Marketing and Data Science in the Post-Tracking Age

Cross-domain tracking is the practice of collating information about a specific user from a variety of different websites, apps and interfaces, in order to build up a profile of the user that's more complete than any one site or app would be likely to yield.

Historically, this has occurred through the use of 'third-party' cookies — long-term hidden browser preferences that follow the user across a number of websites and report back interaction data from each domain to a central processing framework that also receives information from other sources.

The method is arguably too effective: headlines over the last ten years have decried the intrusiveness of ads that exploited gender issues¹; disclosed pregnancies²; advertised funeral services to the just-bereaved³; and that apparently eavesdrop on users' conversations in order to serve them apposite ads⁴ (against denials from the software creators⁵), and even track their offline activity⁶.

When Apple began to prohibit or limit the use of third-party cookies with Intelligent Tracking Prevention in 2019, WebKit, the upstream open-source browser for Apple's Safari, began to implement an alternative tracking method, Ad Click Attribution¹⁷, via the SKAdNetwork SDK.

Ad Click Attribution is effectively a 'firewall' for user data, wherein a limited amount of data reporting on the user is allowed, and semi-anonymized cross-tracking permitted so long as the nodes in the event path are sites that the user actually visits.

A rudimentary conversion funnel can be delivered to advertisers, without specifying the user:

The above image visualizes the three processes of WebKit's Ad Click Attribution.  

First (top), the user's ad click sends general information to the store about the origin of the click, together with a campaign ID with a maximum ID of #64, so that complex ID-based tracking is theoretically impossible.

Secondly (middle), the browser uses a common campaign ID linked to the domain mapping to identify one of four 'conversion events':

• The addition of an item to a shopping cart.
• Subscription to a service.
• Entering of shipping and payment information.
• Purchase of an item. 

Finally (bottom of image), as the user converts, the browser schedules a POST request, timed to trigger anywhere between 24 and 48 hours later, that notifies the ad-bearing site that a conversion has occurred. This programmed delay prevents the originating site/s from identifying users that click on ads and then convert rapidly.

The domains involved are subject to a 'privacy budget' (though this term was coined by Google's later adaptation, FLoC, as we'll see), which limits the number of data points about the user that can be passed in requests. Thus the advertiser may not have enough 'budget' left to request, for instance, both the user's geolocation and the time of day that the purchase was made.

There are many more caveats to this process than we have space to list here, but they include:

• The information is sent in Private Browsing Mode, avoiding persistent storage, even where the user is not browsing in Private Mode.
• No cookies, client certificates, or potentially semi-permanent data exchange are supported.
• The initial ad click data is only stored for a week, so that no long-term monitoring or 're-identification' through campaign entropy is theoretically possible. 

Neither the website where the ad click event occurs nor the site where the conversion occurs have any knowledge of the interstitial storage or processes. Instead, the originating ad site receives conversion information as a kind of 'blind event', allowing some basic monitoring of the efficacy of ad campaigns.

Though Apple provides documentation for setting up Ad Click Attribution, it does not provide any platform equivalent to DoubleClick or existing simplified frameworks. It has been argued in marketing forums that small publishers are unlikely to have the development acumen to set up campaign workflows under this new regime¹⁸.

However, this does leave a potential gap in the market for service providers who wish to develop new platforms for omnichannel marketing to streamline the process affordably and at scale. A slowly growing number of providers offer dedicated support for the WebKit/Safari SKAdNetwork system, including Singular¹⁹ and Kochava²⁰.

With Safari occupying approximately 20% of the general browser market²¹, and not quite 25% of mobile browser share²², heavy investment in Ad Click Attribution would currently need to be justified with campaigns that can effectively target the superior spending power of Apple users²³.  

However, if SKAdNetwork ultimately receives better public support than FLoC over the next two years, this may strengthen its long-term viability as a platform for data science consulting.

Both Ad Click Attribution and App Tracking Transparency (ATT, which will require explicit user consent to enable or re-enable app-based tracking) are currently set to go live 'sometime in spring' of 2021, though the launch of iOS 14.5, which is able to fully activate these systems, has been confirmed for April 2021²⁴.

SKAdNetwork can be implemented in Facebook, and the social giant provides some information for businesses about integrating it into Facebook events management, with the caveat that a maximum of 63 events can be programmed per app²⁵.

A report from mobile ad platform Moloco in March 2021 declared that the percentage of bid requests over the SKAdNetwork rose from 14.5% to 20% in the last two weeks of February 2021²⁶ (though this is likely due to mounting pressure over the vague 'spring' deadline). Anurag Agrawal, Moloco's VP of Product, also observed that in some countries bid requests tripled in a matter of days in that period, and that usage will likely rise as the launch nears.

SKAdNetwork's privacy budget is forcing developers to choose between salient data points for conversion funnels. This is a trickier decision to make than it appears, since not every app that supports the system is obliged to make all the possible SKAdNetwork signals available.

It seems likely that the entire summer and fall of 2021 will prove an arduous testing ground for the framework, and that clarification on practical usage will be added to the documentation eventually, based on user feedback.

Whether FLoC prospers or falls may depend as much on industry adoption as consumer acceptance. If the tech community fails to convince the average Chrome user of the evils of FLoC, and ad-supported media sees FLoC as the only route out of an existential crisis, the current furor may not achieve its goals.

According to an HTML code search in NerdyData, as of mid-April 2021, only six .com websites in the US are disabling FLoC — and two of those are DuckDuckGo and Brave, each with a stake in the issue³⁹. In the same period, the PublicWWW source code search engine identifies just 20 web pages with any domain suffix (out of 522 million indexed pages) that actively block FLoC.

Obviously, the media is likely awaiting some kind of public consensus around FLoC as the trial progresses into the summer, and in the meantime can enjoy a neutral stance.

At this time, the architecture of FLoC is subject to change as trial results emerge, and headlines continue to harangue the technology. Therefore, FLoC lacks the same platform support that is emerging for SKAdNetwork, not least because all of Apple's privacy initiatives are being finalized and implemented in the spring and summer of 2021, whereas Chrome will not be disabling third-party cookies until 2022.

This leaves marketing companies with SKAdNetwork in the immediate future, and whatever FLoC transitions into in the longer term. Though Apple's system offers fewer users, those users can be more valuable, and the system itself is nearer usable deployment than FLoC.

If nothing else, SKAdNetwork may become a proving ground in 2021-22 for the central concept of cohorts-based advertising, generating insights that could inform the development of FLoC, which has already drawn heavily on Apple's initiative.

Besides this downgraded version of cross-tracking, marketing companies may revive the long-abandoned practice of contextual advertising, where ad categories are defined not by the user but by the content that they're consuming. Likewise for demographic advertising, long relegated to second position during the cross-tracking years, but a method nonetheless that has produced results for centuries.

Finally, the revived importance of first-party information may lead to the re-emergence of domains and consumer environments where the user, paid or free, must log in via local systems of authentication, instead of OAuth, Facebook, and Google tokens, since those methods co-opt a great deal of the user's data for themselves. However, this would likely lead to a resurgence of data breaches, as the domains would need to implement their own security frameworks once again.