Not your average industry-head-nod kind of “hmm, interesting.” No, I mean actually think — the kind of uncomfortable, existential thinking that ruins your morning coffee and sends you down a multi-tab privacy spiral while muttering, “this can’t be legal… can it?”

Anthony, in that weary tone of a man who’s watched the same bad reboot of the adtech ecosystem for two decades straight, said something that stopped me cold: “Third-party cookies powered the interoperability of the web for 30 years.”

That’s not just a historical fact. That’s a eulogy.
And I couldn’t shake it.

Because buried in that sentence is the truth we’ve all been dodging:
The death of the cookie wasn’t the end of surveillance.

It was the upgrade.

Remember the parties? The obituaries? The “Dear Cookie, We Hardly Knew Ye” blog posts that flooded LinkedIn like marketers suddenly discovered morality?

We toasted the end of creepy banners and stalker ads. We made slide decks proclaiming the dawn of “privacy-first advertising.”
Somewhere, someone probably popped a bottle of Dom and declared this the beginning of ethical media.

But then... we kept tracking people.

Only now we call it “consented identity resolution” and “interoperable privacy ecosystems.”

Let me put it in less marketing-friendly terms:
We swapped out the cookie for something worse—something stickier, stealthier, and far more permanent.

The cookie was a symptom. The system is the disease.

Let’s talk brass tacks. Third-party cookies, for all their failings, had two redeeming features:

Now?

These aren’t trackers. These are tattoos.
And once they’re on you, they don’t wash off.

That’s the sleight of hand.

Adtech didn’t solve the privacy problem. It just learned to whisper.

Instead of loud, blunt-force retargeting powered by obvious tracking cookies, we now have:

The industry moved from pop-ups to proxies.
From being obnoxious… to being undetectable.

Remember cookie banners? Yes, they were annoying. Yes, everyone clicked “accept all.” But at least they existed.

Now, “consent” has been abstracted into the fine print.

It’s a checkbox hidden in a 3,000-word privacy policy that you definitely didn’t read but totally agreed to when you entered your email to get 10% off a phone case.

The language has shifted too. Nobody says “tracking” anymore. It’s “identity activation,” “audience stitching,” or my personal favorite: “deterministic cross-environment resolution.”

Sounds like a physics problem, not a privacy nightmare.

This isn’t about cookies. This is about control.

And here’s what the adtech industry really did:

All while telling the public, “Don’t worry. We fixed it.”

But ask yourself:
If the replacements are harder to detect, harder to delete, and more deeply tied to your real identity—did we actually gain privacy, or just lose the illusion of it?

This is the first in a five-part examination—of the modern “privacy-first” tracking ecosystem.

Part 2 – "Your Inbox Is Now a Surveillance Tool"
We’ll dive deep into the rise of email-based IDs, how hashed emails are sold as safe (but aren’t), and why you can’t scrub them from the web once they’ve been used to build an identity graph.

Part 3 – "Fingerprinting: The Tracker You Can’t See, Block, or Escape"
We’ll expose how invisible scripts are already profiling you in real time, and why clearing your cache does absolutely nothing to stop them.

Part 4 – "Data Clean Rooms: Privacy Theater with Better Lighting"
We’ll peek behind the sanitized marketing of clean rooms to uncover how “safe data collaboration” can still end with your identity leaking through the seams.

Part 5 – "Permanent Identity: When Privacy Becomes Performance"
We’ll tie it all together: the tech, the legal theater, the regulatory game of whack-a-mole, and why most of this is designed to maintain business as usual—only with less accountability.

We were promised a better system—one that respected users, championed privacy, and rebuilt trust.

What we got instead was an upgraded system of control. One where the identifiers are stronger, the tracking is subtler, and the opt-out button is basically symbolic.

In the end, the cookie didn’t die.
It evolved—into something much harder to find, and much harder to kill.

The digital advertising industry has never stood still for long, and with the slow sunset of third-party cookies, it’s once again in transition—this time toward a new class of identity infrastructure powered by hashed email addresses. In place of browser-based identifiers, companies are embracing email-centric frameworks like Unified ID 2.0 (UID 2.0) to maintain addressability in a landscape that’s growing more fragmented, regulated, and privacy-conscious.

Unlike third-party cookies, which could be deleted, blocked, or limited to a single session, email-based identifiers are inherently persistent. As a result, their adoption represents more than a technical upgrade—it marks a fundamental shift in how identity, consent, and user control are being redefined in digital advertising.

Launched by The Trade Desk and later spun off into an open-source initiative governed by Prebid.org, UID 2.0 is one of the most widely discussed replacements for third-party cookies. It allows publishers to collect users' email addresses—typically at login or sign-up—and then transform them into hashed and encrypted tokens that can be used for advertising purposes across web, mobile, and connected TV (CTV) environments.

While UID 2.0 and similar solutions emphasize user consent and transparency, their technical design enables a level of persistence that surpasses the limitations of legacy tracking methods.

At its core, the UID is a new kind of passport—portable, durable, and interoperable across the digital ecosystem.

The industry’s reliance on email as a universal identifier is not accidental. The email address sits at the center of most users’ digital lives. It’s used to log into streaming services, place e-commerce orders, register for social media, and sign up for loyalty programs. In this way, the email address offers two key benefits over cookies:

When hashed, an email address becomes a pseudo-anonymous identifier—at least in theory. In practice, however, the output is consistent and predictable: the same input will always generate the same hashed result, making it ideal for linking behaviors across the ecosystem.

Much of the industry's privacy narrative around UID 2.0 hinges on the idea that hashing and encryption transform sensitive identifiers into benign tokens. But hashing is not anonymization in any meaningful sense—it’s pseudonymization, and that distinction matters.

In other words, hashed email functions like a digital fingerprint—portable, stable, and highly linkable.

Here's a high-level look at how a single email address can be transformed and circulated through the adtech supply chain:

This lifecycle underscores how a single identifier—once collected—can be amplified across the ecosystem, forming the foundation of identity graphs that span digital and physical behaviors.

LiveRamp’s RampID leverages hashed emails to create durable people-based identities that tie together cookies, MAIDs, and offline PII. This allows brands to reach users across channels and measure engagement with precision. The company boasts one of the industry’s largest identity graphs, enabling audience enrichment, suppression, and analytics at scale.

Viant, operating under a people-based programmatic model, uses hashed emails to power its DSP and measurement platform. By connecting email-derived IDs with deterministic data—such as loyalty programs and login credentials—Viant aims to deliver household-level targeting across CTV and omnichannel campaigns.

Retailers are leveraging login-based data to link in-store and online behaviors, creating closed-loop systems. Hashed emails allow for omnichannel personalization—from digital coupons and personalized offers to post-purchase retargeting.

As more CTV platforms require authentication, hashed emails provide deterministic targeting across households. This reduces waste, enables better frequency management, and improves attribution by tying ad exposure to conversion events—both online and offline.

Despite promises of enhanced transparency, consent remains an opaque process in practice. The mechanisms through which users provide permission—usually privacy policies or Terms of Service—are rarely read and often structured to maximize opt-in by default.

This creates what some privacy advocates call "consent theater"—where legal compliance is maintained, but meaningful user control is minimal.

There is no question that email-based identifiers offer capabilities far beyond what third-party cookies ever provided. Their persistence, portability, and user-centric nature make them ideal for the current needs of a fragmented media ecosystem.

But those same features—particularly when deployed without robust user oversight—also introduce risk:

The shift to hashed email identifiers and systems like UID 2.0 is not inherently malicious—it reflects the industry's attempt to balance regulatory compliance, commercial needs, and technical feasibility. Yet it also reaffirms a familiar pattern: surveillance infrastructure evolving to preserve addressability, often with limited user awareness or power.

As privacy regulations evolve and consumer expectations rise, the future of email-based tracking will depend not just on technical safeguards, but on governance, transparency, and accountability.

What remains clear is this: while the cookie may be on its way out, the industry’s appetite for identity is only growing.

Let’s not play coy:
If you’re not in ADOTAT+, you’re working with half the intel and twice the BS.

You're getting the safe-for-LinkedIn version of the truth. The kind that gets scrubbed by PR teams and blessed by compliance officers. Meanwhile, in ADOTAT+, we’re handing out the real stuff—the kind whispered at the hotel bar after someone “accidentally” drops a slide deck marked CONFIDENTIAL.

Inside ADOTAT+:

This isn’t a newsletter. It’s a flashlight in a pitch-black room full of lawyers, grifters, and dashboards that lie.

Oh, and maybe you like laughing while your worldview collapses. We do that too.

Join ADOTAT+.
We go deeper. We name names.
And we do it with the kind of irreverence HR departments warn you about.