Bye-Bye, Cookie Monster? What Do Pending Digital-Ad Ecosystem Changes Mean for Email Marketing?


Internet advertising started with email. In 1978, a Digital Equipment Corp employee sent an Arpanet email promoting DEC computers. It was successful but didn’t open an advertising flood. This may have been because the National Science Foundation’s officially-unofficial position into the early 1990’s was that commercial activity on the Internet was forbidden.

So perhaps we can blame lawyers for Internet advertising; the first massive commercial message was a Usenet blast from a small husband-and-wife law firm — it’s known as the “Green Card Spam.” (They went into — or started — the commercial spam business; he was disbarred a few years later.) The genie was out of the bottle, though, and it grew magically; digital advertising eclipsed “traditional” advertising (TV, print, radio) sometime in 2019.

Digital advertising was, and is, different from those traditional media for several fundamental reasons. Simplifying a bunch, in addition to free global media distribution (pesky little detail), digital provides far more and far better feedback data, and comes much closer to 1:1 ‘targeting.’ Nearly everyone has had the experience of looking at a product, only to be chased by ads for similar products nearly instantaneously. That’s not feasible with the previous generation of media.

The digital ad ecosystem is about to change, though, due to the intersection of at least 3 factors.

  1. Apple will require apps to get user permission to share data
  2. Google will phase out 3rd party cookies in the Chrome browser
  3. Dominant digital companies — especially Facebook — are facing high-level scrutiny and Federal action

It’s possible that this will push additional marketing activity to email. My aim in this post is to summarize the changes as succinctly and well as possible, and to speculate on the opportunities these changes open for email.

Mobile: Apple, Device IDs & Privacy

In December of 2020, Facebook took out a series of full-page ads in leading national daily publications. They gave themselves (paid) credit for “standing up to Apple for small businesses.” Their claim was that Apple’s proposed changes for apps would be devastating for small businesses. Statements like “Apple is behaving anti-competitively by using their control of the App Store to benefit their bottom line at the expense of creators and small businesses” were thrown out in supporting calls.

What’s Apple actually doing?

As mobile exploded, Apple and Google both provided device-specific identifiers to apps on their respective iOS and Android operating systems. Both Apple’s UDID (Unique Device Identifier), and Google’s AAID (Advertising ID) deliver a device-specific identifier. Both are permanent to a device. That’s an unprecedented level of down-to-the-gizmo accuracy to drive advertising. IDs could be linked to specific users and shared with 3rd parties.

Apple phased the UDID out, circa 2012, and replaced it with the IDFA. IDFA is a random device ID, assigned to a device by Apple. Users can — in theory — “turn off” IDFA tracking or reset the IDFA assigned to them for a fresh start.

Apple has announced that they will be giving users the ability to confirm their approval for tracking, app-by-app. It hasn’t happened yet; speculation generally points to “sometime this spring.” The details of the confirmation process will matter a great deal; “you can turn off this preference” and “you must make a decision” are nigh onto polar opposites in terms of user take-up.

Look at this change from the point of view of an advertiser — oh, let’s say, Facebook — to see the impact. If you’re gathering trillions of data points, making them coalesce into targetable segments for advertisers is a massive challenge — unless you’ve got a built-in ID that’s doing the job for you.

“Facebook’s got an SDK in basically every single app that exists, and that SDK has total transparency into what users do in that app.” —Eric Seufert of Mobile Dev Memo in Stratechery interview, 2-4-21.

If you have 14 apps on your mobile device, and all 14 are “feeding” data to a 3rd party (Facebook), the job of tying all of those actions and events to ‘you’ becomes a ton easier if they’re all passing along the same unique ID.

Apple’s going to put the ID controller in the user’s hands. If the confirmation process interrupts users to make a yes-or-no choice, there’s a very real possibility that a lot of people will lean towards “no.”

Facebook is at particular risk of ad-targeting becoming much less effective because of the ‘ecosystem’ approach they have. Facebook launched their platform and APIs in 2006 — notably, before the first iPhone. They made a bet that looked a little crazy at the time but looks brilliant in the rear-view — rather than trying to keep everybody inside the Facebook ‘walled garden’ (AOL’s strategy), they sold “gardening tools” to anyone and everyone, in the form of SDKs and APIs. Want to make sign-in easier? Use this Facebook button. Want to know something about your visitors? Implement this API. Who sat in the middle of the web? (Web?) You get it.

The explosion of mobile, with those convenient user IDs, must have looked like a firehose of cash. It also threw off privacy disasters like Cambridge Analytica, but all in all, it’s tough to imagine a better scenario for digital advertising to thrive. In the last decade or so, we’ve all become glued to our smartphones, and they’ve been dutifully feeding darn near everything back to the advertising matrix. All of your clicks, taps, opens and scrolls on apps using Facebook’s SDKs flow through to them, all nicely wrapped up with a bow labeled “My Phone.”

Apple is having second thoughts, finally. Tim Cook, Apple CEO, had this to say in late January 2021:

“Technology does not need vast troves of personal data stitched together across dozens of websites and apps in order to succeed. Advertising existed and thrived for decades without it, and we're here today because the path of least resistance is rarely the path of wisdom.

If a business is built on misleading users on data exploitation, on choices that are no choices at all, then it does not deserve our praise. It deserves reform.”

I’m OK with a company changing its mind, even on big things. They should; over time, actions make brands. Apple has astonishing customer loyalty, and if they’ve earned some of that by taking more user-first, privacy-first positions than advertiser-first — fair enough. You don’t have to buy an Apple smartphone.

Sidebar: It’s worth stepping back and making note of something in that mobile timeline. Apple has aligned themselves on the side of user privacy, and generally acted on that more vigorously than, say, Google. But Apple did provide the UDID in the first place. They replaced it with the IDFA, but they haven’t put that controller in the user’s hands yet. I find myself rooting for Apple on this latest dust-up, but I don’t want to give them full credit because they had a hand in creating the problem, too! Apple also receives $8-$12 billion a year from Google for default-search-engine placement. QED Apple is also in the advertising business.

Google: Pay No Attention to That Android Behind the Curtain

Google’s position in all of this is a bit different. Over 80% of Google’s revenue comes from advertising. I know of no pending announcements about a phase-out of the Android AAID identifier, so they’re apparently not following Apple’s move on mobile. (Perhaps user opt-out from apps, and non-permanent identifiers, should be a Federal requirement for devices?)

Google has focused their announcement on cookies instead.

Cookies — those crummy little data identifiers dropped inside your browser — can be used to identify browsers/users. It’s similar to the role AAID/UDID/IDFAs serve for apps, although as I understand it, less “unified.’ If you use several browsers on a desktop — Firefox, Chrome, Safari — each may be cookied but there’s not necessarily a unifying ID that joins those cookies. (If you sign into an account — e.g., a Google account — on multiple browsers, there’s a logical opportunity to deliver a cookie value that’s in common. We’ll come back to this point.)

Who brings cookies to a party? Glad you asked. Let’s chew on that for just a moment.

  • First-party cookies: stored directly on your browser by the domain (website) you are visiting.
  • Third-party cookies: created and stored by domains other than the one you are visiting directly.
  • Second-party cookies: kind of obscure and controversial, but in theory, a first-party company could transfer cookie values to another company. “Here’s the file with names, emails and cookies, partner.”

Say you visit to learn more about real-time email content. If you fill in an opt-in form, the site could (in theory) store that information — plus attributes from the browser request, such as your preferred language, city/state/postal code, latitude and longitude, and time zone. Your browser would accept a save-this-cookie request — that’s a first-party cookie, coming from the domain being browsed.

On a subsequent visit, the site could use the saved cookie to look up that data to personalize your experience. Basic stuff, right?

Problem is, the average web site these days also fires over 20 requests to other domains — 3rd parties. Currently, in the most widely used web browser (Google Chrome), each of those 3rd party domains can ask the browser to store a cookie. Among others, these might include website analytics, social-media networks, live-chat services, and of course advertising services.

1st-Party Cookie

3rd-Party Cookie


Domain being browsed

Other domains, via Javascript


By original domain

Any other website that also loads 3rd party domain

When you browse around for stainless-steel BBQs, an ad network (Google or Doubleclick, for example) might capture that activity on Five minutes later, when you’re patio-furniture reviews, the ads on the side show...stainless-steel BBQs. Simplifying a bunch, those 3rd-party cookies are the connector.

The reason for this side-trip into the cookie factory is this: Google has announced that they will be “phasing out” support for 3rd party cookies in the Chrome browser. Other browsers — Safari, Firefox, and Brave for starters — are already there, but Chrome commands nearly 66% of the browser market!

Google’s in the digital ad business. Why would they do this?

It’s pure speculation on my part, but a few points stick out. Google’s 1st-party footprint is pretty darn big; (search), Gmail, GSuite, Google Analytics. Their advertising competitors have much smaller feet. QED, Google’s 1st-party-cookie-driven advertising could benefit from edging out competitors. No doubt Google is also eyeing the Federal action against Facebook; vague commitments to “phase out” 3rd party cookies is decent air-cover.

Google is researching alternatives to cookies. In late January 2021, they announced test results for an API called Federated Learning of Cohorts (FLoC). FLoC uses machine learning to group people, based on sites visited. In theory, you might end up in the BBQ enthusiasts “flock” for a while, without direct 3rd-party cookies tracking your individual browsing activity. More private? Less invasive? We’ll see. Wouldn’t want to be DoubleClick at the moment.

Google’s strategic position is remarkably strong. They can decide on the default behavior for 2/3rds of browsers. They own the 2 most-visited websites and YouTube. For perspective, Google + YouTube garner 127 Billion monthly visits; #3, Facebook, clocks in at 26 Billion. (The three combined have more visits than the next 47 sites in the top 50 list — several of which are also Google-owned.)

That summary of their strategic position also underlines that focusing attention on browsers and cookies is pretty darn good sleight-of-hand.

You may recall (weeks ago, at the top of this absurdly long post) that Google-owned Android dishes up a permanent AAID on devices. 3rd party cookie handling has no bearing on that tracking ID. (Android has about 40% market share in the US, and about 73% worldwide.) Google may get the ‘Strategy Credit’ in the public mind for ‘doing something about cookies, but they’re skipping action on the mobile ID-and-tracking problem in the meantime.

Sidebar: While cookies have their issues, regardless of N-party affiliation, it’s critical to note that cookies are an open Internet standard. Eliminating 3rd party cookies — especially if a Google-proprietary API like FLoC becomes the de facto replacement — makes browser digital ads dependent on a proprietary standard.
Wired’s latest headline on this issue: “Chrome’s Cookie Update Is Bad for Advertisers but Good for Google.”


Facebook’s position in the face of these changes is structurally weak, I think. Without control over mobile OSs or browsers, Facebook will be materially affected by these changes, but has little direct influence on them.

02 MD 3Paying for nationwide ads about the plight of small businesses, for one, looks like a weak-position maneuver. If you’re so worried about small businesses, skip the newspaper spend and just lower your small-business ad rates, perhaps??

Facebook’s API-driven ecosystem was a brilliant move in 2006, which earned them a rocket ride on the back of mobile, apps and device IDs. They didn’t manage to break out of that structural middle-man spot in the intervening years, though, despite a few attempts to do so. (Facebook took a shot at a Facebook-first version of Android years back, as I recall...they also tried to kill email.)

Facebook is not going to go out of business, though; with control over about 30% of digital ad spend, and the #3 traffic spot (on the Web; perhaps higher on mobile??), this is hardly an existential crisis.

I doubt that Facebook will succeed in deflecting Apple from the IDFA/user-approval move.

The latest salvo in this battle — literally, on the headlines this morning in drafting this post — is Facebook’s decision to roll out an in-app iOS prompt to “educate” users about the handling of their data. “People deserve the additional context.” I wouldn’t be surprised to see Facebook standardize the prompt across mobile apps that feed additional data to them.

But prompts aren’t preferences; the decisive button-click will be the Apple prompt. My guess is that the tide has shifted and that a substantial number of people will say “no, thanks.”

So All This Traffic Will Go to Email. Right?

That’s a very brief 5¢ tour through the big changes shaping up for the digital advertising space. Global digital ad spend was $333 Billion in 2020 (according to Emarketer). Does that mean that billions of dollars are going to flow back into email marketing instead? Are we going to return to 1978, metaphorically speaking?

I’ve seen articles here and there suggesting that with these structural changes — mobile ID permissions and 3rd party cookies crumbling — the email address will become the de facto user ID.

That seems to me more wishful thinking than reality. The cookie/mobileID advertising ecosystem operates mainly on protocols and in sandboxes that don’t directly involve email. The invisible web of Javascript HTTP calls powering those 3rd-party networks, and of native app operations moving device IDs around, don’t have automatic access to email addresses to substitute for cookies and other IDs.

If any company might be in a position to give the email address a new role in digital advertising, it would be Google. Relatively high market share with Gmail is a dandy start; Gmail + Chrome + the aforementioned websites are a pretty potent mix.

But the obstacles aren’t trivial. The risk of breaking the laws of more privacy-centric nations (EU for example) by using email addresses for other purposes seems pretty high to me. Would an EU court say that you can regard your GSuite email address as “personal information”? I’d bet they would, regardless of the fact that Google provides the service.

If Google did start making more use of email addresses for advertising purposes, I’d expect them to handle them cryptographically, and I’d expect them to keep the ‘new cookies’ to themselves — at least for a while. The risk of a public-relations misfire with “email” and “privacy breach” in the same sentence is high, and the costs would be steep. We think of email addresses as highly personal.

Technology obstacles aside, will marketers divert digital advertising spend into email marketing en masse?

I’ll go out on a limb here and say “Not as much as they could.”

I don’t doubt that some companies will pull back on ad spend, re-examine the ROI of email marketing and divert more resources there. I’m optimistic that the agencies that really understand how to rock email marketing will pick up some business. But I think those shifts in spending will be distributed quite arbitrarily. Company A will do it; their neighbor won’t.


My take on it, which I’ve touched in a past OI post (“Got Milk?”): email’s position and email’s brand are weak, fuzzy and more than a bit haphazard. I think email deserves better, although I’m not sure how to go about changing it.

There’s a particular charm to “email people.” They’re enthusiastic, genial, generous and altogether nicer than the folks in most other tech sectors. (Sampling set of 1 - me - but I’ve worked in a LOT of industries.) They’re also unduly modest and — to put it as nicely as possible — usually a bit prickly and defensive about the field.

Try it. Poke an email guy with a stick or tell them “email is dead.” They’ll start rattling off statistics about email. Yada 38% ROI. Yada your email list is your #1 asset. They’re a bit like pre-2004 Red Sox fans, doggedly loyal to The Team despite never going to the Series. Their average age is definitely over 30 and recruiting younger fans and keeping them on the team — sorry, in the field — seems to be a challenge.

(I should say “We”, because I’m right there with y’all. Just trying to get your goat in a blog post ;-)

Here’s the point. When a marketing VP is considering where to divert $X million of their digital ad spend, is their email program a first-class contender for that spend? I really wonder. I have no disagreement that it should be — my point is more that the mental category and “brand attributes” of email are all over the map.

That may, in part, be a consequence of market structure. Email doesn’t have dominant “gatekeeper” companies in the kind of structurally critical positions that Apple and Google have in the fray above. Yes, there are a ton of Gmail inboxes, but it’s not a “must.” An email advertiser — e.g., a newsletter publisher — is running on the rails of open standards (SMTP addresses, etc.), not on some massive could-be-a-competitor’s proprietary toll road. But consequently, there’s not really a giga-monopoly with wads of cash to throw at marketing “look how sexy email is.” (The 200-lb chimp in Atlanta isn’t really an option for that hypothetical marketing veep, right?)

So, my take on it is that email marketing will probably pick up some momentum in this shift, but it’ll be a bit piecemeal.

We don’t have a “Got Milk Mail?” industry-association campaign to go with those vanishing cookies. Maybe it’s time.