“The Sell Sider” is a column written for the sell side of the digital media community.

Today’s column is written by Mathieu Roche, CEO of ID5.

The post-cookie identity debate is often presented as follows: users who authenticate themselves and provide their email address can be identified over time and across sites; all others are anonymous.

The above explanation is grossly simplistic and unrealistic because it doesn’t take into account the preferences and needs of three key stakeholders: users, publishers and brands:

• Most users are not ready to provide an email when visiting a website, and will see this requirement as far more privacy-invasive than other types of requirements based on a simple consent
• Most publishers are reluctant to create barriers to access their content, and cannot justify the additional effort to establish this type of relationship with their audiences
• Most brands don’t want to limit their targeting strategies to users they already know and have an email for. What’s more, only certain types of brands have a direct enough relationship with their consumers to collect their email address

For all these stakeholders, is there no solution beyond the login? Are they forced to forgo the benefits of personalization and granular performance measurement? How do they deal with large (80%+) pools of totally anonymous (and therefore undervalued) users? Must they resort to suboptimal methods like cohorts or panel-based measurement or contextual targeting to optimize their marketing activities? 

Logins are not the only solution

Fortunately, logins aren't the only way forward. Going back to the basic “brief” of personalization and measurement, we need to build a system that enables the individualization of users and devices in a transparent and controlled manner from two standpoints:

• The user, who must understand and accept being identified
• The publisher, who must control their users' identity and share it with whom they choose to protect their data assets

To address this identification challenge, we can use widely available information provided in HTTP requests, such as IP addresses, user agents and URLs, and combine them with first-party storage to individualize users and devices over some time, and across websites.

The F-word

I can already hear you say: "So you're basically talking about fingerprinting?!" In ad tech circles, fingerprinting is equally as insulting as the other F-word in primary school playgrounds. And so it should be, due to fingerprinting’s long-time association with intrusive, non-transparent, and uncontrollable practices applied. In dark corners of the ad tech world, fingerprinting is used to create persistent identifiers without users’ knowledge or approval and to steal data from publishers. 

But the fingerprinting approach that publishers and regulators fear happens on the buy side. The DSPs, ad networks and retargeting ad tech companies that are recipients of these signals, via HTTP requests or even via server-side protocols such as openRTB, create persistent user identifiers that neither end users nor publishers know about or control. This is the fingerprinting practice that, as an industry, we must combat. 

If such a probabilistic method is instead driven by publishers, it can create a common currency across the Open Web and enable brands to access inventory and audiences at scale. It is an entirely new way to create user identifiers.

The real challenge of user identification is to create a consistent ID available across domains and applications. Third-party cookies and MAIDs made this task easy by being accessible everywhere, but they are already, or will soon be, a thing of the past. 

It is therefore  up to publishers and app developers to create and store user identifiers, and in doing so, pass signals to identity providers who reconcile these IDs across domains 

User emails, hashed consistently, can provide this stable cross-domain signal - but as we have seen, their scale is  quite  limited. The next best thing, and  by far the most scalable approach, is to use a combination of "soft signals” (including IP address, user agent, page URL, page referrers, etc.) combined with first-party storage mechanisms like first-party cookies or local storage and powered by algorithmic processes. 

By applying this method on the sell-side, we can connect first-party identifiers and make them consistent (i.e., stable) across websites or applications, creating a currency on behalf of publishers. enabling them to make their audience identifiable to the brands they work with.

Transparency, consent and data protection

To be legitimate (or even legal in some countries), this process must be based on users' understanding and approval. 

Consent Management Platforms, which are now commonplace in Europe, provide publishers and users with a good infrastructure to handle this interaction. Website owners themselves (publishers and brands),      must initiate this identification process via technology solutions like Prebid and/or by engaging into direct contractual relationships with ID vendors. And last but not least, this approach must be protective of these sites' data assets and therefore be secured via encryption, and distinct from the distribution of user data itself. 

By implementing transparency, user consent, and data protection mechanisms at the core of user identification, we can expand above and beyond logins and create a truly scalable framework that works for users, publishers and brands. In doing so, we can maintain the advertising business model that makes the Internet a sustainable, vibrant and creative source of content and services. This is our challenge for 2021.