When authentication falls short: Myths and realities in advertising ID solutions

Recently, the IAB Tech Lab sought to develop standards and specifications to provide the industry with much needed clarity and guidance. The IAB Tech Lab’s ID solutions guide, published a few weeks ago, brings clarity to the landscape by breaking down the scope and scale of various ID solutions. This standardization simplifies the evaluation process by focusing on eight key criteria.

While all eight criteria provide greater insight, there are a few areas that most need clarifying due to the numerous misconceptions surrounding them. In particular, approaches to privacy and reconciliation methodologies in alternative IDs.

Demystifying a long-standing myth

The ability to protect people’s data in compliance with privacy regulations is unquestionably one of the primary criteria for evaluating identity partners. Consequently, data protection has become a key argument that solution providers use to elevate their ID from the competition.

However, effective evaluation of solutions requires separating facts and hearsay, especially when it comes to crucial aspects such as privacy compliance.

A common misconception is that certain signals or methodologies, namely authenticated signals are inherently more privacy-safe than others.

An authenticated or deterministic ID solution (the name is often used interchangeably) relies upon data that is usually provided by the user, such as email addresses to reconcile the user’s identity across media properties.

The assumption that such solutions are more privacy compliant is rooted in the idea that logging into a website implies consent to be identified, a claim that fails to recognize that authentication and consent are separate notions. One does not imply the other.

The world’s most comprehensive privacy regulation doesn’t leave room for interpretation on this matter. The EU’s General Data Protection Regulation (GDPR) requires solution providers to obtain consent to collect and process personal data whether or not a user has logged into a website or app. This regulation (and others modeled on it) doesn’t differentiate between signals or require any piece of personal information used for identification purposes to be collected and processed transparently with the person’s agreement.

Therefore, the type of methodology or signals used does not determine if a solution is more or less compliant. Instead, evaluation should focus on the technology and mechanism used to capture and relay a user’s preferences.

Determining an identity solution’s credibility

The IAB Tech Lab ID Solutions guide offers guidance on this process and highlights the importance of evaluating how an identity provider helps comply with regulatory requirements and how they prioritize people’s rights to transparency and control.

Examining the origin of a solution provider can reveal insights into its compliance capabilities.

To operate in such a regulated region, European-born ID providers have had to implement robust consent collection mechanisms and systems that ensure transparency and control for consumers.

ID5 exemplifies this approach, having been established alongside the GDPR. From its inception, ID5 had to adapt to stringent regulations, developing privacy-by-design technology that respects and enforces people’s privacy preferences in the advertising value chain. This means that all signals used to address people in Europe are collected with explicit consent. To enforce these preferences, ID5 encrypts its IDs, ensuring they are only shared and used by authorized parties.

When signals and methodology really matter

While methodology does not determine an ID solution’s compliance with privacy regulations, it plays a crucial role when assessing its reach. This is where the difference between an ID that only leverages authenticated signals compared to others becomes apparent.

The reality is that while deterministic signals are valuable, the volume of authenticated traffic is low. Over the past three years, ID5 has surveyed hundreds of publishers to track the percentage of logged-in users. The findings have been consistent. In H2 2023, 41% of publishers reported having less than 10% of users logged in. 20% said they have between 10 and 20%.

This means that buyers can’t rely on authenticated signals alone to run effective top-of-funnel campaigns, which require a larger pool of audience. The consequences are even bleaker for media owners. Publishers risk significant revenue loss, as much of their traffic remains unaddressable and less valuable. This narrow approach limits their ability to fully capitalize on their audience, leading to missed revenue opportunities.

ID5 addresses this challenge by adopting a unique approach to identification. By establishing direct relationships with media owners, ID5 accesses a variety of consented signals, powering addressability for authenticated and non-authenticated audiences. This approach provides accuracy and scale, supporting publishers' and buyers’ needs across different use cases, and overcoming the limitations associated with reliance on deterministic signals alone.

Cutting through the clutter

With the availability of official resources offering clear guidance, it is now easier to distinguish between substantiated claims and marketing hype, particularly on critical issues like privacy compliance. Google's decision to leave cookie removal in the hands of consumers provides an extended window to thoroughly test potential solutions. Use this time to collaborate closely with your privacy team to evaluate each vendor against the regulatory requirements of your operating jurisdictions. Once compliance is assured, you can then focus on selecting the methodologies that best align with your organization's goals and needs.

Learn more about how ID5 meets privacy standards and scales effectively.