Alex Langshur, Cardinal Path – Navigating a Post-Cookie Marketing World

January 16, 2020

Alex Langshur, Co-CEO at Cardinal Path, discusses how regulations inhibit companies' ability to use cookies for tracking visitors. Specifically, Langshur speaks about how to:

  • Navigate anti-cookie privacy legislation and consumer expectations
  • Balance data privacy with increasing revenue

Fill out the form to watch the session on-demand.

Hi everybody and welcome to the Virtual Analytics Summit's session on navigating a post cookie marketing world. I'm excited to be here and I want to say thanks to the ObservePoint team for inviting Cardinal Path to participate in VAS. This is I think a number of times we've been here and found it to be really useful and really a great opportunity to engage with the community. A little bit by way of introduction, my name is Alex Langshur, I'm a founder and co-CEO at Cardinal Path and I'll be talking to you today about the marketing and post-cookie world, which is something that we at Cardinal Path are spending a lot of time thinking through and talking to our clients about it because we're entering into a really unique period in the analytics industry and just in the web in general as we're seeing some fundamental changes to the way that we've been measuring previously, which are going to impact us, and particular, markers going forward.

So let's focus in and talk a little bit, share with you the agenda for for our, our conversation today. There are three things that I want to go through with you. The first one is this idea about why cookies are dying and what does that really mean? We've heard about it, there's been a lot of talk about it. There's a sense that it's not going to be good. We're kind of going to unpack a little bit about what that is, why that's happening and what the nuts and bolts and tactical impacts, as well as the strategic impacts, are going to be to you as marketers. We're then going to move into the next thing, which is this idea about identities. So if we know that cookies are going away, what will replace them or even how we as marketers can be able to understand who is engaging with us online and how can we move from our existing means of trying to identify people to a new identity model. And then throughout this entire session there'll be a live Q and A. So if you have a question, you should feel free to ask it and we'll try and answer it as we go along. All right, well let's begin. 

So the death of cookies talked about a lot. People are aware that there's this thing going on. They get it, that this is probably gonna have a bit of impact. But what exactly does it mean? And what I'd like to say to you is there are a few moments that we have in our lives actually where we're able to know ahead of time that something is happening and what those impacts are going to be. In other words, peering into the future. And right now, today we know that cookies as a means of being able to identify visitors and stitch those visits to previous business to develop a map of people's engagement with us across our digital assets is disappearing. Furthermore, cookies have been used extensively for third parties for ads and ad trafficking, and that's going to disappear as well. And so this is a major pivot point for us in this industry and we know that it's coming. So our job as marketers is to anticipate what these impacts are going to be and through that inspiration, make appropriate strategies to deal with it going forward. And my hope is today at the end of the talk that you know, you'll have some of those strategies going forward. 

So let's go back to and first understand a little bit about cookies, right? So let's just all kind of go back through the mists of time. And you know, these are simply a little bit of texts that are placed in the bios, or cookies were never really designed to be able to use the traffic or to understand ads or traffic across sites, but it was it was be able to be exploited to the needs that we have to be able to make that happen. And there are essentially two types of cookies, right? There's a first party cookie, which is, you visit my site, mydomain.com and mydomain.com places this little bit of text on your browser. And then it uses that to say, all right, you person A with cookie A have been to my site. Third party cookies are those that are set by some other entity via your visit on my site. So when you're scrolling through and they place a cookie on your browser that's delivered by them through my site and it tracks you while you're visiting my site. And those can be placed mostly by ad services, the ones that we know, a general idea, or you can think about it, a Facebook pixel and etc. These are third party cookies and those are going to be severely impacted as a result of these changes, and first party as well.

So let's try and understand why that's happening. Why are people focusing in on cookies and whatever happened to create this situation where people are saying, "All right, cookies are, are a synonymous with some form of invasion of privacy. And so we need to be cautious about that." Well, the way I look at it is that there's a number of really big trends that are out there, right? So the first one is this idea that in society, right, consumer's trust is eroding in the ability of large organizations to manage data about me. We hear constantly about data leaks that are going on out there. There's this sense of people not wanting to be interrupted in all of these ads and banner blindness that's out there. So, and you know, Apple first won with its intelligent tracking protocol, it was kinda the first one on this bandwagon of saying, "Okay, you know what, we're going to try and help out the user and try and position this within the framework of privacy." And individuals are also taking action on their own when we've seen a lot of ad blockers that are out there and a lot of concerns around privacy. So there's this societal drive towards it. You can also think of the rise of Tor and other browsers which are designed to not allow you to track, or to provide anonymity when you're browsing experience. As a result of some societal change, we've seen legislative initiatives from governments, right? So governments have gotten involved in this. They passed laws in Europe, the GDPR law, in California, CCPA, Vermont is also passed a law. Canada has its own law. So these are all things that are kind of rooted in this sense of, you know, governments need to step in and kind of Wild West of data that's out there, kind of put some, some guide rails in therew And the data brokers and modelers are the ones that have really kind of created a lot of this because they'd been collecting all those information Willy nilly, selling it back to anybody that wants to buy it and enabling behaviors from brands, which kind of step beyond being helpful to a little bit more into the creepy zone. And I have my own personal experience of that, of having gone to a website for a nonprofit organization wanting to buy a map but forgot about it, and left my cart abandoned and like the next hour receiving an email from that organization. I was completely anonymous in my browsing. And that's all done on the back end through matching, and it doesn't leave people with a good sense when things like that happen. 

And then finally we've also seen that the big players, the Amazons, the Googles, the Facebooks, the Pinterest, the Twitter, they're all building their walled gardens. And they're kind of saying that, you know, if you want to play, if you want to do transact ads, you've got to use our tools, you've got to use our systems. We're not going to allow you to come in here with just anything. So these wall gardens are getting higher and higher and it's getting more and more difficult to either get data in or out from those walled gardens and the players, right? If you think about Apple and all their kind of jumping on this bandwagon of protecting privacy and a lot of the decisions that are being made around protecting privacy from some of the larger industry players also are a little bit self serving because they play to their strengths, but be that as it may. 

So that's a little bit what's going on. All of that's converging to say that at the core of all of this, the one thing that really is kind of central is first party data. And the ability for organizations to collect information about the people that engage with them across their digital assets in a way that's driven by consent, that involves a value exchange. So people are willing to give this information up and on which I have also control or how that's used. So first party data, the collection of first party data and the management of first party data takes on a new level of importance because it's this one thing that you can say, well, you know, I, if you visited me, I can then ask you for consent to use that information about your visit and about you and then keep that.

And as long as, again, I've gotten your consent as to how I will manage and leverage that information that you gave me. So first party data is critical because it's stuff that you can make the ask to own and to use. So with this a lot of focus is going to be around organizations and the ability to collect manage and store first party data and then leverage it. 

Just want to give you a little example here of this trend in operation. Duck, Duck Go is a search engine that was probably on nobody's radar a year and a half ago. And you're now looking at, it's a volume of a search growth and it's, we're seeing the bottom end of, or the start really of the inflection point in exponential growth. This goes to January 2020, which is obviously a projection, but what we're really noticing here is that there's a demand that's growing for this ability to do search on other things which are in an anonymous, anonymous way and that protect people's privacy.

So this trend is not going away. This concern about privacy is not going away. And we don't know where governments are going to go, but there's a, you know, we do know that there's been some fines that have been levied. And my general experience is that when governments make legislation quickly, they generally make it poorly. But we know that governments are getting involved and as we mentioned before, CCPA, GDPR, are two tangible examples of that. 

So how does intelligent tracking protocol work? And this is what the Safari and Apple released and there's enhanced tracking protocol from Mozilla and others, but they essentially worked this way. Here you've got your third party and first party cookies, which I previously explained. As a general rule, third party cookies blocked, completely blocked. Those don't work anymore. So now we're  onto first party cookies.

Now server side, first party cookies. That's a little bit of technical stuff that's required to that. It's beyond the scope of this presentation. You can speak to people about that and I'm happy to answer questions about that later on. But that's where we set those cookies on the server side. Currently right now there's no exploration allowed but that might get blocked in the future. But for those cookies which are set on the client side, i.e. at the browser level, if you come directly to mydomain.com, those are currently allowed with a seven day expiration. if you come from any other site, they're allowed with a one day expiration. That's as it is right now. But let's take a look at what that actually means for you in the Safari environment. And the Safari environment is actually very important environment to look at because, as most of you are probably aware, the mobile environment is exceptionally important to commerce today and into the online world today. And if you were to look at mobile users and they're, most of them will not most but a large percentage of them are on Safari because they're Apple device, iOS based devices. So understanding what's happening for Safari is actually a nontrivial requirement for us as marketers because Safari and Apple are leading the charge here in a lot of cases. And so as they go, so goes the industry, and I'll show you an example that in a second, but before ITP2.X if you visited on day one your first visit on day zero, you get an account created in Google Analytics or a new user is created an account in Google Analytics, I should say a cookie is dropped. You come back, you're recognized. The journey is stitched together, and I've got those two visits on that same day. I come back a period of time in the future, three, four, five, six, eight, nine, ten days in the future. The cookie, the user's recognized via the cookie all the additional data from those visits together. And I'm now building not just the journey map, but also a profile of interest for that individual. That's, that's how it was. Now with ITP2.X and ETP, which is an enhanced tracking protocol from Mozilla, still the same thing I visit on the first day and a new user's created in GA, i's the lower line in here, if I come back on the same day for a second visit there's a cookie there. It's recognized the visits are stitched together and for that period of time, a journey map is created. Now, if I go to the next day, day one or seven under ITP2.1 or 2.2. We should really talk about 2.2, because it's only going to increase from there, it may be deleted. That cookie may be deleted and certainly if it's come from across the main link, it'll be deleted. So the thing is that at that point if it's deleted then there's no way to stitch it together, the previous visit. So it certainly under ITP.1 would be deleted after seven days of inactivity. But here's the kicker, if you come back for the third visit on day eight, i.e. seven days post your first visit, that cookie's gone, it's deleted. And so the user's not recognized for all intents and purposes within GA or any of the other tools that you use cookies for tracking, at least on the client side, you will be considered a new visitor. And so we should expect that if we have a long sales cycle time or we have people that come in to visit us on a non recurring basis or non daily basis that we're going to see our new user accounts jump.

So what this looks like is if you look at 2017, 2018, you have got this various browser shares that are out there in 2017, when Apple first started to block third party cookies, you know, you could do a lot of retargeting, but you know, you lost all of those visitors when third party cookies were blocked in iOS and Safari. And now with Google Mozilla doing that, we're getting even more blocking going on. And therefore, you know, you're losing a lot of your ability to understand your full audience base and how they are engaging with you, and this is only going to increase going forward. So again, as marketers, we have to understand that we're not seeing data like we used to see. And that has profound implications, because if we're not seeing data like we used to see, all right, if we're not able to say, well, I can expect that the tools are collecting and sorting and aggregating information in the way that I had been accustomed to. If I now have to think that  prior to ITP2.1/2.2, there's variations in the user behavior that are there. What's basically being said to us as marketers is that effective really 2019 and beyond, we're having what I'm calling the great digital unconformity, and that is that the data prior to this does not match up with the data after this. So everything post ITP,  ETP doesn't map backwards easily. So you're looking here at a picture by the way of the great unconformity, which is the place that James Hutton the one of the geologists in Scotland back in the 17 hundreds first recognized that there was a great gap in time cause the rocks on the bottom are pointed vertically. You see the layers going vertically, the rocks on the top of the layers are going somewhat horizontally. But between the two is a great gap of time where there had to be folding and erosion that was going on and it made him realize how old the earth was. So it's the same thing for us right now. We are now seeing a similar type of great digital unconformity. The data prior to ETP/ITP does not match up with post data. What does that mean? Year over year data? Useless month over month, kind of meaningless. Week over week because it's a seven day, probably not really good. Quarter over quarter. Anything that you've been conditionally used to looking at timeframe or time series analysis of behaviors is essentially going to become extremely problematic and that has a lot of implications for us. 

What are they? Well, first of all, all of your metrics that you're looking at and if you're trying to understand that change of how people are behaving over time, you have to recognize that at the individual or the user level that's going to be virtually impossible to do. So our metrics are going to have to shift as a result of that because we have to rethink what these things mean, right? When we're not able to stitch user behavior over multiple sessions. If you think about retargeting, which has been an incredibly powerful and effective tool for a lot of different sectors, that's going to go away as well because my third party cookie is no longer being accepted and the initial cookie is being vaporized after seven days. So what that also means is if I come to a site and the site recognizes me cause I've already been here and then you've got some personalization that's going on through back end that's going to disappear as well because you're now unable to know that that person has previously been there and they like pictures of kittens to be shown preferentially as opposed to pictures of dogs, if you've got something on your side or what have you, or they like pink as opposed to blue for a color. 

Secondly you know, we're going to want to be thinking about logins, right? And we think we're going to talk about identity and logins, but one of the things that we all love as a feature of the browser is that it recognizes we've been to this site and it fills it in auto fill, off we go. Well if that's based within the browser at a cookie level that's going to disappear as well. 

And the last thing, and there's many, many others, but I'm just trying to put together three that are really present in for a lot of us to think about, but the other thing is attribution. So I've been in this game long enough to know that one of the things that people are always honest about is to try and help them understand how well the dollars being spent. And certainly digital has made that an easier thing than others. Difficult when you're trying to do offline to online, possible but hard. But now with the loss of cookies as a means of understanding, particularly for any organization or any entity or any sector that has a particularly long lead cycle, right, so if it's like a 30 to 60 day or even less, a more than an eight day lead cycle between idea and buy, attribution's going to become really, really problematic, really problematic. And the big asterix here is unless you're kind of in walled garden world. 

I want to just take a second and just let you know about CCPA. One of the things that our take is that this is, you know, you haven't been planning about it. You really do want to be planning about it. It's an opt out regime so that has some very important implications. Whereas GDPR is an opt in, I have to opt in to let you use my data, whereas this is, I have to opt out. I have to specifically say, "No, you can't." The data transfer in ad serving, well that's going to be a big thing cause right now most people don't even know that that type of trafficking is happening on the back of, so you'll have to upfront disclose that. Like GDPR, you have to make data available to consumers so they can say, "Well, I'd like to know what you know about me." And if I don't want you to share my data with anybody, then I need to be able to have a button that says that, and you need to be able to respect that. The solution, just some of the things that are about CCPA, there's a lot more stuff that you should know about it, but fundamentally there's nothing in CCPA that says that I can't continue with consent to track and do the things that I typically do, but it does mean you need to really think through your approach towards capturing that consent and managing consent and attach that managed consent to data.

So this is why we believe that identity is really the new gold and that as, as marketers, we're going to have to have an identity strategy. So one of the simplest things that we can think about is the logged in state, right? If somebody decides that they want to log in with you, well that's fantastic because it resolves all the issue surrounding consent, as long as you're clear about what we're going to be collecting. It allows you to, you know, build those rich customer profiles and journey maps of people because they're logging in each time. And that login enables you to know that. Because it's a login, it stays a little bit more future proof. You don't have to worry that maybe if I move to this a service side cookies thing, that it will get stopped and there was fingerprinting which has been stopped and other stuff. So it's just a lot more future proof because, you know, you have the right to ask people to log in and if they do and create an account, well then that's off to the races for you. 

But we do recognize that not all industries and not all sectors, and certainly not all sites really have a value proposition, which is beneficial to the user, which says, "You know, you really should log in. You really should make that happen." So how we do that becomes a new challenge for marketers as they think through their customer experience and their journeys, those customer journeys, to create you know, progressive value exchange so that people will willingly exchange data with you. And this fact about creating whether it's, you know, creating that logged in state, the whole purpose behind that really is about the collection of first party data. And if you take a look at the Google marketing platform's schematic, which was released at the, it's about eight months a year old right now, if you look to the upper left and I've blown it up for you right here and generally we look from a upper left towards the right. So what's important is typically up there, you'll see that Google has said that all of the marketer data is going to be really critical. And that means how do we collect it as marketers in our own CRMs and then interact with Google's data sets using our data sets and Google's data sets to prospect into that unknown universe of people that are like the people that I already know. So Google is kind of telegraphing to us very, very clearly that you should be collecting information in a consent driven way within your CRM systems about people that matter to you. And if you're doing that, we will provide you with an integration into the marketing platforms. So again, this really happens best if you're in a logged in state because as I said before, it really alleviates any of the issues surrounding first party data, sorry, first party cookies, third party cookies. 

So if we take a look at you as a marker you've got your private graph, right? So you've got, if you've got the logged in state, you're going to get probably an email address, you'll be able to start to map that to device IDs that they might have logged in across a number of different devices. You'll be able to bring in any kind of other attributes and then start to make some models of different audiences than that, and then possibly link that out to publisher graphs. But basically you control all this. This is stuff that you can do because you start to collect this first party information and through some common key, whatever that compliment key may be. In this case I'm just using email address. You then get access to the entirety of publisher graph, right? So you'd be able to take your data, refine it underneath the rules that you've established through your consent, when you collected that data, and then be able to push that into the publisher world. Now, really what we're looking at here, just to kind of bring you back to this, this is kind of what's old is what's new again, right? So if you think back to direct marketing, it was about collecting information about people knowing where they were located, using DMAs and zip codes and then you know, sending out tons of mail to those specific addresses. And this is kind of where we're going right now is that these large tech firms who have these massive logged in user bases, because since they are developing person ID based targeting, right? They know a lot about us because we've logged in and we log in with them a lot, and they've developed a lot of information around us and surrounding us. And if you start to think about those marketplaces of addressable IDs, you start to realize that really, and I mentioned this earlier on, these walled gardens, there's three big, big, big dogs in this space. People who have created products and tools which are so important to us that we willingly give information to them. and we have an effective logged in state, which is persistent. And as a result these are audiences that can be reached on an ongoing basis across all these tools. And it's not for any reason that other than that, that Google, Facebook and Amazon are the top two or 60%, but these are the big ones. If you look over at Verizon, Verizon is oath and they've collected a lot of these other entities and bowled them together, try and create their own publisher, addressable marketplace where you can then advertise on. But these top five are taking all of the US digital advertising dollar and the top three in 2020, 2019 are going to take a close to 70%. 

So it's quite clear where this is going. So what do we need to do to future proof our marketing, right? So we are breaking it into these three things. You need to own, what do you need to build or partner with and where you can activate. So the first one is you've really got to have a first party engaged strategy. As marketers, we need to make sure that we're doing everything that we can to understand that people who engage with us and to create a customer experience, which promotes some form of a logged in state through the exchange of value, which is done on an incremental and ongoing basis. So we don't ask for more than we need and when we need more or would like more, we do so in exchange for value to the customer. So it's one that's really built on consent and trust. And that helps us to build our ID graph and puts in place a lot of these addresses that we're going to need to be able to then leverage with other entities that are out there such as Merkel or Epsilon or Axiom or who have these very large, or Google in fact, and Amazon, I think it's gonna have some, certainly Facebook where we can match our IDs to theirs through a common key. And then we can activate across those networks, right? Because they have the access to the clients that we don't know about. We're modeling those things out and we're uploading into their systems, our audiences that are both, our known audiences and our modeled audiences and trying to map them against their sets of audiences. 

So this is the direction that that's going in. And it's all predicated entirely on your ability to collect first party data. So what would be your next steps. Well, first off is identify what you have, how is it being collected, how much of that has been collected with proper consent attached to it? And what are the systems that you have to manage both that consent and that data. All right? 

Secondly if you're not collecting that data in a systematic, first-party in a systematic matter, then you may want, and if you are, you may really want to start to think about as part of your first party data strategy. How are you going to create the login and the value proposition around that that's going to promote people and incentivize them to log in with you. And you're going to have to have all those systems and tools in place to be able to manage that at scale. 

Thirdly, you're going to have to recognize that there is a big digital unconformity that's out there. Your pre and post ITP metrics won't match up. You're going to have to educate people within the organization, both who report to you and who you report to because there's going to be a lot of head-scratching that's going to go on and it's better that you're in front of it now because those metrics are going to shift. And if you really want to see how they shift, just do a poll of your data and take a look at Safari, a new versus returning user counts going back 2017 to 2019 and you'll see it yourself. You'll see exactly where the inflection point occurs. 

And the last thing is I believe that the role of a consent based third party data brokers who can help you with identity resolution is going to be a critical requirement for large marketers going forward. Because while you know the people, you know, cause you've collected that first party data, it's the people you don't know that you want to market to. So being able to tap into those addressable markets is going to be contingent upon you having that larger model of the universe that's out there. 

And so that I want to conclude and say that, you know, we welcome your questions. They are always interesting and I am sure that there'll be no shortage of them cause this is actually a really a nontrivial subject. Now, I also would like to say thank you to the ObservePoint team for putting on these analytics summits. We appreciate the opportunity to be invited and hope that you found that this has been useful and interesting for all of you.

Previous Video
Chris O'Neill, ObservePoint – Perfecting Release Validation: Catch Errors Before they Destroy Your Data
Chris O'Neill, ObservePoint – Perfecting Release Validation: Catch Errors Before they Destroy Your Data

Learn how to use release validation to identify analytics errors in a staging environment before going live.

Next Video
Andrew Geddes, ObservePoint – Take Back Your Time: How to Automate Even More with ObservePoint
Andrew Geddes, ObservePoint – Take Back Your Time: How to Automate Even More with ObservePoint

Learn from Andrew Geddes, Sr. Manager of Consulting at ObservePoint, how to make the power of ObservePoint ...