6 Alternatives to Third-Party Cookies and Mobile IDs in AdTech

Ever since Google Chrome announced in January 2020 that it would be shutting off support for third-party cookies within a few years, companies operating in the programmatic advertising industry have been searching for reliable and effective alternatives to keep their core processes running.

The truth is that third-party cookies had already been losing ground well before that announcement. Both Safari and Firefox block third-party cookies by default and have placed restrictions on other identification methods to prevent cross-site tracking — which is the primary purpose of third-party cookies in programmatic advertising.

More recently, Apple introduced changes to its mobile advertising identifier (IDFA) to strengthen user privacy across iOS, iPadOS, and tvOS. Google has also signalled that it will be restricting access to its advertising ID on Android (GAID) as part of its Privacy Sandbox initiative for Android-powered devices.

This article explains the role third-party cookies and mobile advertising IDs play in programmatic advertising, outlines the privacy changes introduced over the past several years and their impact on the industry, and covers the six main alternatives that have emerged.

Key Points

  • Third-party cookies are a storage mechanism in web browsers. When created, they can store various types of information, but for programmatic advertising purposes they typically contain a unique identifier (ID).
  • Mobile IDs are used on mobile devices to identify individuals inside mobile apps.
  • Both cookie IDs and mobile IDs are used to identify individuals as they move across different websites and mobile apps.
  • When an AdTech company can identify a user, it can use that ID to power key advertising processes, including behavioural targeting, audience targeting, retargeting, frequency capping, measurement, and attribution.
  • Over the years, privacy legislation from governments and policy changes from companies like Google and Apple have made creating and using third-party cookies and mobile IDs significantly more difficult.

Understanding Third-Party Cookies and Mobile Advertising IDs in Programmatic Advertising

What Are Third-Party Cookies and What Role Do They Play in AdTech?

Third-party cookies are a storage mechanism in web browsers. When created, they can store different types of information, but for programmatic advertising purposes, they typically contain a unique identifier (ID).

That ID is then used to identify individuals as they visit different websites across the internet.

There are two main types of cookies worth distinguishing:

  • First-party cookies are created by the website the user is currently visiting.
  • Third-party cookies are created by websites other than the one the user is visiting.

From a purely technical standpoint, both types are identical — the only difference is the relationship between the cookie's origin and the user's current context.

Third-party cookies have been the backbone of programmatic advertising for well over a decade. Typically, an AdTech company — such as a supply-side platform (SSP) or demand-side platform (DSP) — creates a third-party cookie either by placing its code on a website or via a process called piggybacking.

Once the AdTech company has created a cookie for a user, it can recognize that same user when they visit another website carrying the company's code, or again through piggybacking.

When an AdTech company can identify a user, it can use the ID in that cookie to power key advertising processes, including:

  • Behavioural targeting
  • Audience targeting
  • Retargeting
  • Frequency capping
  • Measurement
  • Attribution

What's Happening With Third-Party Cookies?

Although third-party cookies power critical programmatic advertising processes and enable advertisers to reach target audiences while helping publishers earn ad revenue, they raise significant privacy concerns.

When AdTech companies began using third-party cookies in the 2000s, the process of creating and sharing cookie IDs went largely unnoticed. It wasn't until mainstream media picked up on the mass collection of user data and cross-site tracking that internet users, privacy advocates, and governments began paying attention.

The European Union was the first government to act. In 2009, the EU amended its 2002 ePrivacy Directive in what became commonly known as the cookie law. A key requirement was that websites had to display a banner informing visitors that a cookie would be created during their session.

Since then, privacy legislation has continued to tighten, and major technology companies have independently made changes to their products to further reduce cross-site tracking. Both forces have steadily eroded the availability of third-party cookies.

The reason is straightforward: the most direct way to increase user privacy on the internet is to make it harder for companies to identify individuals — and identifying individuals across different websites is the core function of third-party cookies.

Here is an overview of the major changes that have affected the availability of third-party cookies:

1994: Lou Montulli and John Giannandrea invent cookies while working at Netscape.

2006: Adblock Plus, one of the most widely adopted ad-blocking tools, launches.

2016: The European Union publishes the General Data Protection Regulation (GDPR), beginning a two-year countdown to enforcement.

2017: Apple releases its Intelligent Tracking Prevention (ITP) feature.

2018: The EU's GDPR goes into force on May 25, 2018.

2019: Firefox releases its Enhanced Tracking Prevention (ETP) feature.

2020: Google Chrome announces it will deprecate third-party cookies by 2022.

2021: Google Chrome announces a delay, pushing the deprecation to 2023.

2022: Google Chrome announces a further delay, pushing the deprecation to 2024.

What Are Mobile IDs?

Mobile IDs — also called mobile advertising IDs — are identifiers associated with a user's mobile device, such as a smartphone or tablet. Because practically every mobile device carries a mobile ID, they are more persistent than web cookies. Users cannot disable or remove these IDs the way they can with cookies, but they can reset them at any time.

What's Happening With Mobile IDs?

Industry attention has historically focused on third-party cookies, but mobile IDs are now under equal scrutiny.

At its annual Worldwide Developers Conference (WWDC) in June 2020, Apple announced changes to how app developers and AdTech companies can access an iOS user's mobile ID — known as the ID for Advertising (IDFA). The changes require app developers to obtain explicit opt-in consent from users before accessing the IDFA on a given device. To facilitate this, Apple introduced the AppTrackingTransparency (ATT) framework.

These changes have had a significant impact on app developers and their ad revenue, as identifying individual iOS users and serving them personalized ads became considerably harder. For advertisers, reaching target audiences and measuring the performance of in-app mobile campaigns became a more difficult task.

Google has also made changes to how its Google Advertising ID (GAID) is accessed on Android devices. If an Android user opts out of personalized advertising, their GAID is not passed to the app developer. This has had a more limited impact than Apple's changes, since users must actively change the setting themselves rather than responding to a mandatory prompt.

Google has signalled that further GAID changes are coming as it plans to introduce its Privacy Sandbox standard on Android-powered devices.

What This Means for the Industry

When third-party cookies and mobile IDs are unavailable, identifying individuals becomes significantly harder. That makes it more difficult to serve relevant ads, measure campaign performance, and attribute ad views to conversions.

For advertisers, this translates to lower-performing campaigns, wasted spend, and reduced ROI. For publishers, it means lower ad revenue.

These pressures have driven the search for alternative solutions capable of powering the key processes that third-party cookies and mobile IDs previously handled.

6 Alternatives to Third-Party Cookies and Mobile IDs

| Alternative | Advantages | Disadvantages |
| --- | --- | --- |
| Universal IDs | They are the closest thing to third-party cookie IDs and mobile IDs. They allow publishers and advertisers to identify individual users. They offer accurate targeting and measurement. | Even though they can identify individuals, the match rates are lower than with third-party cookie IDs and mobile IDs. They raise similar privacy concerns to that of third-party cookie IDs and mobile IDs — i.e. individual users are still being identified. In order for the universal IDs to work, many companies across the ecosystem need to adopt them. |
| Data clean rooms | They offer a highly privacy-friendly option for activating first-party data across two or more parties (e.g. a publisher and a brand). | They require deterministic data (e.g. an email address) to match two data sets together, which can produce low match rates. |
| Google's Privacy Sandbox | Provides a more privacy-friendly option for audience targeting and measurement compared to ID-based alternatives. | Accuracy in terms of both targeting and measurement will be lower compared to ID-based alternatives. |
| The IAB Tech Lab's Seller Defined Audiences (SDA) | Similar to Google's Topics API proposal (part of Privacy Sandbox), SDA is a privacy-friendly alternative to ID-based audience targeting. | Because the seller-defined audiences are created by publishers, advertisers have no control over how they are created — they can only state the pre-defined audiences they want to target. |
| Self-serve ad platforms | Allow publishers to provide advertisers with direct access to their audiences without having to share any data with them. | For advertisers, having to create and run campaigns across various publishers (i.e. via their self-serve ad platforms) is tedious and time consuming. |
| Contextual targeting | It's more privacy friendly compared to behavioral targeting (e.g. via IDs) as it allows advertisers to reach their audiences without needing to use user-level data. | With pure contextual targeting, advertisers can only show ads based on the context of the page, meaning they can't use any user-level data to power the targeting, which can cause them to show ads that aren't relevant to users. |

1. Universal IDs and Device Graphs

A universal ID is a unique identifier that allows AdTech companies to recognize users across different websites and devices. Universal IDs are created using probabilistic data (e.g., IP address, browser type and model, user-agent string), deterministic data (e.g., email address or phone number), or a combination of both.

Some universal ID solutions operate within a single environment, such as web browsers. Others aim to identify users across multiple environments — for example, bridging web browsers and mobile devices. For cross-environment identification, device graphs are commonly used to match the IDs generated in web browsers with those generated on other devices, such as mobile IDs on smartphones.

Universal IDs emerged directly in response to the blocking of third-party cookies in Safari and Firefox, and the planned deprecation of third-party cookies in Google Chrome. They perform the same core functions as third-party cookies; the key difference lies in how the ID is created and maintained.

Many universal ID solutions also include a user ID or device ID graph. These graphs work by combining IDs and attributes collected from multiple sources — web browsers, mobile devices, and others — to power ID resolution services.

2. Data Clean Rooms

A data clean room is a software environment that allows two companies — for example, a publisher and an advertiser — to match their data together without either party gaining direct access to the other's underlying data. This secure data collaboration can power a range of programmatic advertising processes, including ad targeting and measurement.

There are two main types of data clean rooms: centralized and decentralized.

  • Centralized data clean rooms store data in a single location.
  • Decentralized data clean rooms store data in separate locations (e.g., on different servers).

Here is the basic flow for a decentralized data clean room:

  1. Both parties — for example, a publisher and an advertiser — encrypt their first-party data and upload it to the clean room environment.
  2. The clean room identifies similarities between the two data sets, such as hashed email addresses, hashed phone numbers, or hashed mobile IDs, and matches them together.
  3. The matched data can then be used for ad targeting, measurement, and analysis.

Unlike data partnerships where companies directly exchange user-level data (cookie IDs, device IDs, or IDs derived from hashed email addresses), data clean rooms match first-party data from both parties while preventing any user-level data from being exposed outside the clean room environment. Data is encrypted before being added, and all first-party data remains within the clean room rather than being shared externally.
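
The flow above can be sketched in a few lines. This is an added example, not code from the article or from any clean room product; it assumes keyed hashing (HMAC-SHA256 with a per-collaboration key) stands in for the encryption step, and the key, the minimum cohort size and all sample rows are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Assumptions (not from the article): a per-collaboration join key and a
# minimum cohort size below which the clean room releases nothing.
JOIN_KEY = b"constructed-demo-key"
MIN_COHORT = 2


def normalise_email(email):
    """Canonicalise so both parties derive the same token for one address."""
    return email.strip().lower()


def token(email, key=JOIN_KEY):
    """Keyed hash of the address. A bare SHA-256 could be reversed by hashing
    a list of known addresses; without the key that lookup does not work."""
    return hmac.new(key, normalise_email(email).encode(), hashlib.sha256).hexdigest()


def prepare_upload(rows):
    """Step 1, run by each party: swap the email for its token before upload."""
    return {token(email): attribute for email, attribute in rows}


def clean_room_report(publisher, advertiser, min_cohort=MIN_COHORT):
    """Steps 2-3, run inside the clean room: join on tokens, output aggregates."""
    matched = publisher.keys() & advertiser.keys()
    by_segment = Counter(publisher[t] for t in matched)
    # Suppress small cells so a released count cannot single out one person.
    released = {seg: n for seg, n in by_segment.items() if n >= min_cohort}
    total = len(matched) if len(matched) >= min_cohort else 0
    return {"matched_users": total, "by_segment": released}


# Constructed sample data: (email, publisher segment) and (email, CRM status).
PUBLISHER_ROWS = [
    ("alice@example.com", "sports"),
    ("Bob@Example.com ", "sports"),
    ("carol@example.com", "finance"),
    ("dave@example.com", "travel"),
]
ADVERTISER_ROWS = [
    (" ALICE@example.com", "purchased"),
    ("bob@example.com", "purchased"),
    ("carol@example.com", "purchased"),
    ("erin@example.com", "purchased"),
]

if __name__ == "__main__":
    print(clean_room_report(prepare_upload(PUBLISHER_ROWS),
                            prepare_upload(ADVERTISER_ROWS)))
```

Three users match, but only the "sports" cohort is released because the single "finance" match falls below the minimum cohort size.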

3. Google Chrome's Privacy Sandbox

Google Chrome's Privacy Sandbox, first announced on August 22, 2019, is a set of open standards designed to improve user privacy while maintaining an ad-supported web.

Similar to the concept of sandboxing in computer security, Privacy Sandbox executes advertising processes within a restricted environment — a significant departure from how those processes work today.

Privacy Sandbox consists of three parts:

  • Replacing cross-site tracking processes — specifically those currently powered by third-party cookies.
  • Phasing out third-party cookies by separating first-party and third-party cookies via the SameSite attribute and turning off support for third-party cookies entirely.
  • Mitigating workarounds such as browser fingerprinting.
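
As an added illustration of how the SameSite attribute separates first-party from third-party use (not code from the article), the following audit classifies Set-Cookie headers by whether Chrome would attach the cookie to cross-site requests. It assumes Chrome's current handling: a missing or unrecognised SameSite value is treated as Lax, and SameSite=None is rejected without Secure. The sample headers are constructed.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cross_site_verdict(header):
    """Classify how the cookie behaves when the setting site is a third party."""
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # Only this combination makes a cookie usable as a third-party cookie.
        return "cross-site" if "secure" in attrs else "rejected"
    if samesite == "strict":
        return "strict"
    # Missing or unrecognised value: treated as Lax, so not sent on
    # cross-site subrequests such as ad iframes or pixels.
    return "lax"


def audit(headers):
    """Return {cookie name: verdict} for a list of Set-Cookie header values."""
    return {parse_set_cookie(h)[0]: cross_site_verdict(h) for h in headers}


# Constructed sample headers (not taken from any real site).
SAMPLE_HEADERS = [
    "uid=abc123; Domain=adtech.example; Path=/; Max-Age=31536000; SameSite=None; Secure",
    "legacy_uid=abc123; Domain=adtech.example; SameSite=None",
    "session=xyz; Path=/; HttpOnly",
    "prefs=dark; SameSite=Strict; Secure",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {verdict}")
```

Cookies reported as "cross-site" are the ones that stop working once support for third-party cookies is turned off.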

The main standards being developed within Privacy Sandbox include:

  • Topics API — for running personalized advertising campaigns based on topics a user is interested in, derived from their web-browsing history.
  • FLEDGE — for running retargeting and audience-targeting campaigns.
  • Attribution Reporting API — for measuring the performance of ad campaigns, including attributing ad views and clicks to conversions.

These standards are being developed collaboratively between AdTech companies, agencies, publishers, the Google Chrome team, and Google's ad teams via the W3C Improving Web Advertising Business Group.

While still evolving, Privacy Sandbox represents a fundamentally different model for how online advertising operates.

4. The IAB Tech Lab's Seller Defined Audiences (SDA)

On February 24, 2022, the IAB Tech Lab released the first addressability specification from its Project Rearc initiative: Seller Defined Audiences (SDA).

SDA is designed to help publishers monetize their first-party data by creating audience cohorts that can be passed to demand partners (DSPs) via the OpenRTB protocol and Prebid. The specification builds on other IAB Tech Lab standards, including Audience Taxonomy, the IAB Tech Lab Data Transparency Standard, and the IAB Tech Lab Transparency Center.

SDA is intentionally designed to integrate with existing media-buying workflows and standards. The process works as follows:

  1. The publisher creates audience segments based on its first-party data.
  2. The publisher passes SDA IDs to DSPs via OpenRTB.
  3. DSPs evaluate the segment IDs and decide whether to bid on the impression.

This approach keeps the publisher in control of its audience data while still making that data actionable for demand-side buyers through familiar programmatic infrastructure.
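
The three steps can be shown from the DSP's side. This is an added example, not code from the IAB Tech Lab or Prebid; it assumes segments arrive in the OpenRTB `user.data` array tagged with `ext.segtax` (value 4 denotes the IAB Tech Lab Audience Taxonomy 1.1 in the OpenRTB segtax list), and the request, domains and segment ids are constructed placeholders.

```python
AUDIENCE_TAXONOMY_SEGTAX = 4  # Audience Taxonomy 1.1 in the OpenRTB segtax enum

# Constructed bid request fragment; ids are placeholders, not taxonomy lookups.
BID_REQUEST = {
    "id": "constructed-request-1",
    "site": {"domain": "publisher.example"},
    "user": {
        "data": [
            {"name": "publisher.example",
             "ext": {"segtax": AUDIENCE_TAXONOMY_SEGTAX},
             "segment": [{"id": "101"}, {"id": "202"}]},
            # No segtax: the ids cannot be interpreted as SDA cohorts.
            {"name": "other-vendor.example", "segment": [{"id": "999"}]},
        ]
    },
    "device": {"ua": "constructed-user-agent"},
}

USER_LEVEL_FIELDS = [("user", "id"), ("user", "buyeruid"), ("device", "ifa")]


def sda_segments(request, segtax=AUDIENCE_TAXONOMY_SEGTAX):
    """Collect segment ids from user.data entries that declare this taxonomy."""
    found = set()
    for data in request.get("user", {}).get("data", []):
        if data.get("ext", {}).get("segtax") != segtax:
            continue
        found.update(s["id"] for s in data.get("segment", []) if "id" in s)
    return found


def user_level_ids(request):
    """List per-user identifiers present in a request meant to be cohort-only."""
    present = [f"{obj}.{field}" for obj, field in USER_LEVEL_FIELDS
               if request.get(obj, {}).get(field)]
    user = request.get("user", {})
    if user.get("eids") or user.get("ext", {}).get("eids"):
        present.append("user.eids")
    return present


def should_bid(request, campaign_segments):
    """Step 3: bid only when the request carries a segment the campaign targets."""
    return bool(sda_segments(request) & set(campaign_segments))


if __name__ == "__main__":
    print(sorted(sda_segments(BID_REQUEST)))
    print(should_bid(BID_REQUEST, {"202"}), user_level_ids(BID_REQUEST))
```

`user_level_ids` is a hypothetical privacy check: an empty list means the request identifies a cohort and not an individual.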

5. Self-Serve Ad Platforms

One notable outcome of increased privacy regulation and technical restrictions is that publishers have regained meaningful control over their audiences.

By collecting and activating first-party data, publishers can continue monetizing their properties even as third-party cookies disappear from Google Chrome. While universal IDs and Seller Defined Audiences are two routes for activating that data, publishers can also give advertisers direct access to their audiences through a self-serve ad platform.

Rather than selling inventory exclusively through an ad server or SSP, a self-serve ad platform lets advertisers build and run campaigns directly against a publisher's audience. These platforms typically integrate with data platforms such as a DMP or CDP to enable audience creation, and connect with an AdTech platform (such as an ad server) to handle ad delivery and targeting.

The benefit for publishers is that no audience data needs to be shared with advertisers through RTB auctions. The benefit for advertisers and agencies is that they can reach a specific, known audience directly — without relying on programmatic targeting that may or may not align with their desired segments.

6. Contextual Targeting

Contextual targeting allows advertisers to display relevant ads based on the content of the webpage rather than data about the individual visitor.

The concept is not new. Before the internet existed, contextual targeting was a standard practice in magazine and newspaper advertising. A full-page SUV advertisement placed next to a feature article on off-road driving is a classic example — the ad is relevant because of the surrounding content, not because of anything known about the specific reader.

Over the years, the growth of the internet and behavioural ad technology allowed advertisers to move away from contextual approaches in favour of audience segmentation based on behaviour and interests. However, many print publishers never fully abandoned contextual targeting, and for good reason — it remains highly effective for certain types of content.

Today, contextual targeting is regaining traction across digital advertising as well. With less dependence on personal data, it sidesteps many of the privacy constraints that are limiting other targeting approaches. While less granular than behavioural or audience-based methods, contextual targeting offers a durable and privacy-compatible option for reaching relevant users at scale.


The six alternatives outlined here — universal IDs and device graphs, data clean rooms, Privacy Sandbox, Seller Defined Audiences, self-serve ad platforms, and contextual targeting — each address the identity gap in different ways, with different trade-offs in terms of scale, privacy compliance, technical complexity, and effectiveness. In practice, most publishers and advertisers are likely to rely on a combination of several of these approaches rather than a single replacement for third-party cookies.