IAB Tech Lab proposes vision of a post-cookie ‘user token’ for web-based identity

With browsers and privacy regulators increasingly unhappy with third-party cookies, the Interactive Advertising Bureau (IAB) Tech Lab made a pitch this week for a new industry-wide initiative to come up with a different, privacy-compliant way for tracking identity on the web.

In a blog post and in a presentation to the W3C, the Tech Lab called on digital marketers to “rethink the cookie [and] embrace a new paradigm of clear privacy setting and consumer controls tied to a standardized identifier.”

The reason, IAB Tech Lab SVP Jordan Mitchell told ClickZ, is that “today, identity is not owned by the consumer.”

A non-cookie way

Although the call-to-arms lacks some key specifics, it makes a pitch for a new, non-cookie way of consented identity with several key features:

  • A standardized user token. Controlled by consumers, the token contains the user’s privacy settings and preferences and is broadcast to all participating parties. Mitchell said that exactly how and where this token operates is to be worked out with the browser makers and other parties. But the main idea is that, unlike cookies, it is not updated without user consent, there is only one and not dozens or hundreds, and it holds privacy preferences.
  • The token would only be accessible to companies who are what Mitchell calls “good actors” and have demonstrated their compliance with privacy preferences and rules.
  • A “standardized, controlled container for ad delivery” would surround ads presented by sites to users, as a guarantee that unwanted client-side code or unconsented user tracking does not occur.
  • And the standards would be set up as to-be-determined “public utilities,” subject to governmental regulations and governed jointly by the browser makers, along with the digital media and marketing industries.

Mitchell said that, while the Tech Lab is “not suggesting a specific tech,” it is envisioning that any system or tech would be simple, could be implemented fairly quickly and would contain privacy preferences.

Cross-device identity

As for whether the user token would operate as a cross-device identity, Mitchell said he didn’t think the browser makers support cross-device identity.

However, while browsers’ buy-in to a token-based identity system is essential, it’s difficult to envision how a global identity would work without a cross-device unification, given the frequent shuffling between devices by users.

It’s also difficult to see how data providers wouldn’t immediately map each device-based token to each other, so that a single individual profile can be built from matching the same log-in across devices or other methods. Additionally, Mitchell said the token could share the device ID or a shared log-in, which would also assist the cross-device match.

While the token is intended to replace the third-party cookie, he added, it’s not meant as a substitute for a log-in. Although, of course, it could well serve that function.

There would also need to be some integration with the IAB Tech Lab’s Consent String, issued during an inventory bid request. In fact, it’s possible that a user token could eventually replace the Consent String, which is just catching hold as part of the IAB’s recent Transparency and Consent Framework.

Comparable to AMP pages

Mitchell pointed to Google-developed AMP mobile pages as a model for the limitations that could be applied across the digital ad system, particularly with the proposed Ad Container. Like AMP, it could place limits, he said, such as limiting the use of JavaScript, the size of files, or the issuing of third-party requests, where ad/data companies call other ad/data companies.

Mitchell pointed out that this new system would likely replace third-party cookies, but it is not intended to affect first-party cookies. But, he agreed, such a new digital ad universe could help first-party cookies, particularly if it diminishes third-party cookies.

First-party cookies are those code snippets used by sites to track the preferences and behavior of their own visitors and customers and, like any cookie, can only be read by the domain that deposited them. Third-party cookies are ones deposited by outside parties, such as ad exchanges, and can be read by those vendors on many sites.

Earlier this year, Mitchell noted, the Tech Lab’s DigiTrust Working Group had been considering two other paths for non-cookie identity: a shared log-in system, and a device identity system for computers, similar to the IDFA ID for iOS-based mobile apps.

He said that the new user token concept could include the device ID concept, but that shared log-ins are a separate concept that would apply to groups of publishers. Additionally, he pointed out that this user token concept is currently only envisioned for the web, not for mobile apps or newer platforms, like smart TVs or connected cars.

The post IAB Tech Lab proposes vision of a post-cookie ‘user token’ for web-based identity appeared first on ClickZ.
