blog: Don Marti


Attribution and consent

26 January 2020

(update 8 Apr 2020: added numbers to levels.)

Attribution, so hot right now. some background: WTF is multi-touch attribution?, Confessions of a former agency exec on attribution scamming. Big unresolved questions on how the post-creepy web ad business will handle the measurement of ad effectiveness when third-party cookies are absent, and fingerprinting is a game of Whac-A-Mole with all the browser powerhouses busy whacking and only the small fry of the Lumascape still busy mole-feeding.

Building better systems for ad placement and attribution will depend on a solid chain of consent from web activity to action. No attribution tracking is going to work if consent is missing or sketchy on any link in the chain, because browsers, competing to implement people's preferences on how their data is used, will drop attribution data on the floor if it doesn't have solid "provenance" in the form of good enough consent.

Of course, most of the stuff covered in a "consent" dialog isn't really consent. IMHO there is consent that's meaningful enough for a browser or other software to pay attention to, and fake consent where the best way to implement the user's intent is either to rewrite the consent bits, or to block tracking. Consent is hard to define.

Levels of consent, best to worst.

  • 5: philosophical ideal of consent. Philosophers are still working on this, so no need to implement in software yet.

  • 4: informed consent that's good enough to get you signed up as a human subject for university-run research. Institutional Review Board approval, so software should respect, because Science!

  • 3: consent as part of an understandable transaction (You have consent to use my address to ship me the package I ordered). This is kind of like the spawn of consent and legitimate interest. Software must implement this kind of consent, or people won't be able to order stuff or log in or anything, and they will rage-quit the software that's stopping them.

  • 2: consent implied as part of a transaction such as a registration wall with an email address, or SSO with a clearly labeled button. This level is where the action is. Can user research show that expectations on both sides are compatible? If so, this is a win! Opportunity for software to help users by doing this right, and a big opportunity for sites that people choose to trust. The Site Engagement Service in Chromium is likely to be increasingly important here, along with related metrics for how much the a user probably trusts a site,

  • 1: consent buried in the fine print or in dark UX patterns is clearly not good enough, and worth the effort for software to block data transfer even in the presence of "consent." Blocking bogus consent, and telling it apart from consent that's just good enough not to block, is going to be a user research win, just like blocking other creepy stuff.

  • 0: consent fraud is common, just more stuff to filter or block.

Attribution schemes will work as long as everyone who touches attribution data also has consent, which implies a bigger role for publishers in the audience data market.

Today, the Trident Era Ends

(A Few) Ops Lessons We All Learn the Hard Way

U.S. Media Polarization and the 2020 Election: A Nation Divided

Newsonomics: Here are 20 epiphanies for the news business of the 2020s

Curious case of privacy bug in Intelligent Tracking Prevention

How publishers are planning for the end of the third-party cookie

Browsers are interesting again

WTF is Google’s Privacy Sandbox?

Axel Springer pushes on in its legal fight against ad blocking

The browser wars are back, but it’s different this time