“The Sell Sider” is a column written by the sell side of the digital media community.
Today’s column is written by Kevin Mullen, chief product officer at Roq.ad.
Update 1/19/23: This column originally named a company in a hypothetical example about how CNAME is used for identity resolution. Since that company doesn’t actually use CNAME, that company name has been updated to “IDco.”
We know the third-party cookie apocalypse is coming. Good. Cookie syncs are a pain.
One alternative approach is called domain sharing or CNAME access. Some of the largest, most well-established “universal identity” providers are relying on CNAME to magically transform a third-party cookie on a user’s browser into a first-party cookie.
CNAME was originally built to support single sign-on (SSO) tools, such as OneLogin and Okta, to allow a user to log in to multiple systems automatically. Until a couple of years ago, they were the only ones that used CNAME.
If you work for a company that supports SSO, you might notice that your initial login screen is actually on a page listed as “salesforce.okta.com.” That way, Okta can get full access to the browser and is able to log in the user to Salesforce securely.
But with the rise of universal ID providers, there has been growing recognition that CNAME could fill the gap created by the loss of third-party cookies as a way to distribute those “universal IDs.”
There’s a problem, though: CNAME access is likely to be deprecated, and it might happen quite soon – maybe even before third-party cookies are deprecated.
If CNAME access and third-party cookies go away, identity companies – and most of their clients and partners – are going to get hurt.
Badly.
The DL on CNAME
How exactly is CNAME access (aka domain sharing) used for identity resolution?
- I give IDco access with a redirect.
- I redirect everyone who lands on my site “idco.sfgate.com.” This gives IDco first-party cookie access.
- IDco can now read and write cookies because it “owns” the domain. (IDco can even read the third-party cookie they dropped six weeks ago.)
- IDco can read and write and distribute its IDco ID to sfgate.com.
- My site (sfgate.com) can continue to use the IDco ID in the bidstream.
Everyone is happy, right?
But what some folks call “CNAME access,” other folks call “CNAME cloaking.”
WebKit, an open source web content engine that builds browser tools (and is the basis for Apple’s Safari browser), says they’ve built a way to give single sign-on providers access to the cookie store without using CNAME.
The new method uses third-party cookies instead, but only if the user is engaging with their login tool via the iframe that’s on that page.
WebKit’s proposal effectively removes the need for CNAME in the context of SSO. Why? Ask yourself: Who are the only other people using CNAME?
Ad tech companies! Specifically, universal identity providers.
If the browser makers no longer need CNAME for SSO, do you think they’ll allow ad tech vendors to use it for their own purposes?
Actually, we don’t have to wonder, because Mozilla and Google have already told us they intend to close loopholes that allow the use of CNAME in passing universal IDs.
A rocky road ahead
Unless identity providers start making plans and building new features now, they’re in trouble. If there is no way to distribute those universal IDs to publishers, they will start slowly losing their universal ID audience as cookies churn and people get new devices.
And with no way to distribute the universal IDs to the new devices, the data pool passing through the bidstream will fall, too, generating less value for DSPs and advertisers … and, eventually, collapsing all of those universal identity players.
Their publisher partners must succeed at getting email addresses directly if they want to survive. But most publishers won’t be able to get the logins and the emails they need, at least not at scale.
Outside of probabilistically matching IDs using machine learning, no one has an answer for what happens if (or, rather, when) CNAME goes away. That is why the time to start making plans for third-party cookie-less and CNAME-less identity resolution is now.
Follow Roq.ad (@Roqad_official) and AdExchanger (@adexchanger) on Twitter.
For more articles featuring Kevin Mullen, click here.
