The Cookie Mullet

How adtech went from a Data Fro to the Cookie Mullet

Feb 08, 2023

Cookie Mullet is my way to characterize how adtech companies have solved for the “cookie apocalypse” by moving their 3rd party identity and data methods behind new 1st party adtech, continuing to power their companies with shared, opaquely opted-in, hashed email as a persistent identifier. Until the recent cookie apocalypse adtech was free to share user identities and data via 3rd party cookies.

Note, when I say “cookies” I’m including all cross-domain linkage of anonymous user identity and transit of user data, including mobile and CTV applications.

Background

I was running Snickelways, an ecommerce web agency, in the mid-90s when cookies were introduced. Pre adtech websites needed cookies to solve two user problems. First, to save users' preferences and shopping carts. Second, to facilitate auto-logins. Early adtech companies and Netscape asked the WC3 if they could get website owners permission to “piggyback” 3rd party cookies on 1st party sessions to do things like count impressions. Seemed benign at the time so we agreed. Then adtech drove a Mack truck of 3rd party cookies through what was essentially a loophole. In fact, 3rd parties even allowed 4th parties to join the cookie party. This led to adtech companies “cookie bombing” users with 30-50 cookies per session. I kinda visualize it as a “Data Fro”.

Me at Wayland Central School

This “cookie-bombing” slowed websites to a snail's pace so adtech invented tag management which solved latency but exacerbated the privacy problem. Fast forward to 2017 when Apple seized the opportunity to end the party in its App Store and on Safari. Additional privacy momentum came from government, privacy groups and adblock companies all of which were looking to make hay from user privacy. Apple saw a twofold opportunity. First, Apple could appear more virtuous by protecting their customer’s privacy by eliminating 3rd party cross domain user pseudonym sharing (a.k.a., cookies). Second, Apple could harm their competitors with little risk to itself as none of their core businesses relied on cookies. This would force Google to follow and eliminate 3rd party cookies, further hampering Google’s ad business.

When you compare the $400 billion in big tech ad revenue (Google, Meta, Amazon) to the $200 million in small-adtech revenue, split among thousands of companies, it becomes clear that small-adtech is fodder in a tectonic war between tech giants. But since small adtech is almost completely reliant on 3rd party cookies, the impact will be more profound.

Why the Cookie Mullet?

The adtech industry is famously fragmented with over 9,000 companies and lacks a centralized technical ability to come up with a long term solution for cookies. Change would require industry wide data tech standardization which would mean rewriting legacy applications and would most likely expose redundancy and waste in many adtech companies business models. If you do the math (waste, fraud, etc.) it becomes obvious that many adtech companies' profits rely on inherent friction and fragmentation. Simply put, strategic, consumer-oriented privacy would mean less adtech profit.

So, adtech came up with the “#HEMcookie”, a hashed email pseudonym, as a substitution for 3rd party cookies. Now, when users go to a publisher they are asked in the foreground for permission to use their data. The publisher, lacking the enterprise tech, provides an adtech vendor, invisible to consumers, with a hashed email address (HEM) and then uses a back end, server-to-server API to link the HEMcookie to that user’s identity in other adtech companies with similar arrangements with other publishers. So the HEMcookie ID along with the user’s data is proliferated around adtech (just like before). The big change is that the technology is hidden from users behind the publisher’s 1st party domain, so the user’s machine can’t see it.

That’s what makes it a “Cookie Mullet”- 1st party business in the front and the same old 3rd party in the back.

Me at NYU

The Good, Bad and Ugly of the Cookie Mullet

The Good:

Cookies are good because they are technically simple, easy to generate and utilize. Cookies enabled programmatic advertising to develop quickly which vastly increased the efficiency of buying and selling digital advertising.

The Bad:

As I first said 10 years ago 3rd party cookies are bad because although cookies are easy to generate, they are inherently weak computing mechanisms. They are not regulated or standardized. They are invasive to consumers and prone to fraud. After adtech took off there was no financial motivation to standardized true, transparent user data privacy so the consumers never got a seat at the table.

Today the focus on privacy in big tech is omnipresent. Apple has kneecapped Facebook and the rest of adtech in the process, and put Google on the spot. Now Google will have to respond, restricting use of 3rd party cookies which will make Apple respond further and so on.

The Ugly:

There’s no such thing as “cookieless.” The HEMcookie is anchored to a user’s email, making it a Super Cookie, something that users (and regulators) have long feared. A user that is told to opt-in, give an email address in exchange for content that used to be “free” doesn’t realize their email has been turned into a pseudonym and trafficked all over the internet, just like 3rd party cookies.

Publishers are now at risk because they’re the ones offering the consumer opt-in which opens the door to privacy criticism and claims.

The Cookie Mullet is a tourniquet. Publishers are already seeing 50% revenue losses because of reduced identity resolution and reach. The Cookie Mullet is yielding pubs 20-30% of the reach they used to have. Laws are changing quickly and pubs are more liable for non-transparent data trafficking. While the Cookie Mullet is legal right now, it may not be for long.

What should folks do now?

Brands and publishers need to focus on building 1st party audience assets and intelligence. Gather data like you're a hoarder, including all advertising touch point data.

Treat it like a next generation panel. Panels used to be thousands but can now be millions, providing segmentation like scale and fidelity. This also allows for better data integration and better machine learning results.

Start building machine learning methods. Proprietary algorithms that find new prospects, enrich customers relationships and help brands. In other words #OYOA - own your own algorithms.

What’s next?

The Cookie Mullet is temporary. Web3 is going beyond the 2D legacy web. Web3 is about decentralization and distributed AI. Decentralization, not just of money (crypto) but of information, including the elimination of centralized non-transparent user databases. I’ve been calling this next phase “son of blockchain” because current blockchain tech is too slow for adtech business cases. I have seen signs that a faster, distributed blockchain-esqe alternative to the Cookie Mullet is coming, given Moore’s Law and the needs of businesses big and small in modern commerce.

Stay tuned…