BLOG

The ad industry is abuzz with the recent announcement that Google is seeking an industry alternative to the “third-party cookie” in 2 years time. From AdAge:

Google says it’s launching an initiative called “Privacy Sandbox,” a collaboration with other industry players to find alternatives to cookies while limiting the fallout to publishers and the rest of the ecosystem. Cookies are the digital tokens that websites leave on people’s browsers to log information about their whereabouts online. 

Google says it just started working on new ways to think about serving targeted ads while maintaining privacy. One method could be to keep consumer data in large enough pools of fellow web users so that individuals maintain anonymity, but also share characteristics that would be useful to advertisers.

This move affects only browser-based advertising and not mobile in-app advertising that uses mobile advertising IDs (MAID) or identification for advertisers (IDFA), which are persistent though resettable IDs set by the mobile operating system. The majority of time spent is now on mobile in-app so a large portion of digital advertising is not going to be affected. In addition, with the rise of connected TV (CTV) and over the top video (OTT), there are new device identifiers being used that are not cookie-based and not affected. That said, browser-based advertising is still a material portion of digital advertising and it’s critical the industry solves this problem.

Thunder has been thinking and planning for this future for some time. Here is how Thunder is leading the industry in solving for data-driven advertising and privacy at the same time.

Differential Privacy
With its Truth in Measurement industry initiative, Thunder convened in 2019 dozens of the largest publishers and advertisers to discuss new approaches to protecting user privacy while providing advertisers’ reliable cross-platform measurement. This industry group endorsed an approach by Thunder known as differential privacy, which is fundamentally what Google is only now in 2020 proposing.

Differential privacy is a system for publicly sharing information about a dataset by describing the patterns of groups within the dataset while withholding information about individuals in the dataset. Grouping users in pools is the key to maintaining anonymity. Here’s additional resources on learning the basics of differential privacy:

• WTF is Differential Privacy (Digiday)
• Introduction to Differential Privacy (Thunder)

Thunder is now in a working group with the industry leaders to finalize such a standard that Google and others can follow to allow data-driven advertising to work with cross-device/platform accuracy and user-level privacy. We expect to release such a standard by the end of 2020 to enable Google and the industry to adopt in 2021 ahead of the 2-year Google goal.

Authenticated, Consented Users
Separately, Thunder is collaborating with leading industry players such as MediaMath and LiveRamp on several different methods that use 1st-party cookies, which are different than the 3rd-party cookies being sunsetted by Google in 2-years.

1st-party cookies are cookies set by the website you’re visiting. If you visit CNN.com for example, CNN can set a CNN.com cookie on you that is considered 1st-party while you’re on CNN.com. If a traditional ad tracker such as Doubleclick drops a cookie from Doubleclick.com while you visit CNN, it would be considered a 3rd-party cookie and in 2 years, it may no longer work. 1st-party cookies are essential to keeping users “logged-in” and remembered by the websites you visit.

Going into the future, Thunder’s COO Ka Mo Lau predicts more publishers will require you to register and log-in in order to read their content. You’ll have to opt-in (or opt-out) of that log-in data for being used for targeted advertising. Once you’re logged in, an anonymized person-based identifier can be used and shared with ad tech companies such as Thunder to provide targeted messages to consented users.

Much of the ComScore top publishers are now testing a form of this solution with the different providers and by the end of 2020, a majority of potential Internet reach should be covered by some form of authenticated consented user solution where the publisher enables targeted advertising for its logged-in users.

Going forward
The industry has at least 2 years to accelerate some of its existing efforts. Since the beginning, Thunder has been an advocate for a more privacy-centric, people-based approach. We are looking forward to working with the industry and want to hear from you if you’d like to join us.

What is 1st Party Data?

First party data is information a company has directly collected itself on a consumer. 

For a brand, this data could be personally identifiable information (PII) such as name, mailing address, email address, and phone number. It could also be the technical identifiers such as cookies or mobile device IDs associated with an anonymous user or his/her PII as well as behavior/engagement with the brand. This information could be gathered from sales, surveys, lead gen forms, and direct observation of consumers on-site engaging with the brand. 

For a publisher, this data could be similar information collected from subscription or registration to read content. 

What is the difference between 1st-Party Data and 2nd-Party Data?

Second party data is when two trusted parties share their directly gathered information. Typically these companies are partners or have a direct financial arrangement to share such information. For example, American Airlines and Hyatt have partnered around their loyalty programs. American Airlines might market to Hyatt customers and Hyatt might market to American Airlines through this partnership which may facilitate sharing of user data for joint customers. If American Airline receives information its customers from Hyatt, they are receiving 2nd-party data.

What is the difference between 2nd-Party Data and 3rd-Party Data?

Third party data is when consumer data is aggregated across multiple sources, joined together into a package, and sold by the aggregator under its own brand. Because the buyer/user of the data isn’t directly gathering the data and because the seller isn’t necessarily the one collecting the data directly from the customer (or directly obtaining consent), then the data being used is 3rd-party data.

Is 1st-party data better than the other types?

Yes, but it is hard to scale. You only have information on the users you already have successfully converted to become customers or enter your funnel. If you want to reach more customers, you have to use on 2nd-party or 3rd-Party Data to reach potential customers that are qualified based on your customer profile. 

How can I use 1st-party data in targeting?

1st-party data such as CRM/PII data (name, email address, etc.) can now be used to target specific individuals. By uploading your 1st-party CRM/PII data to an ad platform such as Facebook, you can directly target the users that the ad platform has a matching profile for. This allows you to target specific people in your mailing list or customer data base for example.

How can I use 1st-party data in personalizing?

1st-party data such as past purchases, products viewed, and registration data can be now used in dynamic creative optimization (DCO) solutions to select the right ad to serve to the user. Because you directly observe/collect the data, you know the information to be highly accurate which allows you to deliver the right experience to the right user.

How can I use 1st-party data in measuring?

1st-party data such as as offline sales information can be used to match to online ad exposure so you can measure the impact of digital ads to offline sales.

Is 1st-party data the same as having my own identity graph?

Not necessarily. An identity graph connects different user profiles and their associated device IDs together. You can use a 3rd-party identity graph provider such as LiveRamp which may have much more data points on users to build a more robust identity graph than most brands can build on their own since most potential customers haven’t yet given their data to the brand and most brands don’t have enough of a digital footprint to build a build enough graph themselves.

What are 1st-party cookies and how do they relate to 1st-party data?

1st-party cookies are a form of 1st-party data. They are a brand’s own cookies dropped on users from the brand’s own website. On Chrome browsers, these 1st-party cookies will continue tracking users across the web whenever a user encounters a page or ad that sends a request for that cookie (this requires special implementation). 

On Safari and Firefox, these 1st-party cookies no longer work outside the brand’s own website which means you can generally only use the 1st-party cookies to track activity, reach, and frequency on your own website. It would take special implementation of registration information tied to your 1st-party cookies and registration information tied to your media publisher’s 1st-party cookies to do any cross-site tracking and personalization for Safari and Firefox. More info on this to come in our forthcoming article on intelligent tracking prevention (ITP) by Safari.

As more and more people consume media across multiple screens, device-based measurement has become increasingly inaccurate and incomplete. Thunder and TiVo recently partnered up to discuss some of the challenges with people-based measurement from TV to digital, and ways marketers are tackling this tricky problem.

Challenges with Measuring:

Marketers are scrutinizing their approach towards measurement to make sure they are truly understanding what goes into their media spend, and how this spend translates into results. Some of the areas they’re focusing on include:

• Quantifying sales and brand impact
• Increasing marketing ROI
• Measuring omnichannel campaigns
• Integrating in-store transactions with digital media data
• Linking cross device data
• Improving media attribution and optimize media mix

Applying traditional cookie- or device-based measurement approaches to these areas leads to imprecise, incomplete, and sometimes incorrect insights. As such, marketers have embraced People-Based Measurement as the new way forward.

What is People-Based Measurement

People-based measurement refers to the use of persistent identifiers to capture user behavior across channels and devices. This approach provides a more holistic view of user behavior compared with traditional cookie- or device-specific measurement. Here’s a simple video that explains the differences in approach.

There are two common ways people-based measurement is done: panel-based measurement and direct measurement.

Panel based measurement refers to the use of certain technologies that monitor how certain subgroups of individuals behave, and uses those observations to make general conclusions about the population. The advantage of this method is that you can make conclusions with far fewer data points. The downside, of course, is that your extrapolations are prone to sample bias and may be inadvertently distort reality.

Direct measurement, in contrast, provides far higher accuracy. Unfortunately, this approach requires collecting more more data via a persistent identity, which is a technological challenge for marketers who do not have access to this type of technology.

Both approaches of doing people-based measurement provide far greater accuracy relative to cookie- and device-based approaches. In a cookie-based world, ID’s are temporary rather than persistent, and impressions are subject to fraud, deletion, and blocking. In the device-based approach, each device may offer a persistent, unique identity, but one individual may have multiple devices.

Omnichannel with People-based Measurement

People-based measurement connects ad exposures across all environments – from open web to walled gardens, including linear and OTT video. Ad exposures can be connected to a persistent identifier, which can then be tracked against both online and online conversions.  For example, TiVo’s data set includes exposures from three million active households across 210 DMA’s. Using TiVo and Thunder’s people-based measurement, the marketer can combine the data from television with data from open web and walled gardens to provide a true view of the customer journey.

What is the Impact of Measuring by Person

When marketers evolve from device- or cookie-based measurement to persistent people-based measurement, they typically notice some startling changes in their reach and frequency. These observations include:

• A decrease in reach (which happens when you connect multiple devices and cookies to a single person)
• An increase an frequency (which happens because your audience may see the ads on multiple screens)
• An increase in conversions that are ad attributed (which happens via events that are not tracked by cookies or devices such as offline purchases).

Looking to make the transition to People-based measurement?

There are two ways for marketers to embrace people-based measurement.

The quick and easy approach is a Wrap & Measure test, which uses a people-based ad server to track your ad exposures, person counts, and digital conversions for a particular campaign, and provides a report on a particular campaign to see the people-based difference.

The more comprehensive approach is the “Always-On” People-based ad serving, which uses a people-based ad server to track and personalize your message across all campaigns by person. Marketers using a people-based ad server switch from “per campaign” or “per channel” mindsets to “customer-centric” mindsets that focus more on customer journeys and lifetime customer value. Relative to the quick and easy approach, this more comprehensive approach can fill your data lake in real-time with people-based data.

To get the full scoop of the webinar, see the video below:

If you’re a large digital marketer, ad platform, or agency that reaches any consumer in the EU or California, you will need to soon comply with both GDPR which went into effect in May 2018 and the new California Consumer Privacy Act (also known as CCPA or CaCPA) which will go into effect January 2020. While GDPR is generally seen as more stringent than CaCPA, there are still some nuanced differences and compliance with one doesn’t mean compliance with the other.

In Part I of this series, Thunder summarized the key differences and similarities between the two sets of laws.

In this Part II of the series, Thunder has provided a detailed breakdown for digital marketers, agencies and ad platforms comparing GDPR and California Consumer Privacy Act (known as: CCPA or CaCPA for short) to make sure they are compliant with both:

Jurisdiction

GDPR: Applies to data collection of persons in the EU (whether the company is based there or not)

CaCPA: Applies to data collection of California residents (whether the company is based there or not)

Personal Data

GDPR: Any information relating to an identified or identifiable natural person.

CaCPA: Any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with particular consumer or household.” A “consumer” is a California resident as defined by tax code. The “personal data” definition is developed through examples, exclusions and cross-references to other laws. Data subject to HIPAA is exempted from CaCPA but data subject to FCRA, and GLBA is excluded only to the extent those statutes conflict with the CaCPA.

Data Subject

GDPR: An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

CaCPA: A California resident as defined under California tax law.

Data Controller

GDPR: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law.

CaCPA: For-profit controllers that meet ONE of the following thresholds: (1) Annual gross revenue over $25M; (2) Buys/sells or receives/shares for “commercial purposes” the data of 50,000 California residents; or (3) Derives 50% of revenue from “selling” personal data of California residents. If a controller qualifies under the thresholds, parent companies and subsidiaries in the same corporate group operating under the same brand also qualify.

Processor

GDPR: A natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller. The GDPR also defines a “third party” as a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, is authorized to process personal data.

CaCPA: A “service provider” is a for profit entity that acts as a processor to a “business” and that receives the data for “business purposes” under a written contract containing certain provisions. The CaCPA uses the term “third party” to refer to entities that are neither business nor service providers.

Sensitive Data

GDPR: Per Article 9: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited.

CaCPA: Sensitive data is not addressed.

Transfers of Personal Data

GDPR: Any transfer of personal data that are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if the controller and processor comply with the conditions set forth in Articles 44-50. Transfers on the basis of an adequacy decision and methods such as Binding Corporate Rules, Contract Clauses, etc. or in the case of EU-US transfer, the Privacy Shield.

CaCPA: Cross-border data transfers are not restricted. All transfers to “service providers” require a written agreement containing certain provisions (that is, there is the CaCPA equivalent to Article 28 of the GDPR).

Data Portability

GDPR: Per Article 20, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.

CaCPA: There is a limited recognition of this right under the CaCPA. Cal. Civ. Code Section 1798.100 provides that data subjects that exercise their right to access, must receive the data “by mail or electronically and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transit this information to another entity without hindrance.” There is a related and somewhat contradictory provision on this under Cal. Civ. Code Sec. 1798.130(a)(2).

Consent

GDPR: Opt-in approach requiring informed, freely given, and unambiguous consent

CaCPA: Opt-out approach (for data being sold to 3rd-parties) that doesn’t require consent for adults; however users can ask that their data be deleted

Penalties

GDPR: Under Article 83: • Up to 10 000 000 EUR, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher for infringements of obligations such as controllers and processors, the certification body, and the monitoring body. • Up to 20 000 000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher for infringements of obligations such as principles of processing, conditions for consent, data subject’s rights, transfer beyond EU, etc. • Under Article 84, each member state can lay down the rules on other penalties applicable to infringements of the GDPR in particular for infringements that are not subject to Article 83, and can take all measures necessary to ensure that they are implemented.

CaCPA: No private right of action for most provisions with the AG of California taking the role of DPA and being able to impose civil penalties up to $7,500 for each violation with no maximum cap. Violators may avoid prosecution by curing alleged violations within 30 days of notification. For certain data breaches there is private right of action with statutory damages set between $100 and $750 per data subject per incident with a requirement to notify the AG before filing a lawsuit and refraining from pursuing the action if the AG office prosecutes within six months of the notification.

Thunder’s Role

Thunder Experience Cloud enables the advertising ecosystem to balance consumer interests in privacy with commercial interests in data-driven advertising. Thunder helps ad platforms prevent data leakage, consumers protect privacy, and advertisers obtain transparency through its anonymized people-based measurement solution. Ask us how to protect consumer data while supporting data-driven advertising if you’re interested to learn more.