Authenticated Identity: Addressability in a Post-Cookie World

Page 1

Identity Alternative Guide: Prepare for Privacy, Regulation and Cookie Deprecation

Authenticated Identity Addressability in a Post-Cookie World PREPARED BY

Katie Scott Client Strategy Director at Goodway Group July 2021

Identity Alternative Guide: Prepare for Privacy, Regulation and Cookie Deprecation


Introduction An abundance of consumer privacy regulations and new browser and mobile device protocols have left the digital marketing industry with a massive amount of homework to do when it comes to the future of identity. While both publishers and ad tech providers actively work to create and adopt the best identity alternatives that will allow marketers to effectively track, target and measure audiences (while keeping consumer privacy at the forefront), we’re cutting through the clutter to test and evaluate all options. Even though Google has delayed cookie deprecation until 2023, now is still the time to prioritize testing alternatives. In this piece, we’ll focus on one of the specific identity alternatives currently in development and testing: shared IDs, also known as authenticated or universal IDs. As with any industry or technology in transition, complexities and obstacles abound. However, more opportunities exist for alternatives that will allow marketers to maintain (and even enhance) performance and return on investment.

“You get one name tag, and everyone you meet can read your name tag. In the current web experience, it’s like everyone can only read the name tag they put on you. This means you, as the delegate (or consumer), end up having hundreds of different name tags all over you. That is annoying for users.” – Jordan Mitchell, formerly CEO of DigiTrust

© 2021 Goodway Group. All rights reserved. 21F-G1392676040

Identity Alternative Guide: Prepare for Privacy, Regulation and Cookie Deprecation


Defining Authenticated and Shared IDs Authenticated or shared ID is a user identifier created by an ad tech company or consortium to provide a shared user identity that can be utilized across the digital ad buying ecosystem without syncing cookies. Built upon consumer consent, shared IDs enable a direct and trusted relationship with users while enabling data-driven advertising across cookieless inventory. Shared IDs authenticate identity when a visitor logs in to a website or platform, verifying their identity and providing their consent to build a profile of their actions. Shared IDs gather a user’s information deterministically based on consumer-provided identifiers like an email address (most notably, by activating single sign-on [SSO]).

How Authenticated IDs Work If a website has adopted an authenticated ID solution, when a user submits an email or other Personally Identifiable Information (PII), that user’s data is then attached to an ID and stored in aggregate with other users in a central identity graph. The process ensures all data is captured and stored in a completely hashed and encrypted manner, free of any PII. The shared ID technology organizes and anonymizes each user’s data, then provides the publisher with a stamped version of the shared ID. The same ID is shared with other data providers and advertisers who have adopted the same authenticated ID protocol. Both the publisher and the advertiser have to have access to the corresponding ID, and consent from the user to use that ID, in order for it to be shared and transacted.

Authenticated ID providers will use varying methods to allow for the exchange of first-party data without exposing Personally Identifiable Information (PII). Encryption is the practice of scrambling information in a way that only someone with a corresponding key can decipher. Hashing is the practice of using an algorithm to map data of any size to a fixed length identifier, called a hash value. Whereas encryption is a two-way function, hashing is a one way function. Salting takes hashing one step further by ensuring the identifier is always unique. With hashing, the data input is transformed into a series of random numbers or letters. Due to the deterministic nature of the hash function, input values can have identical outputs. “Salting” the hashed values adds an additional numeric layer to ensure the final ID is always unique.

The fully anonymized IDs can then be used to target, track and measure audiences similarly to cookies. Publisher and Advertiser Have Consent to Match



Publisher provides user-level marketing data to universal ID provider via encrypted process.

ID provider anonymizes data and creates an individual ID tied to the data.




Demand-side platform Publisher/site (DSP)/tech provider receives universal ID. receives universal ID In some instances, provider as well, matching on can also match online and future bid requests. offline data and append.

© 2021 Goodway Group. All rights reserved. 21F-G1392676040

Identity Alternative Guide: Prepare for Privacy, Regulation and Cookie Deprecation


Avoid a One-Size-Fits-All Approach It’s imperative for advertisers to recognize there’s not a quick fix to solving for cookies and other privacy-first tracking changes. Rather, there’s an opportunity to grow beyond existing solutions and uncover alternatives that alone, or in combination, can improve audience identification and overall data strategy. For example, some universal IDs will solely use hard signals such as hashed email addresses and login alliance IDs while others will use a combination of hard and soft signals (IP address, timestamp, URLs, etc.) allowing for identification when no hard signals are available. The good news is that the ecosystem is hard at work on identity resolution, with a focus on bringing interoperability across multiple IDs. This means that publishers, advertisers and ad tech providers can utilize more than one authenticated ID to bring scale to the volume of users identified across the ecosystem.

Foremost, advertisers must build out their first-party data assets and test various alternatives specific to their digital marketing and business goals, centering efforts around the following framework: Audience


What IDs Work Best Within Those Platform(s)

Key Questions to Ask

Ecosystem Benefits Consumers Maintains consumer privacy while still showing relevant ads

Publishers & Advertisers Ability to show the most relevant ad to an interested consumer

SSP Ease of datasyncing between advertisers and third-party providers to match PII to publisher PII safely DSP Buyers are able to target known consented users across the open internet

• How am I utilizing and strengthening my first-party data? • What signals is my strategy currently acting on that are considered recognized data, non-consented, and third-party? How can I replace those with first-party data signals? • What platforms are most important for my industry, vertical and historical performance?

Data Provider Can turn offline data assets into consent-driven Shared IDs for buyers to target

“The objective has always been to go from many IDs to some IDs, not just to one.” – Tim Sims, Chief Revenue Officer at The Trade Desk

© 2021 Goodway Group. All rights reserved. 21F-G1392676040

Identity Alternative Guide: Prepare for Privacy, Regulation and Cookie Deprecation


Authenticated, Shared ID Benefits and Challenges B E N E F IT S


• First-party and offline data are being used for shared IDs

• Interoperability relies on matching different IDs introducing probabilistic modeling into a deterministic approach

• Secure technology as will be hashed and encrypted to prevent abuse; regular rotation of decryption keys will help enforce accountability

• Fragmented publisher adoption may impact the ease of use and scalability

• User transparency and privacy controls; consumers will be able to easily view and manage their preferences and opt out at any time

Goodway Testing is Already Underway

Originally spearheaded by The Trade Desk, this initiative is currently accepted by most major DSPs and SSPs, including all of Goodway’s preferred SSPs. As of February 2021,, the leading open source bidding solution and independent industry organization, will serve as the initiative’s operator.​ Prebid has implemented the necessary infrastructure to support UID 2.0 and is on track to be live mid-2021. In addition to managing UID 2.0’s hardware and software infrastructure, Prebid will also handle the email encryption and decryption process, ensuring the IDs are readable and will generally guarantee that the IDs are functioning properly.

In 2019, LiveRamp and Index Exchange partnered to provide Goodway Group a solution that matches contextually rich inventory with client-qualified leads, delivering greater reach against high-value audiences tied to a persistent cross-channel identity. In doing so, Goodway Group was able to provide meaningful interactions throughout the consideration phase and drive business outcomes for the client. 3X HIGHER UNIQUE REACH

© 2021 Goodway Group. All rights reserved. 21F-G1392676040



Identity Alternative Guide: Prepare for Privacy, Regulation and Cookie Deprecation


Glossary: Key Terms for Identity Understanding Cookies: Small text files that are dropped on a user’s browser (i.e., Google Chrome) by a website when they visit the site. Cookies utilized for digital marketing track data about users, such as their computer’s IP addresses and their browsing activity, enabling the site and other marketers to provide relevant ads to the user and identify and measure the best audiences for their efforts. Deterministic matching: Relies on using encrypted personally identifiable information (PII) such as email address or phone number to link devices to that identity. First-party data: Is data provided or collected directly from an audience or customer in a consented, opt-in manor such as email addresses submitted to a site or brand via an app or website. It can also include data on behaviors, actions or interests demonstrated throughout the consumer journey including website or app activity and online/in-store purchasing. Hashing and salting: A data input is transformed into a series of random numbers or letters. Due to the deterministic nature of the hash function, input values that are identical will have identical outputs. “Salting” the hashed values adds an additional numeric layer to ensures that the final hash is always unique. Identity resolution: Is the process of collecting and linking anonymous and unique identifiers across devices and touchpoints to build a cohesive, omnichannel view of an individual consumer. This enables advertisers to better understand audiences and match to desired attributes, creating robust customer profiles that allow them to deliver relevant, customized content throughout the customer journey. Open web: Accounting for approximately 30% of available digital audiences, the open web allows for audience identification, reach and tracking beyond walled gardens such as Google and Facebook, which operate a closed advertising tracking and measurement ecosystem. Personally identifiable information (PII): PII or Personally Identifiable Information is data that can be used to uniquely identify, contact and distinguish consumers. PII can include name, address, social security number or other identifying number or code, telephone number, email address, etc. It also includes data intended to identify specific individuals in conjunction with other data elements such as indirect identification (which may include a combination of gender, race, birth date, geographic indicator and other descriptors). Probabilistic matching: Use “soft signals” like device type, software version, screen resolution, OS, location and IP address to build an ID graph for users. Recognized identity: Pseudonymous data identifiers that identify someone without explicitly provided consent such as cookies and device IDs. Pseudonymous data is information that no longer allows the identification of an individual without the use of additional information that is kept separate from it. Pseudonymous data differs from anonymous data in that it still allows for some form of re-identification while anonymous data cannot be re-identified. Single sign-on (SSO): Enable users to log in across multiple domains using a single ID (most commonly an email address). Third-party data: Is data purchased from outside sources that are not the original collectors of that data. In digital, third-party data is information collected by an entity that does not have a direct relationship with the user on the platform or site where data is captured. It is often collected from a variety of websites and platforms and aggregated by a third-party data provider such as a DMP. These aggregators pay publishers and other data owners for their first-party data.

Get up-to-the-minute insights and information on the future of identity. © 2021 Goodway Group. All rights reserved. 21F-G1392676040

Sign Up Now