Guide for digital marketers: surviving TP & GDPR in a cookie-less world

Guide for digital marketers: surviving TP & GDPR in a cookie-less world

In response to high-profile data breaches like Equifax and Facebook, as well as numerous other recent incidents, state governments took decisive action to enhance internet personal data security by implementing GDPR and ITP.

Written by

Preet Singh


3 February 2020



Considering the massive user-credit details leak stemming from Equifax and Facebook’s data breach scandal – the two data-security breaches were probably the most susceptible to widespread media coverage.
However, these were only a mere few mishaps amongst the many other unfortunate data breaches that occurred recently.
The gravity of seriousness surrounding these globally dispersed data-protection failures (which were arguably also potential catalysts to the 2016 US election results and Brexit) – called for an equally formidable response.
So, state governments holistically embarked on their search for a way of improving the internet’s personal data security.
The resulting answer was two-fold: GDPR and ITP.

The General Data Protection Regulation (GDPR) sets up safety requirements concerning the collection, storage and transfer of data pertaining to businesses that process all European Union citizen personal details, regardless of where these businesses (or their websites) are based.

GDPR regulates not only sensitive user-data such as date of birth, social security number and political opinions, but also web-based data like IP addresses and cookies that are also considered ‘personal’.

For digital marketers, the direct implications of GDPR meant that the requirements for data ‘controllers’ and ‘processors’ now needed written consent when adding user email addresses to newsletter subscription lists. Furthermore, this meant that these details could only be utilised for the purpose of sending newsletters.

Certain website analytics restrictions were also posed such as a personally identifiable information collection ban which meant anonymising IP addresses. As well as user consent for using website analytics, with a right to opt-out or be forgotten.

This Regulation came into full effect as of May 2018, and is still considered as the most comprehensive piece of privacy legislation developed by any jurisdiction.

So, it comes as no surprise that it served as the global theoretical framework for basing further practical, technical regulations upon. A fine product example being Apple’s ITP – or Intelligent Tracking prevention.

ITP Evolution: Causes and Consequences

ITP is Apple’s Safari-released regulation, allowing the browser to block cross-domain tracking (specifically ad tracking) by deleting first and third-party cookies.

Safari was the first browser that implemented strict regulations to protect user privacy and stop ad-tech companies from tracking people on the internet. Other popular browsers followed by example and followed Apple’s regulatory endeavour by introducing similar restrictions.

Firefox has implemented Enhanced Tracking Prevention, which is very similar to ITP. Google has also announced privacy changes to its Chrome browser that will give users more transparent control over personalised advertising and control over which third-party cookies are created and stored on their devices.

Questionable practices by marketers are among the reasons behind enabling GDPR, ITP and regulations alike to impose restrictions. Personal data was initially obtained for improving user experience in the past, but unfortunately, it is also often misused. Email lists were placed for sale, which enabled automatic customer opt-ins and hence exposed to unwanted marketing communications. Furthermore, advertisers would neglect to provide users with clear instructions around un-subscription from multiple marketing newsletters or to have their data removed from such customer lists.

It’s usually when web users become unhappy that things get rather bleak for advertorial autonomy. And still – internet users remain concerned about their privacy with a greater demand for data and personal information protection. But the truth of the matter is also that they are simply fatigued by those creeping ads, pestering them wherever and whenever they browse around the web.

Here’s a short summary of the stages that went behind developing ITP since early 2018:

  • March 2018 – ITP 1.0 launched, specifically targeting the deletion of 3rd Party Cookies after 30 days of inactivity.
  • September 2018 – ITP 2.0 focused on first-party cookies, which mimicked the functionality of third-party cookies.
  • February 2019 – ITP 2.1 deleted all persistent 1st party, client-side cookies after seven days of inactivity.
  • April 2019 – The most recent update comes in the form of ITP 2.2. This update prompts the browser to delete all cookies after 24 hours – provided the following two conditions are true:
  • The traffic originated from a domain classified with cross-site tracking capabilities – including significant ad networks, Google and Facebook.
  • The final URL of the navigation has a query string and/or fragment identifier.

Without technical changes, the ITP 2.2 update means browsers now automatically get rid of cookies. As a repercussion, businesses will face shrinking their remarketing lists, which would partly be non-existent and no longer targetable.

Before 2018, the advertising industry was previously heavily reliant on cookies for their use towards creating targeted and retargeted ad campaigns.

Now after all the recent ITP updates, most online ad campaigns using this outdated cookie approach face restrictions with Safari and Mozilla browsers. Advertisers should hence gauge other approaches that appropriately attribute ad campaigns.

The negative impact of ITP on digital marketing could be divided into two main categories:

  • Cookie-based user targeting issues, or an inability to create re-marketing lists.
  • Reporting and attribution issues, or an increase in unattributed conversions.

Read about how other industry experts think cookie-less tracking will affect your marketing.

As noted above, cookie-based user targeting includes targeting remarketing lists.

ITP technology significantly shrinks these remarketing list sizes, transforming remarketing users into “ghosts”. Also, ad frequency capping cannot be controlled anymore as it is impossible to identify persons who have already viewed this ad and their viewing frequency.

Furthermore, standard bidding algorithms cannot recognise the conversion attribution to cookieless browser traffic. Therefore, it would be undervalued even if it is highly convertible.

Google devised several possible solutions for avoiding strong negative impacts on ad campaign performance.

The first recommendation was an extensive implementation of Customer Match technology, which is currently broadly available for many Google advertising formats.

Customer match allows displaying ads to customer lists (for e.g. from CRM systems), or to similar new users. However, this feature is not available on third-party sites in the Display Network.

Instead of remarketing, other types of Google audiences (for example, In-market, Custom Intent, Similar, etc.) could also minimise the negative impact of cookieless browsers. They are products of contextual and environmental signals amplified with machine learning. And hence, it can help to find the relevant audience suited to the product.

As for the problematic bidding issue, Google recommends switching to auto-bidding, which uses a wide range of contextual signals without using cookies.

Unfortunately, with Apple’s new restrictions for first-party cookies, overcoming conversion reporting and attribution issues remains unsolved. Google is yet to come up with an extensive solution to this.

Some developers recommend using other unique-click identifiers as a unique click ID (or visitor ID) in the URL to the destination website. Second-party data (or data cooperative) partnerships could also be an implementable workaround to ITP by syncing identifiers between sites.

Exchanging identifiers between sites (e.g. between partner sites and other domains owned by the same company) is made possible by passing the IDs via URLs and storing them in a server-based first-party cookie (i.e. server-side). This workaround limits remarketing between partners and further promotes the expansion of data co-operatives.

Another solution is creating an updated version of the cookie – a digital token, or a single identifier across multiple website publishers and online advertisers.

However, all these workarounds may very well be temporary solutions, doomed to prohibition by the next version of ITP. These solutions still strive for the same goals as the cookies before them. Therefore, it wouldn’t be a surprise that the browsers concerned about user privacy would prefer avoiding them.

Long-term workarounds: How to reach users in our ITP world

One of the solutions to adapt to our ‘ITP world’, could be to let each user decide the kind of advertising they prefer receiving. The type that is highly tailored and personalised to their unique needs. Or perhaps a more generic form? Or shockingly, even no advertising where it’s not needed?

Ultimately, as internet users, we all reserve our right to privacy and control over the amount of data we want to share and with whom. And a right to green-light sharing with the companies from those we encounter online – those potentially profiting from our personal information.

And as we now await the new disruptive solution – all we can do as an agency is count the “casualties” of this tracking “war.” Also – correctly assess the impact that those technological changes have on businesses.

Besides – ITP is also great for challenging marketers to develop new marketing tactics that facilitate quick 24-hour conversions. E.g. by interacting more with potential clients through a live chat functionality.

In addition to this, advertisers could also invest further towards developing strategies for effectively reaching users through contextual signals. As well as creating a new email-collection approach by placing the somewhat functional materials in front of potential clients. We don’t consider such conversions as ‘soft types’ anymore – but as an integral part of our advertising strategy for adapting to this ‘cookie-less world.’

If we want to re-target a particular customer, we should focus on earning their trust through an effortful provision of relevant, useful information. The information they deem valuable and worthy enough to disclose their email address in exchange for.

The dog and bone.
Subscribe and be the first to hear about news and events.

Written by

Preet Singh
The dog and bone.
Subscribe and be the first to hear about news and events.
View our last posts
Google Universal Analytics arrow to GA4

How to Overcome Universal Analytics’ Sunset & Looming Shutdown

Preet Singh - 5 min read
AI robot tutor helping a student with homework, they are sitting on the couch at home and reading a book

Unlocking the Power of Generative AI: Google’s 10 Free Courses

Tahlia Reynolds - 6 min read

Indago Leads IAB's New Search Working Group

Gary Nissim - 3 min read
Team members thinking together

Get in touch

Ready to get the ball rolling? Drop us a line.

First name*
Last name*
Email address*
Phone number*
Your message