3P Cookies v Benign Data v Cookies on Steroids

Google are pushing hard for website owners to adopt Enhanced Conversions – also referred to as “user-provided data” or “hashed first-party data”. It’s part of the Google Privacy Sandbox initiative – their way of mitigating the loss of 3rd party cookies that EU privacy laws are forcing on them.

Make no mistake, this is very significant for Google – it’s a sea-change approach to their ad ecosystem. Without websites adopting this technology, Google will lose a great amount of data (and power) in their ability to target individuals for ads i.e. remarketing.

This post is for any website owner/responsible team interested in the implications of using Enhanced Conversions, its impact on customer trust, and the alternatives for data collection i.e. not just the Google way.

Google Privacy Sandbox

The Privacy Sandbox website contains a lot of content and changes for multiple stakeholders. This is Google’s official overview of what the privacy sandbox is about:

“Google’s Privacy Sandbox is an initiative led/driven by Google to create web standards for websites to access user information without compromising privacy. Its core purpose is to facilitate online advertising by sharing a subset of user private information without using third-party cookies.”

The bold highlights are my own to emphasise this is specifically about Google (and Android), Google Ads, and the closedown of third-party cookies in the Chrome browser. Other adTech players and browsers, such as Meta, Microsoft, Apple, LinkedIn etc., are not a part of Google’s Privacy Sandbox initiative.

(Note, others have commented on its impact to adTech intermediaries and publisher sites i.e. those business models that rely almost entirely on ads).

Third-Party Cookies

A lot has been written about the long-awaited demise of 3P cookies by Google (this is a nice reminder). To be clear, all other major browsers have blocked or limited 3P cookies for some time. But Google’s dominance in the online ad world has meant it had to balance the privacy requirements of GDPR and related privacy laws with not destroying the myriad of ad reselling companies that rely on 3P cookies to profile and target users for their business model. Hence, Chrome has been delayed in removing 3P cookies due to oversight by the Competition and Markets Authority.

Rather than advocating “benign data” as an alternative to invasive data collection practices, Google are pushing for site owners to use Enhanced Conversions / hashed first-party data / user-provided data, as a panacea solution to privacy problems they face.

Remember these three terms refer to the same thing – a web feature that collects and hashes user personal data, such as email addresses, phone numbers, mail addresses etc. This allows Google to identify and track users as they navigate across the web.

Many privacy experts disagree with Google’s approach and I outline here why. To do that, I first need to describe its exact opposite – benign data.

Benign Data

It can be hard to visualise what benign data is, so let’s use an offline analogy to illustrate it:

Say I want to measure the road traffic near a school for safety reasons. Over a one hour period, I count and record the number of vehicles passing the school gates; I have equipment to measure their speed; I note the type of vehicle (car, bus, truck etc.); I note if the vehicle is actually dropping off a child; I include other meta data such as weather conditions, visibility etc.

Those are all examples of aggregate and benign data. No clever technology, reverse engineering, or smoke and magic can ever discern who the owner/driver of each vehicle is, where they came from, or where they went to next. My traffic spreadsheet contains valuable information to help school and traffic planners without any concerns of privacy.

Benign data is also good for business

The above school study is a great example of data collection for public good. However, businesses also need such benign data in order to stay afloat. For example, knowing how many visitors come to a site, time of day, how long they stay, what pages are viewed, and probably the most important – what campaign or search query did they click on to arrive at the site etc.

These types of metrics are essential for any business – they would not survive for very long without them. The basics of growing a successful business rely on being able to predict stock levels, staff requirements, opening times, potential interest, recognising an existing customer, and so on. Consumers expect and even demand that businesses are on top of this type of fundamental and essential data. And people’s job security relies on it.

My key point is that a great deal of content, UX and marketing optimisation can be done with benign data i.e. not profiling your visitors. It’s the type of data the French, Spanish and Latvian data protection authorities are comfortable with – without even having an annoying consent popup banner.

First-Party User Data – Hashed and on Steroids

Continuing with my school road safety analogy, if I decided to also collect license plate details of each vehicle – a unique fingerprint of car ownership details – the data study now becomes personal. Even if I apply a cryptographic hash of the number plates so they are not human readable, the hash remains a unique identifier and one that is very hard to change. How often do you change your car?

Now imagine every road on the planet has a monitor that is hashing the license plate of every vehicle that passes. All you need to do is compare the hashes and you have tracked every movement of a person. And as soon as that person logs in to a service – their Google or Facebook account for example – that service knows who that hash belongs to.

Google Enhanced Conversions

Data hashing is a tool for security, not privacy. Using a unique hash of personal data for tracking is akin to cookies on steroids.

Why steroids? Because accepting/deleting a regular cookie is something the user has complete control over and cookies rarely last more than a few months – due to the ease with which browsers and plugins block and clear these out for you. Conversely, if you hash a user’s email, house address, telephone number, or license plate – that information rarely changes. In fact, a first party hash is likely to last many years. And there is no current mechanism for the user to delete it.

This is how Google Enhanced Conversions works – and Facebook with its Enhanced Match. It is how they can continue to target me with personalised/profiled ads when 3P cookies are gone for good. For example, if I purchase an item from site_1, then on another day purchase a different item from unrelated site_2 (both sites using the same tracking pixel), the tracker collecting and hashing my purchaser details can match both those hashes to me.
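The site_1/site_2 matching described above, and the earlier point that a service you log in to knows who a hash belongs to, as an added example (not code from Google, Facebook or this post). SHA-256 over a trimmed, lowercased email is assumed; the events, the account list and the per-site keyed alternative are constructed for illustration.

```python
import hashlib
import hmac

def normalize(email):
    # Assumed normalisation: trim whitespace and lowercase before hashing.
    return email.strip().lower().encode("utf-8")

def hashed_id(email):
    # Unsalted SHA-256: the same input yields the same digest on every site.
    return hashlib.sha256(normalize(email)).hexdigest()

def site_keyed_id(email, site_key):
    # HMAC under a secret that never leaves the site (hypothetical alternative).
    return hmac.new(site_key, normalize(email), hashlib.sha256).hexdigest()

# Constructed sample events: (email typed at checkout, item bought).
SITE_1 = [("Alice@Example.com ", "running shoes"), ("bob@example.org", "kettle")]
SITE_2 = [("alice@example.com", "flight to Oslo"), ("carol@example.net", "novel")]

def receiver_view(events, id_fn):
    # What the receiving party stores: identifier -> items, no raw email.
    view = {}
    for email, item in events:
        view.setdefault(id_fn(email), []).append(item)
    return view

def stitch(view_a, view_b):
    # Identifiers seen on both sites join into a single profile.
    return {h: view_a[h] + view_b[h] for h in view_a.keys() & view_b.keys()}

def name_profiles(profiles, account_emails):
    # A service holding its own account list hashes it and looks profiles up.
    lookup = {hashed_id(e): e for e in account_emails}
    return {lookup[h]: items for h, items in profiles.items() if h in lookup}

def demo():
    shared = stitch(receiver_view(SITE_1, hashed_id), receiver_view(SITE_2, hashed_id))
    named = name_profiles(shared, ["alice@example.com", "dave@example.com"])
    keyed = stitch(
        receiver_view(SITE_1, lambda e: site_keyed_id(e, b"site-1-secret")),
        receiver_view(SITE_2, lambda e: site_keyed_id(e, b"site-2-secret")),
    )
    return shared, named, keyed

if __name__ == "__main__":
    shared, named, keyed = demo()
    print("stitched:", len(shared), "named:", named, "keyed join:", keyed)
```

With the plain hash, the two purchases join into one profile that the account list puts a name to; with per-site keys, the receiver has nothing to join on.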

The Impact

It’s important to realise that a site not using first party hashed identifiers can still collect visitor data in its analytics tool e.g. Google Analytics. Similarly, you can still run Google Ads campaigns and data will continue to flow from your site to adTech providers such as Google and Facebook. The difference is, personalised advertising becomes harder without hashed first party data. That is, adTech providers cannot stitch together different sessions of the same user as they move around the web, or return to your site. Without 3P cookies or first party hashed identifiers, personalised ads will not work.

So your customers and potential customers will receive ads that are less targeted from you. How much that impacts your business will depend on how reliant you are on such ads and what your margins are (ROI). For example, I would expect B2B sites to be less impacted.

To be clear, if your site/app has explicit and informed consent from your visitors, there is nothing illegal with tracking users via their hashed first party data and sending it to Google or Facebook for processing. But does your site really meet those two criteria? This is about customer trust.

Summary – What Difference Does Trust Make?

There are real privacy issues with substituting regular 3P cookies with first party hashed identifiers (cookies on steroids). A decision to use this should not be taken lightly. Balance the benefits of such tracking against the privacy concerns of your customers i.e. their trust.

The “perceived” benefit of first party hashed identifiers is to maintain the effectiveness of the personalised/targeted ad ecosystem. Yet contextual ads – the stuff ironically Google pioneered in the early 2000s – have been shown to be just as effective, if not better, than targeted ads.

The major risk of going down the cookies_on_steroids path is that once visitors are informed of this technique, they may prefer to opt out of ALL tracking rather than be profiled. It’s about trust. That fragile, abstract idea that marketing is built on. Building trust with your customers is the only way forward to tackle the data challenges of privacy laws.

This post is built upon the points raised in a wider article published on LinkedIn. Op-Ed: Is There a Future for Web Analytics?

