The technology industry was heaved into a convulsion of rumination last week by a blog post published by Google, from which two primary directives can be parsed. First, that the company won’t replace cookies with any other behavior-tracking implement, instead opting to use the tools developed for its Privacy Sandbox for cohort-based targeting. And second, that Google doesn’t believe that email-based identifiers — such as The Trade Desk’s Unified ID 2.0 — will withstand consumer and regulator scrutiny in the long term.
These ideas are important to reify, but they are not new. Given the amount of time and presumably resources invested into its Privacy Sandbox, it seemed unlikely that Google would simply replace third-party cookies in Chrome with some other user-centric targeting mechanic. To my mind, the stand-out passage from the blog post, which appears near the very bottom, is:
Developing strong relationships with customers has always been critical for brands to build a successful business, and this becomes even more vital in a privacy-first world. We will continue to support first-party relationships on our ad platforms for partners, in which they have direct connections with their own customers. And we’ll deepen our support for solutions that build on these direct relationships between consumers and the brands and publishers they engage with.
Google’s first-party ecosystem is vast: it encompasses a wide range of properties from email to maps to search, all of which are often used in a logged-in state. Google’s first-party data allows for identity-targeting that is perfectly adequate for Google: all the company is doing with the transition to the Chrome-based Privacy Sandbox is pulling up the identity drawbridge at their content fortress.
This is exactly the same strategy that Apple is deploying with ATT, as I describe in the presentation embedded above: by artificially defining “privacy” as the distinction between first- and third-party data usage, the largest platforms simply entrench their market positions. Google owns search and Chrome, and Apple owns the App Store. If first-party data is the commodity of empire for digital advertising, then Google and Apple and various other large platforms fortify their empires through the “first-party mandate”: the decree that the use of first-party data in ad targeting is privacy compliant but that the co-mingling of first- and third-party data for ad targeting is not.
In this way, “privacy” is a mirage: the largest platforms define privacy such that it is always just one big, sweeping change away from being achieved. The concept of privacy is being weaponized with platform-led privacy initiatives that strengthen their sponsors, weaken the competitive environment, and ignore the benefits that consumers glean from ads and product personalization. I discuss much of this in the above-linked podcast but also in this podcast and this post.
It’s worth noting here that I do find behavioral and device-level targeting to be problematic, as I lay out in The IDFA is the hydrocarbon of the mobile advertising ecosystem, which I published last September. My problem with the first-party mandate is that it simply re-shuffles terminology in a sort of shell game.


The reality is that digital privacy exists as a spectrum of tradeoffs between data collection and content relevance / product functionality. As I discuss in the presentation linked above, the false dichotomy that is being presented with mechanics like AppTrackingTransparency — in which privacy control options are packaged as delivering either total surveillance or total anonymity — doesn’t accurately describe the privacy reality of what the platforms are proposing to users.
In fact, the first-party mandate is a cyncical misrepresentation. If a user wants total anonymity, then using first-party data for ads targeting doesn’t accommodate that: if platforms want to offer a binary privacy choice, then they need to offer a “do not use any of my data to target or personalize ads” option, which they are not doing when they only use their own first-party data to target ads.

What’s missing in the arguments that support the privacy initiatives being presented by Big Tech — for instance, this well-intentioned-but-reality-adjacent piece in the New York Times — is that reigning in the excesses of Big Tech cannot be done by allowing Big Tech itself to author the privacy regulations that govern it. Privacy policy should exist to serve the consumer: deliver utility, allow flexibility, and maximize competition. What mechanics like AppTrackingTransparency do is reduce utility, force a false choice, and eliminate competition.
A comprehensive, productive, consumer-focused privacy policy would:
- Inform users of the tradeoffs that come with limiting the data to which they give products and ad platforms access;
- Clearly make the distinction between the co-mingling of third-party and first-party data, the use of only first-party data, and the use of no data for ads personalization;
- Present users with the option of selecting any of the three data collection and usage alternatives.
If the consequence of the first-party mandate is only that the companies with vast amounts of first-party data squeeze out competition, then consumer privacy is never improved and arguably becomes even more compromised. The first-party data mandate creates a privacy Maginot Line: a deficient line of defense that merely instills in consumers a false sense of security around how their data is safeguarded.
Photo by Ganapathy Kumar on Unsplash