like prospecting, cohort marketing, panel-based attribution, and look-alike — or act-alike — audiences.

These technologies will become the new pillars of online advertising. All of it will be opt-in and privacy compliant, with ML filling the gaps left by the cookie’s eventual demise. The privacy pendulum will keep swinging — just look at the ongoing TCF feud in the EU — but the history of online advertising shows that technology can adapt whichever way it goes.

Privacy Regulations Privacy Privacy Legislation


Industry insights

View all
Add your own content +