Identity Signals Explained
A field guide for the evolving advertising identity landscape
Trey Titone
December 12, 2024
Establishing a user's identity is an essential part of digital advertising. Advertisers rely on a mix of different identity signals to conduct audience targeting, measure the effectiveness of ads, or even frequency cap campaigns.
Anybody who has worked in digital advertising understands how crucial identity is — but they might not understand precisely how publishers establish identity in the first place or how ad platforms receive and use identity signals.
In this article, you will learn about:
Every identity signal used in digital advertising
How publishers collect each identity signal
The pros and cons of each identity signal
The future outlook of each identity signal
We'll start with basic explanations of identity signals and how buying platforms and advertisers use them. If you want to learn about a particular identity signal type, scroll down to the relevant section.
But first, what is an identity signal? And how do advertisers use them?
What is an identity signal?
An identity signal is a value assigned to a user's device, browser, or PII (Personally Identifiable Information - like an email or phone number) by operating systems, websites, publishers, or identity vendors.
In programmatic advertising, sellers share identity signals with buying platforms to facilitate advanced advertising features that require an understanding of an individual user.
The three most common use cases for identity signals are frequency capping, audience targeting, and measurement.
Audience targeting
If a user browses a snowboard website, that snowboard website could assign the value of "1234" to that user. The snowboard website publisher can then share this value with an advertiser who sells snowboards. This advertiser can load this association of user "1234" as a snowboard enthusiast into their buying platform of choice and choose to bid on the opportunity to serve them ads for snowboards.
The above is a highly simplified explanation, but if you want to learn more about audience targeting and how data providers or advertisers load audience data onto buying platforms, check out this Data Management Platform Explainer.
Audience targeting encompasses anything that facilitates targeting a user based on some collected behavior, attribute, or interest. Audience targeting can happen within a DSP or an SSP (curation, so hot right now).
Frequency Capping
But what if our snowboard advertiser doesn't want to repeatedly waste all their ad spend advertising on the same users? That's where frequency capping comes into play. If an ad platform can identify the individual user, it can now control how many times to show that user an ad in a set period, aka a "frequency cap."
You can learn more about this process in this Frequency Capping Explainer.
Measurement
So now our snowboard advertiser delivered a few ads to a user, and let's say the user clicked the ad and eventually bought a new snowboard.
The advertiser/snowboard dealer records that user 1234 bought a snowboard. They can then cross-reference the list of users who clicked their ad with those who purchased a snowboard — they will ultimately find user 1234 both clicked an ad and bought a snowboard, so they can record that their ad led to a conversion.
Tracking conversions is one form of measurement that is made much easier by establishing and exchanging identity signals between publishers and advertisers.
I have grossly oversimplified all three features above, but the examples should demonstrate why we need identity signals. These also are not the only use cases that leverage identity signals but are the most common.
Now that you know how advertisers can use identity signals, let's dive into each type. We will review:
Cookies
IP addresses
Device IDs
Hashed Email / Deterministic Identifiers
In each section below, we will review how publishers pick up, create, or assign each identifier and how publishers and their SSPs transmit them to buyers.
I am ordering each identity signal from least to most future-proofed. So, it's no surprise that we will start with everyone's least favorite yet the most enduring advertising identity signal: cookies.
It's a wonder that I even have to include this section in the year 2024 — but it looks like the granddaddy of all advertising identity signals is here to stay.
Cookies are text files your web browser creates and stored locally on your device. Ad platforms create and leverage third-party cookies to establish and exchange the identity of a user. Rather than the website you visit creating the cookie file (first-party cookie), ad platforms create third-party cookie files.
The file essentially contains a unique alphanumeric identifier assigned to a user, let's say, "SSP123". Then, when a publisher initiates an ad request, their SSP can read the cookie file, attach the user ID to an ad request, and pass this along in a bid request to a DSP.
Meanwhile, an advertiser works with their DSP or data management platform (DMP) to drop cookie files on users visiting their websites/online shops. For a simple retargeting use case, our previous snowboard shop owner could drop a cookie file with the user ID "DSP456."
Now, here's a little secret. User "SSP123" and user "DSP456" are the same person. So whenever the DSP sees user "SSP123," they can retarget them with snowboard ads. But how does the DSP know who SSP user "ABC123" is? They know this through the cockamamie process of cookie syncing.
If you want to learn about cookie syncing, I have the perfect Cookie Syncing Explainer for you. Go there if you're more interested in this process, which I thought I could erase from my brain by now.
Until recently, we all thought Google marked cookies for extinction until they raised them from the dead. I won't harp on the subject since the trades and thought leaders alike have beaten the topic into the ground. However, Chrome is the only remaining major browser that doesn't block third-party cookies by default. They planned to get rid of them by a target deadline that had moved back many times until they gave up on disabling them by default.
Instead, Google announced that it would implement a cookie consent system in Chrome. Now, we are all waiting on Google with bated breath for more details on the implementation of their consent workflow. Whichever way Chrome presents the choice of cookies to users will significantly affect the availability of this seemingly immortal identity signal.
Cookies get a bad rap for invading user privacy, mainly due to their surreptitious nature. For those outside ad tech, most ordinary users are blissfully unaware of these little devils facilitating cross-site tracking. But in reality, users can delete them and be "forgotten" whenever they want, so they offer more privacy control than the next identifier below.
IP Addresses
Now, let's review my least favorite identity signal, IP address. You know you are an ad tech nerd if you have a favorite and least favorite identity signal — but I have good reasons to put IP address low on my list.
What is an IP address?
To understand IP address as an identity signal, you need to know that there are two types of IP addresses: IPv4 and IPv6.
IPv4 addresses contain four numbers separated into "octets" divided by decimals:
192.168.0.1
IPv6 addresses contain eight sets of "hextets" separated by colons:
2001:0ac8:82a2:0000:0000:0000:0060:7239
Whether you get an IPv4 or an IPv6 depends on if your device and ISP support it. I distinguish between the two because some ad platforms can't handle IPv6, even though it now makes up almost half of all web traffic.
IPv6 addresses are device-specific, whereas IPv4 addresses are unique values assigned to your household or, more specifically, your network router. At first glance, you would think this means IPv6 addresses are better and more accurate identifiers — but given that they rotate every 1-2 days compared to every 2-4 weeks for IPv4, they are much less durable and practically unusable for many use cases.
If you want to learn more about IPv6, I wrote an article about how it could impact digital advertising.
Ad platforms can pick up IP addresses from devices in ad requests. Whenever a device initiates any HTTP request (including an ad request) to a server, the IP address is available for the server to read.
An IP address is typically referred to as a household identifier since every device in the house will transmit the same IP address (the entire IPv4 and the prefix of an IPv6 — more in my IPv6 article). This household-level distinction makes IPv4 addresses a less accurate identifier for targeting individuals. It is why you see ads for CPAP machines when your dad visits for Thanksgiving (true story).
However, since an IPv4 address and the prefix of an IPv6 is the same across every device in the house, it is inherently a cross-device identifier when those devices are inside the house, and it makes it easier to find users across devices with a cross-device graph (more on that later).
The cross-device nature of IP addresses makes it an ideal identifier for targeting and measuring connected TV since IP creates an easy linkage between CTV and other devices. The link between where users watch ads (CTV) and the devices from where users browse and purchase things (phone + computer) makes IP a powerful signal for any advertiser buying CTV.
An IP address is available on every ad request (except when a user leverages a VPN), so it is a useful fallback if no other identifiers are available.
The future outlook of IP address
An IP address is inherently a user-hostile identifier as it is an identifier that users have no control over without the use of third-party VPN services. Users may also not explicitly know when companies collect their IP addresses.
These privacy issues have led to the rise of VPN services that can cloak IP addresses. Companies like Apple have even begun to build IP-hiding services into their operating system, like iCloud Private Relay. Microsoft has built a similar service, and Google may roll it into a future version of Chrome.
The days of IP address as an unchecked, readily available, and useful cross-device identifier may be numbered as IP masking services and IPv6 continue to gain adoption, but it is unlikely that IP address as an identity signal will go anywhere soon.
Device IDs
A device ID is an alphanumeric identifier assigned to your device by its operating system. Native apps on mobile or CTV platforms can access these device IDs from the operating system.
People often refer to device IDs as IFAs (identifiers for advertising) or MAIDs (Mobile advertising IDs). But now that connected TVs usually have device IDs calling them MAIDs no longer makes much sense.
Apple thrust device identifiers into the public consciousness once they introduced their ATT (app tracking transparency) framework and started asking users if they wanted apps to track them on iOS. This single action transformed the viability of device IDs as an identity signal in advertising overnight and sent the stock of companies who heavily relied on the signal to target users or measure advertising success (like Meta) into a downward tailspin (that they've since spectacularly recovered from by investing time into alternative targeting and measurement methods).
Most companies eventually recovered from the cataclysm Apple introduced with ATT, and device ID endures as a beneficial and widely used identity signal across all other platforms or when it is available on iOS.
Every mobile and CTV operating system has a unique identifier tied to a device. Some examples:
Platform | Device ID |
|---|---|
iOS + tvOS (iPhone + Apple TV) | IDFA |
Android | GAID |
Amazon Fire OS | AFAI |
Roku | RIDA |
Samsung | TIFA |
Despite Apple's continued persistence in making device IDs out to be the devil, they do offer some privacy control as users typically have the option to reset their advertising ID whenever they want.
The future outlook of device IDs
Despite Apple's massive blow to device IDs, they continue to stick around and serve as a possible piece to the fabric of a user's identity. By effectively killing IDFA, Apple fulfilled its desire to cripple advertising on its platform and subsequently push more ad spend to its app store search ads (and play into its privacy-first marketing narrative).
CTV operating systems do not wield the same level of market power and, therefore, have no incentive to discontinue device IDs on their operating systems. Other operating systems may find helping advertising flourish on their platform is an ideal strategy and why device IDs are here to stay on those platforms.
But the reality is that Apple's IDFA and Android's GAID are much more valuable device IDs to retain, given that they are platforms where users both see ads and conduct the intended action advertisers desire — making it much easier to tie those events together. CTV platforms are only beginning to dabble in shoppable TV, but advertisers register most outcomes on other devices.
This separation of platforms of ad consumption and intended action is one reason IP addresses are the ID of choice on CTV, because advertisers can more easily tie together ad exposure on a TV and actions conducted (purchase, registration, etc) on another device to the same IP.
There is a (relatively) new identity signal on the block that can achieve the same cross-device benefits of IP while maintaining privacy controls.
Hashed Email / Deterministic Identifiers
When Google started threatening to yank third-party cookies from Chrome, everybody started scrambling for answers. One of those answers came in the form of first-party data collection and hashed email identifiers.
Without third-party cookies on the web, advertising platforms would lose the frictionless identity signal of cookies and buyer IDs. I say frictionless since it does not require a user to do anything for an ad platform to collect it. The solution that the industry rallied around would now require friction and the collection of users' email addresses via registrations.
The general idea of hashed email identifiers is for publishers and advertisers to collect email addresses from their users and customers and then use a third-party service or standardized protocol to convert those emails into a value that could stand as an identity signal or advertising identifier.
Some popular hashed email identity solutions include:
The Trade Desk Unified ID 2.0
LiveRamp ATS/RampID
Google PAIR
Yahoo ConnectID
Publishers or SSPs implement services that take PII and convert it into an encrypted value that publishers transmit in bid requests to DSPs that can then decrypt those values into useable identifiers that their clients can match to the data they collected. Each identity solution has pros and cons regarding technical complexity and data protection.
Some solutions can use other personally identifiable information like a phone number instead of an email address. You'll also hear these identifiers called universal identifiers or alternative identifiers.
Since users log into services across their devices with the same email address, hashed email-based identifiers gain the same cross-device benefits of an IP address — allowing advertisers to easily link ad exposures to conversion events even if they occurred on disparate devices.
These identity solutions also offer privacy features that put it above IP address, allowing users to opt-out. For example, The Trade Desk offers users a portal to opt out of UID2.
A big downside for these types of solutions is on iOS, where Apple has made it clear that if a user opts out of tracking, they will not only restrict an app's access to an IDFA but also prohibit an app owner from using any other type of identity solution like a hashed email identifier.
The other downside is that if users can leverage email burner services like iCloud's "hide my email" or other services to generate single-use email addresses, that eliminates the usefulness of this identifier type since it won't connect to any other collected data. However, publishers can check the email format to determine if it's a burner email and prevent users from using it when signing up.
Future outlook of deterministic identifiers
Hashed email identifiers are likely here to stay and only grow in adoption. The only question is which solution will come out on top. To yield the full benefit of this ID type across all DSPs, publishers must adopt multiple solutions based on which DSPs they work with. For example, TTD may prefer UID2s, Yahoo DSP wants ConnectIDs, Google DV360 needs PAIR, etc. Since LiveRamp is not a DSP, its RampID is DSP-agnostic, and many DSPs support it.
If these solutions become the new standard, it presents an insurmountable challenge for smaller or upstart publishers who may find it difficult to collect email addresses from their users. The real winners of these types of solutions are services with a critical mass of users that already require a login, like streaming services (Netflix, Disney+, etc.).
That does it for the primary set of identity signals, but there are some other honorable mentions worth quickly touching on.
Probabilistic Identifiers
All probabilistic-based identifiers suffer from the same shortcomings as IP addresses as an identity signal. They offer little user control, and it's unclear when users are subject to them.
Probabilistic identifiers collect multiple signals to form a sometimes shockingly accurate fingerprint of a user. An IP address is typically the baseline signal used to create a fingerprint. Other signals used to generate a fingerprint include your user agent, screen size, and even the unique combination of browser extensions or fonts installed on your device.
To learn more, check out this Device Fingerprinting Explainer I wrote.
PPIDs
Publisher-provided Identifiers are unique values assigned to a user by a publisher. These can be based on an email address or stored in a first-party cookie. PPIDs are typically used only by the publisher to activate their first-party data within their SSP or for frequency capping.
If you want to learn more, check out this PPID Explainer.
The future of identity signals
As you have learned, when it comes to identity, there is more than one game in town. Some IDs are usually always available (IP address), and some may be rare but increasingly available (Deterministic Identifiers). Some IDs offer privacy controls (cookies, device IDs, deterministic IDs), and others can be a moral affront to the very concept of privacy control (IP address, probabilistic IDs).
Each identity signal we reviewed today has pros and cons, and different types of companies prescribe varying business values and associated privacy risks to each one.
Some IDs are more readily available for certain types of services (like deterministic IDs for streaming services or cookies for web properties with few logged-in users), and it's for this reason that we will most likely continue to live in an ecosystem of many identifiers with no single solution taking off.
We will undoubtedly see shifts in value (e.g., from cookies to deterministic IDs) — but all these identifiers will continue to be around for as long as they offer some incremental value.
Reply