Two Experts Weigh in on the Effects of Apple’s ITP and Privacy Regulations for Marketers

With Intelligent Tracking Prevention (ITP), Apple is attempting to put the Internet genie back in its bottle. The back-and-forth between browser developers (including Google and Mozilla, which joined Apple with their own changes) and marketers over how consumer behavior is tracked online and what happens to that data in the short and long-term.

Depending on where you stand on the issue, you may see Apple’s ITP and similar changes as “breaking the internet,” ruining advertising, “great for consumer privacy,” or part of an elaborate branding technique to sell “‘privacy as a luxury good.’” Nevertheless, here we are at ITP version 2.3. And Apple is taking enforcement increasingly serious, warning that it will view attempts to get around ITP “‘with the same seriousness as exploitation of security vulnerabilities.”

No matter where you stand on the issue, what’s clear is that ITP is transforming how marketers and web devs do their jobs— and it is just one part of a larger shift towards consumer privacy. With so much change, it can be hard to find a winning strategy. 

To help provide you some guidance, I spoke with two experts in the field to get their thoughts on the increasingly complicated world of consumer privacy and data collection. Before diving in, you may want to watch our webinar, “Is the End of Cookies Near? What ITP 2.x Is and How to Navigate” to understand the basics of what Apple has done this year.

Our first respondent is Cory Underwood, a Senior Programmer / Analyst with L.L. Bean who focuses on analytics. Previously, he held roles on Tagging, Personalization and A/B Testing with a combined 10 years of experience in the field.

Our second respondent is Ty Gavin, VP of Software Development at Tealium, who has spent his career in a multitude of roles including webmaster, marketing manager, implementation engineer, technical consultant, and business analyst.

Disclaimer: The following opinions belong to these individuals alone and do not necessarily represent the viewpoints of their employers as a whole.

Cookies, which help collect customer behavior data among other things, are under scrutiny thanks to digital privacy laws like GDPR and CCPA. Regional and global companies alike are now expected to deal with potentially overlapping and differing standards of privacy regulation.

A recent study cited in TechCrunch found that most cookie-consent notices in the EU are meaningless. Specifically, that “the majority are placed at the bottom of the screen (58%); not blocking the interaction with the website (93%); and offering no options other than a confirmation button that does not do anything (86%).” That’s obviously a huge problem that’s only going to be compounded in the future. With the CCPA on the horizon, companies will have new data privacy consent rules to follow and implement in a meaningful way.

Question: How much of a problem are the overlapping regulations going to cause companies if they’re already having trouble with just one set?

Cory Underwood: It will depend on how in alignment the various laws are. If they agree in principal, then aligning to the strictest one is an easy option. If they differ on key points, then it’s likely to cause issues in implementation and handling of data, as the code will function differently for various countries, this may, depending on the laws, also result in an increase in infrastructure as data may be required to be geographically located in the country of collection.  So the specific laws being evaluated may drive the technical design, and that may end up being quite costly.

Ty Gavin: I don’t pretend to be a lawyer or understand exactly what is required to comply, but I can make a guess on this topic. Because privacy failures cost lots of money and result in bad press, website owners who understand this will likely pick from these two solutions:

1.  Find out where visitors are located and direct them to the website for that location.  That website will conform to local laws. For example, this appears to be how the BBC works.  I can’t seem to bring up bbc.co.uk URL while browsing here in the US, I always end up redirected to bbc.com.  They don’t explicitly ask me where I’m from so they must be using my IP address to find out where I am located.
2. Comply with all requirements or the strictest requirement when rules overlap.  For example, when Tealium’s utag.js sets a cookie, it complies with the global law strictest requirement of 1 year.  (As opposed to setting for 2 years in one country and 1 year in another). It’s difficult to automatically, quickly and precisely determine where someone originates from so it’s challenging to conditionally apply the laws.  The simple solution is to comply with the strictest one when the laws overlap. If everything is an opportunity, each new law allows a website to re-evaluate what they are doing today and plan for a better (more private) future.

Question: How can companies better connect the user experience (often through a consent management notification) and the necessary data infrastructure to follow through on those consent elections?

CU: Sadly, there is no easy answer here as it depends on the laws you care about and how the existing tech stack functions.  If I had one piece of advice it would be – “Don’t collect anything your lawyers are unwilling to defend in a court of law.”

TG:I think companies need to do a better job explaining the benefit of opting-in. Right now it seems they are saying, “Allow cookies, please. It’s not that bad, so just click ‘Accept’ button to remove this banner.”  But what is better is saying, “By opting in, you will receive X, Y, and Z.” This message is what you see when you are prompted by Apple or Google to give them product feedback (such as crash details) so they can improve their software product.  These are not privacy-related and personal information related, but they clearly state the intention and benefit to the user.

But back to the original question. The “how” is to leverage Tag Management and Consent Management together to solve for this.  The problem is that there will always be something more to do that takes some work. Unfortunately, there is no standard built-into-the-browser way of managing consent.  I expect there will be some day. As with anything, expect some custom code to be required as well. The benefit of a TMS is the ability to easily add and adjust custom code.

Question: In 2017, Apple’s Intelligent Tracking Prevention (ITP) set off a chain of events that have altered the way third (and now first)-party cookies work. Are the browsers providing more protections for consumer privacy than the companies who are complying with regulations?

CU: It’s hard to say, but I’d be inclined to say ‘No’ because the defenses they are providing are different than what a specific law may allow or require.  Mozilla, for example isn’t required by law to use Disconnect’s domain list and block certain domains from loading scripts. It addresses some concerns the browsers have (such as data leakage) without getting into the specifics on the kind of data and the usage of data that the laws tend to cover.

TG:  I think that if browsers can do this then everyone wins.  The problem is it is usually “all or nothing” with browser blocking.  Browsers are most likely to protect you from ‘malicious’ activity out there.  Legit website owners take a hit here when the browsers become more restrictive.  For example, a browser might make it easy to ‘block all’ cookies, when a website legitimately needs to set 1 or 2 cookies.  I still feel a website owner should be able to make a case for a client to authenticate for maximum benefit of their product or site.  At this point, a website should be able to know who you are and what your preferences are. It is a strange case that you have to give up privacy to get customized privacy.  Ideally, you are only giving up your identity to one business and that business can be trusted. A middle-ground would be giving up an anonymous identifier to certain sites that you specify and control in the browser.  I think that’s where we’ll end up.

Question: Will performance marketing fundamentally change for good?

CU: It’s definitely changing. I am not sure if that’s for ‘good’ or if a new technology will surface that reopens some of those doors. Even with everything the browsers are doing, you can still do the majority of that tracking server side, and that’s something the browsers can’t stop, that’s where the laws come in.  

TG: Yes, but luckily we have machine learning (ML) to the rescue. ML-powered pattern matching is the new personalization. And since this is real-time, we can infer your “type” right away. In a real-time-ML world, personalization platforms shouldn’t need to have a long history of your activity. 

Apple’s recent proposals (May 2019) appears to have some concessions for ad-attribution (click-through) tracking, but at first glance it seems goofy and painful to implement. I’m not sure it will catch on. It’s also strange when these software companies aren’t necessarily looking to make anyone’s life easier. They’re primarily going for other things like brand benefit and positive public perception.

Question: How should data professionals approach the ever-changing cookies landscape? Find short-term solutions or look towards long-term solutions?

CU: I’d advise talking with your development and legal teams, coming up with a likely long term plan, and aligning to that.  I suspect the next six to twelve months to be very ‘whack-a-mole’ with browsers trying to figure out what is ‘OK’ for privacy and data collection.  If you’re consistently adjusting all your tracking just for them to come along in two months and break it – it’s going to get expensive.  

TG: Find an Enterprise vendor that can pivot and adapt to the changing landscape. Tag Management solutions are standing by to help people make quick updates with the latest workarounds. Focus on a solution that does both client-side and server-side identity management well. 

Unfortunately, it feels like we are constantly planning for new worst-case scenarios because the scenarios keep changing.  The heavy-lifting now is understanding the laws. After we understand the laws and have a plan to comply, getting people to agree to ‘opt in’ to something is the second hurdle.  Then, there are specific technical challenges after that. Sometimes the technical challenge is the ‘opt in’ step when you have no ability to ask someone to ‘opt in’ in the first place (for example, your video is  loading while embedded in another site). Do you just hope they already agreed to something on a general IAB consent platform website? Or, do you cross your figures that the browser has this consent management built-in [someday]?

Question: What solutions would you recommend?

CU: I recommend taking a step back, figuring out what you actually need, figuring out if you can collect that legally and then figuring out how to do that technically in a way that is least likely to break as browsers find their footing. This may require you to move certain parts of your tech stack server side, or review / adjust contracts with vendors who can’t meet legal requirements you are subject to.

TG:  Before Apple released ITP 2.3, a quick-win solution to workaround Apple’s ITP client-side cookie limits was first-party storage such as using LocalStorage, but that has been removed as an option as well. Other than that, my best recommendation is to move your users to authenticate while simultaneously providing them with real value when they do authenticate.  Also, focus on your website privacy experience to be more than simply checking off a box for privacy – consumers should love your brand for the privacy transparency you offer them.  I imagine solutions that show a video of how your data is secured and protected and how it flows through the system. Educate the consumer on “what it means that we track anonymous visitor behavior data to improve our website.”  For example, the video should say, “When we see that many people are stuck in the website checkout step 1, then we look at the data. Website data reveals our ‘Next’ button isn’t the best color or is too far down the page to be seen.  Based on anonymous browsing data, we can make corrections that improve the experience on our website.”

Question: Now that consumers are more aware of what’s happening to their data online and the browsers are competing on the basis of privacy (with each company bringing their own version of ITP out), do you think that the issue of privacy will shake up the current browser landscape? Will consumers move away from one browser towards other options? Will privacy continue to dominate how browsers position themselves?

CU: I find this really hard to predict.  In 2017, the Harvard Business Review wrote an interesting article on the ‘Privacy Paradox,’ in which people who express concerns about privacy, still don’t refrain from risky behavior related to it.  Safari and Firefox have clearly taken the privacy aspect of their browsers as a brand position, however according to Netmarketshare.com both browsers combined on Desktop account for a less than 15% of all internet traffic observed.  

As secure as Safari may be, it’s a lot to ask consumers to spend roughly 3 to 4 times the amount on a MacBook, over a much more inexpensive Windows Laptop or Chromebook.  Firefox doesn’t ship as default on any hardware, so consumers have to actually seek out the software and install it, which isn’t something everyone feels comfortable doing.  As a result you end up with the two browsers most focused on privacy having the smallest market share.   

This loops back around to the paradox mentioned earlier – it seems a very small amount of people care enough about privacy to either pay more, or change the default behavior to ensure they have it, so while browsers can use it for positioning, I am not sure it’s going to actually cause a shift in the usage metrics for any specific browser.

TG: Yes, Apple is spending money on privacy ads.  The public is aware. Credit cards are stolen every day. Our phones are ringing off the hook with scams. If browsers can claim to solve/accomplish this then they will win the hearts of consumers. I would love to say to my parents, “Just install Firefox on your phone” and then know that they are completely safe. But my fear is this is more marketing than actual solution.  I still have to login to my credit card to keep an eye out for malicious use. Can I do that in my browser? Maybe some day.  

I think the missing message out there is, “Yes, we are using your data and we are also protecting your data and this to benefit both parties.”

There are the features to protect consumers from malicious activity and there are browser features to protect them from non-malicious activity.  The laws are for non-malicious software companies to be more transparent and allow more control of personal information. If the browser can provide this and provide for a standard for this, then maybe, just maybe the browser is the gateway to get this information or communicate preferences.  The challenge today is the same as the challenge with email spam. Every individual business provides email opt-out, but you still have to click “Unsubscribe” 1000 times. The browser providers are best-positioned to be the central communication solution (set preferences in one place) if it is going to happen.  Just like any piece of software, the first browser to do this well should win.

Question: Lastly, what is your 5-year prediction for the cookie? Will the cookie crumble to nothing? Or will we see pushback from the industries that are being severely impacted by these changes?

CU: In this article about killing Internet Explorer 11, the author does a good job pointing out what was required to phase out IE 6 and IE 8, and in both cases, upgrades to the security protocols likely played a role.  What is different when it comes to cookies is the browser and that cookies are required for things such as e-commerce, User Accounts, Online Banking etc. So we’d need a different technology to be adopted in widespread fashion in order to allow the client and server to maintain state.

Google has proposed some of these concepts so it may actually come to pass that such as system is in place in 5 years.  However the sunset period of cookies is likely to extend beyond 5 years which will leave these gaps in the underlying internet infrastructure.  So I predict in 5 years, we may have a new system, falling back to cookie use for older browsers still with sufficient usage numbers.  

TG: Sadly, the cookie as a resource for web developers is on the way out.  This is mainly because the cookie is sent with all HTTP requests and can be abused.   Browser controls will make the cookie less and less useful – the browser makes you more aware of who is setting what or providing flip-the-switch controls to block the cookies that are commonly blocked.  We see this today with Firefox’s partnership with Disconnect.me. Browsers will also have additional cookie-usage information with the “SameSite” requirement coming soon in Chrome. And there are plans for HTTP State Tokens which are designed to solve the persistent login use case – the last surviving use case to require cookies.

That said, I expect many of the same kinds of things done with cookies to be done with another technology.  Local Storage has the feature of being only client-side (not sent with HTTP requests like cookies). So, some of the same things cookies help do today can be done using Local Storage (with a few limitations).  The limitations are painful for developers, but the show must go on.

Thanks for reading! Learn more about ITP in our recent webinar on the topic here.