Email addresses sit at the heart of the IAB’s Project Rearc, an industry initiative designed to guide the development of alternatives to third-party cookies. And some of the more popular universal ID solutions, like The Trade Desk’s Unified ID 2.0 and LiveRamp’s IdentityLink, are based on email.
Third-party cookies have long served as a way for advertisers to track their customers across different websites, giving a clearer overall picture of customers’ behaviour. Cookies help ad tech companies identify who is browsing a particular website, allowing them to overlay their own user data relating to that individual. And cookies are also useful for things like retargeting and frequency capping.
But with support for third-party cookies on Google Chrome set to expire in just over a year, an alternative is needed.
Many identity vendors already use emails to help identify their users. But some believe that with sufficient tweaking of ad tech infrastructure, emails can replace cookies as the lifeblood of digital advertising, helping brands identify who they’re advertising to and target their ads appropriately. Instead of cookies being passed between parties to signal who is viewing an impression, email addresses would be passed around instead.
The Technical Details
But it’s not just a case of buyers and sellers combining their email databases in order to share data, or ad tech companies passing on email addresses whenever they would usually pass on a cookie.
Email addresses themselves are considered personally identifiable information, which means they can’t just be freely traded between buyers, sellers and ad tech companies without consent.
To solve this, marketers can use ‘hashed emails’. Hashed emails have been passed through an algorithm which converts them from a readable email address to a 32-digit string of numbers called a hexadecimal string.
The hashing algorithm always produces the same hexadecimal string for the same email. So if both a buyer and a seller have access to the same user’s email, they will both produce the same hexadecimal string. This means they can tell they’re talking about the same individual, without knowing who that individual is.
Crucially, the hashing process can’t be reversed, meaning neither side can look at that hexadecimal string and tell which email it came from.
This hashed email can be used to tie together other identifiers in the open market. So for example if a publisher works with universal identity vendor A and an advertiser works with universal identity vendor B, hashed emails could join the dots between those different identifiers.
Some vendors, meanwhile, will use hashed emails and other login data to directly match brands’ and publishers’ data sets. This, in essence, is how the ‘clean room’ vendors like InfoSum and Snowflake work. Both an advertiser and a publisher can upload all their first-party data to a clean room, and hashed or encrypted emails can be used to match these datasets in a way which doesn’t compromise privacy.
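The matching described above, as an added Python example (not code from the article or from any vendor it names): two parties hash normalised addresses and intersect the results, first with an unkeyed hash and then with a keyed one. The sample addresses, the shared key and the function names are constructed for illustration, and the normalisation rule (trim and lowercase) is an assumption. MD5 is the algorithm that yields a 32-character string as described; SHA-256 yields 64.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    """Trim and lowercase so both parties hash identical bytes (assumed rule)."""
    return email.strip().lower()


def hash_email(email: str, algorithm: str = "sha256") -> str:
    """Unkeyed digest of the normalised address as a hexadecimal string."""
    return hashlib.new(algorithm, normalize(email).encode("utf-8")).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 token: only holders of the shared key can compute it."""
    data = normalize(email).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def match(publisher_emails, advertiser_emails, tokenize):
    """Tokens present in both data sets; raw addresses are never exchanged."""
    pub = {tokenize(e) for e in publisher_emails}
    adv = {tokenize(e) for e in advertiser_emails}
    return pub & adv


# Constructed sample data: note the differing case and stray whitespace.
PUBLISHER = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]
ADVERTISER = ["alice@example.com", "dave@example.com", "CAROL@example.net"]
SHARED_KEY = b"constructed-shared-key"  # placeholder, agreed out of band


def demo():
    overlap = match(PUBLISHER, ADVERTISER, hash_email)
    # Determinism cuts both ways: a party that already holds an address can
    # recompute its hash and recognise it, so the hash is a pseudonym for the
    # address rather than an anonymised value.
    recognised = hash_email("alice@example.com") in overlap
    # With a keyed hash the same match works, but the tokens cannot be
    # recomputed by anyone who lacks the key.
    keyed = match(PUBLISHER, ADVERTISER, lambda e: keyed_token(e, SHARED_KEY))
    return overlap, recognised, keyed


if __name__ == "__main__":
    print(demo())
```

Without the normalisation step the two data sets above would share no hashes at all, because the digest changes completely with a single differing character.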
And hashed emails can be used as an identifier in their own right. The IAB’s Project Rearc proposes that hashed emails themselves could be passed through programmatic pipes, from publisher to supply-side platform to demand-side platform to advertiser. This would let the publisher signal who is viewing the impression, allowing the marketer to combine their own data on that individual and decide whether they want to bid on or buy an impression to show that user.
Project Rearc isn’t itself a technical solution, but a way for the industry to exchange ideas on how an email-based universal identifier could work. But several identity providers have followed Rearc’s lead, putting email at the centre of their own plans.
The Pros and Cons
There are two key reasons why email addresses can be useful as identifiers. Firstly, just about everyone who uses the internet will have an email address. And secondly, if an advertiser, publisher or broadcaster has any sort of personal data about their customers, it’s likely that they have their email addresses.
Emails are usually used to log in to on-demand streaming services and publishers’ apps or websites. And while not all brands will have direct relationships with their customers, any relationship they do have will often be based around email, which they might collect through ecommerce stores, promotional offers, surveys or other means.
With third-party cookies expected to be retired, companies on both the buy and the sell side have been stepping up efforts to collect email addresses through registering their users. ITV for example set itself a target of registering 30 million users by 2021 (which it reached late last year). And The Guardian earlier this year began testing a registration wall (where users have to register and sign in to access content).
But email-based identifiers do have their drawbacks too.
Firstly, it hasn’t been completely proven that they can work effectively as a like-for-like replacement for cookies. As mentioned, Project Rearc is more of a set of guidelines for how an identifier might work, rather than a technical solution itself. And The Trade Desk’s Unified ID 2.0 is still in development. The company has not yet fleshed out exactly how the new solution will work.
And these solutions might not be applicable for all publishers and advertisers. Established broadcasters and publishers might be able to persuade their audiences to register and log in, in exchange for content. But for longtail sites, visitors might choose to click away rather than going through the hassle of signing up and logging in. And on the advertiser side, it’s harder for some brands than others to build a direct relationship with their audiences. How does a cleaning product brand for example, whose products would usually be bought from a third-party retailer, persuade their customers to hand over their email addresses?
Finally, hashed emails might find themselves in the crosshairs of privacy advocates, browsers and regulators. Apple for example has already explicitly said that it won’t accept hashed emails as an alternative for its in-app advertising identifier, the IDFA.
Hashed emails won’t face the exact same threat from browsers as third-party cookies. Since cookies are stored on the browser, those who own the major browsers (like Apple and Google) have significant power over them. But this same power won’t hold for hashed emails, which aren’t stored on the browser.
Nonetheless, if regulators do perceive hashed emails as too much of a privacy threat, they could become the target of privacy legislation further down the line.