Guidesidentity resolutionprogrammatic advertising

Identity in AdTech: Understanding the ID Problem

third-party cookiescookie syncinguniversal IDs (UIDs)deterministic dataprobabilistic dataGDPRCCPAATT (App Tracking Transparency)IDFAGAIDPrivacy Sandboxcontextual advertisingfirst-party datadevice graphscookie match rateCTVretail mediaDSPSSPDMPwalled gardensGAMA

When advertising moved online from the print world in the late 1990s, the biggest opportunity for advertisers was the ability to reach people on an individual basis.

They no longer had to rely solely on contextual targeting. Advertisers could now build audiences based on interests, behaviour, and location, then serve ads to those audiences as they moved around the web.

This capability became the backbone of online advertising — yet despite two decades of technological advancement across platforms (DSPs, SSPs) and processes (RTB), one challenge has never been fully resolved: identity.

The identity problem in AdTech comes down to three core tensions:

  • Every player in the online advertising ecosystem depends on accurate user identification. Publishers need it to earn ad revenue; advertisers and agencies need it to run targeted, relevant campaigns; AdTech vendors need it to justify their platforms to buyers and sellers alike.
  • There is no persistent ID in web browsers, making consistent identification genuinely difficult to achieve. To bridge the gap between platforms, the industry has relied on cookie syncing — a process that is now becoming obsolete as major browsers drop support for third-party cookies. This shift is opening the door to alternative solutions, most notably universal IDs. But universal IDs carry their own limitations: they are difficult to scale and raise legitimate ethical concerns around detailed user profiling.
  • The walled gardens — Google, Apple, Meta, and Amazon (collectively referred to as GAMA) — sit on vast stores of deterministic first-party data that allow them to identify users across the web and across devices with high accuracy. This is a significant competitive advantage that independent AdTech vendors, publishers, and media companies struggle to match.

Each of these tensions is worth unpacking in detail.

1. Why Identifying Users Across Websites and Devices Matters

The ability to identify an individual browsing the internet is foundational to the entire online advertising system:

1. Monetization for publishers

The more a publisher knows about a visitor, the higher the ad revenue it can attract. Advertisers bid more aggressively when they can verify that a visitor belongs to their target audience.

2. Revenue for advertisers

Advertisers want to reach specific audiences. When a member of that audience lands on a publisher's page, the advertiser will submit a higher bid to win that impression. Accurate identification is what makes that precision possible.

3. Relevance for users

Although most people are understandably uncomfortable with ads that follow them around the web, many users will engage with an ad when it is genuinely relevant — an upcoming Metallica concert at CenturyLink Field, for instance, would reasonably interest a heavy-metal fan living in Seattle.

4. Measurement and attribution

This dimension of the identity problem is frequently underestimated. Global digital ad spend is estimated to reach $870 billion in 2027. Without a reliable way to identify users as they move across the internet and devices, tracking performance and allocating budgets accurately becomes extremely difficult.

Bottom line: The online advertising industry is structurally dependent on identification.

2. The Problem With Cookies on Desktop Web Browsers

Despite the rise of newer channels like retail media and CTV, display advertising on web browsers remains a significant part of the advertising mix. The challenge is that accurate user identification across browsers is constrained by a fundamental limitation of cookies: a cookie created by one domain (say, an SSP) cannot be read by a different domain (say, a DSP).

This means there is no shared common ID for a given user across the different platforms and websites involved in any given ad transaction — leading to missed opportunities on both sides of the marketplace.

The industry's historical workaround has been cookie syncing: matching the cookies belonging to different AdTech platforms in order to establish a shared understanding of who a given user is.

Here is a high-level overview of how cookie syncing works between a DSP and a DMP:

While cookie syncing works in theory, in practice it is a time-consuming process that increases page-load times, degrades user experience, and creates gaps in data for both publishers and advertisers.

Match rates between different platforms are also inherently imperfect. A 40–60% match rate is generally considered acceptable — but the more platforms involved in the syncing chain, the lower that rate tends to fall.

This degradation is partly attributable to cookie churn: cookies lost because users delete them, block third-party tags, or browse in incognito/private mode. Browser-level privacy features, such as Safari's Intelligent Tracking Prevention (ITP), compound the problem further.

The End of Third-Party Cookies and the Rise of Universal IDs

Third-party cookies synced between platforms have long been the default mechanism for tracking behaviour across sites and enabling targeted advertising. Over time, however, privacy concerns have accumulated — and regulation has followed.

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both introduced requirements that constrain how user data can be collected. Under GDPR, websites must obtain explicit consent before setting any cookies that process personal data. That consent must be informed, freely given, specific, and unambiguous.

Browser makers have acted in parallel. Safari and Mozilla block third-party cookies by default. Google Chrome remains the last major browser still supporting them — but that support is scheduled to end in 2025.

The downstream effects of losing third-party cookies are significant:

  • Reduced ability to recognize users across devices and websites
  • Less effective campaign measurement and attribution
  • Degraded targeting precision
  • A less personalized experience for users

In response, advertisers and marketers have been exploring alternatives:

Contextual advertising: Displaying ads that are relevant to the surrounding page content, rather than to a known user profile.

Zero- and first-party data collection: Gathering data directly from customers and prospects to build owned audiences available for targeting.

Data clean rooms: Secure environments that allow publishers and advertisers to collaborate on data analysis without exchanging raw user data.

Universal IDs (UIDs): Hashed and encrypted user identifiers built from deterministic data — such as an email address or phone number — that can be securely shared and matched between companies.

How Universal IDs Work

Universal IDs are not a new concept, but they have gained considerable momentum as the industry moves toward a post-third-party-cookie environment.

A universal ID is a unique identifier that enables AdTech companies to recognize users across various websites and devices. These IDs are typically generated using deterministic and/or probabilistic data and are often stored in first-party cookies.

Probabilistic data examples: IP address, browser type and model, user-agent string.

Deterministic data examples: Email address, phone number.

Universal IDs can function within a single environment (such as a web browser) or across multiple environments (such as web browsers and mobile apps). In cross-environment cases, device graphs are used to correlate IDs from web browsers with IDs from other devices — for example, mobile advertising IDs from smartphones.

With universal IDs, companies can leverage consented user data to continue delivering targeted advertising.

IDs in In-App Mobile Advertising

The cookie-based identification model described above applies to web browsers — including mobile browsers on smartphones and tablets. But when it comes to identifying users across native mobile apps, the mechanism is different: companies rely on the device's mobile advertising ID.

When an ad request is sent from a native app on a smartphone or tablet, the device ID is passed directly in the bid request. Unlike web cookies, mobile device IDs are deleted far less frequently, making them a more reliable persistent identifier.

Both Apple and Google have developed their own device identifiers to support advertising while navigating user privacy concerns.

Apple's Identifier for Advertisers (IDFA) is a randomly assigned device ID given to each Apple device. It allows advertisers to track user activity and measure ad performance across apps. With the introduction of iOS 14.5, Apple significantly strengthened user privacy through its App Tracking Transparency (ATT) framework, which requires third-party apps to obtain explicit user consent before accessing the IDFA.

Google's Advertising ID (GAID), introduced in 2014, performs a similar function for Android devices — enabling advertisers and developers to analyze ad performance and user interactions, roughly analogous to how cookies work on web browsers.

Google is planning to phase out GAID in favour of its Privacy Sandbox on Android, a broader initiative aimed at preserving user privacy while maintaining support for targeted advertising. Under this framework, the functions currently powered by GAID would be handled by dedicated APIs:

  • The SDK Runtime for sandboxing SDKs
  • The Topics API for ad targeting
  • The Protected Audiences API (formerly FLEDGE) for audience-based and remarketing use cases
  • The Attribution Reporting API for attribution reporting

Bottom line: Third-party cookies are on their way out. Universal IDs are the most viable near-term alternative — but compared to third-party cookies, their scale and reach will be more limited, at least initially.

3. The Walled Gardens

Alongside the broader industry debate over identity solutions, a structural competitive tension persists between the walled gardens — Google, Apple, Meta, and Amazon (GAMA) — and the hundreds of independent AdTech vendors competing for a share of advertiser budgets.

GAMA is expected to capture almost two-thirds of US digital advertising spend in 2024. Newer walled gardens in CTV and retail media are also accumulating large proprietary data assets, adding further competitive pressure on independent AdTech.

The connection to identity is direct: a company that can accurately identify users across websites, browsers, and devices can offer advertisers more precise targeting. The closed ecosystems of the walled gardens, which collect vast volumes of detailed first-party user data, give them a targeting capability that independent AdTech platforms find difficult to match.

Bottom line: Independent AdTech companies need to solve the identity problem in order to compete meaningfully with the walled gardens and give advertisers and publishers a compelling reason to diversify their spending.

How ID Solutions Work

Traditional ID Solutions (Pre-Universal IDs)

The original identity infrastructure in programmatic advertising rested on three pillars: third-party cookies, cookie syncing, and mobile device IDs.

Third-party cookies are small data files set by websites to track behaviour across multiple sites, enable ad targeting, and build user profiles. Privacy regulation and browser policy changes have steadily eroded their viability. Safari and Firefox blocked them by default years ago; Chrome is set to follow.

Cookie syncing, as described above, was the workaround for aligning cookie-based IDs across platforms. It was always inefficient — introducing latency and degrading match rates — and it will become functionally obsolete once Chrome removes third-party cookie support entirely.

Mobile device IDs — Apple's IDFA and Google's GAID — offered a more durable alternative on the mobile side. Both are being constrained by privacy changes: Apple's ATT framework has significantly limited IDFA access, and Google's Privacy Sandbox for Android is expected to eventually replace GAID.

Modern Universal IDs

In response to the end of third-party cookies, a range of AdTech, data, and identity companies have developed modern universal ID solutions (sometimes called "alt IDs").

These solutions use probabilistic and/or deterministic data — email addresses, phone numbers, IP addresses, and similar signals — to generate persistent identifiers that can be used to:

  • Run behavioural and audience-based targeted advertising campaigns
  • Build and maintain user profiles
  • Execute retargeted ad campaigns
  • Perform measurement and attribution

Despite their potential, universal IDs carry meaningful limitations:

  • Market fragmentation: There are many universal ID vendors operating without a common standard. Each uses its own methods for collecting and processing data, which complicates interoperability.
  • Scale constraints: Universal IDs depend on the availability of first-party data, such as email addresses. Because that data is less universally available than browser cookies once were, universal IDs do not scale as broadly. There is also a risk that browsers could introduce further privacy constraints that limit or block universal ID creation.

The diagram below illustrates how The Trade Desk's Unified ID 2.0 (UID 2.0) works:

Full UID 2.0 documentation is available here.

The Future of ID Solutions in AdTech

As with most structural shifts in AdTech, the success of identity solutions will depend on broad adoption across the ecosystem.

The history of universal IDs illustrates just how complex this space is. Early projects have been restructured, discontinued, or superseded. DigiTrust, one of the first universal ID initiatives, was phased out after failing to adapt to evolving privacy norms. Unified ID 2.0 and RampID subsequently evolved to better align with both industry requirements and regulatory expectations, with a stronger emphasis on transparency and user control. The European Universal ID (EUID) has emerged as a regional variant of this approach.

Google's ongoing difficulties with its third-party cookie deprecation timeline underscore the broader challenge of balancing user privacy with the commercial mechanics of digital advertising. The plan has faced multiple delays, and the eventual launch of Privacy Sandbox is partly contingent on decisions by the UK's Competition and Markets Authority (CMA).

Through all of this turbulence, one directional signal is clear: first-party data is becoming increasingly valuable. Advertisers, publishers, and media companies that invest in first-party data collection and infrastructure will be better positioned to navigate whatever identity landscape ultimately emerges.

<Related />