Google's most vocal critics have caused a schism among the ad-tech community: One group led by Brave, a rival web browser, claims to have analyzed Google's ad exchange and found sneaky data-sharing with partners. Meanwhile, Google's defenders say rivals are being alarmist about a common industry practice known as “cookie matching,” which is a fundamental component of harnessing data to power internet ad auctions.
At the center of the dispute is a study released last week by Brave, which claimed that Google was creating “secret” web pages to share data with its ad-exchange partners. One of those partners, OpenX, has now weighed in saying the study was flawed after it was accused of creating “workarounds” to share data with its partners.
What’s not up for debate, though, is that even if “cookie matching” is not new, the practice is being challenged under the EU’s General Data Protection Regulation. If it is forbidden it would have serious consequences for “real-time bidding,” which is the most common way ads get served online.
“Cookie matching is definitely essential for real-time bidding to make sense,” says Christoph Tavan, chief technology officer at Content Pass, a Berlin-based company that helps digital publishers develop new paths to making money as the web becomes tougher terrain.
The EU is investigating whether Google is in compliance with its rules, which mandate that companies have direct consent from the end user to collect their data. Some argue that Google’s system of tracking users online through websites that use its ad software does not constitute a direct relationship. At the same time other companies like Apple and Firefox are limiting cookies’ power to track online behavior.
So, is Google’s cookie-matching common practice or is there a deeper privacy concern with the ad business? Here is what we know, so far:
Last week, The Financial Times reported on Brave's study of Google’s ad auctions, which run on millions of web pages because the company’s ad technology sells publishers’ inventory.
Some of the allegations in the study sounded damning, describing forms of cookie matching that create “secret” web pages where the different parties bidding on Google ads could exchange data about users. “The new evidence reveals a surreptitious mechanism that raises additional data protection concerns,” Brave wrote in a blog post outlining the study.
Is that bad?
Google and ad tech veterans like Tavan say the practice is not new or out of the ordinary. Tavan says what the study described was basic cookie matching. “Framing the whole thing as a GDPR workaround is a really strong PR move by Brave to make Google look bad,” Tavan says.
What is cookie matching, anyway?
“If two companies want to talk about a user, they somehow have to establish a match,” Tavan says. “There are hundreds of players in digital advertising and they all know the same users by different identifiers.”
A cookie is software code that a website drops on people’s web browsers to identify the users later when they visit again or to serve them ads elsewhere online. A cookie can contain information about a person’s web habits, the articles they read, clothes they buy, health issues they browse and more. Cookie matching is simply identifying when a cookie in one database is the same user as a cookie in another database, so that consumer can be served an ad.
Google and the websites that use Google’s ad managing software have one set of cookies for their online visitors, while all the companies competing in the auctions have different sets of cookies for those same users.
What are ‘secret’ web pages?
Tavan describes the hidden web pages as pop-up internet domains, built by Google, that live under the main pages of publishers' sites. The page is a security layer to transfer data and vet ads before loading them on a publisher’s website, according to Tavan.
What do the critics say?
Zach Edwards, a data scientist who worked on the study with MetaX for Brave, says that not all these practices are common. “We found a workaround in cookie syncing infrastructure,” Edwards says, during a phone interview.
Edwards says that Google has made changes to how its ad system works since EU’s data protections were implemented last year. And even named a partner, OpenX, as exploiting the “workaround.”
OpenX was allegedly making matches with Google’s cookies and creating one of those "secret" pages to share data with its partners.
Did OpenX do that?
Not according to OpenX, which said it found a flaw in the Brave and MetaX study. It said the exploit only worked because the data scientists used the wrong cookie coding to run the test, and it was a type of code Google's ad exchange does not use. “We are in 100 percent in compliance with Google’s cookie matching policies,” a spokesman for OpenX said in an e-mail statement. “This report is fundamentally flawed and highlights a real misunderstanding of how cookie syncing works. It is a very complex issue and it is understandable that someone could make these errors. Fundamentally, the methodology used altered the code being tested and delivered inaccurate results.”
So, what’s the big deal?
Even if cookie matching and the underlying web technology that enables it are common, the EU is still deciding on exactly what it will allow under GDPR. If the EU, or the U.S. in any future privacy legislation, says cookies invade privacy, that will drastically alter the online ad landscape.
Google and partners like OpenX say they have direct consent from consumers to run personalized ads based on their web behavior. “We have always been transparent about how our real-time bidding process works, and per GDPR requirements, we do not serve personalized ads or send bid requests to bidders without user consent," Google said in an e-mail statement. "We have strict policies in place to protect user privacy, and we take action if we find that our policies have been violated.”