In this week’s episode, join special guest Greg Brunk, Head of Product at MetaRouter, and hosts Claudiu Murariu, CEO and Co-Founder of InnerTrends, and Arpit Choudhury, Founder of Data-led Academy, as they dive into server-side tracking: what it is, how server-side tracking has changed advertising, the risks involved in tracking advertising data and how marketers can avoid them, and the benefits of owning your own user data in today’s industry.
Welcome to The Data-led Professional Podcast: A podcast dedicated to helping folks become data-led to build better products and services.
Want to listen to the entire episode? Check it out here:
Subscribe on your favorite streaming platform for more episodes:Listen on Apple Podcasts Listen on Spotify Listen on Google Podcasts Listen on Stitcher
[G]: For the sake of expediency, let’s look at Facebook: Facebook’s pixel, and their library on the page, collects a number of different things. Even when users can control a level of consent, there’s still a lot that’s unregulated, that the third-party library is collecting from your page.
They collect all that you’d expect an advertiser to collect; if you run an ad campaign on Facebook, and then someone clicks through to your site and ultimately buys that product or signs up for your application, Facebook wants to collect that conversion. And in order to collect that conversion, they need to know what that person did and who they are. So cookies are very involved.
They’re also collecting all kinds of additional measurement data so that they can build audiences based on all of the things users do around the internet. So they’re interested in what products they’re looking at, what conversations they’re having, what groups they’re a part of.
They’re collecting all kinds of auxiliary or measurement data, and it allows them to retarget to these users when other advertisers are interested in selling to people who have similar interests to them on Facebook.
But Facebook does all kinds of additional crazy little things: They fingerprint from the page, so if users don’t give consent to hand over their identity, they’ll still try to figure out who they are by looking at cues from thebrowser, like IP address and user agent, to try to intuit who they are with a fuzzy match.
They also do some nefarious stuff like prefetching, which is where – if a user is scrolling through their Facebook feed, and Facebook anticipates that their intent is to click on an ad – they’ll prefetch the page that they might have clicked on. And if you, as the advertiser, don’t intentionally turn that prefetch data off, Facebook will actually count that as a conversion even if the users don’t click through. There’s stories of millions of dollars of fake conversion data being tracked and attributed as real purchases, even though users weren’t actually clicking through.
So there’s a number of things that the library does, without a lot of regulation on the page. I can understand why a legal department wouldn’t want Facebook on the page doing whatever they want.
[C]: Is Facebook doing that solely for our own benefit? Or is Facebook using the data they collect from the users that visit our website for the benefit of other companies?
[G]: It’s a combination of both.
Facebook has used the necessary requirements of dropping their library in order to track advertising conversions as a way to also collect data about the broad scope of the users on the internet. They’re running on a high majority of all pages. And they’re building a massive audience network, which is their primary value proposition.
So when I say, “Hey, I have a kayak store, I’d like to sell kayaks. I’d like to target kayak users,” the way they know that is not just what users do on Facebook. Anytime they’ve searched or looked at or participated in kayak communities across the internet, they add those users to an audience. They do that by scraping additional data from all of these places where they’re running, that doesn’t necessarily have anything to do with the conversion that you as the advertiser are interested in tracking.
So they’re definitely collecting a combination of data for their own purposes, and for your business’ purposes.
[G]: Yes – if you look at the network tab on any site where Facebook is running, you’ll see a number of context calls, you’ll see a number of explicit calls that the user actually wanted, they’re identifying with themselves all of the time. They’re passively collecting information constantly on the page. This is client-side tracking.
[G]: Server-side tracking is an emerging sector. There are two types of server-side tracking:
That’s a big part of what MetaRouter does – we run what’s called the sync injector, and it hits a specific ID sync endpoint at Facebook, it takes their former third party cookie and turns it into a first party cookie, and then we allow you to use that ID when you’re sending all your data server-side so that you can still actually attribute through those offline conversion APIs, the server-side APIs and not have to drop the pixel on the page at all.
[C]: Would this work on remarketing as well?
Retargeting and remarketing is an interesting space. The big players here – the TradeDesk, Mediamath, Xandr, etc. – are scrambling to try to figure out what they do with the increasing regulation on cookies that Google or Safari have been imposing, and that others are going to impose.
If you have an ad running on a specific website, and then they drive to your store, and the user makes a purchase, the only real way to understand who that user is, in both places, is a third-party cookie. It’s a cookie that is owned by, for example, Mediamath. They know who the user is on both sites because they can read that third-party cookie; that’s how they’re able to track the fact that the user saw the ad on one site, purchased the product on another site, and can count that conversion.
When Mediamath loses its ability to drop that third-party cookie, there’s not going to be any good, natural way to attribute that session in both spaces. So Mediamath, TradeDesk and a bunch of identity consortiums are scrambling to figure out a global ID solution, which is a single publisher and advertiser ID that can be used in sync across the internet for a particular user.
The problem is, the only way to really make that work is Personal Identifiable Information (PII), because the email address is the central thing that really doesn’t change for the user. So the email is like a key – which should be sent encrypted, so that it’s still relatively safe – which can be used to get access to that global ID that connects these cross-domain sessions.
But currently, there aren’t many solutions gaining traction that figure out how to solve this problem without the email. So increasingly, you’ll see these vendors and publishers starting to post an email wall requiring you to sign in or asking for an email, or you have the option of either enabling adblock, disabling ad blockers, or giving over your email. This is currently an important mechanism to try to handle the remarketing problem.
[G]: There are a couple of different implications of server-side tracking. We [MetaRouter] believe that the commercial entity that a user chooses to go into a relationship with – the application that they sign up for, or the e-commerce store that they choose to buy products on – is the best positioned to handle that data responsibly and safely. Because the user has chosen to enter into that relationship.
The reason we [MetaRouter] love server-side tracking so much is because you – as a business – take your first party data into your server-side ecosystem and establish the rules, cadence, order, parameters, and data points that you’re choosing to share with your third parties.
Rather than just letting Facebook run on the page and do whatever it wants, you are controlling the narrative. Businesses are in the best position to operate responsibly because when a user goes to your application, he’s choosing to communicate with you, not Facebook.
That’s a philosophical prerogative, for businesses to start operating responsibly with the data.
The second piece is the big bump in efficacy. There’s all kinds of noise on the browser – there’s ad-blockers, browser-side regulations, people clearing cookies, etc. So when you’re collecting a first party, off the browser, into your first party endpoint, you’re not going to experience nearly as much noise and disruption in the data. And you’re going to have a cleaner data set inside your ecosystem, so that when you send to Facebook and Google, you not only can control the rules of how that’s set from one place to another, but you can also ensure that there’s a greater consistency between those two platforms. So you gain a lot of performance and control when you’re in charge of the delivery mechanism.
[G]: There are always going to be Customer Data Platforms (CDPs) and audience-building mechanics inside of these advertising mechanisms that will expose an audience that you can buy from.
The efficacy of those audiences will degrade. As they lose the ability to attribute the things that users are doing across the internet, the audiences that you get from third parties, as they are regulated, will get worse.
The advantage is that you need to start owning more further downstream. You should try to start owning more of the customer data profile, the audiences; try to own more of that ecosystem. So that either means establishing the right relationships, or building an in-house CDP.
As companies try to give more privacy to the user, your ability to go after a user who hasn’t expressly been interested in you – you’re going to lose some efficacy there. But the advantage of building an in-house group, populating that data, and then trying to get look-alike models where and when you can from your relationships is the best path forward. You’ll work with a smaller but more specific data set.
This is going to be the new normal: owning more of the audience-building, more of the bidding, and more of the data feed.
[C]: That’s perfect, because today, advertising data is fully owned by Facebook and Google and all of the advertising companies. That’s why they sometimes get conversions counted, even if they never happened.
[G]: What we’re seeing, especially in the big enterprise space, is that instead of working with a bunch of auxiliary, direct partnerships with different CDPs and different advertisers, they’re starting to build in infrastructure databases. They’re using big data warehouses, and either importing outside data that they can get from the rest of the industry, or they’re importing data directly from their own sites, sources and apps. They’re starting to pull internally from those feeds, and use the appropriate mechanisms to send that audience out with a piece of creative.
Rather than telling Facebook, “I’m interested in people that are interested in kayaks; here’s my creative,” you’re saying: “Here’s an audience set. I want you to go into your market and target look-alikes to this set of audiences.”
By saying that, Facebook can’t take all of the raw data and do whatever they want with it. You’ve told them the persona you’re going after, and they can leverage their look-alike model to target that persona without giving them a ton of raw data about your users outside of their consent. That puts you in a position to still leverage their audience, which is really valuable for retargeting and remarketing. But you don’t have to hand over raw information about your users in order to make that happen. In the long run, that’s what’s best for your users.
It will take some time for this level of control to trickle down to the SMB market, but there’s already some cool in-house CDP, SMB market activity where this control is becoming possible as a SaaS tool.
[G]: We’ve talked a lot about server-side data feeds and sending your measurement or conversion data from the server on your terms. But the browser space is still critical, and it’s going through a lot of turmoil.
Safari is doing its Intelligent Tracking Prevention (ITP) blocking, which evolves seemingly every quarter into more instructor restrictions. They’re putting restrictions on first party data now, and Google will soon be launching its Privacy Sandbox, which is an excellent solution to the problem, but it’s tricky because it’s owned by the biggest advertiser in the world. You never really know what the intentions are there.
The server-side tracking piece we’ve already talked about is really important, but there’s a supplemental component to that that’s also really important: you’re taking more control of what’s happening on the browser.
When we talked about switching from allowing Facebook to just run wild on the page to interfacing with Facebook from the page the way you want to, on your terms, that’s the critical piece for you to start hedging against the risk coming from all of these private sector changes with browsers as well as government regulations coming through with CCPA and GDPR.
These restrictions and limitations are coming fast. One of the things that would be really smart to consider is putting mechanisms in place that allow you to control the rules on the page.
MetaRouter offers what we call a sync injector. The basic premise of that is, vendor by vendor by vendor, you are – on your own terms – establishing the relationship that you’re comfortable with for identity for your users. Ideally, you have a consent mechanism in front of that so your users have a single point at which they can choose: I don’t want to participate in this identity sync, and you turn that off. Now, instead of having to go to each individual tag and ask them to stop what they’re doing, you just shut off your control of that identity space.
Because you’ve done that, when Privacy Sandbox comes along and requires you to do certain things, all you have to do is change your one point of interface with Privacy Sandbox, and you can be in compliance with Google’s rule. You can also look at how that impacts the server-side tracking and what identities are going to be available when sending that server to server data. But you can’t just rip the tags off and start sending data server-side; you really need to invest in some way of managing those syncs and identity pieces, because that’s the only piece that really needs to remain on the page.
If you’re not comfortable building that internally, look for vendors like MetaRouter that have synching libraries that can control the individual rules with, vendor by vendor. That puts you in a great position of power to say, “I’m comfortable leveraging this ID, with the efficacy loss that I might have with this new anonymous ID, but at least I know it’s compliant.”
The old world of letting Tag Manager dump as many tags as it wants on the page is going to die. Not only because it’s really not allowed anymore, but because the increasing browser restrictions are going to make it ineffective. Those tags will lose efficacy, so you want to have a solution in place that allows you to choose when and where you want to maintain efficacy and operate according to your own rules.
Those two systems together, more client-side control and more server-side tracking, really puts you in a position to hedge against this impending death of cookies and see where the industry goes, and then adapt and adjust. That adaptability is really powerful in advertising.
Server-side integrations with marketing and ad tech tools:
Have any additional questions about the rise of server-side tracking and its impact on advertising, or any other topics you would like to hear covered on The Data-Led Professional Podcast? Comment below! We can’t wait to hear from you.
Subscribe for more episodes on your favorite streaming platform or subscribe for InnerTrends updates here.Listen on Apple Podcasts Listen on Spotify Listen on Google Podcasts Listen on Stitcher