At the same time, users want to receive a personalized advertising experience. This means that AdTech companies must strategically incorporate privacy-enhancing technologies (PETs) to protect user data, maintain their privacy, and deliver targeted ads.

In this blog post, we’ll explore the possibilities that PETs offer for enhancing user privacy.

Key Points

• Privacy-enhancing technologies (PETs) are critical for improving data protection in the AdTech industry by balancing between data privacy and the delivery of a personalized advertising experience. PETs primarily focus on minimizing the collection and use of personal data, as well as the amount of data processed, while maximizing data security to protect consumer privacy.
• Most AdTech platforms can implement a variety of PETs that include differential privacy, secure multi-party computation, techniques for anonymizing personally identifiable information, and solutions that incorporate PETs for secure data sharing (such as data clean rooms).
• Each AdTech platform can leverage different PETs to enhance user privacy.
• AdTech companies like ad networks, DSPs, SSPs, and ad exchanges can utilize PETs such as differential privacy tokenization, homomorphic encryption, secure multi-party computation, federated learning, and pseudonymization.

Please note: For the purposes of this article, we will be using the term privacy-enhancing technologies (PETs) to represent all technologies, techniques, and strategies that improve the quality of data protection.

What Are Privacy-Enhancing Technologies

Deloitte defines privacy-enhancing technologies (PETs) as a broad spectrum of “data privacy protection approaches, from organizational to technological.” PETs seamlessly integrate elements of cryptography, hardware, and statistical methodologies to guard against unauthorized processing or sharing of consumer data. They act as protective measures, ensuring the secure handling of sensitive information.

PETs help ensure data is secure by focusing on three key pillars:

• Minimizing the collection and use of personal data
• Maximizing data security to protect consumer privacy
• Minimizing the amount of data processed

We described most AdTech-related PETs in our previous posts: What are Privacy-Enhancing Technologies (PET) in AdTech and The Benefits of Privacy-Enhancing Technologies (PETs) In AdTech.

The Key Privacy-Enhancing Technologies (PETs) that AdTech Companies Can Utilize

Most AdTech platforms can implement technologies that include differential privacy, multi-party computation, techniques for anonymizing personally identifiable information (PII), and solutions that incorporate PETs for secure data sharing (e.g., data clean rooms). Each piece of technology helps to achieve a different goal, resulting in enhanced data protection for users.

Differential Privacy: Adding Noise to Collected Data

Differential privacy (DP) provides a framework for sharing information about a dataset without revealing specifics about individuals. Differential privacy (DP) techniques introduce statistical noise into the data collected by publishers and advertisers, ensuring that users’ identities remain anonymous while still enabling valuable insights to be derived from aggregated data.

To add some clarity, differential privacy is achieved by incorporating a certain level of randomness into an analysis. 

Unlike conventional statistical analyses that involve calculating averages, medians, and linear regression equations, analyses conducted with differential privacy introduce random noise during computation. 

The “random noise” elements refer to randomized perturbations or statistical variations introduced into data calculations or results, typically through algorithms or mechanisms such as Laplace noise or Gaussian noise. 

As a result, the outcome of a differentially private analysis is not precise but an approximation, and if the analysis is performed multiple times, it may produce different results each time.

Examples of applying DP in the AdTech landscape include:

• APIs created for the Google Privacy Sandbox initiative, which prevent the Chrome browser from sharing identifiable data until it can be combined with many other users’ data points. 
• Apple’s implemented differential privacy in its systems, starting with iOS 10. When users choose to share Diagnostic and Usage Data, Apple applies the principles of differential privacy to safeguard that data. It further applies DP to Web Browsing data.
• Facebook used differential privacy to protect a trove of data it made available to researchers who were analyzing the effect that sharing misinformation has on elections.

Secure Multi-Party Computation (MPC): Safe Data Computing

Secure multiparty computation (MPC) allows two or more parties to perform computations on their collective data without revealing their individual inputs. However, the mathematical protocols of MPC do not attempt to hide the identities of the participants; this can be achieved by adding an anonymous-communication protocol. 

MPC enhances privacy, as parties can gain insights from the combined data set without exposing their private information.

Examples of MPC in the AdTech landscape include:

• Magnite creates synthetic stable IDs using encrypted data to activate the data without accessing the raw datasets.
• DOVEKEY by Google simplifies the bidding and auction aspects of TURTLEDOVE by introducing a third-party KEY-value server. 
• The Interoperable Private Attribution (IPA) initiative by Mozilla and Meta aims to provide a framework for attribution measurement without tracking users.

Anonymization, Pseudonymization, Encryption, and Tokenization Techniques: Replacing Personally Identifiable Information (PII)

Anonymization, pseudonymization, encryption, and tokenization are techniques for replacing PII with non-sensitive information tokens. These tokens are created to “cover” raw data so it isn’t exposed.

The names of the techniques may suggest similarities or differences between them. However, in the context of the AdTech industry, it is important to know the differences.

Anonymization

Anonymization involves the process of transforming data in such a way that it no longer identifies or can be linked to an individual. The goal is to remove any identifying information entirely, making it practically impossible to re-identify specific individuals from the data. 

Anonymization techniques applied in the AdTech industry can include aggregation, data masking, and other methods that significantly reduce the risk of re-identification.

Anonymization is often used by AdTech platforms to:

• Perform statistical analysis
• Conduct basic audience segmentation
• Generate insights

Encryption

Encryption is a security measure that involves transforming data into a coded form — often referred to as ciphertext — that cannot be understood by anyone who doesn’t have the key to decode it.

In the context of AdTech, encryption can be used to secure PII when it is being transmitted between systems or when it’s stored in databases. The encryption ensures that even if the data is intercepted or accessed without authorization, it will remain unreadable and, therefore, useless to the attacker.

Encryption is often used by AdTech platforms to:

• Secure data transmission
• Store data securely
• Protect user privacy
• Comply with data protection regulations

Pseudonymization

Pseudonymization involves replacing or modifying personally identifiable information (PII) with pseudonyms or aliases. The original data is transformed in a way that makes it more challenging to identify individuals directly but still allows for certain types of analysis or processing to be performed.

Pseudonymized data retains the potential for re-identification if the pseudonyms are somehow associated with the original identities.

Pseudonymization is often used by AdTech platforms to:

• Deploy targeted advertising
• Measure campaign effectiveness

Tokenization

Tokenization is a method of substituting sensitive data with unique tokens that have no meaning or value on their own. The technique allows for efficient data processing and storage without revealing actual personal information.

AdTech platforms may tokenize PII, such as email addresses or device identifiers, by replacing them with randomized tokens. 

Tokenization is often used by AdTech platforms to perform:

• Deploy targeted advertising
• Track users
• Measure campaign effectiveness

Data Clean Rooms (DCR): Data Sharing, Targeting, and Measurement

Data Clean Rooms (DCR) are controlled environments that allow multiple processes to be applied to data to protect it. The main purpose of DCRs is sharing and analyzing data without exposing the raw information in order to provide insights while simultaneously safeguarding user privacy.

Currently, the AdTech industry has two main types of DCRs.

The first type is represented by AdTech walled gardens — i.e., Google, Amazon, and Facebook — each of which runs media clean rooms from which they deliver hashed and aggregated data to companies that use their advertising platforms.

The second type is represented by independent AdTech companies, such as LiveRamp, Snowflake, Aquilliz, and Decentriq, that provide companies with ready-to-use data clean rooms to use across different industries and digital advertising channels.

In our interviews with Juan Baron, Director of Business Development & Strategy (media & adv) at Decentriq, and Gowthaman Ragothaman, CEO of Aqilliz, we learned that in the digital advertising space, the most common use cases of DCRs are:

• Media planning
• Retargeting
• Creating audience segments
• Activation
• Measurement
• Providing predictive analytics
• Attribution

Privacy-Enhancing Technologies for AdTech Companies

As mentioned before, the integration of privacy-enhancing technologies within AdTech platforms is a crucial component for ensuring user data protection and adhering to evolving global data privacy regulations. Another benefit of adopting these technologies is providing a competitive edge in a privacy-conscious market.

PETs for Ad Networks

Ad networks have several privacy-enhancing technologies at their disposal to ensure user data protection. 
By using tokenization and differential privacy, ad networks can deliver effective, targeted advertisements while also respecting and preserving user privacy.

Contextual advertising reduces the need for personal data collection by displaying ads on matching websites. Differential privacy prevents the identification of individuals while analyzing reports. And, tokenization replaces sensitive data — e.g., e-mail addresses — with non-sensitive tokens, securing data in case of data breaches and identity theft attempts.

PETs for Demand-Side Platforms (DSPs)

By incorporating data clean rooms, homomorphic encryption, differential privacy, and secure multi-party computation, DSPs can navigate the balance between ad personalization and user privacy.

Data platforms that incorporate PETs, such as data clean rooms, can provide secure environments for data processing and analysis, ensuring that sensitive user information remains protected. 

Homomorphic encryption allows DSPs to perform computations on encrypted data without decrypting it, thereby securing data while still making it usable for ad targeting. 

Similar to ad networks, DSPs can also leverage differential privacy, introducing statistical ‘noise’ into data to prevent the identification of individuals while still allowing meaningful analysis for ad targeting. 

Secure multi-party computation enables data insights from multiple sources without exposing raw data, further enhancing privacy.

PETs for Supply-Side Platforms (SSPs)

Supply-side platforms (SSPs) can also leverage various privacy-enhancing technologies to ensure the safety of user data while optimizing ad space for publishers. By adopting differential privacy, federated learning, and homomorphic encryption, SSPs can effectively protect user data while optimizing ad placements.

To aggregate and analyze user data (e.g., analyze trends and behavior) without infringing on user privacy, SSPs can leverage differential privacy. This technique introduces statistical ‘noise’ into data, thereby safeguarding individual identities.

Federated learning, an advanced machine learning algorithm that enables data analysis and processing on the device it was collected on, can strengthen ad optimization by building more accurate models of serving ads. 

Homomorphic encryption can protect user data while enabling SSPs to build encrypted user profiles. These encrypted profiles can be used to target ads effectively while the underlying user data remains secure and private.

PETs for Data Platforms (DMPs)

Data platforms, including data management platforms (DMPs), customer data platforms (CDPs), and data clean rooms, are central hubs for collecting, integrating, and managing large amounts of structured and unstructured data from different sources. Because of their primary function, they need to maintain user privacy on a high level. 

Both differential privacy and pseudonymization can enhance the process of audience segmentation and data sharing in DMPs. DMPs can use these techniques to create anonymized or pseudonymized user segments, enabling precise ad targeting without compromising individual user privacy.

PETs for Ad Exchanges

Ad exchanges are digital marketplaces for buying and selling ad inventory from multiple DSPs and SSPs where prices are determined through real-time bidding (RTB) auctions. 

Incorporating differential privacy and secure multi-party computation can help protect the sensitive information of users during the bidding process. By adding statistical noise to the data used for bidding, ad exchanges can ensure that bidding does not result in the leakage of sensitive user information.

Other use cases for differential privacy include reports and analytics modules. 

By using differential privacy, data and insights can be displayed in a way that prevents the identification of individual users, thereby enhancing privacy.

Ad exchanges can also utilize secure multi-party computation to match advertisers and publishers based on their respective criteria, without revealing the private information of either party.

PETs for Ad Servers

Ad servers store and deliver ads to websites and apps and provide reports on ad performance. With the technologies and techniques of differential privacy, encryption, and federated learning, ad servers can enhance user privacy significantly.

Differential privacy can ensure that the processes of data analysis do not expose sensitive user information.

Encryption in ad servers secures user data by encoding it into a format that can only be accessed with the correct decryption key.

For ad servers, federated learning allows for data analysis without needing to share the data itself, enhancing user privacy.

Summary

The adoption of privacy-enhancing technologies in the AdTech industry is an important step toward respecting user privacy and ensuring data security. With the correct application of these technologies, platforms can deliver effective advertising while also prioritizing the privacy and security of their users’ data.

Data & Privacy

What are Privacy-Enhancing Technologies (PET) in AdTech?

Natalia Figas

May 18, 2023

AdTech

The Future of AdTech Lies in Privacy-Enhancing Technologies (PETs)

Mike Sweeney

Jun 07, 2023

Data & Privacy

The Benefits of Privacy-Enhancing Technologies (PETs) In AdTech

Natalia Figas

Jun 15, 2023

The post 6 Privacy-Enhancing Technologies for AdTech Companies appeared first on Clearcode.

In this blog post, we’ll explore the benefits of PETs in AdTech and the challenges that come with implementing them.

This is our second article on the topic of privacy-enhancing technologies in AdTech. If you want to learn what PETs are, what examples of PETs exist in AdTech, why and how they are used, and what the future holds for them, then read our blog post: What Are Privacy-Enhancing Technologies (PET) In AdTech? And if you want to know why companies should be looking at implementing privacy-enhancing technologies (PETs) into their businesses, read Clearcode’s piece in Exchange Wire’s Industry Review 2023.

Key Points

• Privacy-enhancing technologies (PETs) are technologies designed to protect user privacy while still enabling data collection and analysis. They can include techniques such as encryption, anonymization, and differential privacy.
• Thanks to PETs, advertisers can target specific audiences without collecting or sharing personal data. This can improve user trust and reduce the risk of data breaches or misuse.
• PETs can also help advertisers and publishers comply with privacy regulations, such as GDPR and CCPA.
• Advertisers can use PETs to gather insights about user behavior and preferences without exposing personal data. This can lead to more effective ad targeting and a better user experience.
• PETs can also benefit publishers by allowing them to monetize their content without compromising user privacy. By using PETs to collect non-personal data, publishers can offer more relevant ads to their audiences without risking user trust.
• While PETs can offer many benefits, they are not a silver bullet for privacy concerns in AdTech. Companies must still be transparent about their data collection practices and ensure that they are using PETs effectively to protect user privacy.

The Benefits of Privacy-Enhancing Technologies (PETs) In AdTech

Protecting Personal Information

One of the main benefits of PETs in AdTech is securing personal information. PETs ensure that user data is collected, processed, and stored securely, reducing the risk of data breaches and unauthorized access. This not only protects the privacy of individuals but also helps companies avoid costly lawsuits and reputational damage.

Examples of PETs that protect personal information include:

• Anonymization techniques — to remove personally identifiable information (PII) from user data, such as names, addresses, and phone numbers.
• Differential privacy — to add noise to data to make it difficult to identify individual users.
• Homomorphic encryption — to process encrypted data. 

Maintaining User Trust

PETs can help companies build and maintain user trust by providing transparent data collection and processing practices. By being transparent about how data is collected and used, companies can show that they respect user privacy and are committed to protecting their data.

Things that help maintain user trust in the context of privacy-enhancing technologies include:

• Privacy policies — AdTech companies can explain their practices of data collection and thus give users control over their data.
• User consent — AdTech companies can obtain user consent through opt-in or opt-out mechanisms, depending on the type of data being collected.
• Data minimization — AdTech companies should only collect the data necessary to provide their services.

Compliance With Regulations

PETs can help companies comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations require companies to implement specific privacy protections and disclose how user data is collected and used. 

PETs can help companies meet these requirements and avoid fines and legal penalties.

Companies can use differential privacy algorithms in their data analysis to extract valuable insights while preserving individual privacy. By aggregating and anonymizing sensitive data, these algorithms prevent the identification of individual users. This approach helps companies meet privacy law requirements like GDPR and CCPA, reducing the risk of fines and legal consequences while safeguarding user privacy.

Examples of laws that regulate the collection, storage and use of data:

• General Data Protection Regulation (GDPR) — regulates the collection, use, and storage of personal data by businesses and organizations in the EU.
• California Consumer Privacy Act (CCPA) — gives California residents the right to know what personal information is being collected about them, the right to request that their personal information be deleted, and the right to opt-out of the sale of their personal information.
• Personal Data Protection Act (PDPA) — the PDPA is a privacy law in Singapore that regulates the collection, use, and disclosure of personal data by organizations. It gives individuals the right to access their personal data and to request that it be corrected if necessary.
• General Data Protection Law (LGPD) — LGPD is a Brazilian privacy law that enhances privacy by regulating the collection, use, and storage of personal data by businesses and organizations in Brazil.
• Privacy Act 1988 — The Privacy Act is an Australian law that enhances privacy by regulating the handling of personal information by Australian government agencies and some private sector organizations.
• Personal Data Protection Act (PDPA) — The PDPA is a privacy law in Malaysia that enhances privacy by regulating the processing of personal data by organizations.

Improving the Accuracy of Data

PETs can also help companies improve the accuracy of their data. By using PETs, companies can ensure that the data they collect is high-quality and reliable, which can improve the effectiveness of their advertising campaigns.

Data validation

Data validation is the process of ensuring that data is accurate and complete. For example, one privacy-enhancing technology that can be used for data validation is homomorphic encryption. 

Homomorphic encryption is a type of encryption that allows computations to be performed on encrypted data without decrypting it first. AdTech companies can use homomorphic encryption to validate their data without exposing it to third parties or risking a data breach.

Data enrichment and collaboration

Data enrichment is the process of enhancing existing data with additional information. PETs can help AdTech companies to perform data enrichment in several ways. 

For example, they can use anonymization techniques to remove personally identifiable information (PII) from user data before enriching it with additional information. This ensures that the privacy of users is protected while their data is being enhanced. 

PETs can be used to enable secure data sharing and collaboration between different AdTech companies while preserving user privacy. 

This can be achieved by using techniques such as secure multi-party computation (MPC) or homomorphic encryption, which allow multiple parties to perform computations on encrypted data without revealing the underlying data.

Machine learning

Privacy-enhancing technologies (PETs) can be used in AdTech to ensure that machine learning models are trained on private data without compromising user privacy.

Reducing Costs

PETs can help companies reduce costs by minimizing the risk of data breaches and reducing the costs associated with maintaining a large and complex tech stack. 

By reducing the need for data storage and processing, advertisers, publishers, and AdTech companies can save money on infrastructure and maintenance costs.

The Challenges of Privacy-Enhancing Technologies (PETs) In AdTech

Despite the many benefits that privacy-enhancing technologies (PETs) offer for the AdTech industry, there are also several challenges that must be addressed for their effective implementation. These challenges can range from technical and financial to legal.

Complexity

Privacy-enhancing technologies can be complicated to understand and implement, requiring specialized knowledge and expertise. For example, the implementation of federated learning requires expertise in distributed systems and machine learning algorithms.

Compatibility With Existing Systems

Implementing PETs can be demanding and difficult, requiring compatibility with existing IT systems and integrations with workflows.

Cost

The adoption, maintenance, and adjustment of PETs can be costly, which can be a barrier for some companies. The cost of implementing PETs can include hardware and software purchases, employee training, ongoing maintenance and updates.

Trade-Offs

PETs can require trade-offs between privacy and other considerations, such as the accuracy of data. Companies may need to balance the benefits of PETs with other priorities, such as marketing effectiveness or business goals.

Lack of Standards

The absence of standardized PETs can make it hard for companies to choose the best solutions for their requirements. 

Nevertheless, the Interactive Advertising Bureau (IAB) has formed a dedicated group to develop standards for PETs in AdTech. 

This group consists of advertisers, publishers, technology providers, and privacy advocates. They aim to create a set of standardized protocols for PETs that will be accepted by the industry. 

The standardization of PETs will ensure that they are effective and consistent across the industry.

Opportunities of Privacy-Enhancing Technologies (PETs) In AdTech

Despite the challenges, PETs also offer significant opportunities for publishers and advertisers, including improved cybersecurity and new innovations.

As we mentioned earlier, PETs can reduce the risk of data breaches and leaks, which can help companies avoid costly legal and reputational damage.

PETs are a way to enhance the privacy and security of users, which can be a selling point for companies. By demonstrating a commitment to user privacy, companies can build trust and loyalty among their customers.

Summary

Privacy-enhancing technologies offer many benefits to the AdTech industry, including improved data protection, regulatory compliance, and user trust. 

However, the adoption of PETs also comes with challenges, including complexity, compatibility with existing systems, and cost considerations. AdTech companies must be aware of these challenges and develop strategies to overcome them effectively.

Overall, the development and adoption of PETs is critical to ensure the protection of user privacy in a constantly evolving digital landscape. 

By investing in PETs and working together to establish standards and best practices, AdTech companies can prioritize user privacy while continuing to provide effective programmatic advertising processes.

Data & Privacy

What Is a Data Clean Room and How Does It Work?

Mike Sweeney, +1

Apr 07, 2022

AdTech

The Future of AdTech Lies in Privacy-Enhancing Technologies (PETs)

Mike Sweeney

Jun 07, 2023

Data & Privacy

The Benefits of Privacy-Enhancing Technologies (PETs) In AdTech

Natalia Figas

Jun 15, 2023

The post The Benefits of Privacy-Enhancing Technologies (PETs) In AdTech appeared first on Clearcode.

As a result, governments worldwide are taking steps to protect users’ personal information online, recognizing the need to balance the benefits of ad targeting with the right to privacy. This has led to a shift in how AdTech works as companies seek to adapt to this new privacy-focused world.

The emergence of privacy-enhancing technologies (PETs) has been a key development in this space. PETs are designed to help companies protect user privacy while still enabling them to collect and use data for programmatic advertising. 

In this blog post, we will explore the various types of PETs available and provide examples of how they are being used in AdTech today.

Key Points

• Privacy-enhancing technologies (PETs) are tools and techniques used to protect user privacy and minimize the amount of data processed by companies. 
• They are adopted in industries that process large amounts of personal and sensitive data. 
• PETs focus on minimizing the use of personal data, maximizing data security, and minimizing the amount of data processed. 
• Examples of PETs include encryption, anonymization, virtual private networks, privacy-preserving APIs, trusted execution environments, on-device learning, privacy-preserving data mining, differential privacy, homomorphic encryption, and multi-party computation.
• The use of PETs has enabled the creation of many projects in the AdTech industry, including universal IDs, Google Privacy Sandbox, SKAdNetwork, PCM and PAIR.

Context

Going back a decade or so, companies in the programmatic advertising industry operated with very little regard for user privacy. Companies would collect large amounts of user data and use it to power everything from ad targeting to measurement.

But over the past few years, governments and tech companies have started to directly address the user privacy concerns by introducing new laws and making changes to how user data can be collected.

Law regulators across the world are working to improve the privacy of Internet users by introducing laws designed to regulate the collection, storage, and processing of personal data. Governments have enacted bills such as the General Data Protection Regulation (GDPR), Digital Markets Act (DMA), and Digital Services Act (DSA) in the European Union, Lei Geral de Proteçao de Dados in Brazil, and the California Consumer Privacy Act (CCPA) in the United States to establish standards for data protection. These laws are designed to ensure that individuals have control over their personal information and that businesses handle it responsibly, transparently, and securely.

Tech companies have been working on increasing user privacy by changing their software and devices. For example, Apple Safari and Mozilla Firefox have recently added new privacy features. It is expected that Google Chrome will do the same in 2024. These web browsers are moving away from the use of third-party cookies and user IDs, which are used to track individual users across websites, and instead favor anonymized browsing. 

This approach prevents online advertisers from identifying users on an individual basis, thereby putting an end to the practice of 1-1 ad targeting, which involves delivering personalized ads to users based on their browsing behavior.

The last piece of this puzzle is how the AdTech ecosystem responds to these changes. Publishers, advertisers, and AdTech companies are adapting privacy-enhancing technologies to preserve users’ privacy while delivering personalized advertising.

What Are Privacy-Enhancing Technologies (PETs)?

Privacy-enhancing technologies (PETs) is an umbrella term for tools, technologies, and techniques used to protect users from cyberattacks, maintain their privacy, and minimize the amount of data processed by companies.

Privacy-enhancing technologies are commonly used in industries that process large amounts of personal and sensitive data, such as banking, insurance, health, government, marketing, and advertising. 

PETs help ensure data is secure by focusing on three key pillars:

• Minimizing the collection and use of personal data.
• Maximizing data security to protect consumer privacy.
• Minimizing the amount of data processed.

Some examples of privacy-enhancing technologies include:

• Minimization techniques
• Encryption
• Anonymization/pseudonymization
• Virtual Private Networks (VPNs)
• Privacy-preserving APIs
• Trusted execution environment (TEE)
• On-device learning/federated learning (FL)
• Privacy-preserving data mining (PPDM)
  
  • Differential privacy (DP)
  • Homomorphic encryption (HE)
  • Multi-party computation (MPC)

There are other technologies dedicated to and utilized in the AdTech industry, which we will expand on in the next section

Examples of Privacy-Enhancing Technologies (PETs)

In order to deliver targeted and relevant ads, AdTech platforms process vast amounts of data, including personally identifiable information (PII) and personal data. 

Privacy-enhancing technologies can play a key role in ensuring this data is kept secure and protecting a user’s privacy across all layers in the programmatic advertising and AdTech ecosystem.

Most AdTech solutions that incorporate PETs combine one or more of the following techniques:

Secure Multi-Party Computation (MPC)

Secure multi-party computation (MPC) is a technique that enables two or more entities to share encrypted data through multiple nodes/servers and gain insights without learning about each other’s data. Private Set Intersection (PSI), a cryptographic protocol that allows two parties to compute the intersection of their sets while keeping the contents of their sets private, is an MPC technique.

Trusted Execution Environment (TEE)

While they share some similarities with MPCs, Trusted Execution Environments (TEEs) differ by enabling operations within a single server. TEEs use secure hardware with cryptographic protections to process data in a confidential computing environment, ensuring security and data privacy during data processing.

On-Device Learning

This technique is an algorithm trained on historical data, such as consumer interests or conversions, and is used to make predictions. The information is processed directly on the device, with no user information being sent back to the server.

Differential Privacy (DP)

Differential privacy is a technique used to analyze a dataset that provides a formal privacy guarantee by controlling the amount of privacy loss through mathematical methods. As DP is an algorithmic property, it can be applied uniformly to different data sets, thus protecting an individual’s identity from reconstruction or re-identification. DP can also be combined with other privacy-enhancing technologies (PETs) as part of a comprehensive approach.

Aggregation/K-anonymity

This technique involves aggregating data to a minimum privacy threshold, ensuring that the result includes at least a minimum number of data points with identifiers removed, commonly referred to as “k.”

Federated Learning (FL)

Federated Learning is a machine-learning technique that enables models to be trained on decentralized data across multiple parties without exchanging any information.

The Purpose of Using Privacy-Enhancing Technologies in AdTech

As technology continues to advance so does the need for privacy-enhancing technologies (PETs) in the AdTech industry. The basic purpose of using PETs in AdTech is to protect users’ personal information and prevent it from being used for unauthorized purposes.

However, AdTech not only processes data but also collects it, shares it between parties, and computes and utilizes it to power various programmatic advertising processes.

PETs can be used to increase security and user privacy for the following processes:

Data Collection

PETs can help organizations comply with data privacy regulations and avoid the potential legal and financial consequences of non-compliance when collecting data. Privacy-enhancing technologies also enable data minimization, which reduces the risk of data breaches, ensures that personal data is only collected for a specific and legitimate purpose, and decreases the space needed to keep data.

Identification

Without privacy-enhancing technologies, personally identifiable information and even sensitive data could be leaked. AdTech companies can protect this information from cyber attacks and data breaches by encrypting the data. There are many different techniques for encrypting data, but the three main ones are symmetric encryption, asymmetric encryption, and hashing.

Data Sharing Between Parties

Running advertising campaigns demands collaboration, such as data sharing between different AdTech platforms. However, this can also increase privacy concerns if not handled transparently and responsibly.

To keep the data safe and secure, AdTech companies can use encryption, secure multi-party computation, and differential privacy to exchange data confidentiality. Also, by using PETs, they can state who can have access to the data, which will minimize the risk of unauthorized access to it.

Data Processing

A set of procedures, such as computation, analysis, and measurement, are run on data every time an ad is served to a user. 

Privacy-Enhancing Technologies (PETs) play a crucial role in ensuring that personal data remains secure and confidential during these procedures. For example, PETs like differential privacy enable the analysis of anonymized user data without revealing personal information, such as personal identifiers or browsing history.

Ad Targeting

Advertisers want to show relevant ads to their audiences and provide personalized experiences to their users. PETs, such as federated learning, allow them to display ads by processing data on a user’s device, rather than sending it to an external server. This approach reduces the possibility of personal data being shared with multiple companies.

Use Cases of Privacy-Enhancing Technologies in AdTech

While you may not have heard about PETs, you’ve probably come across AdTech platforms and processes that incorporate these technologies.

Below are some of the main examples of privacy-enhancing technologies in AdTech.

Universal IDs

PETs can be used to generate a universal ID in a privacy-preserving way. For example, companies can apply a hashing algorithm, such as SHA-256, to an email address or phone number to produce an ID. So instead of using a user’s actual email address as the universal ID, companies can use the hashing algorithm to produce a random string of numbers and letters and use that as the ID. 

This not only prevents a user’s raw data (i.e., the email address) from being used, but it also protects their privacy, as the hashed ID can’t be unscrambled once it’s been hashed. This ensures that the universal ID cannot be traced back to an individual.

Google’s Privacy Sandbox

Privacy Sandbox aims to replace the processes carried out by third-party cookies by utilizing advanced privacy techniques such as differential privacy, k-anonymity, and on-device processing. 

Additionally, it helps to minimize other forms of tracking, like fingerprinting, by limiting the amount of information websites can access, ensuring that your personal information remains confidential, protected, and secure.

Data Clean Rooms

There are many different use cases of data clean rooms in the context of advertising. In an interview with Michael Sweeney, Head of Marketing at Clearcode, Gowthaman Ragothaman from Aqilliz shared some concepts on how brands can utilize data clean rooms for ad targeting, audience targeting, and measurement.

Encryption and double blinding for data inputs, differential privacy in running queries, injecting data noise, maintaining k-anonymity thresholds, are some of the techniques used in DCRs.

SKAdNetwork

SKAdNetwork is a privacy-centric API operated by Apple. For marketers running ad campaigns on iOS-powered devices, this system provides insights into campaign attribution that are anonymous, aggregated, and delayed.

Private Click Measurement

Private Click Measurement (PCM) by Apple was created for measuring ad clicks across websites and from iOS apps to websites. PCM uses on-device processing, differential privacy, blinded signatures and data minimization to ensure that user data is protected.

Publisher Advertiser Identity Reconciliation

Google’s Publisher Advertiser Identity Reconciliation (PAIR) enables publishers and advertisers to privately and securely reconcile their first-party data for audiences who have visited both a publisher’s and an advertiser’s website.

The solution works by allowing advertisers and publishers to activate encrypted first-party data that is specific to their sites via aggregation. This ensures that no data related to individual users is shared between parties, and the aggregated data is only readable and relevant in the context of their direct relationship.

MPC In an SSP

Magnite, a leading AdTech company, utilizes a form of technology called MPC to support activation without accessing raw data. Advertisers and publishers encrypt their data, such as first-party publisher lists or advertiser customer lists, using MPC. 

The encrypted data is then sent to Magnite, who can match and create synthetic stable IDs using the data. These IDs can then be used to activate the data without accessing the raw data itself.

Private Computation

Meta uses multi-party computation to improve its ad targeting capabilities while preserving user privacy. The system allows Meta to analyze encrypted user data to identify trends and patterns without accessing the raw data itself. This enables Meta to provide more personalized ads without compromising user privacy.

The Future of Privacy-Enhancing Technologies in AdTech

To define the future of PETs, we need to take into consideration multiple factors, such as the growing awareness about privacy protection on the Internet, technological changes, new legal regulations, and the ongoing debate about privacy among publishers, advertisers, and organizations representing their interests.

Consumers and governments recognize the importance of privacy in the digital age. This consciousness will drive the wide adoption of PETs and the creation of new regulations around the topic, similar to how the GDPR, LGPD, CCPA, and the IAB Tech Lab’s TCF have been adopted. These, and other, legal frameworks will require companies to incorporate PETs into their AdTech technologies and processes to ensure they are compliant with various privacy laws.

Some advertisers and publishers have already recognized the benefits of PETs, such as an increase in consumer trust and reduced risk of data breaches. 

As a result, more and more companies will dedicate budgets to new solutions such as data clean rooms to leverage PETs in their AdTech efforts.

Moreover, various technologies will go through different stages of development. The current priority lies in providing more granular control over the use of personal data, so in the nearest future, we can expect to see advancements and more sophistication in this field.

The last important aspect of the development of PETs is working on providing standardization.

The IAB Tech Lab has established a dedicated group to develop standards for PETs in AdTech. This group is made up of representatives from advertisers, publishers, technology providers, and privacy advocates. 

Their goal is to develop a set of standardized protocols for PETs that can be adopted by the industry. This standardization will help to ensure that PETs are effective and consistent across the industry.

To summarize, PETs will definitely play an increasingly important role in AdTech in the coming years.

Do you want to learn why companies should start PETs into their businesses? Read Clearcode’s piece in Exchange Wire’s Industry Review 2023.

Data & Privacy

What Is a Data Clean Room and How Does It Work?

Mike Sweeney, +1

Apr 07, 2022

AdTech

The Future of AdTech Lies in Privacy-Enhancing Technologies (PETs)

Mike Sweeney

Jun 07, 2023

Data & Privacy

The Benefits of Privacy-Enhancing Technologies (PETs) In AdTech

Natalia Figas

Jun 15, 2023

The post What are Privacy-Enhancing Technologies (PET) in AdTech? appeared first on Clearcode.

In this video, Michael Sweeney, Head of Marketing at Clearcode, spoke to Juan Baron, Director Business Development & Strategy (media & adv) at Decentriq about the various use cases of a data clean room and how data scientists use Decentriq to analyze data in a highly secure and privacy-compliant way.

Q&A: Data Clean Rooms

Below is the transcript from the video interview above.

Michael Sweeney: Hello, everyone. My name is Michael Sweeney, and I’m the head of marketing here at Clearcode. In today’s video, I’m joined by Juan Baron, who is the Director of Business Development and Strategy of Media and Advertising at Decentriq, and we’ll be talking about data clean rooms. So Juan, thank you very much for joining me today.

Juan Baron: Thank you, Michael. It’s a pleasure to be here.

Michael Sweeney: Tell us a little bit about yourself and Decentriq and what you do.

Juan Baron: Sure. So as my name suggests, I was born and raised in Colombia, spent many years in AdTech in the US, and migrated over to Switzerland — about eight years ago. I’ve been on both the AdTech side and also on the publisher side, and since the rise of GDPR, the move towards the privacy-first type of advertising has taken hold and data clean rooms aim to fill that gap. 

Decentriq is a Swiss-based data clean room provider, and our secret sauce is a hardware-based technology called confidential computing. But basically, we provide data clean rooms for a variety of industries.

Michael Sweeney: What are some of the other industries that you operate in, and the types of clients that use your data clean room for non-advertising and media use cases?

Juan Baron: At the core, Decentriq is a data science collaboration platform that is really the nuts and bolts of the technology. 

So, a lot of the use cases that we’ve seen are actually pure data scientists using our technology to collaborate with other fellow data scientists at another company. 

We have a company in Asia using our data clean rooms in the trade finance sector to collaborate with logistics data for tracking and monitoring cargo shipping data. We also work with numerous pharmaceutical companies on market share data inside the data clean room. 

Obviously, we work in the media and advertising sector, enabling banks and insurance companies to activate their data within premium publisher inventory. 

We also have publishers collaborating with insurance companies on what is called attribute prediction models. So they’re running machine learning models, in order to better predict data without ever leaking individual profile information. So the only thing that comes out of the data clean room is the model itself. So it’s probably it’s like the most privacy for serving this type of collaboration that we’ve seen.

We even work with the Swiss Army for protecting core infrastructure against cyber attacks.

Michael Sweeney: Great, thanks for the overview. I’m quite intrigued by the use of data clean rooms by companies and industries outside of advertising and media.

For most people, when they think of data clean rooms and applications for programming advertising and media, one of the key parts of the whole process is being able to match two different data sets together. You’ve got an advertiser and a publisher, and the advertiser might want to do some kind of ad targeting across the publisher’s website or properties. And in order to do that, they would use a data clean room to match the two different data sets together.

For the most part that would be some kind of linking ID that joins it all together: universal ID, mobile ID, phone number, email address, or something like that.

Michael Sweeney: How does that look when we’re talking about non-programmatic advertising and marketing use cases? Do both parties have some piece of data that can be connected together? And what can they do once they’ve done that?

Juan Baron: Not necessarily. 

In our data clean rooms, we have strict user permissions on who can access and upload data. For example, it could be a data scientist who needs to compute the data without linking the data sets. The data allows the data scientists to pull different data sources and run specific models to achieve a certain result. 

This is different from AdTech and programmatic advertising, where the focus is on following a person across different media properties.

Michael Sweeney: That’s really interesting. I guess data clean rooms can be used across different industries to do things with data in a highly secure and privacy-friendly environment. That’s the whole value of data clean rooms for those industries.

Juan Baron: It really depends on the capabilities of the data clean room provider. 

At Decentriq, we use Confidential Compute, which is hardware designed by Intel and AMD. We allow pretty much any programming language inside the data clean room. So we support not only SQL but also R or Python. This is exactly what data scientists use today but in a compliant way with sensitive data through our platform. 

We have access permissions by users and interactive data workflows built into the platform. This allows for a collaborative and speedy iteration of data scientists to work back and forth in a fluent matter. This is very different from what we see in traditional competitors in the space who tend to focus on finding a specific number of users for retargeting in a safe and compliant way. 

For us, that’s not the most exciting use case. The more exciting use cases are the ones that involve data science, especially in advertising.

Michael Sweeney: With the topic of data scientists using a data clean room, a lot of that programming-type stuff would be done inside the Decentriq data clean room, right? Because one of the whole points of the data claim is that other data, apart from your own that you put in, is not extracted from it. So a lot of analysis happens within your platform. Is that right?

Juan Baron: That’s correct. And then you can allow the other collaborating party to get access to specific results. 

We have what is called K-anonymity filters, or a privacy filter in a way where we can actually hardwire the end results to be aggregated results. So that is kind of hardwired into the platform. 

The whole idea as well is that you can have full transparency in what kind of code is being written. So, therefore, there’s no data leakage. On top of that, because of confidential compute, there’s this thing called remote data station, and what that provides is cryptographic proof of what is actually being done with the data. 

So, the sexier term for this in our platform is called the audit log. This provides cryptographic proof that whenever somebody clicks to view the results or run the computation, we have a very transparent log between all the parties of what is actually being done, what users do, and what’s happening inside of the platform. 

From a DPO perspective, this is an incredible feature because it provides a lot of assurance. It makes them sleep better at night, let’s put it this way.

Michael Sweeney: What are some of the clients doing with your Data Clean Room in the advertising and digital marketing space?

Juan Baron: In the digital and advertising space, the most common use cases are media planning. And then, obviously, activation. Activation takes place in very different flavors. And eventually measurement. When it comes to media planning, it all starts with an overlap.

That’s defined. I have my customer dataset, and I’m going to intersect it with the publisher’s network to see what the overlap looks like. 

You can bring in your own data identity graph if you want to expand the match rate. And then, through activation, there are a few different flavors. 

We have precise activation, which requires explicit marketing consent from the brand. That’s the traditional retargeting that everyone knows and loves. 

The other one is what we already built into the platform, which is top affinity segments. Based on the intersection of the data, we identify the top affinity segments of that particular publisher. Then we create audiences or deal IDs around those particular segments. 

The more sophisticated one is allowing the publisher to bring their own look-alike model inside of the data cleaner. And what that allows is actually to create one big segment built on a look-alike on that data intercept. And then the only thing that actually, exits that the data clean room is the model itself. 

And what we’ve been able to prove in combination, because we use confidential computing and all the privacy and security guarantees that we provide, is that we, Decentriq, don’t have any physical or any way to access the data because the encryption keys are with the data owner not with Decentriq.

We also guarantee that not even the cloud provider has access to the data. 

So what we do is that we actually back this up with legal opinions. So we have legal memorandums from prominent European legal firms backing our claims that: Yes, you don’t need marketing consent at all from the brand side in order to enable the top affinity and the look-alike model through Decentriq. 

On top of that, which is pretty groundbreaking because of the way that technology is built, we have major European publishers acknowledging that they don’t even require joint control or agreement with the brand. So that is a game changer because of the way we build Decentriq.

And then — measurement. At the end of the day, it’s all about showing results. And for the longest time, for many years, publishers have been limited in terms of how much data they’re able to provide and show results to customers — and measurement is key. 

So for the first time, they’re able to provide ad exposure data. Plus, add a lot of audience data into the measurement and provide very predictive analytics on behalf of the brand. 

So, finally, premium publishers, in a way, have taking control back and showing a lot more value than traditional programmatic advertising.

Michael Sweeney: What are some of the channels that your clients are using in your data clean room? Can you offer the data clean room in different channels like web browser advertising, in-app, CTV, or are you focusing on one channel at a time? How can your data clean room be used across different channels by different advertisers?

Juan Baron: The data clean room itself is agnostic to the channel. It really depends on the publishing partner. 

In Switzerland, we have publishers that not only sell standard programmatic display advertising or native, or even in-feed video, but we also have partners that sell CTV. 

So, it really is agnostic. It depends on the capabilities and reach that the particular publisher has, what kind of inventory they control, and then make their DMP data and/or CDP data available in the clean room so that the advertiser can choose which particular channels and audiences will be the most relevant based on the data intersect.

Michael Sweeney: Perfect. And in terms of the thing that ties it all together, right? Because I guess, in most cases, or maybe every case when it comes to programmatic advertising and digital marketing, if you have an advertiser and they want to match their data sets with a publisher’s data sets, there needs to be an underlying linking ID, let’s say. So is that generally the case, like 100% of the time, there needs to be some kind of underlying ID linking those two different sets together?

Juan Baron: Yes. The most prominent linking is typically the email address. But we could do a combination of multiple things in our clean room because you can write any type of code.

You can ingest an identity graph, you can ingest multiple identity graphs, if you really need to, you can do a combination of what we call fuzzy matching. So, if you really happen to have the email, phone number, first name, last name, and even home address in your data set, you can use a combination of everything in order to further increase the match rate.

Michael Sweeney: I wanted to get back to the thing you mentioned about consent when it comes to collecting data and then using it in the data clean room.So if I’m a publisher and I have some kind of login, let’s say, where I collect email addresses, and then I would encrypt those email addresses and then upload them to Decentriq, for example, to the data clean room. Is it the case that when I collect that email address, I don’t have to ask for consent to collect it because I’ll be using it in a DCR where that personal data won’t be shared with anybody else?

Juan Baron: Well, the data clean room itself does not solve the problem. The law around consent is not about the technology; it’s about the processing of the data. 

Based on our legal team, but also the law itself, what we are allowed to do is leverage data for legitimate business interest. 

Let me give you an example. 

Let’s say I am a bank, a big bank, let’s say I’m Barclays, and I want to advertise on The Guardian. So as Barclays, I have access to my own CRM. Perhaps I have surveys, perhaps I have Adobe Analytics, and I’m pulling all this data, and I have a very basic understanding of who my actual customers are. Maybe I have identified that they’re all male, 25-45, they’re interested in sports. Very plain and simple.

Then I’ll go to the Guardian and the typical workflow on programmatic advertising is like this: Hey Guardian, I want you to create an audience with male, 25-45 that are interested in sports, because that is what I know about my own customers. 

With data clean rooms, in particular with Decentriq, in order, for example, to identify the activation case of top affinity, once you’re intersect those data sets, you now come up with a very different perspective of your own customers because now not only are they male but the the age group is actually different, it’s actually 28 to 35. And they’re not interested in sports, it’s more about adrenaline sports.

Now, if you realize what has happened is that, yes — you leverage data on both sides, from each other’s customers, but at the end of the day, all you’re getting is you’re extracting business analytics. 

Therefore, based on the legal memorandums and the legal opinions that we have backing up this particular use case, no marketing consent or additional consensus is required in order to extrapolate that information because these are just business insights. 

But you’re using those insights in order to further influence, to create a segment. And at no point in time, you’re transferring individual profile information from one entity to the other. Neither are you given access to your customer database to that particular publisher.

Michael Sweeney: Yeah, got it. So essentially, the publisher or even the advertiser wouldn’t need to state Decentriq or any other data as a vendor that they work with as well.

Like, if we imagine the typical CMP scenario, we go into a publisher’s website, and they’ve got a list of all the partners they work with. Essentially, that publisher wouldn’t need to list Decentriq as one of those partners because you’re not processing personal data.

Juan Baron: Yeah, that is correct. And that is a big change for us because, as I said, the way Decentriq is built, we have no way of even knowing what’s going on inside of the data clean room. 

In some cases, we have no way of what kind of code they’re running, what kind of data they’re actually uploading, who has access to what. It’s kind of locked up in a hardware enclave protected by confidential computing.

And confidential computing, those hardware chips, those microprocessors are built in a way that they can only run the code that was agreed upon between the collaboration parties in the data cleanroom. 

So at the end of the day, it’s the code, the rules, not any type of commercial agreement. That is being agreed upon by the collaborating parties.

Michael Sweeney: I think it is a big game-changer, especially when we talk about using first-party data. I see that is a massive advantage for data clean rooms.

If we think about some other ways a brand or a publisher would need to activate their first-party data, I mean, if they’re talking about Universal IDs, I’m not a legal expert on the GDPR and the whole thing about the lawful basis for data processing using a universal ID, but I would assume, and I’m pretty sure this is correct, that they would be essentially processing personal data, right?

So publisher or the brand would need to state that that’s part of the data processing and that these companies will also be processing data, but that’s not the case with data clean rooms.

Juan Baron: It depends on the data clean room. 

As I said, it depends on how the data cleaner is built, what they require in terms of how they actually work with the data, the data architecture looks like.

In the Decentriq world, the data is encrypted on the device, so if you’re using our user interface, you can use it without even being connected to our infrastructure. 

Once you hit encrypt and upload, all you’re sending to Decentriq is a blob of encrypted data, which is entered through confidential computing using specially designed chips. These chips can actually compute data that is encrypted. 

So at no point in our infrastructure can anyone access the data, not even the cloud provider.

Every single data clean room provider will always hit the DPO office, the data protection officer. And they will always ask questions. 

That’s what we tend to see as well, and that’s why we’re trusted by pharmaceutical companies, insurance companies, banks, and other highly sensitive data owners. 

This is a testament to the trust they put in us because of the way our technology is built and the guarantees we provide. 

Not all data clean rooms are capable of doing this because of the way their infrastructure is built.

Michael Sweeney: Let’s jump to this topic about different data clean rooms that are on the market.

There has been a lot of news in the past few months about independent data clean rooms operating on the market. There is also a lot of activity around data clean room or DCR-tech provided by the Walled Gardens — Google, Meta and Amazon. Of course, AWS also announced their data clean room solution.

So let’s start with the comparison between Decentriq and other independent, non-walled garden data clean rooms.

Obviously, you’ve touched on this before about privacy and data. And I guess one of the key things that you mentioned a second ago about data clean rooms is that they are very much viewed as a highly privacy-friendly solution. Privacy and security needs to be at the heart of it.

Michael Sweeney: How does the Decentriq differ from the other independent data clean rooms on the market? And how do you provide the security and privacy aspects that generally most people would think need to come automatically with a data clean room?

Juan Baron: A key differentiating part of the Decentriq is that now we’re going into the privacy-enhancing technology space. 

Not only do we have a PETs environment, which is a completely new different world in particular for the advertising market, but we use a combination of trusted execution environment and confidential computing. As far as we know, based on the research that we’ve done and everything else, and partners that we talk to, we are the only data clean room in the space that uses this combination. 

So that combination of both hardware and software is by far the most secure. 

Now that being said, what we know of other data clean room providers in the space is that some of them are more like a CMO dashboard, so they’re pulling in information from existing data sources, creating collaboration between those data sources, but there’s not really sophisticated data science going behind it. It’s more about answering the chief marketing office query of the day.

On the other once, are built around data storage, which also has legal implications and limitations in terms of computational flexibility that they can run on the data clean room itself. 

Data clean rooms from the Decentriq think about it like Snapchat. We are formal data clean rooms. You agree on the computation, and you can run any code, SQL, Python, R. You can even create synthetic data sets inside of the data premium for further protection of your data. 

Once you agree on the code, you upload the data into the data clean room, your computer, and then you pretty much are done with it. 

We’re not in the storage business, but we’re in the computational flexibility business, and the way we try to describe the Decentriq is called a trusted computational layer. You can send data into processing or computation inside of the Decentriq, and what you do with the data afterward, you can also send it to internal analytic dashboards if you have them.

Obviously, the Walled Gardens have their own business interests. 

It’s to spend more money inside of the Walled Gardens, and that is the approach that they’re gonna take. 

They want to show that their inventory produces more results with very little flexibility, and they’re not going to provide any data from their own users because they’re the Walled Gardens for a reason. 

AWS is the same thing, right? Its marketing is trying to help you spend more inside of Amazon advertising. And it comes with these limitations as well because they’re not independent or data input-agnostic.

So, they kind of require for you to be on Amazon or perhaps you have to be in Snowflake. Then what do you do? You’re kind of limited in terms of the exposure or the possibilities that you can do with that. 

We do see a future where large brands will want to have a very independent, highly flexible, extremely secure data science data clean room. And large brands will demand from the Walled Gardens to provide data sets in that particular… because, at the end of the day, the Walled Gardens also need to protect the data of its own users. So they need the most secure data clean rooms as well.

So we do see a world where a very large brand will start demanding data from the Walled Gardens into their own independent data clean room in order to provide better measurement.

Michael Sweeney: Do you think that will happen in the future? Because from what I’ve read, you can’t really extract the data from Google’s Ads Data Hub, you can’t use that with other companies.

Juan Baron: That’s a very Google-centered view.

Michael Sweeney: Yes.

Juan Baron: They say: give me your data, I will ingest it, I will pretend that everything’s secure. Well, I will not pretend, I’m sure it is secure in a way, but it’s all about showing you how your data looks like in the Google Universe. 

But at no point in time, if you’re a large sophisticated advertiser, your entire advertising does not just live on Google. 

It lives on Meta, it lives on Snapchat, it lives on programmatic advertising, and maybe you have direct deals with the New York Times and the Washington Post, and the Guardian. 

If you’re a very big brand, you want to have full control and full disability of where your marketing spend is being run and how to properly allocate budgets as the world changes. With the Ads Hub from Google, it’s a very Google-centered view.

Michael Sweeney: Do you think there will be a point in time when Google will make their data clean room tech open to other parties?

Michael Sweeney: Or do you think it would be a situation where let’s say, a large brand that runs campaigns with Google and other independent ad tech companies and Meta, Amazon even, they’ll essentially just have a bunch of different data clean rooms that they will use?

Or do you think they’ll come a point in time where they’ll all be working together in some way? Or would it kind of be just like we’ve seen with pretty much every other area of programming advertising, where there’s the World Gardens and then there’s the independent AdTech companies?

Do you think that trend will follow into the data clean room space? Or do you think it will be a little bit different?

Juan Baron: I sure hope so. I think, at the end of the day, it’s all about trust. 

Even if Google opens up their own data clean room, do you think Meta will ever upload their user data or ad exposure data into the Google data clean room? I don’t think so. 

That’s exactly why we believe that independent data clean rooms are here to stay because it enables trust and control.

And those are the key factors that are definitely going to drive the adoption of data clean rooms. We’re talking about sensitive data, we’re not talking about third-party cookies, right? 

A brand, let’s say a bank or even an e-commerce platform, they have highly sensitive data to understand. 

These are personally identifiable information, lifetime value components, what kind of purchase history the particular customer has, wheter it’s a bank, mortgage information, credit card information, or transactional history. Very sensitive data. 

And at the end of the day, the data provider needs to be fully in control. 

If they are a very large advertiser, not only do they want to put in the data team room, the transactional data, and the CRM data, but they also expect the Walled Gardens and the programmatic of the world, or the publishers of the world, to be able to contribute. 

And they also want to be in control of their own data that they’re putting inside the data clean room. 

So that’s why we believe that independent data clean rooms are here to stay. And we believe that Decentriq obviously has a very strong future because of its computational flexibility, but also by far the privacy and security guarantees that we provide.

Michael Sweeney: Definitely. I think that there will absolutely be a need for independent data clean rooms because it’s simply because of the different applications of a data clean room.

As you mentioned, some examples of the companies that use these. They use Decentriq, for example, to deal with highly sensitive information that they won’t give to Google or Meta, especially because the main use case of Google’s data clean room is advertising, right?

Juan Baron: Absolutely.

Michael Sweeney: But that’s not always going to be the case.

Juan Baron: If you’re Kroger or Walmart, will you ever use a AWS?

Michael Sweeney: Exactly. So there’s always a market for independent AdTech companies and data clean room companies, which is fantastic to see.

Juan Baron: Exactly.

Michael Sweeney: I wanted to ask a couple of questions about the IAB’s recent standards and guidelines that were released in February of this year, in 2023. How does interoperability work with Decentriq, starting from a basic level?

Michael Sweeney: Let’s say you’ve got one advertiser and a publisher. If an advertiser wants to use a data clean room for campaign media planning, can they really only use that with one publisher partner? Or if they wanted to work with multiple publishers, would it just be a matter of bringing those publishers on, right? Is that essentially how it would work?

Juan Baron: Yeah. That’s exactly how it works today. We have cases where we have networks of publishers collaborating with one brand, for example.

Michael Sweeney: Perfect. In terms of the interoperability between the different data clean rooms, this was kind of part of the IAB standards and guidelines. What are your thoughts on that? 

Michael Sweeney: What are your thoughts on the future of the data clean room space for independent data clean room vendors in terms of interoperability between them?

Michael Sweeney: If you imagine we’ve got advertiser #1 using Decentriq, and then you’ve got a publisher that’s using a different data clean room — how do you see that situation and that future?

Do you see that it is a common thing, or do you kind of see how it is now, where there will be one data clean room, and it’ll be used by advertisers and publishers, and there won’t be any kind of interoperability between the different data clean room vendors?

Juan Baron: The topic of interoperability is the key one. Obviously, Decentriq is among the co-authors of that particular paper. And what we set out to do with that paper is just to create a baseline in terms of the future of interoperability.

Interestingly enough, it’s all about not only agreeing on the terms of privacy and security, and we take a very hard stance in terms of establishing a standard of what is really a private and secure data clean room, but also the subject of interoperability is data normalization between clean rooms, right? 

You want to make sure that in the Decentriq World, we are agnostic to the input and the output of the data. But if we’re going to ingest that data from a competing data clean room because our brand or our publisher is using our data clean room, we need to make sure that the data can actually be run and computed and intersected with whatever is going on inside of Decentriq data clean room. 

One of our largest partners here in Europe, their perspective of interoperability is not just about the data, it’s actually about the legal framework. 

It’s all about making sure that we can scale the usage of data clean rooms without being bogged down in compliance. 

So for them, the question is: can we somehow digitally or programmatically scale the legal frameworks around it? 

And I think, hopefully, my hope is that we can actually take up this topic and bring it into the subject of interoperability because it’s a very interesting approach. 

Because, as you know, programmatic advertising is all about scale without worrying. It’s about ease of use – click a button and then scale. We hopefully can actually do that through data clean rooms as well in the future.

Michael Sweeney: Yeah, definitely. And as you mentioned a moment ago, I think there are a lot of challenges with the interoperability part, especially with data clean rooms, right?

Because, by nature, especially as you mentioned with Decentriq, you guys are highly secure in privacy as well.

So there are a lot of challenges not only with the technical side, as you said with data normalization, but it’s also the fact that you’re not like a data warehouse, right? Where you can kind of do all that. Like a normal data warehouse would be. There’s a lot of separation with the different data sets. You don’t get the raw data even. It’s even challenging from that part of it as well.

It’ll be interesting to see how the interoperability part works out, even whether that’s something that brands and publishers even want as well.

I think that there are a lot of challenges, a lot of hurdles you have to overcome.

I think for a lot of brands and publishers, they might just be happy with how the data clean room process works now, where they use one data clean room like Decentriq, and just work with a bunch of their publishing partners rather than work with a bunch of different data clean rooms as well, because that could add a lot more complexity to their processes as well.

Juan Baron: Yeah, exactly.

Michael Sweeney: Yeah, perfect. Juan, that’s pretty much all the questions I had for today. Was there anything else you wanted to add? Was there anything that we didn’t cover that you would like to talk about?

Juan Baron: No, I mean, this was a very good conversation, so thank you very much for giving me the time.

Michael Sweeney: You’re very welcome. Thank you very much for sharing your insights. It’s always good to learn about data clean rooms.

I feel that every second day, I’m reading some kind of article about data clean rooms, and we’ll always try to make sense of it in my head, and chatting with people like yourself certainly makes that process a lot easier. So it’s really great that you took the time to tell us about Decentriq and how your data clean rooms work, as well as get your thoughts on some of the other topics in the industry. 

For today, we can wrap it up. If people want to contact you, they can obviously just head off to Decentriq. I’ll put a link to your website in the description below. I’ll also put a link to your LinkedIn profile as well. If people want to connect with you if they have any questions, that’s probably the best place to contact you. 

Juan, thank you very much for your time today, and all the best with Decentriq.

Juan Baron: Thank you, Michael. It was my pleasure.

Michael Sweeney: Perfect, thank you very much, and we’ll speak to you soon.

Juan Baron: Thank you very much. Bye-bye.

The post Data Clean Rooms: Q&A With Juan Baron from Decentriq [VIDEO] appeared first on Clearcode.

That’s why marketers, advertisers, and agencies have started to invest in different data strategies to continue offering personalized advertising without relying on third-party data, which has been the standard approach in programmatic advertising.

While many companies are starting to collect and utilize first-party data to power personalization, another type of data is emerging — zero-party data.

In this post, you will learn what zero-party data is, why it’s essential for AdTech, and understand the differences between the three most important data types: zero, first, and third-party data.

Key Points

• Zero-party data is data that customers own and willingly give to brands, for example, to personalize their experience or receive something of value.
• Zero-party data helps match the brand’s offering with the current customer’s needs and develops the business faster and in the right direction.
• Examples of zero-party data include information obtained from customers via newsletter sign-ups, calculators, quizzes, surveys, etc.
• To collect zero-party data, you need to have privacy and data processing policies that comply with current privacy laws, such as the EU’s GDPR. In the gathering process, you can utilize customer engagement platforms and enrich single customer views (SCV) in your customer data platforms (CDP) or customer relationship management systems (CRM). 
• To create audiences for ad campaigns, marketers use zero-party, first-party and third-party data.
• The difference between zero-party and first-party data is that ZPD comes directly from a customer to improve their experiences and, for example, get more personalized recommendations, while first-party data comes directly from the customer from other avenues, such as newsletter sign-ups.

What Is Zero-Party Data?

Zero-party data is data that customers willingly give to brands — intentionally and proactively. Generally, users provide companies with their zero-party data to improve their experience on a website or mobile app, such as via polls and surveys. First-party data is collected in various ways, such as via form submissions and web analytics tools.

The term “zero-party data” was coined by Forrester Research, a company that promotes the idea of a customer-centric attitude. In 2020, Forrester pointed out that brands will need to focus on working with the data shared directly from their customers because of the tightening privacy laws and regulations, such as GDPR, CCPA, and Vermont’s data broker registration law.

Typically, the customer will expect something interesting in return for their data — for example, an e-book, a report, an e-mail with interesting content, etc. Collecting first-hand information and permission to use it gives advertisers a more panoramic view of the customer’s preferences, challenges, goals, and interests.

Why Is Zero-Party Data Important?

To create an advertising campaign that addresses the right audience and the right problems, having information about them is the key. By collecting data directly from consumers about their interests and preferences, advertisers can display more relevant ads to them.

However, zero-party data is essential for a couple more reasons:

• Zero-party data is more trustworthy than third-party data — customers who share their personal information freely with a business and are aware that the information will be utilized for personalization or to improve the user experience are more likely to share honest and helpful data.
• Personalization and customer experience — the customer who is already familiar with or uses services and products of a given brand can submit more information on their preferences to customize recommendations.
• Segmentation — the organization collecting zero-party data can prepare the form in such a way as to obtain the information needed for customer segmentation.
• Data clean room collaboration — companies can share anonymized zero-party data in a data clean room and analyze combined data sets. Based on the analyses, their strategies and activities can be modified. For example, they can prepare a new ad campaign with better targeting criteria.
• Obtaining marketing consent — a potential customer can allow various forms of contact, such as e-mail, telephone, and SMS, when providing their data.

Current trends in the AdTech and MarTech industries are emphasizing the importance of zero-party data. Brands, publishers, and agencies include various data acquisition scenarios in their marketing strategies to obtain more zero-party data.

In the future, brands will need to focus on zero-party data to develop dependable, individualized connections with their customers as consumers’ privacy awareness grows.

Zero-Party Data Examples

There are plenty of tools to collect zero-party data. These can be simple forms next to newsletter sign-ups, calculators, quizzes, surveys — everything in the marketing funnel that helps obtain user information.

In general, brands offer something in exchange for sharing information. Materials that encourage customers to share personal details take various forms as well. These can be free newsletters, e-books, discounts, access to a closed Facebook group, free consultations, better matching of recommended content and items, etc.

How To Collect Zero-Party Data?

As we mentioned, marketers use various strategies to gather information directly from users.

However, organizations must also create appropriate privacy and data processing policies to collect, store, and process zero-party data. For example, European countries are regulated by the General Data Protection Regulation (GDPR) and California has its California Consumer Privacy Act (CCPA).

When creating these policies, organizations must provide answers to several fundamental questions:

• What personal information is being collected?
• How is the information collected?
• Why is the data collected?
• How is the information used?
• Who will have access to the information?
• What choices do you have?
• Can you review or correct the personal information?
• What security measures are used to protect personal information?
• How long will the organization honor its privacy policy?
• Who is accountable for the organization’s privacy practices?

To collect personal information, brands also need to put these policies in a prominent location, for example, in the footer of their website.

If it comes to tech solutions, to collect zero-party data marketers can utilize customer engagement platforms and enrich their single customer views (SCV) in their customer data platforms (CDP) or customer relationship management (CRM) systems with the zero-party data.

What Is First-Party Data?

Another valuable type of data for both advertisers and publishers is first-party data. This data type is collected directly from people who have interacted with the brand, such as customers.

Here are examples of first-party data:

• Data about products people have purchased and the value of orders, which is often collected by ecommerce and offline transactions. 
• Personal information such as names, postal and billing addresses, email addresses, and phone numbers — often collected by e-commerce and offline transactions.
• Data about people who have created an account with your business, downloaded a digital product (e.g., an ebook) and purchased something from you. This data is often collected by customer relationship management systems. Like with e-commerce data, this often includes names, phone numbers, and email addresses.
• Data about which pages the user has browsed, videos they’ve watched, and other content interactions, which is often collected by website and mobile app analytics.

The sources of first-party data can originate from online and offline activities.

How Is First-Party Data Used In Programmatic Advertising?

Data has played a key role in programmatic advertising since day one. Advertisers collect data, segment it, create audiences out of it and use it to power ad targeting, measurement, attribution and analysis. 

The goal here is to convert visitors into customers, upsell products and services to existing customers using audience-targeted and retargeting campaigns, identify which ad campaigns and channels are delivering the best ROI, and get insights into consumer behavior.

Traditionally, advertisers would use third-party data for audience targeting and measurement as it was readily available via third-party cookies and data brokers. 

However, the changing privacy landscape in programmatic advertising has meant that this data is much harder to come by, so advertisers, agencies and publishers have turned their attention to using first-party data for key advertising processes.

For instance, companies operating in the programmatic advertising industry use first-party data, such as an email address from a CRM or CDP to generate an universal ID. This ID is then used to identify that person across the web and show them relevant and targeted ads. In this context, universal IDs are essentially replacing the processes carried out by third-party cookies.

What Is Second-Party Data?

Second-party data, or partner data, is data gathered by one company and sold or exchanged to another. Usually, the other company is a business partner with similar audiences.

An example of this kind of partnership is a travel agency and a hotel chain.

The agency and the hotel chain could exchange information and show ads to similar groups of customers, or one of them could hand over the data so the other could target the campaigns to a specific audience.

Second-party data enables companies and advertisers to connect with an additional, untapped set of potential consumers, making it competitive with first-party data as it contains individuals who are either already customers or have indicated a desire to become one.

What Is Third-Party Data?

Third-party data is collected indirectly from a consumer by a company and is often seen as the least valuable type of data. Companies “stitch” the data together from different sources, such as commercial, academic, non-profit, or governmental websites.

How Is Third-Party Data Created? 

In the AdTech world, publishers, ecommerce merchants and app developers who want to monetize their audiences and data add third-party trackers to their websites or tracking SDKs to their apps and pass data about their audiences to data brokers (e.g., marketplaces or exchanges) and data management platform (DMP) vendors.

Data brokers can “stitch” different data sets into audience segments based on interests, purchase preferences, income groups, demographics, etc. They can also enrich these segments with information from offline data providers, such as credit card companies, credit scoring agencies, and telcos.

The main advantage of this data kind is scale — advertising campaigns constructed with third-party data can reach a much bigger audience compared to zero, first or second-party data.

Here are examples of third-party data:

• A user’s browsing history.
• Content interactions.
• Purchases.
• Profile information entered by the user (e.g., gender or age).
• GPS location.

What’s the Difference Between Zero-Party, First-Party and Third-Party Data?

The table below compares zero, first and third-party data by relevance and transparency, accessibility, competitiveness and reach.

If you want to learn more about the difference between first and third-party data, read this post.

Zero-Party Data vs. First-Party Data: What’s the Difference?

If zero-party data and first-party data can come from the same source, how can you differentiate between them? The answer lies in the reason why a consumer shares the data with a company. 

Zero-party data is provided by users because they want to receive a more personalized experience, e.g. content recommendation, whereas first-party data is collected via interactions with an advertiser or publisher, e.g. name, email address, etc. when signing up for a newsletter.

The effects of collecting data in these two different ways vary from each other.

Zero-party data can enhance ad targeting as advertisers and publishers can get better insights into their customer’s current needs and interests.

E.g. if a user fills in a survey and states that they prefer basketball shoes over running shoes, then advertisers can show them more targeted ads.

Data & Privacy

The Truth About Online Privacy: How Your Data is Collected, Shared, and Sold

Maciej Zawadziński, +1

Sep 07, 2015

AdTech

How to Boost Display Ad CTR With Content Personalization

Ian Simpson

Nov 17, 2016

Data & Privacy

How Will Display and Native Advertising Work Without Third-Party Cookies?

Maciej Zawadziński, +1

May 14, 2020

The post What’s the Difference Between Zero-Party, First-Party and Third-Party Data? appeared first on Clearcode.

In this video interview, Michael Sweeney, Head of Marketing at Clearcode, asked Gowthaman Ragothaman, CEO of Aqilliz, a series of questions about data clean rooms.

Get in contact with Michael and Gowthaman on LinkedIn

• Michael Sweeney, Head of Marketing at Clearcode
• Gowthaman Ragothaman, CEO at Aqilliz

Below is the transcript from the video interview above.

Michael Sweeney: Hello, everyone. My name is Michael Sweeney and I’m Head of Marketing at Clearcode. And in today’s video, I’m joined by Gowthaman or Gmen, for short, who is the CEO of Aquilliz.

Today we’re going to be talking about data clean rooms.

Welcome, Gman. Thank you very much for joining me.

Michael Sweeney: Tell us a few words about yourself, Aquilliz, how you started, and then we’ll jump into some questions about data clean rooms.

Gman: Thank you. I think everybody knows me as Gman. I’ve been in the ad industry for the past 30 years.

Three years back, I quit WPP to set up this company with the specific conviction that the marketing and advertising tech industries require a distributed ledger solution because that was getting decentralized, and there is the need for a decentralized solution. And that’s the germ of the thought. Aquilliz is borne out of that conviction. 

So we stand for distributed ledger or blockchain for marketing solutions provider. Data clean room is one of the solutions that we offer. 

Over and above that, we leverage clean rooms for many things, including cross-media measurement and attribution solutions. 

That’s what Aquilliz is all about.

Michael Sweeney: Regarding the topic of data clean rooms, it’s a fairly new topic, especially within the programmatic advertising industry. And there are different types of data clean rooms? In your words, what is a data clean room?

Gman: In my view, a data clean room is a place where data owners make data sets available for collaboration, which means it should be cryptographically secure. 

It ensures that whatever is being done with the data, they’re able to record, maintain, and update those capabilities. 

Essentially, a clean room is a place that gives the certificate that this data can be collaborated.

Michael Sweeney: What is the difference between a centralized and a decentralized data clean room?

Gman: If you look at it today, there are quite a few clean rooms in the marketplace. All the current solutions are built for an enterprise for the purpose of maintaining data. So it offers them an enterprise A, or a company A, or a brand A, or a publisher A a clean room facility where their data is safe and maintained and kept for collaboration purposes. 

When do such companies want to engage with each other, let’s say a brand A and publisher A, or a brand A and a data provider and a publisher, and more than two or three participants, each of them will have their own clean room, by logic, because that’s how the current leaders built; But when they are all collaborating together, they cannot be putting all the data in another centralized repository. 

It has to be in a place that is owned by all of them or is made available to all of them for the purpose of clarity, trust, and transparency. 

But it’s where the differentiation comes in. 

A centralized clean room means another entity is taking the data out from the respective location into a central server of their own location, and then they take the responsibility of processing the data on their behalf; In the liability shifts from the data owner to the processor. But we don’t know how the record is being kept and pushed back. 

That is where, in my view, a decentralized clean room essentially means that it uses the techniques of distributed ledger, and whatever data is being used and processed is made available to all the participants who contribute. Otherwise, the current system is not scalable. It is one plus one. Maximum one plus two. But then, if I had a partner with more than two participants, centralization would not help. 

That’s the difference.

Michael Sweeney: I’d love to learn more about the decentralized part, specifically how you handle that and how the process works, as you said, for example, between a brand and a publisher. 

But maybe some of these questions may be asked when we talk about some of the main uses of a data clean room. 

Many people would have noticed data clean rooms have started to emerge. With all the changes in privacy over the past couple of years, specifically with the end of third-party cookies in browsers, such as Safari and Firefox and, third-party cookies and Google Chrome and not too far away.

Michael Sweeney: What are some of the main use cases or applications of a data clean room in not only advertising and media, but also potentially in some other industries as well?

Gman: Medical industry is one which is now extensively using this today to understand patient data a lot better.  The patient data are sitting in multiple sources. It helps to resolve records in a privately compliant manner without disclosing sensitive things. 

Real estate is another industry that is using it very effectively right now. 

And if you extend this logic, whenever there is a supply chain, and wherever there is a value chain that is happening over a period of partners in the supply chain, you will necessarily end up having a clean room. 

Somebody is getting the data, they are adding value to it, and they want to know what value others have added to it and rightfully command a price for the job they are doing. But that core data is not being used for any other purposes. 

And that is why today, that industry is desperately looking for such a solution. Privacy is at the heart of it. Consumer data is being abused beyond control, and the supply chain needs to be transparent in the value exchange that it is offered to the system. 

Clean room will become an essential component of any partner who is part of the digital advertising supply chain. Very, very soon.

Michael Sweeney: Staying on the topic of programmatic advertising, I think a lot of the typical use cases that people think of when they hear data clean rooms in programmatic advertising and digital marketing is the measurement part, right? Something that happens after an ad has been shown.

Michael Sweeney: Are there applications where data clean rooms can be used for ad targeting, audience targeting, and measurement as well?

Gman: Yeah, I’m going to talk about what we are offering. 

We see there’s three broad buckets. 

One is pure play insights which helps the participant to learn about the consumers a lot better and they’ll help you with the use case as well. 

Second bucket is advertising or activation, where the clean room capabilities can be used for safe and secure personalized advertising. 

The third one is the measurement or attribution. Bucket split into one. 

In all the three use cases, clean rooms are becoming critical and are gathering all the three use cases. 

I’m going to refer to some of our partners as well, so it helps to bring it to life. 

For example, we are working with one of the leading sports franchise in India, IPL sports franchise, and they have a sponsor ecosystem of all the sponsors of the team in the jersey, beverage partner, so on and so forth.

So they want to create a layer out of configuration where the sponsors can share their first-party data to all the other member sponsors of the franchise in a complaint manner, which helps them to know about the sports fans a lot better. They know about the fans much more because they are all part of the same sponsors ecosystem. 

And that helps upselling and cross-selling solutions amongst the sponsor ecosystem. 

It is extremely useful in the world today because the sponsorships can go beyond simple vanilla spins and sponsor details; It can bring it closer to the sports, the fan, and the consumer. That’s a fantastic use case. 

So it is about insight. It’s about knowing the fan a lot better. And it’s not about advertising, but it’s about simple marketing. You see this initiative, right? 

Even in such a situation, the clean room works very well. 

The way we do it in this case is we install a node in each of the participants’ native location, so the data doesn’t leave the premises. Nobody pulls in data into a central clean room. The fan data remains with each of the sponsors and a query is made to understand attributes about the fans from all of them that sits in the federated layer of the campaign. And then it is pushed back to all the partners for any further activation purposes. 

This helps in the participants knowing very well that the data is not being abused for any other purpose. That’s the purpose of the decentralized data layer. 

That’s on the insights side of it.

Many brands can use it. 

Any of the CBD brands or any other brands, can bring the other partners in the ecosystem. 

I’m just saying it’s not a case in point, but it’s a brand I worked on for more than two decades in my earlier life. Let’s say PepsiCo. 

Pepsi can partner with their voting rights partner, then Pizza Hut, Domino’s or any of the other sponsors. Together, they can generate more insights about their own consumer than what they have today. 

That’s a very powerful proposition for a clean room. Simply on insight. 

Decentralization ensures that the number of partners can be as many as you want. So it is not one, not two, that’s one wanted from being a centralized clean room. Otherwise, why would ten companies give the data to one company? Doesn’t make any sense. That’s on insights. 

On activation, which is where we are currently working with Airtel. Airtel is one of our strategic investors. We are also working with the Zee broadcasting in India, and with a few other publishers as well. 

When cookies are deprecating and there is no way you can identify your own consumer, your first-party data is your only source of knowing who your consumers are. Clean room helps in that transparent manner and the compliant manner share your brands data with the publishers data to understand your consumers better and say: Hey, there’s a match.’ So I will use your platform for retargeting or create lookalikes to push ads to that platform.

It also helps in more publishers coming together to offer the marketplace in the decentralized platforms. It is what we are trying to do in India right now. That’s the activation use case. 

Last but not least, the measurement, which is my personal favorite and one which I really love. As a planner in my early life I always struggled to allocate my money across the platforms. Each one of them are their own Walled Garden. They would take care of their own attribution and say ‘I am the best.’ But a brand who spends $400 across five sets platforms still don’t know how to allocate the money between these guardians, right?

Which is where WFA and the industry is really looking at cross-media measurement solution. And we are partnering with Ipsos in the Middle East in offering cross-media solution to the industry using the clean room technology where each of the publishers shared their publisher logs in the complaint manner. 

Then virtual IDs created to then do duplication to give the brand a real cross-media measurement solution. 

To me that’s the most powerful one of the three, Mike. 

While the first and second use case is good to do, nice to do. But if my planers had, I would say just ensure that we offer something to the industry where the brands really get their money worth on true return, on investment, on measurement. 

So measurement is the heart of the problem. And if we can fix it, we unlock so much money in the industry.

Michael Sweeney: Definitely. You know, as you mentioned, it’s critically important, the measurement part and this is really one of the main challenges with the whole end of third-party cookies, IDs, and identity in general.

Gman: That’s right.

Michael Sweeney: Certainly other, all the other areas are impacted as well. But measurement, as you said, is the key for planning, for understanding whether campaigns worked or not as well.

Michael Sweeney: A moment ago when you were talking about the different applications of a data clean room, you talked a lot about first-party data. Let’s say you’ve got a brand and a publisher that want to come together use data clean room like Aquilliz. What would they need in order to make that happen?

Michael Sweeney: A lot of companies already have a lot of first-party data that they collect. Obviously, a lot of companies are starting to invest a lot more in building up their first-party data strategies and collecting it more than ever before. But what do they actually need to tie that all together? Is it some kind of ID that needs to be at a match up?

Gman: At the very basic level, I think a device ID, or a mobile number, or a email address is what is one of the three key-connecting attributes that can be used on both sides of the partnership. 

Many publishers today don’t even have that. They are comfortable with the way consumers are logging into that website without actually logging in – they just check in. 

The publishers are also looking at finding some kind of an identity resolution solution that helps resolve the signals to say: Hey, these are my consumers,’ and they create their own ID. The proprietary ad that represents that consumer base. 

That can also be tagged on to these three variables that helps in creating cohorts or lookalikes not better, because it need not be only extremely determinist match from the clean room. We can find a decent attributes when we are talking to each of the partners apart from the three persistent identifiers, what kind of programs they watch, what kind of movies they like. 

There are many other attributes: volume of consumption, value of consumption… Any other attributes can also be added to that repository which can be queried on both sides to find them and match. 

Today people use third-party cookies for chasing or tracking the consumer on the other side, but still it is 50% efficient. People think that we are tracking, but we are not tracking very, very well. We all know that data is only half efficient.

When the cookies go away, it is almost going to be at near zero. You’re going to shoot at the dog, you’re going to be blind in identifying consumer. 

Any kind of these attributes that can be matched is still better than shooting in the dark. And any kind of attributes we imagine still be better than the current third-party cookies that are being matched, because it never was really delivering its promise. 

So, to answer to your question, it is email address, mobile number, or a device ID plus any other attributes that we can bring in is more than enough to find the corresponding consumers for insights and activist.

Michael Sweeney: You mentioned some quite interesting points there — even when we look at some of the IT solutions that are on the market, many of those use things like email addresses, phone numbers to create IDs. It’s certainly not been done the same way from a privacy perspective as it is in a data clean room, cause there’s no real decentralization. You can set the things to be collected. There’s encryption, but there’s still this missing piece of all the other parts, like decentralization or privacy.

Gman: It’s a very important point, Mike, thanks that you brought it up. 

So whether it is GDPR, CCPA, our personal data protection bill in India and in Indonesia, and any other market, the fundamental question that everybody is asking for or requiring is: as a data owner, they need to maintain a record of what’s been done with that data to beam. And that needs to be made available upon request either by the consumer or by the regulatory authority. 

That record can only be maintained in a distributed ledger because you are sharing it with your partner. 

Let’s say I am G-man and then I am a telco user and I’m also a public publication reader. When I am found on both the databases and they phoned me and say: ‘Hey, this is Gman tracking’, then both the publisher and the telco needs to update the record that Gman was phoned and tracked and sold out. 

That is not simply possible if it is not on a decentralized ledger because there has to be somebody else and neutral layer that maintains that record who does not have any other intent of monetizing it. And that’s very important. 

I remember when we were working with Project Rearc on IAB Tech Lab years back when we’re setting these regulations, this was the first and most important thing. 

It has to be a neutral entity that maintains the record of processing of activity and does not have any motivation of monetizing it. That can only happen if it is a further layer. 

That’s the connection with which Aqilliz was built. I just want to bring it to life during this point.

Michael Sweeney: I remember when we spoke previously, you mentioned that you utilize blockchain for as part of this this ledger. If you go back a few years ago when blockchain first came out, a lot of people in the industry were talking about the potential applications of blockchain in programmatic advertising, potentially using it for real-time bidding. 

It’s interesting to see real-life application of blockchain and to see it being used in such an appropriate way. 

Generally, how blockchain technology is used, it’s not necessarily used to run auctions, but, as you said, to provide a path to show records in this ledger.

Gman: It is a great story, Mike. 

Years back everybody thought blockchain will jump into cryptocurrencies and Bitcoin, they said: ‘Hey, what are you going to do with tokens in advertising?’ 

We steer clear of it. It is a pure SaaS platform. We are not putting the impressions or the consumer data on the public blockchain.

It’s a distributed ledger, a permissioned ledger built for a specific participant to do whatever they want to do with it. And at a periodic level, a merkle proof or a hash is only being put on the public blockchain. 

So we have built a very patented hybrid platform, which has got the patent in both the U.S. and Singapore right now. We are not a Bitcoin company, know it’s all about blockchain, and that’s why it’s clear to see that distributed ledger technology rather than a blockchain technology.

Michael Sweeney: It’s always good to tread distinction. You don’t want to get caught up in the whole ‘crypto net’.

Gman: In any case.

Michael Sweeney: You said that in order for a publisher and a brand to work together, they need to have some kind of common idea, with an email address and phone number. What’s the general process in terms of encrypting those IDs and ensuring that their privacy is maintained? What does that process look like?

Gman: Ideally, the industry universally uses SHA-256 today as an encryption technique, which is a one-way encryption. It ensures that when you’re decrypted, you get the same results back again. 

We use that for matching purposes. By default, our technology ensures data is encrypted. You never get your digital data out. 

The processing log also tells you that you encrypted it. 

Then when we are matching it, and it matched on the encrypted field and when pushed back to the respective participants for activation, they decrypt it and then they activated it. 

That is also put on the record as proof of activity. 

We give them a full-fledged provenance ledger for both the participants so that they know this data was encrypted, matched, insights, generated, activated and pushed. 

So that’s the advantage of the platform. It is encrypted, and it enables encryption.

Michael Sweeney: Is it possible to decrypt this? I think a lot of people, especially non-technical people, when they hear of encryption, if they know that I send email addresses encrypted and then it spits out some random string of letters and numbers, is it possible to then decrypt that? Or is that once it’s encrypted, that’s it, you can’t decrypt it?

Gman: You cannot decrypt. Only the source, only the owner can decrypt it.

Michael Sweeney: What kinds of channels are you working across currently? What are some of the clients that you mentioned before? What are the main channels where they are using a data clean room?

Gman: Our current focus is on publishers who are offering this as a solution to go to brands, to say: ‘I can offer you a better targeting purposes’ 

They have rich depository of first-party data, but clearly what platforms and CTV was written off though. 

In any other means of targeting, this gives them much better targeting because brands can have their own first-party data set up in their own premises, they can match it and then serve an ad on the OTT platform, which is very, very deterministic and it’s in its nature. 

So it is predominantly publishers who are the first set of people who are showing a lot of interest. 

And as I told you, sport franchise is another one which is showing interest in terms of understanding consumer insights and fan data. That’s the second one. I think that’s where we are today. 

The reason for… I wouldn’t say slow adoption. The reason for whatever state in terms of adoption is because many of them still don’t have first-party data, or many of them don’t have a structured customer data platform that offers them their data and in a manner that can be used. 

Those are intermediary headwinds for adoption. But that’s a question of time. And everybody now knows that they need to maintain their database in their own devices.

Michael Sweeney: It’s interesting you mentioned before that a lot of the companies that are using your data clean rooms are publishers. 

I think we’ve seen this with a lot of the other solutions that have been developed in response to the end of third-party cookies, whether it’s, the seller defined audiences… A lot of it seems to be led by the supply-side. 

So, I guess, a lot of the companies, agencies, brands on the buy-side are still very much relying on the third-party cookies. And maybe we won’t see as much movement until they’re completely gone and they’ve got no other option.

Gman: There is still the state of denial that one day it will happen. 

Till the proverbial cookie totally crumbles. Life goes on, but some of them are getting ready for the world because the winter is coming.

Michael Sweeney: Yes, exactly. Getting closer and closer. Even though Google has delayed it a few times, there will come a point where there won’t be any more delays. They would just go. 

So, I wanted to ask you about the IAB Tech Lab. I think it was a month or two ago they announced that they will be working on some standards around data clean rooms. I understand that Aquilliz is part of this group.

Michael Sweeney: What kinds of things would you like to see in IAB Tech Lab Standards or definitions of data clean rooms?

Gman: We’re not discussed at the bottom, but I would say it’s more from an individual or a personal point of view that we need to standardize the provenance ledger. 

I would say the consistent way in which the participants can see how the data is being used, which can be simply shared to the complaints authority to say: ‘This is what we have been doing with the data’ 

The best way to show it is that know if you go to any of the product that is a barcode and then that shows you the specifications of the of the product and it is like a stamp, right? We need to get to that level of sophistication to have some kind of an immediate ledger that shows that your data is being used and it is being used like a trail of information. 

I think that, to my mind, it needs to be standardized because each one can generate an audit report. 

Another one is like we talked about encryption. Consistent format of encryption and standards on encryption, and how it needs to be maintained. 

It can even be a kit which can be given to all the publishers to say that: ‘Look, This is an encryption kit. You need to just be certified with the encryption kit.’ 

So, yeah, these are my two initial thoughts. I’m sure if you’re listening, you will say: ‘Yes, let’s get down to it!’ 

Michael Sweeney: Yeah, definitely looking forward to those standards from the IAB Tech Lab to see what comes out of that.

Michael Sweeney: The last question I have is about AWS launching a data clean room. Tell us a little bit about what this announcement is? What it means for brands, publishers, etc.? Also, what does it mean for the data clean room providers that are on the market?

Gman: I woke up in the morning with this news. My immediate reaction is ‘wow!’ I think even before the industry has begun, it is getting commoditized.

We already have quite a few players offering data clean rooms today. 

Amazon coming with its data clean room solution is a fantastic thing. They have a natural product extension capabilities of offering these clean room solutions. 

And in fact, many of the other solution providers, let’s say, if I ignore Azure and GCP, all the other clean room providers, the Infosum, Habu, LiveRamp recently, there are quite a few people there. All of them use any one of this cloud solutions provider to offer the clean room solution. The cloud essentially sits with these three big guys.

If the the big guys already offer this solution as clean rooms, it is interesting to see how this entire clean room solution is going to play out in the longer run, because encryption can become standardized. The ledgers can become standard in the longer run. 

So, what is the actual role of a clean room? Apart from generating insights, offering activation or measurement? 

I think I’m seeing an accelerated… It’s like watching a movie in fast-forward to the end. You had it available that it’s going to lead to. 

That was my initial reaction. 

It’s a good thing because there is no category awareness. All of us have been trying to sort from a rooftop to say: ‘Hey, it is important! It is important the world to see it evolves. I need a clean room!’

The category building and awareness is definitely good from this. 

From our perspective, we see it as extremely complementary. We already use AWS today as our federated layer because Amazon offers blockchain solutions. so our node installations and our federated layer are already built on innovative solutions today.

I wouldn’t be surprised if you ask the Amazon team, they will say: ‘Hey, a AWS is different from Amazon advertising. We are two separate companies. We deal with that separately.’ 

Amongst them they are still two separate enterprises and it is just a technical solution coming from their technology team. 

It’s a very good news. For us it is even better news because we are already working with them as federated layer partner. This helps us in building adoption faster.

Michael Sweeney: Was there anything else you wanted to add? Any other final points or anything?

Gman: Not really, Mike. I think it’s a fantastic opportunity. Thank you for giving me time. It’s a much needed solution for the industry. 

I’m wishing you all the very best for doing a fantastic job of bringing awareness to these solutions from Clearcode.

Michael Sweeney: Thank thank you so much for the kind words and likewise, all the best with you and your ventures in the data clean room space. 

We’ll leave a link to our LinkedIn accounts in the bio in the description below. I know you’re very active on LinkedIn talking about data clean rooms.

So and once again, thank you very much for your time and we’ll speak again soon.

Gman: Thank you, Mike.

Data & Privacy

How to Build a CDP, DMP, and Data Lake for AdTech & MarTech

Mike Sweeney, +1

Sep 22, 2021

Data & Privacy

What Is a Data Clean Room and How Does It Work?

Mike Sweeney, +1

Apr 07, 2022

Data & Privacy

What’s the Difference Between Zero-Party, First-Party and Third-Party Data?

Natalia Figas

Mar 15, 2023

The post Data Clean Rooms Explained: Q&A with Clearcode and Aqilliz [VIDEO] appeared first on Clearcode.

Key Points

• Web cookies are a storage mechanism in web browsers that are used to store data.
• There are generally two types of cookies: first-party and third-party cookies.
• First-party cookies are created by the domain (aka website) the user is currently visiting.
• Third-party cookies are created by domains other than the one the user is visiting.
• Third-party cookies are also referred to as tracking cookies, tracking codes, tracking pixels and the like.
• They are mainly used for cross-site identification, which can then power programmatic advertising processes like audience targeting, retargeting, frequency capping, and measurement.
• The main reason for the decline of third-party cookies in the web browsers is the changing privacy landscape in programmatic advertising.
• Third-party cookies are blocked by default in Apple Safari and Mozilla Firefox, but are still available in Google Chrome. Ad blockers also prevent third-party cookies from being saved to a user’s device.
• Other alternatives to third-party cookies include universal IDs and device graphs, data clean rooms, the IAB Tech Lab’s Seller Defined Audiences (SDA), self-serve ad platforms, and contextual targeting.

What Are Third-Party Cookies?

Web cookies are a storage mechanism in web browsers that are used to store data. There are generally two types of cookies: first-party and third-party cookies. Both types of cookies are the same from a technical perspective with the only real difference being who created them. First-party cookies are created by the domain (aka website) the user is currently visiting. Third-party cookies are created by domains other than the one the user is visiting. 

Third-party cookies are also referred to as tracking cookies, tracking codes, tracking pixels and the like. They are mainly used for cross-site identification, which can then power programmatic advertising processes like audience targeting, retargeting, frequency capping, and measurement. 

Third-party cookies not only track users across sites to provide a bigger picture of their behavior, but they also allow website owners to provide certain services, such as live chats. 

When a user visits a website, a first-party cookie is created on that domain (somewebsite.com), but in addition, a third-party cookie is often created by another domain (e.g. ad.doubleclick.net).

The latter is a third-party cookie because the URL (ad.doubleclick.net) doesn’t match the host domain (somewebsite.com). The cookie is created on somewebsite.com by a third-party provider (ad.doubleclick.net), hence the name “third-party cookie”. 

How Are Third-Party Cookies Created?

For a cookie to be created, a request needs to be sent from the web page to a server. The file being requested is different depending on the use, but it can be an actual creative (an ad) or a tracking pixel, which is completely invisible to the user but acts as a tracker in situations when there is no click event — for instance, when the ad was viewed by not clicked on.

For example, if the third party was an advertising service like Google Ads, the request would be for a creative – the actual ad the visitor sees. The Google ad markup can allow a third-party cookie to be placed. 

Here’s what the ad markup could look like:

When the web page loads, the above ad markup would also load and a request would be sent off to ad.doubleclick.net/the-extension-to-the-creative to retrieve the image and assign a cookie to the user at the same time.

Different third parties may request different files from their web servers and send them back to the browser.

So essentially, in order to create a cookie — whether that be a first-party or third-party cookie — the website simply needs to send a request to a server.

The server will then respond to that request and create a cookie, provided the privacy settings in the web browser allow it.

Why Are Third-Party Cookies Being Phased Out?

The main reason for the decline of third-party cookies in the web browsers is the changing privacy landscape in programmatic advertising. Cookies aren’t inherently bad, and most websites use them to ensure a seamless experience for returning visitors. 

Still, the process of identifying and tracking individuals across the web using third-party cookie tracking is unambiguous, and regulators and legislators have been trying to tame the problem for the last two decades. 

Governments and web users are demanding more privacy and transparency regarding their choice and control over how their data is being processed and used around the Internet. As a result, many new privacy laws around the world have been introduced to help protect user privacy and secure their data.

Major web browsers like Mozilla Firefox and Apple Safari have also implemented changes to prevent third-party cookies from being created as a way to increase privacy for their users.

Safari and Firefox Turn off Support for Third-Party Cookies

Over the past few years, both Mozilla Firefox and Apple Safari have introduced new features in their web browsers to prevent cross-site tracking. 

Apple’s privacy crusade started in its Safari browser back in 2015 when it allowed iOS users to install content blockers, which blocked certain elements on a web page, such as ads. 

In 2017, they introduced Intelligent Tracking Prevention (ITP) which is a privacy feature that blocks third-party cookies by default and limits the lifespan of certain first-party cookies and other data storage mechanisms. 

In 2019 Firefox also made a step towards protecting user privacy and introduced a feature called Enhanced Tracking Protection (ETP) that started to block third-party cookies by default. 

In January 2020, Google Chrome announced that it too would be shutting off support for third-party cookies in the next few years. Currently, it’s expected that Google will shut off support for third-party cookies in Chrome in 2024. 

The European Union’s General Data Protection Regulation (GDPR)

The European Union’s GDPR came into force in May 2018 with the aim of protecting personal data and increasing user privacy. 

There are 6 legal bases for collecting personal data as outlined in the GDPR.

In the context of programmatic advertising, websites, AdTech companies, data companies and advertisers need to collect consent (Article 6, 1a), typically via a consent management platform (CMP), from users before they’re able to collect their personal data — e.g. create a third-party cookie on their device.

According to research from Reuters Institute, the introduction of the GDPR caused a 22% decrease in third-party cookies being created on news sites, including a 14% drop in advertising and marketing, and a 9% decrease in social media cookies on websites. 

There was also a 7% drop in the number of news sites that host third-party social media content, such as sharing buttons from Facebook and Twitter. 

Although the GDPR’s impact isn’t as direct as ad blockers or privacy settings in web browsers, it has significantly reduced the number of available audiences, especially in Europe.

What Information Can Be Stored in a Cookie?

Users are often unaware that their personal data is being harvested from third-party cookies.

Typically, the type of information that can be collected and stored in a first- and third-party cookie ranges from individual IP addresses, search and browser history, products and websites viewed, and specific details about devices.

This information can also be connected to sensitive information about a person’s health, family, sexuality, political views, religious beliefs and more.

Programmatic processes like real-time bidding (RTB) expose the personal data of billions of users by creating third-party cookies and saving them to the user’s device, often without the user’s knowledge or explicit permission.

The lack of self-regulation in the programmatic advertising industry has not only caused governments from different countries to introduce new privacy laws but also launch antitrust investigations into Google, Amazon Facebook and Apple (GAFA) because of their the dominance in the advertising industry, breach of user privacy, and use of privacy as a competitive advantage. 

Can First- And Third-Party Cookies Still Be Created Even if a User Doesn’t Provide Consent?

In some web browsers, like Firefox and Safari, third-party cookies are blocked by default. But third-party cookies can still be created in Google Chrome.

Even though first- and third-party cookies should only be created when a user agrees to it and shares their consent to be tracked, many reports confirmed that consent management platforms (CMPs) were still firing tags on a user’s device, regardless of whether the user provided consent or rejected it. 

The other thing is that users don’t seem to have a choice in whether a cookie is created or not. According to a study by Ebiquity, the vast majority (92.6%) of websites are tracking at least one user’s device prior to gaining their consent. 

The study analyzed 200,000 cookies and half were defined as ”marketing cookies” by the CMP with 82.4% of these tracking tools determined to have been installed on users’ devices by third parties. A third (32.3%) of the cookies were fired without valid user consent. 

Internet users also suffer from dark patterns in the design of the CMP to increase the chances of users giving consent. It means users aren’t given a clear choice of “yes” or “no” but rather click marathons which are supposed to discourage the user from providing informed consent and encourage them to simply select “yes” instead. 

Third-party cookies can still be created even if a website is using a CMP in the following ways:

1. Some websites still fire tags that create third-party cookies before a user has given consent or even after they have rejected it.
2. Via the use of dark patterns and assumed-consent approaches where a CMP displays a default option “OK” to encourage the user to give consent without taking any other action.
3. By leveraging legitimate interest as the basis for processing personal data — i.e. creating third-party cookies for AdTech companies because the website views advertising as “legitimate interest”.

Third-Party Cookies in Google Chrome

Third-party cookies can still be created in the Google Chrome browser, but the tech giant has set a deadline for phasing them out. 

On Tuesday the 14th of January, 2020, Google Chrome announced it would stop supporting third-party cookies within the next two years. 

Then, on Thursday June 24, 2021, Google Chrome announced it would be expanding the use of third-party cookies by 2 years and shut off support from the middle of 2023.

However, on Wednesday July 27, 2022, as the deadline was approaching, Google announced it will be delaying its shutdown of third-party cookies by another year to the second half of 2024. 

Google is one the most popular browsers that accounts for 65.24% of the browser market and around 80% of the revenue derived from Alphabet, Google’s parent company, comes from advertising.

Therefore, the tech giant has decided to shut off third-party cookies but still leave the gate open for advertising and provide some alternatives that respect user privacy.

Google aims to create a thriving web ecosystem with improved user privacy and maintain an ad-supported web via the standards set by its Privacy Sandbox. 

Third-Party Cookies in Safari & Firefox

Third-party cookies cannot be created in Safari and Firefox as they are blocked by default unless the users unmarks the option in their browser’s settings. 

Ad Blockers

Ad blockers can be compared to gatekeepers that prevent users from downloading and loading unwanted elements on a given website. 

In practice, it means that ad blockers block JavaScript ad tags from AdTech companies from firing, which means that third-party cookies cannot be created. 

The ad blocker prevents a number of key programmatic advertising processes from occurring which, for advertisers and marketers, means no data regarding:

• Identification across the web and AdTech platforms like SSPs and DSPs.
• Behavioral targeting and retargeting to show personalized ads.
• Audience activation via DMPs to create audiences and run the cookie syncing process.
• Frequency capping to limit the number of times the same user is shown the same ad.
• Attribution regarding ad views and conversions.

What Are the Alternatives to Third-Party Cookies?

Below are the main alternatives to third-party cookies in programmatic advertising:

1. Universal IDs and Device Graphs
2. Data Clean Rooms
3. Google Chrome’s Privacy Sandbox
4. The IAB Tech Lab’s Seller Defined Audiences (SDA)
5. Self-Serve Ad Platforms
6. Contextual Targeting

Read more about the alternatives here: Alternatives to Third-Party Cookies and Mobile IDs in AdTech

Data & Privacy

Identity in AdTech: Meet The Various Universal ID Solutions [Updated 2024]

Mike Sweeney, +1

Sep 03, 2019

Data & Privacy

How Google Chrome’s Privacy Sandbox Will Work + Possible Solutions for AdTech

Mike Sweeney

Apr 09, 2020

Data & Privacy

6 Alternatives to Third-Party Cookies and Mobile IDs in AdTech

Mike Sweeney

Jan 23, 2023

The post The Demise of Third-Party Cookies in AdTech: Why Are They Being Phased Out? appeared first on Clearcode.

But the fact is that third-party cookies have been unable for some time already — both Safari and Firefox already block third-party cookies by default and have placed restrictions on other types of identification methods to prevent cross-site tracking, which is the main purpose of third-party cookies in programmatic advertising.

More recently, Apple has also introduced changes to its mobile advertising identifier (IDFA) to strengthen user privacy for its iOS, iPadOS and tvOS users. It looks like Google will also be restricting access to its advertising ID in Android, GAID, as well.

In this article, we’ll explain the role third-party cookies and mobile advertising IDs play in programmatic advertising, outline the privacy changes that have been introduced over the past few years and their impact on the industry, and list the main alternatives to third-party cookies and mobile advertising IDs.

Key Points

• Third-party cookies are a storage mechanism in web browsers. When third-party cookies are created, they can store different types of information, but for programmatic advertising purposes, most of the time third-party cookies contain a unique identifier (ID).
• Mobile IDs are used on mobile devices to identify individuals inside mobile apps.
• Both IDs in third-party cookies and mobile IDs are used to identify individuals as they visit different websites and mobile apps. 
• If an AdTech company can identify a user, then they can use the ID in the cookie to power key advertising processes, including behavioral targeting, audience targeting, retargeting, frequency capping, measurement and attribution.
• Over the years, various privacy laws from governments and policy changes from tech companies like Google and Apple have meant that creating and using third-party cookies and mobile IDs for identification has become a lot harder.

Understanding the Context Around Third-Party Cookies and Mobile Advertising IDs in Programmatic Advertising

What Are Third-Party Cookies and What Role Do They Play in AdTech and Programmatic Advertising?

Third-party cookies are a storage mechanism in web browsers. When third-party cookies are created, they can store different types of information, but for programmatic advertising purposes, most of the time third-party cookies contain a unique identifier (ID).

This ID is then used to identify individuals as they visit different websites across the Internet. 

It’s important to note that there are two main types of cookies: First-party cookies and third-party cookies.

First-party cookies are created by the website that the user is visiting.

Third-party cookies are created by websites other than the one the user is visiting.

From a purely technical perspective, both first-party and third-party cookies are the same — the only difference is the relationship between them and the user.

Third-party cookies have been the backbone of programmatic advertising for over a decade. 

Typically, an AdTech company, such as a supply-side platform (SSP) or demand-side platform (DSP), will create a third-party cookie either by placing their code on a website or via a process called piggybacking. 

Once the AdTech company has created a cookie for that user, they’ll be able to recognize that same user if they visit another website containing their code, or again, via the piggybacking process. 

If an AdTech company can identify a user, then they can use the ID in the cookie to power key advertising processes, including:

• Behavioral targeting
• Audience targeting
• Retargeting
• Frequency capping
• Measurement
• Attribution

What’s Happening With Third-Party Cookies?

Although third-party cookies power key programmatic advertising processes and enable advertisers to reach their target audiences and publishers to earn ad revenue, they raise a number of privacy concerns.

When AdTech companies started using third-party cookies in the 2000s, the process of creating and sharing cookie IDs went largely unnoticed. 

It wasn’t until mainstream media picked up on this process of collecting mass amounts of user data and tracking people across the Internet that Internet users, privacy advocates and governments started to take notice.

Certain governments started to discuss how to address this issue, but the first government to actually introduce laws to strengthen user privacy on the Internet was the European Union.

In 2009, the EU amended its 2002 ePrivacy Directive that has since been referred to as the cookie law.

One of the main features of the cookie law was that websites had to display a banner to inform its visitors that they would create a cookie during the visitor’s session on the website.

Since then, various laws have been introduced to strengthen privacy for Internet users. 

In addition to privacy laws, various tech companies have made changes to their products and devices to strengthen user privacy.

Both privacy laws and technical changes have caused the availability of third-party cookies to decrease.

The reason for this is simple: the easiest way to increase user privacy on the Internet is to make it harder for companies to identify individuals.

And as we explained above, the main purpose of third-party cookies is to identify individuals across different websites.

Here’s an overview of the main changes that impacted the availability of third-party cookies over the past couple of decades:

1994: Lou Montulli and John Giannandrea invent cookies while working at Netscape.
2006: Popular ad-blocking software, Adblock Plus, launches.
2016: The European Union publishes its General Data Protection Regulation (GDPR), setting off a two-year countdown to its enforcement. 
2017: Apple releases its Intelligent Tracking Prevention (ITP) feature.
2018: The EU’s GDPR goes into force on May 25, 2018.
2019: Firefox releases its Enhanced Tracking Prevention (ETP) features.
2020: Google Chrome announced that it will depreciate third-party cookies by 2022.
2021: Google Chrome announced that it will delay shutting off support for third-party cookies to 2023.
2022: Google Chrome announced that it will delay shutting off support for  third-party cookies to 2024.

Read more about the history of programmatic advertising and AdTech in our AdTech Book (free to read, no registration required).

What Are Mobile IDs?

Mobile IDs, also known as mobile advertising IDs, are IDs that are associated with a user’s mobile device, e.g. smartphone and tablet. Because practically every mobile device has a mobile ID, they are more persistent than web cookies. Even though users can’t disable or remove these IDs like they can with cookies, they can easily reset them.

What’s Happening With Mobile IDs?

Most of the attention over the past few years has been on third-party cookies, however, this attention is now turning to mobile IDs.

At its annual Worldwide Developers Conference (WWDC) in June 2020, Apple announced that it would be introducing changes to how app developers and AdTech companies can access an iOS user’s mobile ID — known as ID for advertising (IDFA).

These changes require app developers to obtain opt-in consent from users before they can access the IDFA for that device.

To facilitate this process, Apple introduced its AppTrackingTransparency (ATT) framework.

These changes have had a significant impact on app developers and their ad revenue, as it is now much harder to identify individual iOS users and show them personalized ads. For advertisers, it means it’s harder to reach their target audiences and measure the performance of their in-app mobile ad campaigns.

Google has also introduced some changes to how its Google Advertising ID (GAID) can be accessed on Android devices. Essentially, if an Android user has opted out of personalized advertising, then their GAID won’t be passed to the app developer. This, of course, hasn’t produced the same impact as Apple’s changes to its IDFA as users actually have to change this setting themselves.

Google has also hinted that there will be more changes to its GAID in the future as it plans to introduce its Privacy Sandbox standard in its Android-powered devices.

So What Does This All Mean?

When third-party cookies and mobile IDs are not available, it’s much harder for companies to identify individuals. This means it’s harder to show them relevant ads, measure the performance of advertising campaigns and attribute ad views to conversions.

For advertisers, this means their ads don’t perform as well, meaning they waste money on advertising and see a lower ROI.

For publishers, it means they see a decrease in their ad revenue.

This has led to the search for alternative solutions that can power the key programmatic advertising processes.

6 Alternatives to Third-Party Cookies and Mobile IDs in AdTech and Programmatic Advertising

1. Universal IDs and Device Graphs

A universal ID is a unique ID that allows AdTech companies to identify users across different websites and devices. Universal IDs are created using probabilistic data (e.g. IP address, browser type and model, and user-agent string) or deterministic data (e.g. an email address or phone number), or both, to produce an ID.

Some universal IDs operate within one environment, such as web browsers, while others aim to identify users across different environments, such web browsers and mobile devices. For the latter, device graphs are often used to match together the IDs generated in web browsers with the ones generated in other devices, e.g. mobile IDs in smartphones. 

Universal IDs have emerged in response to the end of third-party cookies in major web browsers like Safari and Firefox, and the planned end of third-party cookies in Google Chrome in 2023. These universal IDs perform the same functions as third-party cookies, but the difference is in how they are created.

Many universal ID solutions will also offer a user ID or device ID graph.

These graphs work by combining IDs and attributes collected from a range of different sources, e.g. web browsers and mobile devices, which can then help power the ID resolution service.

2. Data Clean Rooms

A data clean room is a piece of software that allows two companies, e.g. a publisher and an advertiser, to match their data together without either party gaining access to it. This type of secure data collaboration can power many programmatic advertising processes, such as ad targeting and measurement.

There are essentially two main types of data clean rooms: centralized and decentralized data clean rooms.

Centralized data clean rooms store the data in one location, whereas decentralized data clean rooms store the data in separate locations (e.g. different servers).

Here’s the basic flow of how a decentralized data clean room works:

1. The two parties, e.g., a publisher and an advertiser, encrypt their first-party data and upload it to the data clean room.
2. The data clean room looks for similarities between the two data sets, e.g. hashed email addresses, hashed phone numbers and hashed mobile IDs, and matches them together.
3. The matched data can then be used for ad targeting, measurement and analysis.

Unlike other types of data partnerships whereby companies directly exchange user-level data, such as cookie IDs, device IDs, and IDs created from hashed email addresses, data clean rooms match the first-party data provided by brands and advertisers together but prevent any user-level data from being accessed outside of the data clean room. 

To ensure privacy and data security, the data is first encrypted and then added to the data clean room. Also, all of the first-party data stays within the data clean room and isn’t shared with anyone else.

3. Google Chrome’s Privacy Sandbox

Google Chrome’s Privacy Sandbox, which was first revealed on August 22, 2019, is a set of open standards aiming to improve user privacy and maintain an ad-supported web.

Just like with other sandboxes used in computer security, Chrome’s Privacy Sandbox will execute advertising processes in a restricted environment, which is in stark contrast to how these processes are carried out today.

There are three parts to Privacy Sandbox:

1. Replacing cross-site tracking processes — i.e., the ones currently powered by third-party cookies.
2. Phasing out third-party cookies by separating first-party and third-party cookies via the SameSite attribute and turning off support for third-party cookies.
3. Mitigating workarounds such as fingerprinting.

The main standards being worked on in Privacy Sandbox include:

• Topics API — for running personalized advertising campaigns based on the topics a user is interested in based on their web-browsing history.
• FLEDGE — for running retargeting and audience-targeting ad campaigns.
• Attribution Reporting API — for measuring the performance of ad campaigns, e.g. attributing ad views and clicks to conversions.

The standards are being discussed and worked on between AdTech companies, agencies, publishers, Google Chrome and Google’s ad teams via the W3C Improving Web Advertising Business Group.

Although it’s still in development, Privacy Sandbox puts forward a completely new way of how online advertising works.

4. The IAB Tech Lab’s Seller Defined Audiences (SDA)

On February 24, 2022, the IAB Tech Lab released its first addressability specification from the Project Rearc initiative: Seller Defined Audiences (SDA).

This new standard is designed to help publishers monetize their first-party data by creating audience cohorts that can then be passed on to demand partners (i.e. DSPs) via the OpenRTB protocol and Prebid.

SDA leverages other IAB Tech Lab standards, notably Audience Taxonomy, IAB Tech Lab Data Transparency Standard, and IAB Tech Lab’s Transparency Center. 

The IAB Tech Lab has designed the SDA specification to work with existing media-buying processes and standards — notably the OpenRTB protocol and Prebid. 

The procedure for utilizing SDA is as follows:

1. The publisher creates audience segments based on their first-party data.
2. The publisher passes the SDA IDs to DSPs via OpenRTB 
3. The DSPs examine the segment IDs and decide whether to bid on the impression or not.

5. Self-Serve Ad Platforms

One of the main outcomes of the increased privacy laws and changes is that publishers have once again gained control over their audiences.

For publishers, collecting and using their valuable first-party data will allow them to continue to monetize their websites even when third-party cookies disappear from Google Chrome.

While publishers can use universal IDs and Seller Defined Audiences to activate their first-party data, they can also give advertisers direct access to their audiences by using or building a self-serve ad platform.

Compared to selling their inventory via their ad server or supply-side platform (SSP), publishers can use a self-serve ad platform to enable advertisers to create ad campaigns directly on their websites.

The self-serve ad platform would typically integrate with data platforms, like a DMP or CDP, to allow advertisers to create audiences, and with an AdTech platform, such as an ad server, to power ad delivery and targeting.

The benefit for publishers is that they don’t have to share any data about their audiences with advertisers, as they do with real-time bidding (RTB) auctions. 

The benefit for advertisers and ad agencies is that they can directly reach their target audiences, without having to worry about whether their ads are being shown on websites whose audiences don’t match the advertiser’s targeting criteria.

6. Contextual Targeting

Contextual targeting allows advertisers to display relevant ads based on the website’s content rather than using the data about the visitor. 

The idea is not completely new; before the advent of the Internet, contextual targeting was widely used in magazine and newspaper ads. 

Remember the full-page or half-page ad of an SUV sneakily placed next to a feature on 4×4 cars? That was it. 

Contextual ads in print, along with topical advertising and interactive print ads, gave incredible creative freedom and served as an outlet for some very original ideas in the seemingly outdated print medium.

Over the years, the growing popularity of the Internet and emerging advertising technologies have enabled advertisers to segment audiences and target them based on their behavior and interests (i.e. behavioral targeting). 

However, today many print publishers still take advantage of contextual targeting simply because it’s very effective for specific kinds of content.

Although less elaborate than other techniques, contextual targeting is also gaining traction again due to smaller reliance on personal data.

Data & Privacy

The IAB Tech Lab’s Seller Defined Audiences (SDA) Explained

Mike Sweeney, +1

Dec 07, 2022

Data & Privacy

The Demise of Third-Party Cookies in AdTech: Why Are They Being Phased Out?

Mike Sweeney, +1

Jan 26, 2023

Data & Privacy

What’s the Difference Between Zero-Party, First-Party and Third-Party Data?

Natalia Figas

Mar 15, 2023

The post 6 Alternatives to Third-Party Cookies and Mobile IDs in AdTech appeared first on Clearcode.

One such alternative to third-party cookies comes the IAB Tech Lab in the form of its Seller Defined Audiences (SDA) standard.

In this blog post, we explain what SDA is, how it works, why it was created, how it differs from other alternatives, and the pros and cons.

Key Points

• Seller Defined Audiences (SDA) is a technical specification released by the IAB Tech Lab that allows publishers to monetize their audiences without needing to use a unique ID or reveal a user’s identity to advertisers.
• The IAB Tech Lab developed the specification to provide a solution to the diminishing availability of third-party cookies, while at the same time offer a privacy-focused alternative to ID-based identity solutions, such as third-party cookies and universal ID solutions. 
• The SDA leverages other IAB Tech Lab standards, notably Audience Taxonomy, IAB Tech Lab Data Transparency Standard, and IAB Tech Lab’s Transparency Center.
• The IAB Tech Lab has designed the SDA specification to work with existing media-buying processes and standards — the OpenRTB protocol and Prebid. 
• Publishers will be able to create and sell around 1,600 contextual audiences with SDAs.

What Are Seller Defined Audiences (SDA)?

Seller Defined Audiences (SDA) is a technical specification released by the IAB Tech Lab that allows publishers to monetize their audiences without needing to use a unique ID or reveal a user’s identity to advertisers. The IAB Tech Lab developed the specification to provide a solution to the diminishing availability of third-party cookies, while at the same time offer a privacy-focused alternative to ID-based identity solutions, such as third-party cookies and universal ID solutions. 

SDA is the first specification from the IAB Tech Lab’s Project Rearc initiative. 

Project Rearc aims to create new standards for companies operating in the programmatic advertising industry to address their demands for privacy and personalization. At its heart are user privacy and the efficiency of AdTech solutions.

How Can Publishers Create Seller Defined Audiences (SDA)?

To avoid reinventing the wheel, SDA utilizes existing IAB Tech Lab standards to help publishers label their first-party data and help advertisers to recognize whether a user associated with a given SDA is a member of their target audience.

SDA is based on three pillars: IAB Tech Lab Audience Taxonomy, IAB Tech Lab Data Transparency Standard, IAB Tech Lab’s Transparency Center, and many smaller specifications.

The Audience Taxonomy categorizes audiences in a standardized way by assigning them to individual users. The IAB Tech Lab has defined more than 1,600 attributes within this taxonomy to help build various cohorts out of a publisher’s first-party data. Once those cohorts are big enough to anonymize, they can be dispatched in the bidstream using present objects within the OpenRTB protocol.

The Data Transparency Standard specifies how and when the data was obtained and indicates the quality of the data. Since the accuracy of this information is self-attested, the IAB has created a separate compliance tool that checks which trustworthy sellers are appropriately labeling their data.

The Transparency Center supports the Data Transparency Standard by enabling the posting of these data labels to a centralized resource that IAB Tech Lab members can review before purchasing a given SDA.

As a result, advertisers can determine which cohorts a person belongs to and the fineness of the data that informed the cohorts without any particular data being sent through programmatic streams.

If an advertiser wants to check if a given audience matches their target audience, they can refer to the corresponding data transparency label and view the details, such as data audience provider, audience segment, compilation method, and data source.

What Role Will IDs Play in Creating Seller-Defined Audiences?

Even though SDA doesn’t use unique user IDs, publishers can still create seller-defined audiences out of users that are associated with an ID. However, publishers will have to ensure that these user IDs are not connected with the SDA segments to avoid user identification.

Publishers can also use their existing data platforms, such as a data management platform (DMP) or customer data platform (CDP), to create seller-defined audiences using the first-party data stored in the platform.

What Data Can Publishers Use to Create Seller-Defined Audiences?

Because the IAB Tech Lab’s Audience Taxonomy contains three pillars — demographic, purchase intent, and interest — publishers can use data collected from registered and logged-in users to build SDA segments. 

For example, if a user provides their date of birth when creating an account with a publisher, then this information can be used to populate the demographic part of the Audience Taxonomy. This can later be enriched with interest and purchase intent data as the user browses the website.

How Do Seller Defined Audiences (SDA) Work?

The IAB Tech Lab has designed the SDA specification to work with existing media-buying processes and standards — notably the OpenRTB protocol and Prebid. 

The procedure for utilizing SDA is as follows:

1. The publisher creates audience segments based on their first-party data.
2. The publisher passes the SDA IDs to DSPs via OpenRTB 
3. The DSPs examine the segment IDs and decide whether to bid on the impression or not.

The image below illustrates how seller-defined audiences are created and passed onto advertisers.

Why Were Seller Defined Audiences Created?

Seller defined audiences were created to address the current privacy challenges in programmatic advertising and the declining availability of third-party cookies.

SDAs are one of the many proposed alternatives to third-party cookies, however, unlike alternatives like universal IDs, seller-defined audiences aim to balance ad personalization with user privacy. 

Usually, a publisher would have two choices if they wanted to activate their first-party data and enable advertisers to bid on it:

• OpenRTB auctions: Publishers make the data available to advertisers by pushing user-level IDs from an SSP or DMP to a DSP.
• PMP deals: Publishers establish a private marketplace deal (PMP) whereby they pass the Deal ID from their SSP to a DSP. The Deal ID can be linked to specific audience attributes.

However, there are many privacy and business-related issues with these activation methods, which we outline below when discussing the advantages of SDA.

It’s because of these reasons that the IAB Tech Lab has stated that it won’t be creating an ID solution nor will it be advocating for the “broad collection, use or sharing of email addresses or phone numbers as IDs across the ecosystem.”

“SDA emphasizes the ability to strengthen the value of a publisher’s first-party data and at the same time improve user privacy. Publishers who choose to use the SDA standard can activate their first-party data for advertisers without sharing user identification information with external platforms.” — Piotr Banaszczyk, CEO of Clearcode.

How Do Seller Defined Audiences Compare to Universal IDs?

Universal IDs were initially developed to offer a shared identity for users to be recognized throughout the advertising supply chain with reduced amount of cookie syncing. Some universal IDs use data like email addresses and mobile IDs to create IDs, while others use probabilistic matching to create IDs. The fact that universal IDs are not limited to third-party cookies is crucial. 

In other words, it is possible to build universal IDs using a range of both first-party and third-party data collected from online and offline sources, such as from point-of-sale (POS) and CRM systems. 

However, universal IDs revolve around identifying individual users to power targeted advertising in the programmatic advertising industry. It’s this user-level identification that is the crux of the privacy issue in AdTech.

On the other hand, SDA revolves around not identifying individual users to power targeted advertising. To preserve privacy, users are placed into audience segments based on demographic data, interests, and purchase intent but their actual identity isn’t revealed to advertisers or their DSPs.

How Do Seller Defined Audiences Compare to Google Chrome’s Topics API?

Both Topics API and SDA form cohorts and share anonymized data with advertisers. However, the similarities end there. The main difference between Topics API and SDAs lies in the pillars of those two solutions.

Topics API:

• Is based on device-managed audiences created via a Google Chrome API.
• Collects information about users’ interests (topics), which is then shared with other ad businesses.
• Assumes that all targeting and measurement will be done in the browser.
• Allows advertisers to target their ads based on users’ interests.

Unlike Google’s cohort-based Topics approach, SDA sorts online visitors into groups using a publisher’s first-party audience data rather than browser data.

It’s also worth mentioning that Topics will generate audiences automatically based on a user’s browsing history, whereas publishers will have to manually create the SDA themselves.

Seller-defined audiences:

• Are based on first-party data formed into cohorts directly by publishers.
• Are created using IAB Tech Lab standards such as Audience Taxonomy, the Data Transparency Standard, and Transparency Center.
• Allows advertisers to target their ads based on different factors such as demographics, interests, and purchase intent.

The Advantages of Seller Defined Audiences

The primary idea behind Seller Defined Audiences is to provide a standardized method for publishers and data providers to define targetable audiences that buyers can understand and bid on.

1. SDA secures consumer privacy. The technology avoids using user-level IDs for ad targeting. Instead, users are placed into cohorts and their identity is never revealed to the AdTech businesses.
2. SDA is good for reaching the same or similar audience at scale. Buyers can target the same cohorts across different publishers.
3. The technology offers standardized labeling and purchasing against first-party data cohorts across multiple browsers and devices.
4. The technology adoption should be straightforward. As SDA utilizes OpenRTB, Prebid.js, and IAB standards, the toolset is well-known to publishers, so implementing and using SDA won’t be completely foreign to them.
5. SDA can create a quality advertising ecosystem. Publishers can create valuable audiences that advertisers can target without having to expose user-level data. SDA is a good combination of somewhat detailed targeting and privacy.

The Challenges and Disadvantages of Seller Defined Audiences

The SDA is a great standard and more privacy-friendly than other alternatives to third-party cookies, but it is not without its downsides. 

Here are the main disadvantages of SDA:

1. Third-party cookie delay. As long as third-party-cookie-based targeting is available, the buy-side won’t be interested in investing a lot of time and money on third-party cookie alternatives. 
2. Shift in power. Third-party cookie IDs give advertisers control over creating the audiences as they, or rather their DSPs, can simply assign a third-party cookie to a user by simply receiving a request from the publisher (e.g. website). With the advent of SDA, the control is transferred to publishers as they own the first-party data and are creating the audience segments. The shift in control is a somewhat disadvantage for advertisers, but an advantage for publishers.
3. Browsing patterns are hard to define for niche publishers. Niche publishers may not have enough data to determine audience attributes and create seller-defined audiences based on the user interactions on their properties.
4. Less competitive angle for advertisers. Because of the lack of customization in the audiences and audience taxonomies, all advertisers can potentially target the same audiences, meaning it’s harder to compete against each other.
5. Small rate of testing. Not many publishers, AdTech companies, data providers or advertisers are currently testing SDA, so there is no explicit feedback yet.
6. Small priority. Demand-side platforms don’t see SDA as a priority, mainly because of the factors listed above, so it’s hard to increase testing rates if one side of the equation is hesitant on adopting it.

Data & Privacy

How the IAB’s GDPR Transparency and Consent Framework Works From a Technical Perspective (TCF 1.0 and TCF 2.0)

Maciej Zawadziński, +1

May 02, 2018

AdTech

The Main Standards and Initiatives from the IAB Tech Lab

Mike Sweeney, +1

Apr 30, 2021

Data & Privacy

6 Alternatives to Third-Party Cookies and Mobile IDs in AdTech

Mike Sweeney

Jan 23, 2023

The post The IAB Tech Lab’s Seller Defined Audiences (SDA) Explained appeared first on Clearcode.