Breaking down the post-cookie solutions: Unified ID 2.0

Alterations to online advertising practices, including opt-in mobile tracking and the deprecation of the third-party cookie, are leading adtech firms, agencies, platforms and publishers to develop alternative solutions to target consumers and measure advertising online.

There's no shortage of choice for advertisers. Currently more than 100 different identity and contextual solutions are in development, according to continuing analysis by MMA Global and Prohaska Consulting, combined with several proposals under Google's Privacy Sandbox and publisher first-party data solutions.

Each of these solutions works in very different ways, with variance in their technological processes, data granularity, consent mechanisms and governance structures. Some have scale limitations in their ability to reach across the internet. Others are more heavily limited by user consent. All will face different obstacles as they seek to scale across regions, including navigating the strict regulatory environment of Europe and the challenges of reaching Asia-Pacific's majority mobile users.

The industry is not expecting one solution or currency to define the future of online advertising. Rather there will be several interoperable solutions that meet different objectives. But a contraction is expected, which will see advertisers align behind a handful of the strongest proposals.

So how do these solutions stack up against one another? Which have the biggest obstacles to overcome? And which are most primed for success? In an attempt to demystify the future of online ad targeting, we’ll break down the biggest solutions across the following measures: scale and efficacy for advertisers; transparency and user intrusiveness; and tech and regulatory challenges.

It’s important to note these solutions remain in development and could change considerably over the coming months. This is a temperature check, rather than a concrete guide.

Without further ado, onto the first solution in this series, which is currently the biggest in terms of industry colloboration: Unified ID 2.0.

How does it work

Unified ID 2.0 (UID 2.0) is an identity framework that enables the same cross-site targeting and attribution as third-party cookies, but with stricter processes and controls. Initially developed by demand-side platform The Trade Desk, it is an open-source initiative that is non-commercial. It will work by using a single sign-on to capture a user’s email address and consent once they visit a publisher’s page that supports UID 2.0. The single sign-on element means that a user only needs to consent once to receive targeted advertising across all publishers within the UID 2.0 network. Once the user logs in and consents, an identifier is created that is hashed and encrypted. The publisher maps that ID to the page and sends an encrypted value, known as the UID2 Token, into the bidstream for verified DSPs to decrypt and bid on. There will be multiple service providers responsible for providing credentials that enable participants to engage with the system, including handing out decryption keys for DSPs and API keys for advertisers and data providers. Prebid has agreed to serve as an operator of UID 2.0, responsible for managing encryption keys and the technical infrastructure of UID 2.0.

Scale and efficacy for advertisers

There’s no question that Unified ID 2.0 will be a hit with advertisers. Since it replicates the capabilities of a third-party cookie, it doesn’t require advertisers to learn new processes when it comes to targeting and attribution.

The biggest challenge facing UID 2.0 is gaining enough user consent to meet advertisers' campaign objectives. Gaining consent will require users to understand the value exchange of the free internet enough that they are willing to give up their PII in exchange for targeted advertising. A strong indicator of this will be seen in the number of users who opt-in to being tracked by apps as part of Apple's recent ATT update. Early analysis is worrying—some estimates suggest just 4% of users in the US have enabled tracking, according to data from Verizon-owned analytics firm Flurry.

Partners involved in UID 2.0 are hoping to sign up 15% to 20% of the global internet population within a year. This, we’re told, is a statistically strong enough share to model the remainder of internet users. While the solution is still in beta testing, The Trade Desk claims it has a base of 170 million reachable unique devices, up from 50 million in March. This is through both publisher adoption and cross-device partners.

It’s a strong start, but a greater challenge lies beyond the US. In Asia-Pacific, as internet penetration has grown mobile-first, mobile phone numbers are more commonly used to sign in to services than email addresses. Enabling phone numbers as the identity key is simple technical addition, but partners involved in UID 2.0 are worried about the willingness of users to give up such a private piece of data. As a consequence, penetration rates in APAC are expected to be incredibly low.

Meanwhile, a strict regulatory environment under GDPR is expected to hamper publisher uptake of a PII-based system in Europe. At present, most publishers involved in UID 2.0 are US-based, including AMC Networks, BuzzFeed, The Los Angeles Times and The Washington Post. In Asia-Pacific, where UID 2.0 recently entered beta testing phase, it has signed up Australian publishers ARN and Southern Cross Austereo.

Tech and regulatory challenges

UID 2.0 is being built by some of adtech’s brightest and best, so there’s little concern about the tech. It was initially created by The Trade Desk, the world’s largest independent demand-side platform. Prebid, chaired by Magnite’s CTO Tom Kershaw, will run the technical infrastructure that will power UID 2.0 and has begun work building the processes to send IDs and decryption keys to eligible entities. Criteo has started testing the single sign-on (SSO) solution, called OpenPass, that will serve as the consumer-facing component of Unified ID 2.0.

But the administration process of UID 2.0 is still not defined, and this is a critical gap. PII-based solutions require a huge amount of policy management, and there are concerns that hashed email addresses are easy to decrypt, opening the door for security breaches. Partners are working on several tech updates to address this, including salting the email addresses after they are hashed, a process which adds a random string of digits to the hash to prevent any party with access to emails from reverse engineering the mapping of UID2.

There are also concerns that unethical practices could start to emerge if advertising partners find ways to combine interest-based information with an ID. For example, a DSP could in theory map a user’s anonymised interest-based FLoC information to their UID and build an unconsented interest graph, if both pieces of information were contained in the same bid request. This is not a challenge only for UID 2.0, but could apply to all IDs. To address such concerns, partners involved in UID 2.0 are working on encryption permissions that would allow publishers to enable only specific DSPs to have access to the UID2 value and other fields.

Establishing a governance system which grants keys to authorised parties and penalises bad actors will be essential in ensuring user privacy is not compromised, thereby staying on the right side of regulators. And it’s expected that UID 2.0 won’t reach critical mass with publishers—who bear the brunt of blame when user privacy is breached—until a solid governance structure is established. An administrator would have to be an impartial body that represents both buyers and sellers, so the IAB Tech Lab is expected to take on this role. The Trade Desk confirmed with Campaign Asia-Pacific that administration of UID 2.0 will be governed independently and is actively working with industry groups to determine the best path.

Transparency and user intrusiveness

Google appeared to sow doubt in identity solutions, including UID 2.0, when it announced in March it would not use email addresses or other identifiers to track users across the web within its ad products (namely DV360) once Chrome has phased out third-party cookies. It wasn’t a surprising announcement—no one was expecting Google itself to partake in UID 2.0 while it was pushing its own industry initiatives through the Privacy Sandbox. But at the heart of the move, according to Google’s blog post, were concerns about whether ID-based solutions honoured user’s expectations of privacy, and whether such solutions would stand up to tightening regulations. Instead, Google is pushing advertisers away from individual targeting and towards cohorts, mapped on behaviours and look-a-like characteristics. It's worth noting that not everyone sees the move as one geared toward sowing doubt in identity, rather than one concerned with protecting Google's own data.

Back to UID 2.0, of particular concern is the single sign-on solution that will collect user consent for the identity framework. Such solutions allow users to easily sign in without being repeatedly asked for consent, but don’t always make it explicitly clear to users how many parties will have access to their data when they consent, and how their data will be used. Apple tackled this head on when it created a ‘Sign In with Apple’ login for users last year, an alternative to social logins such as those offered by Facebook and Google that requires users to give permission for the platforms to track their behaviour.