Here’s how TouchCR is tracking users in a Safari-compliant way

TouchCR, a Chicago-based personalization and ecommerce platform, has recently come out with its own solution for cookie-less tracking.

That’s the good news for advertisers freaked out by Apple’s recent moves against cookies in the newest Safari version.

The bad news: TouchCR’s solution is oriented toward first-party users, and the company’s chief technology innovation officer told me that “the third-party market is in real trouble.”

The growing sentiment among users, Ritchie Hale said, is “don’t follow us around.”

If you visit a web page for heavy wool socks, for instance, your browser can get loaded with cookies from third-party advertisers on that clothing site. Then, you see ads for snow boots as you travel to other sites, even though you’re interested in winter socks but not snow boots.

As Hale points out, many sites commonly bombard the visitor’s browser with third-party cookies, which can be used to serve retargeting ads that are unrelated to sites the user actually visited.

A visit to Macy’s site, he said, results in the deposit of 50 cookies, 29 of which are third-party.

Tilted toward first-party

Apple’s updated Safari allows cookies for a limited time, but it is tilted in favor of first-party cookies, since they represent sites users have visited and therefore shown interest in.

TouchCR’s solution allows websites to continuously track their own visitors, as first-party users. It has three components: device fingerprinting and local storage keys for anonymous users, and then identity resolution for registered users.

Device fingerprinting is a technique that employs the settings and other specific attributes of a user’s browser and device, such as browser version, plugins, device model, settings and many other specifics. If a user changes some attributes between the last visit and a new visit, like adding some plugins, the TouchCR platform tries to match all other characteristics to a given anonymous profile, and then update the fingerprint.

While device fingerprinting is increasingly common, TouchCR also adds a local storage key.

Hale explains that a browser has three storage mechanisms: cookies, sessions and local storage. Local storage, he noted, is employed to retrieve data only for a domain you’ve visited — that is, first-party — and it can store up to 10 megabytes. TouchCR creates and stores a hashed, anonymized key in the local storage, which Hale says can behave like a first-party cookie. But, unlike Safari’s treatment of first-party cookies (which expire after 30 days if there’s no new visit), the TouchCR local storage key remains indefinitely.

I asked why others are not commonly storing first-party keys in local storage, and Hale replied that he wasn’t sure why, but perhaps it’s because the code is “somewhat more complex” than other kinds of tracking.

Those two tracking factors — device fingerprinting and a local storage first-party key — allow a site using TouchCR to identify anonymous users when they return to the site, even if they haven’t registered with the site, and the user’s profile is regularly updated to include behavior on that original site. Hale said TouchCR can probabilistically identify the user as, say, User123 on a subsequent visit with accuracy of 95 percent or above.

GDPR requirements

If someone registers on the site to receive email, make a purchase or for another reason, the TouchCR platform then has the user’s email address to employ as a persistent identifier.

The email address is used to match with identity information in outside databases that show the same email address. The user is now deterministically identified as a real person with an identity and history beyond activity on the originating site, with a level of accuracy approaching 100 percent.

Hale didn’t rule out that TouchCR’s cookie-less tracking could be used for tracking a user outside of the originally visited site so that a followup retargeting ad could be deployed, but it could only happen on other sites that also used TouchCR’s new tracking platform. At the moment, he said, only a handful of sites do.

He noted that the fade-out of retargeting could be welcomed by many users, although it gives Facebook and Google an advantage because they still have the means to track users across many sites without cookies, because those users remain logged into their platforms.

While TouchCR’s solution solves the tracking problem posed by the newest Safari, its opt-out capabilities don’t yet satisfy all of the user data consent requirements of the upcoming General Data Protection Regulation (GDPR) from the European Union. Hale said his company is intending to make its cookie-less tracking solution fully GDPR-compliant.

TouchCR joins other efforts to track users without cookies. Segment, for instance, has also implemented a cookie-less tracking solution for its clients, and Sonobi offers a cookie-less ad marketplace. While device fingerprinting is growing in popularity, by itself device fingerprinting has issues of standards, accuracy and cross-device tracking.