Dynamic retargeting platform Criteo says it has developed a solution for personalized advertising that doesn’t require third-party cookies – which means it can run on Apple’s Safari browser on iOS devices, as well as other browsers that block third-party cookies by default.
The iPhone's default browser blocks third-party cookies, but Criteo thinks it has a way around this roadblock
Criteo’s solution enables advertisers to use retargeted ads on iPad and iPhone, as long as the user actively consents to receiving personalized ads.
Apple’s decision to block third-party cookies on its devices has been a major setback in mobile advertising, because it prevents advertisers from identifying incoming users and attaching data to them for targeting purposes. Better audience targeting is one of the key promises of programmatic, but Safari’s default Do Not Track settings mean a large segment of users are off-limits. The iPhone’s dominance of the smartphone market is the chief reason why, according to Casale Media, 63% of Canadian mobile web ads bought on exchanges don’t have cookies associated with them, compared to only 11% on desktop.
But Criteo may have found a solution – one that treads the fine line between respecting user privacy and delivering customized, relevant ads on mobile.
Targeting without third-party cookies
Cookies work the same way on desktop and mobile browsers. They’re bits of data inserted into the browser that websites use to keep track of who a given user is and tracks certain data points – like their shopping cart items, remembered passwords, or CRM data. Cookies can also tell advertisers which pages a user has visited, in case it wants to send them ads related to those pages (a.k.a. retargeting).
Cookies can only be read by the site that creates them. So in order to establish that a user who visits site A is the same user that visits site B, a cookie needs to be dropped by a third party that’s present on both sites (usually via a tiny link called a tracking pixel). Browsers that implement Do Not Track prevent third parties from dropping cookies on sites they don’t own, which makes it impossible to connect the user’s identity and data on site A with their identity on site B.
Criteo’s solution involves a simple but clever trick. When a user visits a Criteo client’s website, they’re directed to a notification page which asks for permission to deliver customized ads. But the notification page is hosted on a domain that Criteo operates, so if the user gives consent, Criteo can drop its cookie as a first-party cookie, as though it was a publisher, before directing the user back to the main site. When the user visits another Criteo client, they’re shown the notification again; if they say yes this time, Criteo can read the cookie it set on the previous notification page. So Criteo can verify that it’s the same user on both sites, much as it would with a third-party cookie on a non-DNT browser.
It’s essentially using a notification pop-up the same way sites typically use tracking pixels. But it’s also a two-birds-one-stone approach. By showing the notification, Criteo is both getting the user’s consent to deliver customized advertising and dropping the cookie it needs to serve those ads.
It also falls into a grey area between first-party and third-party cookie targeting. From a technical standpoint, the browser interprets Criteo cookies as first-party, since Criteo is dropping cookies on its own domain. But since Criteo is neither an advertiser nor a publisher, it doesn’t seem to fit the definition of a “first party” in the transaction between users, advertisers and publishers. So is Criteo respecting Do Not Track? Or is it just circumventing it?
Is Criteo a first party?
Unlike most third-party cookie tracking, consent is at the heart of Criteo’s solution. Its notification asks for the user’s consent not just once, but with a second, ‘Are you sure?’ page. Jason Morse, Criteo’s vice-president, mobile product, said the company came up with the double opt-out after reviewing privacy policies used by European publishers and privacy groups. The goal, he said, was to respect the intent of Apple’s cookie-blocking policy.
“We spoke with some of our advertisers, and we looked at the industry standard for cookies in Europe, and said ‘wouldn’t it make sense if we, as the ad technology provider on our advertiser websites, provided a notification that we were going to drop [a] first-party [cookie]?” he said. “And if the user is okay with that, we’re able to provide value to our advertiser clients and the user as well with more relevant advertising.”
In other words, Criteo is initiating its own direct conversation with the user, making it a first party in a new transaction between user and ad tech provider.
Of course, using a double opt-out form bears the practical risk that most users will just say no, and the solution won’t work. But Morse said that’s unlikely. “As far as the opt-out rates, we did talk with several of our publishers and advertisers to get a rough idea of what to expect, and it was very low.”
Criteo intends to use its cookies for behavioural retargeting only, rather than more ambitious targeting methods that use demographic data, purchase history, GPS coordinates or other personal information. Clear limits on what data is being collected, and what it can be used for, may help convince users to opt-in.
Morse said that in the tests the company has done with clients, “there was a real, immediate impact for our advertisers. We’ve been rolling it out steadily since, and have seen really strong results.”
