The CCPA, Cookiepocolypse & Apple’s IDFA Changes: What Marketers Need to Know

Several tracking and attribution challenges are confronting marketers: Apple’s IDFA deprecation is scheduled for early 2021, third-party cookies in Chrome will be eliminated by 2022, and California’s Privacy Rights Act (CPRA) will revise and expand the California Consumer Privacy Act (CCPA)—creating new industry requirements, consumer privacy rights, and enforcement mechanisms. 

Privacy regulations and security requirements are only growing bigger and more complex, and the longer you wait to address the issues head-on, the more likely you are to fall behind and lose relevance in an increasingly privacy-conscious world.

Our VP of Digital Intelligence, Simon Poulton, was invited to a Search Marketing Expo (SMX) event to discuss the implications of these latest updates, and how marketers can pivot by embracing a privacy-first future. He gave us his take on how marketers can work with—not against—upcoming and ongoing data privacy regulations with new methodologies that ensure campaign effectiveness and measurability.

The OS and Browser Wars: Predicting the Future of Digital Marketing

Not all web browsers have the same standards for user privacy, each falling on a different spot along the spectrum—ranging from “progressive” to “conservative.” On the progressive side, there are browsers like Brave, which blocks all ads and trackers by default. On the flip side, there’s Netscape, a company founded in the ‘90s, that invented the cookie. The more commonly used browsers fall somewhere in-between, with Safari and Firefox leaning more on the progressive side, and Chrome and Edge more towards “middle-conservative.”

For some time now, Google and other digital advertising companies have long ignored Do Not Track, so Apple decided to take things into their own hands. They created various cross-domain tracker blocking solutions designed to protect user privacy—purging most first-party cookies after 7 days and blocking all third-party cookies by default.

Additionally, within 12 months, Safari will implement the “Privacy-Preserving Ad Click Attribution Proposal,” which will send anonymized conversion data back to ad platforms between 24-48 hours after a conversion event occurs. This means marketers will lose time-specific conversion data as well as the ability to quickly adapt and change marketing campaigns due to not having consistent access to data.

Back in August, Google also revealed it will be taking a similar approach with its commitment to building a new “privacy sandbox” that intends to give consumers more choice and control over how their personal information is being used for ad-targeting purposes. The primary focus of Chromium’s “privacy sandbox” is to:

• Replace functionality served by cross-site tracking
• “Turn down” third-party cookies
• Mitigate workarounds (e.g. fingerprinting, cache inspection, network-level tracking)

Marketers, agencies, and ad-tech firms must be ready to face the loss of key tools in their marketing kit.

Apple’s IDFA changes postponed but implications remain

Back in June, Apple announced the launch of iOS 14. While many users may have been excited about new features and a more compact user interface, the new update also brought some changes to the IDFA which marketers need to be aware of. It also introduced the latest iteration of Apple’s Intelligent Tracking Prevention feature, ITP 2.4, with several new surprise features that target potential tracking workarounds.

Apple’s IDFA, or Identifier for Advertisers, is used by marketers to track and target users within iOS apps. It works similarly to web browser cookies and provides marketers with information regarding user interactions within an app. This information can be used to measure the effectiveness of targeted mobile ads and help marketers better allocate their ad dollars. With the growth of mobile activity among users, many marketers may have expected to reap the benefits with more hyper-targeted campaigns. However, Apple’s IDFA changes will impact the way brands gain access to their users’ IDFAs through a new process that’s more focused on transparency and user privacy.

Why marketers should be concerned

Apple delayed the enforcement of its new rules until early 2021, giving developers more time to get their apps in order. However, these changes are expected to have a major effect on all user acquisition activities—with the biggest impact on retargeting, identity stitching protections, and remarketing.

Marketers will have to look for new attribution models to determine the results of their campaigns. However, these new attribution models run the risk of being inaccurate and less effective than what was possible with IDFA. Another drawback is that you won’t be able to recognize the market value of an impression or plan for the long-term with measurements of return on ad spend (ROAS) and customer lifetime value (LTV). With less accurate measurements, marketers won’t have as much data, which will limit their ability to make forecasts and decide what changes are needed for their campaigns. 

How marketers can stay ahead

One way for marketers to attribute their ad spend and gauge the success of their marketing campaigns currently is the SKAdNetwork. Developed by Apple, the SKAdNetwork is an API that measures attribution of mobile ad campaigns for iOS apps, albeit in a less granular manner. Here’s what you should know about SkadNetwork: 

1. The loss of IDFA eliminates the concept of user-level tracking. 
2. Attribution Postbacks will be delivered by Apple directly to the endpoints defined by Ad Networks. This forces all networks to prepare and adapt to these changes immediately.
3. Each Ad Network must register directly with Apple and obtain an Ad Network ID. Each ID will be limited to 100 campaign IDs which will be used to track campaign performance down to publishers, placements, source IDs, etc. This reduces the level of granularity available with current setups.
4. No redirects will be allowed. This poses a significant challenge in terms of tracking real-time performance, delivery of campaigns, and detecting fraud.
5. Postbacks will be delayed by up to 24 hours, which eliminates the ability to measure click-to-install time or event time.

Google’s third-party cookie phaseout forecasts doom

Google stirred the pot when it announced it intends to block third-party cookies in Chrome web browsers by 2022. The move to phase out cookies isn’t unprecedented in the tech sector or even all that shocking, but the impact is tremendous: it would threaten to disrupt much of today’s internet ecosystem without providing any viable alternative, and consequently affect marketers and ad-tech vendors focused on improving personalization and returning to growth.

Why marketers should be concerned

Cookies have long been an essential pillar of online ad targeting, collecting small bits of personal data to inform marketers’ campaigns. But a harsher spotlight on data privacy has resulted in tighter regulations regarding how personal information is collected and used online. This, in turn, has caused a radical shift in marketing away from third-party data and toward a focus on first-party data.

How marketers can stay ahead

One alternative to hyper-targeted third-party ads is investing in content quality and keyword targeting in the hopes that contextual advertising will rise again. Second, brands need to transform their business models and introduce new solutions to acquire customer consent to build a clean, first-party data marketing strategy. Lastly, marketers may have to hope that a new tech solution solves this issue.

One such solution could be the Universal ID, a common identifier able to replace third-party cookies in cross-site tracking. But at the moment, no one has clearly explained how the Universal ID would sync different first-party data across domains. Moreover, should a privacy-friendly solution arise, the possibility for a single, universal standard seems unlikely due to the vast fragmentation of identity-resolution players in different markets.

California consumer rights under new CCPA amendments

The rights granted to consumers under CCPA are not dissimilar to the level of transparency provided to EU residents under the GDPR. This transparency involves the right to know what kind of data a company has collected about them, the different categories of data collected, the right to opt-out of the sale of that data, and the right to have that data deleted—all new fundamental protections for California citizens.

Why marketers should be concerned

California is not the only state with privacy legislation. Bills in New York and others are making their way through legislatures, all with similar yet nuanced provisions, protections, and breach notification requirements. More and more states are playing an active role in protecting their residents’ data; however, the burden on organizations to comply with 50 different sets of breach notification policies and potentially 50 different data privacy laws create a multilayered and complex problem.

How marketers can stay ahead

One of the principles of good data privacy is taking a minimum viable data approach: only collect data you can deliver value with rather than collecting as much data you can get your hands on. This method prevents you and your customers’ exposure in the event of a breach. A lean customer data strategy also helps brands better understand their target customers, their purchasing behavior, habits and preferences—which in turn enables marketers to deliver better customer experiences and relevant messaging/offers.

Building trust as part of your brand’s DNA

Too often do marketers view users simply as data points—tracking them in any way possible. Instead, organizations must view themselves as human entities and ask themselves, is this how I’d want to be treated as a consumer?

It’s time to unbury your head from the sand on privacy matters and spearhead the effort to privacy-first marketing with policies that work for you and your customers. Brands who embrace and value privacy before they are forced to with new legislation will likely gain more trust from their consumers and, in turn, be more likely to succeed in the future.

There’s more where that came from. Get the full picture of the State of the Data 2021: Preparing for Marketing Data Privacy Changes to learn how you can prepare for what comes next in a cookieless future.