How to Survive TP & GDPR in a Cookieless World

How to Survive TP & GDPR in a Cookieless World

In response to high-profile data breaches like Equifax and Facebook, as well as numerous other recent incidents, state governments took decisive action to enhance internet personal data security by implementing GDPR and ITP.

Written by

Preet Singh


3 February 2020



Considering the massive user-credit details leak stemming from Equifax and Facebook’s data breach scandal – the two data-security breaches were probably the most susceptible to widespread media coverage.
However, these were only a mere few mishaps amongst the many other unfortunate data breaches that occurred recently.
The gravity of seriousness surrounding these globally dispersed data-protection failures (which were arguably also potential catalysts to the 2016 US election results and Brexit) – called for an equally formidable response.
So, state governments holistically embarked on their search for a way of improving the internet’s personal data security.
The resulting answer was two-fold: GDPR and ITP.

The General Data Protection Regulation (GDPR) sets up safety requirements concerning the collection, storage and transfer of data pertaining to businesses that process all European Union citizens personal details, regardless of where these businesses (or their websites) are based.

GDPR regulates not only sensitive user data such as date of birth, social security number and political opinions, but also web-based data like IP addresses and cookies that are also considered ‘personal’.

For digital marketers, the direct implications of GDPR meant that the requirements for data ‘controllers’ and ‘processors’ now needed written consent when adding user email addresses to newsletter subscription lists. Furthermore, this meant that these details could only be utilised for the purpose of sending newsletters.

Certain website analytics restrictions were also posed, such as a personally identifiable information collection ban, which meant anonymising IP addresses and user consent for using website analytics, with a right to opt out or be forgotten.

This regulation came into full effect in May 2018 and is still considered the most comprehensive piece of privacy legislation developed by any jurisdiction.

So, it is no surprise that it served as the global theoretical framework upon which to base further practical, technical regulations. A fine product example is Apple’s ITP – or Intelligent Tracking prevention.

ITP Evolution: Causes and Consequences

ITP is Apple’s Safari-released regulation, allowing the browser to block cross-domain tracking (specifically ad tracking) by deleting first and third-party cookies.

Safari was the first browser that implemented strict regulations to protect user privacy and stop ad-tech companies from tracking people online. Other popular browsers followed by example and followed Apple’s regulatory endeavour by introducing similar restrictions.

Firefox has implemented Enhanced Tracking Prevention, which is very similar to ITP. Google has also announced privacy changes to its Chrome browser that will give users more transparent control over personalised advertising and control over which third-party cookies are created and stored on their devices.

Questionable practices by marketers are among the reasons behind enabling GDPR, ITP and regulations alike to impose restrictions. Personal data was initially obtained to improve user experience in the past, but unfortunately, it is also often misused. Email lists were placed for sale, which enabled automatic customer opt-ins and hence exposed to unwanted marketing communications. Furthermore, advertisers would neglect to provide users with clear instructions about unsubscribing to multiple marketing newsletters or having their data removed from such customer lists.

It’s usually when web users become unhappy that things get rather bleak for advertorial autonomy. And still – internet users remain concerned about their privacy with a greater demand for data and personal information protection. But the truth is also that they are simply fatigued by those creeping ads, pestering them wherever and whenever they browse the web.

Here’s a summary of the stages that went behind developing ITP since early 2018:

  • March 2018 – ITP 1.0 launched, specifically targeting the deletion of 3rd Party Cookies after 30 days of inactivity.
  • September 2018 – ITP 2.0 focused on first-party cookies, which mimicked the functionality of third-party cookies.
  • February 2019 – ITP 2.1 deleted all persistent 1st party, client-side cookies after seven days of inactivity.
  • April 2019 – The most recent update comes in the form of ITP 2.2. This update prompts the browser to delete all cookies after 24 hours – provided the following two conditions are true:
  • The traffic originated from a domain classified with cross-site tracking capabilities – including significant ad networks, Google and Facebook.
  • The final URL of the navigation has a query string and/or fragment identifier.

Without technical changes, the ITP 2.2 update means browsers now automatically get rid of cookies. As a repercussion, businesses will face shrinking their remarketing lists, which would partly be non-existent and no longer targetable.

Before 2018, the advertising industry was heavily reliant on cookies for their use towards creating targeted and retargeted ad campaigns.

Now after all the recent ITP updates, most online ad campaigns using this outdated cookie approach face restrictions with Safari and Mozilla browsers. Advertisers should hence gauge other approaches that appropriately attribute ad campaigns.

The negative impact of ITP on digital marketing could be divided into two main categories:

  • Cookie-based user targeting issues, or an inability to create re-marketing lists.
  • Reporting and attribution issues or an increase in unattributed conversions.

Read about how other industry experts think cookie-less tracking will affect your marketing.

As noted above, cookie-based user targeting includes targeting remarketing lists.

ITP technology significantly shrinks these remarketing list sizes, transforming remarketing users into “ghosts”. Also, ad frequency capping cannot be controlled anymore as it is impossible to identify persons who have already viewed this ad and their viewing frequency.

Furthermore, standard bidding algorithms cannot recognise the conversion attribution to cookieless browser traffic. Therefore, it would be undervalued even if it is highly convertible.

Google devised several possible solutions for avoiding strong negative impacts on ad campaign performance.

The first recommendation was an extensive implementation of Customer Match technology, which is currently broadly available for many Google advertising formats.

Customer match allows displaying ads to customer lists (for e.g. from CRM systems), or to similar new users. However, this feature is unavailable on third-party Display Network sites.

Instead of remarketing, other types of Google audiences (for example, In-market, Custom Intent, Similar, etc.) could also minimise the negative impact of cookieless browsers. They are products of contextual and environmental signals amplified with machine learning. Hence, it can help find the relevant audience suited to the product.

As for the problematic bidding issue, Google recommends switching to auto-bidding, which uses a wide range of contextual signals without using cookies.

Unfortunately, with Apple’s new restrictions for first-party cookies, overcoming conversion reporting and attribution issues remains unsolved. Google is yet to come up with an extensive solution to this.

Some developers recommend using other unique-click identifiers as a unique click ID (or visitor ID) in the URL to the destination website. Second-party data (or data cooperative) partnerships could also be an implementable workaround to ITP by syncing identifiers between sites.

Exchanging identifiers between sites (e.g. between partner sites and other domains owned by the same company) is made possible by passing the IDs via URLs and storing them in a server-based first-party cookie (i.e. server-side). This workaround limits remarketing between partners and further promotes the expansion of data cooperatives.

Another solution is creating an updated version of the cookie – a digital token, or a single identifier across multiple website publishers and online advertisers.

However, all these workarounds may be temporary solutions, doomed to prohibition by the next version of ITP. These solutions still strive for the same goals as the cookies before them. Therefore, it wouldn’t be a surprise that the browsers concerned about user privacy would prefer avoiding them.

Long-term workarounds: How to reach users in our ITP world

One of the solutions to adapt to our ‘ITP world’, could be to let each user decide the kind of advertising they prefer receiving. The type that is highly tailored and personalised to their unique needs. Or perhaps a more generic form? Or shockingly, even no advertising where it’s not needed?

Ultimately, as internet users, we all reserve our right to privacy and control over the amount of data we want to share and with whom. And a right to green-light sharing with the companies from those we encounter online – those potentially profiting from our personal information.

And as we now await the new disruptive solution – all we can do as an agency is count the “casualties” of this tracking “war.” Also – correctly assess the impact that those technological changes have on businesses.

Besides – ITP is also great for challenging marketers to develop new marketing tactics that facilitate quick 24-hour conversions. E.g. by interacting more with potential clients through a live chat functionality.

In addition to this, advertisers could also invest further towards developing strategies for effectively reaching users through contextual signals. As well as creating a new email-collection approach by placing the somewhat functional materials in front of potential clients. We no longer consider such conversions as ‘soft types’ but as an integral part of our advertising strategy for adapting to this ‘cookie-less world.’

Suppose we want to re-target a particular customer. In that case, we should focus on earning their trust by providing relevant, useful information—the information they deem valuable and worthy enough to disclose their email address in exchange for.

The dog and bone.
Subscribe and be the first to hear about news and events.

Written by

Preet Singh
The dog and bone.
Subscribe and be the first to hear about news and events.
View our last posts
Young businesswoman thinking drawing an enterprise content marketing strategy on a whiteboard.

5 Insider Tips For Enterprise Content Marketing

Elizabeth Htwe - 9 min read
Man doing coding and doing technical SEO for huge website.

How to Do Technical SEO for a Huge Website

Roy Zhai - 10 min read
Female Chief Analyst Holds Meeting Presentation for a Team of Economists. She Shows Digital Interactive Whiteboard with Growth Analysis, Charts, Statistics and Data. People Work in Creative Office.

5 Enterprise SEO Tips to Kickstart Your Success

Jarrett Crawford - 8 min read
Team members thinking together
Get in touch
Ready to get the ball rolling? Drop us a line.
First name*
Last name*
Email address*
Phone number*
Your message