Online tracking is a highly visible privacy issue that a lot of people care about. Third-party cookies are most notorious for being used in cross-site tracking, retargeting, and ad-serving. Annie Bailey and Matthias sit down to discuss the most recently proposed approach called "Topics API".
Your DNS server knows what websites you use, what the name of your mail server is, and which corporate services you use while working from your home office. And there are even broader challenges when it comes to protecting sensitive personal data in that context. Alexei Balaganski and Matthias continue their conversation about a fundamental Internet resource, the Domain Name System, this time walking the fine line between technology and trust.
Annie and Matthias continue their conversation on the COVID-related trends in 2021. They talk about different technology and internet usage trends, and also mention some potential topics that will become more prominent in the future as a lesson from these trends.
On March 25th, 2022 the European Commission and the US government announced a new agreement governing the transfer of data between the EU and the US. Mike Small and Annie Bailey join Matthias to have a first look as analysts (not lawyers) at this potential milestone for data privacy between the European and the US regions.
Secure Collaboration solutions focus on enabling data-centric security to facilitate virtual collaboration. Annie Bailey talks with Matthias about this market segment that provides increasingly flexible, interoperable, and therefore even more secure solutions.
Matthias invites John Tolbert to discuss Fraud Reduction Intelligence Platforms (FRIP) with him. Discover the evolving landscape of fraud prevention and detection, the key technologies used in FRIPs, and their broader applications beyond fraud reduction.
Gain valuable insights from the latest edition of KuppingerCole's Leadership Compass and explore how these platforms are shaping the future of identity assurance and security.
Annie Bailey and Matthias continue their conversation around privacy, targeted marketing and the end of the era of the 3rd party cookie, that they started two weeks ago. They discuss the characteristics and the pros and cons of upcoming approaches, while this technology area is still continuing to evolve.
"Privacy and Consent Management" is an exciting topic in a continuously changing market. Annie Bailey has just completed her latest Leadership Compass, which researches this market segment. To mark the release of this document, she joined Matthias for an Analyst Chat episode where she talks about the innovations and current developments.
In A Nutshell
In the episode 108 “Privacy & Consent Management” Matthias hosts Anne Bailey.
Q: “From a definition point of view, what do we need to think of when we talk about privacy and consent management?”
Anne: “Yeah. So this is one of those terms where you could spin it in a lot of different ways, you know, privacy is so much in the public discourse that it doesn't really have a concrete definition anymore. So I thought it might be useful to get us all on the same page before we talk any more about it. So the way at least I have defined privacy and consent management in this most recent report. It's, of course, considering organizations and it's their administrative and governance capabilities over data privacy within their organization and of course, the tools and the solutions that are there to make that happen. So you could think of it then in a simplified manner about the capabilities that such a tool or a solution would have to the first group of capabilities, would then to be able to manage any incoming signals about privacy and consent. So these are things like being able to manage cookies and trackers that are on websites, being able to accept and then implement those consent or preference choices that an end user would make. And that would be over the range of different channels. So on a smart TV, on a mobile device, on a website, over the phone, via email in person interactions as well, should be considered. So that's all about managing the incoming signals. But what's also very important as well is the organization's ability to take care of their own internal management of privacy. So being able to govern sensitive data, which is in the organization and private data, being able to document their steps towards compliance and something which is a buzzword in this most recent report is being able to operationalize privacy.”
Q: “Recently, you published an updated version of your Leadership Compass report, which compares providers and services. What are the changes in the market that you can observe that you want to share with us?”
Anne: “Yeah. So this is an especially dynamic market area. Things are always changing. And so we can see some pretty big market changes between the report which published 18 months ago or so and the one which just came out this week. And that's in the types of vendors that were interested in participating. So what we saw in the last report were a lot of vendors that really focused on being able to manage those incoming signals, so being very focused on cookie management, on being able to collect consents and preferences and make sure that those are all able to be implemented in the many different connected systems within an organization and all the downstream vendors that may impact. Very focused on this incoming flow of information from end users. And what we saw, which was different in this report, is that there were more vendors that are really focused on data governance and using that as a foundation for privacy. So being able to operationalize and take action within the organization to further their privacy goals. And so we could think of that as an example. So being able to identify a privacy weakness of some sort in a process and then from that same administrative screen, then be able to do something to address that weakness. I guess we could go into more concrete details on what that could be. So, you know, if there was a scan done on a database and that scan returns the notification that there is private information in this database, there would then be the chance to leverage automation to go and anonymize those sensitive fields. So you're then connecting information about the status of privacy in the organization with an action to then improve it. So that was something that we noticed among several of the vendors that they're moving more in this direction. And that also does connect back to the relationship between the end user and the organization. 
So there was a big focus on being able to provide support for data subject requests and being able to process those. So in the same way of operationalizing privacy, if a consumer then submits a data subject request, the administrator would then be able to scan and automatically compile a report containing their personal information rather than needing to do that manually.”
Q: “Vendors offer products and services globally. Do you think they can catch up with changing privacy and consent requirements?”
Anne: “Mm-Hmm. Yeah. And frankly, this is really hard to stay up to date with because given our very globalized presence on the internet and connection with consumers all around the world, many organizations do have to stay up to date with the regulations that are not just for their own jurisdiction and in the region where they reside, but they have to pay attention to where their customers are, where any of their downstream suppliers or, you know, MarTech partners may reside and where this data is moving. So they have to be aware of a much wider legal domain than they've been used to before. And as I mentioned before, this is a really dynamic space. And part of that is because there are many privacy regulations which are being released all around the world. So this is something that we've identified as a really key capability in privacy and consent management tools, is that having some basis, some support from legal experts in-house to be able to keep up with all of these changing regulations and be able to pass that knowledge down to their customers is a really valuable thing.”
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Senior Analyst and Lead Advisor with KuppingerCole Analysts. My guest today is a Senior Analyst for KuppingerCole as well. Annie Bailey. Hi. Good to see you. Hi. Good to be back. Great to have you back. And back is the right term because we are back at a topic that we covered way back when there was no video in that podcast. When we talked about the end of the third party cookie and an initiative, a concept created by Google that was called FLoC.
And we looked at that, yeah, at that time and what that meant for privacy, for ad serving, for business on the Web in general. So if we start with that topic and we wrap up because we want to continue the story here, what are third-party cookies and why do we want to get rid of them still? Yeah. So this idea of third-party cookies, of course, comes from the idea of cookies, which began as a functional aspect to interacting on the web. So you can think of it most easily in e-commerce situations where you need to have a shopping cart and the decisions that follow you from screen to screen.
So a cookie allows that to happen. And these do have legitimate purposes for this functionality for analytics. And third party cookies sometimes also enable this, but also really get a bad rep for enabling cross-site tracking, for retargeting of personalized ads, and for actually serving those ads. And so there are several privacy issues with the overuse of third-party cookies and the third very pervasive tracking, which happens with that. And so back in March of 2021, Google did announce that they would be phasing out the support for third-party cookies on their browser on Chrome.
And yeah, this is where we stood back then. And that's still, for the most part, the status quo. Google's still looking at phasing out those cookies. And we're back to talk about it. Right. So why would a company which heavily relies on its business model on ad serving, on understanding their users, why would Google want to do this at all? Why do they want to do that? Yeah, that's an interesting question. I perhaps take a pretty skeptical or cynical look at this, but I see it as a great publicity stunt, you know. Third-party cookies, they're very much in the public eye.
And it's a concept that people can easily get their feathers ruffled about it and demand change. So this is something that Google does have influence over. Their search engine and YouTube are just two monstrous examples of how much dominance they have in the space for individuals to be searching and then be interacting with cookies. What the interesting thing is, is they have more than enough space to host their own first-party cookies. And most of their revenue would come from that. The revenue which comes from third-party cookies is relatively small, is likely microscopic.
And they're in the position to then redesign the replacement of third-party cookies. So they can probably maintain that revenue that would have been lost by third-party cookies. All right. So when we think back to the last episode that we did around that topic, there was this first proposal around which was called FLoC. And I had to look it up, Federated Learning of Cohorts, and we looked at the privacy implications of that. And since then, this has been rejected, I assume, and there was a new proposal.
But if you can give a short overview of these two alternatives, what did they look like, and what was the idea behind that to make it more privacy friendly? Maybe? Mm-hmm. Yeah. So the concept was to enable interest-based advertising instead of tracking. And its goal was then to not track but observe the recent browsing history of users and then to group them into cohorts based on similar interests.
These new, new cohorts would be assigned weekly, would be very current, but it would be using cumulative browser history. So as time goes on, it becomes only more and more accurate. There were some or there were many complaints from privacy advocates about this, especially that it would become only ever more accurate and not work with identifiers for individuals. But over time, the fear and the prediction was that these cohorts would be good enough to very accurately identify an individual which then puts their privacy at a very large risk. Right.
So but what is then the new approach that they're proposing as of now? So the new approach can sound very similar. It's called Topics API based, where the browser again learns about the user based on their browsing behavior. But this is done in a three-week chunk. And from this, it would assign a user to a topic. And now differing from FLoC, their previous solution, the topics are predefined. So this is not a group which is becoming only ever more and more accurate based on characteristics, but it's things like travel or running or technology.
So there are things that are less specific and this is then kept at a less specific level because when a site supports this topic API for ad serving, the browser would then pull three topics that that user has been placed in at random from their top five. And then the website would share these topics with advertisers for ad serving.
And yeah, this is the new proposal. It's planning to become available out of their privacy sandbox in Q4 of 2022. Right. So you've mentioned it already. It can sound very similar to FLoC. So we are still assigning users to a kind of group, a kind of topic.
Well, so why is it supposed to be better? Where are the differences? Yeah. So the similarities are in that the user browsing history is still observed and the decision of how to categorize that user is still based on their recent browsing history. The differences come in how specific that topic is, hence the name or if it's more general...
excuse me, that the topic is much more general rather than the very specialized cohorts. They're really customized and ever being shaped to the individuals who were placed in there. So you can think of it as, as cohorts looking at characteristics of tendencies of ideas of sensibilities rather than a topic which is just itself, a topic, theoretically you shouldn't be able to cross identify an individual just by the different topics that they're in.
If only the top three topics are being shared with a website, it's going to be things like travel and cooking and perhaps you're shopping for a new car. Then yeah, who knows, a Porsche. So with that information should be much less likely to identify an individual based on their topic. Another difference between FLoC and topics is the fact that they're cumulative versus non-cumulative grouping. What you mean by that is that FLoC tended to be a cumulative decision based on the entire browsing history.
And so that would take in the sensibilities over time as a person branched from one interest to another. This would span the different shopping seasons for different holidays, different seasons, different needs, different ideas that come over time, different reactions to current events. So you can see that a cumulative view of a person really does give a much more holistic view and therefore much more personalized. It's very useful to advertisement or advertisers for giving a personalized experience, but that is encroaching on the privacy of those users.
When we move to a non-cumulative decision to place a user under a topic, it's of a very short period, relatively three weeks. And so this cut off that long-term view of who a person is based on their browsing history. And we've heard hints of this and we'll see what it looks like when topics is released. But users should have the ability to see what topics they are associated with and even to remove topics permanently so that they cannot be associated with certain topics. So that is... that promise of user control is a really interesting advancement here. It could go even farther.
In my opinion, it would be really useful and much a different take on privacy if users would be able to indicate topics that they actually would like to see advertisements for. You know, if you happen to be in the market for new tennis shoes as an individual user, wouldn't it be great if all of a sudden you could start to see deals and offers on the thing which you are interested in? So if they're out there and they hear us, perhaps they'll think about adding that functionality. Right.
So talking about privacy, I think from what you've described and what this concept contains, I think it could be an improvement when it comes to the privacy implications of this mechanism compared to FLoC and compared to the third-party cookie. If I'm reduced to say three topics, and that is based on my browsing history for the last three weeks. What does that mean for privacy on the one hand, and what does that mean for those who are doing business based upon this limited information? Yeah. So on a privacy aspect, this is a step forward.
It's going to be much less likely to re-identify a user just based on their topics. And that will always be changing and again, changing at a general level, not continuously improving in their specificity. The question is, is what happens to the ad providers and those who are then depending on this topic API to deliver personalized ad experiences or any other functionality. Because this does keep the information at a very generalized level. And you could take it a couple of different ways.
You could call it obfuscating and obscuring, rather, or you could call it just overly simplified views of individual people. And it's hard to deliver that personalized experience to an overly simplified person. So in a sense, likely ad observers and the ad industry is going to have a difficult time with this, which could only solidify Google's position as a monopoly over this space since their main revenue area is very well protected. So they may be weeding out the competition here with this. Right.
If you look at these topics and you've mentioned that they are very generic, very general if we look at those. Nevertheless, I think that would be an option to have topics that cover sexuality, political views, maybe gender, race, any kind of this. Does that not also lay open too much, disclose too much information about the person when it comes to making sure that, I don't want to know the advertiser, to know anything about that? Yeah. So from where we stand today, topics will exclude these sensitive categories of gender, of race. But the question is, how far is that extended?
You know, what is going to be determined as a sensitive category, and will not some be left out? You know, there's hope that with these user controls, an individual would then be able to look through and adjust and make sure that they're not disclosing information that they don't want anybody to know. But this combination of topics may still indicate, you know if you have if we're sticking completely to stereotypes. But if your topics are in, you know, children, makeup, and health food, then perhaps it's clear what your gender is, even though you haven't communicated it.
And so the use of this and the way that this information may be combined to then not go to the extreme of cohorts, but to create cohorts at a more generalized level, that's still information which can be used. So this may end up with spinoff attempts to profile individuals. And I think that over time, there could be a collection of information because the browser ID won't change. And if you add these different types of topics over time, you might want to get to a more complete picture of a person.
One thing that strikes me is, that it's again Google that is providing this next approach for solving the third-party cookie challenge. Is Google the only player that is big enough to change this market? Why Google? Well, Google is an incredibly strong player here and since most people end up using Google as a search engine, although others exist, they tend to make the news on this with larger splashes than perhaps others. But they are, of course, not the first. And in fact, they could be considered lagging in taking a position on third-party cookies.
Firefox did this in 2019, Safari from Apple, iOS took a stand on this in 2020. So if Google has only started this in 2021 it's a very reactionary position. They did react to the pushback from the privacy community regarding FLoC. So on the question, if Google is the only one who's big enough to change the market, perhaps you're entering more of a conversation now that the optimistic look at this is that there could be an effect and a voice loud enough that Google would hear on this. So we'll see.
There are ways that this could be improved overall, we mentioned just briefly earlier on these user controls. Wouldn't it be nice for a user to indicate what they would like to see instead of just passively saying, no, I don't want to be identified with that topic?
You know, if we could move a bit more towards really communicating a user's intention and seeing a reaction from the Internet back to that would be a really, really interesting direction to go. But it looks like we have to wait a little bit longer for that. Right. And we will have, of course, a continued look at this development, because last year we were also kind of critical towards the privacy implications of FLoC way back then already. And that has been then stopped and no longer been pursued.
Now we have these topics and let's wait and see when they come out for the general public and whether they are adopted by other browser vendors as well, and whether this is a concept that is more privacy-friendly. So we will have a look at that and continue this evaluation. For the time being, Annie, that was really interesting to learn more about this new privacy-related and tracking-related information regarding what other browser vendors already have driven these ad serving organizations, too by saying, Okay, we do no longer accept by default the use of third-party cookies.
So that has changed and that has driven organizations like Google to find new solutions. Let's wait and see whether they will stand the test of real-life for ad serving. Any final thoughts before we close down? My final thought would be, Let's wait and see. These are early days for topics and we need to see, as you rightly say, who adopts this and who decides that it has no place in their ecosystem as publishers may choose to do. WordPress had decided FLoC was not welcome and they would not be accepting that API. So we'll see who adopts and who doesn't. Right.
So maybe next year at the same time, the next approach. So looking forward anyway to talk to you soon again regarding your topics. And thank you very much for being my guest today. Thanks for having me. Thank you. And bye-bye.