In an unexpected and dramatic move (but really, not all that surprising), Google has announced it will abandon its plans to deprecate third-party cookies in Chrome, the world’s most popular web browser. The decision, which comes after years of pivots and setbacks, sent shockwaves through the digital advertising ecosystem. Those in the industry who weren’t left reeling have been scrambling to reassess their strategies.

Unpacking the Shock

Google’s about-face comes after years of preparation for a cookieless future, during which advertisers, publishers, and technology companies have invested heavily in developing alternative solutions. The shock is not just about the abrupt change in Google’s stance, but also about the timing. Plenty of tech providers and brands have started to implement new tracking technologies and adjust their data privacy practices, only to find that the old methods will still be in play.

What Publishers and Brands Should Care About

1. Data Privacy and Compliance

• Concern: With third-party cookies still in use, the onus remains on publishers and brands to ensure compliance with stringent data privacy laws such as GDPR and CCPA.
• Action: Continue developing and implementing privacy-first strategies. Invest in technologies that enhance user consent management and data protection. Lean on first-party cookies where possible.

2. Consumer Trust

• Concern: Consumers are increasingly aware of and concerned about their online privacy — and how different companies acknowledge and respect it. Google’s back-and-forth decisions can create confusion and potentially erode trust.
• Action: Maintain transparency with consumers about data usage. Reinforce your commitment to privacy through clear communication and privacy policies that put the consumer first.

3. Ad Spend and ROI

• Concern: The uncertainty around cookie deprecation has made it challenging to allocate ad budgets effectively and measure ROI accurately. In addition, the transition from Universal Analytics to Google Analytics 4 has many still learning and adjusting to the new reality of analyzing performance in Chrome.
• Action: Use this extended period to test and refine new tracking solutions, specifically server-side methodologies like postback tracking. Diversify your ad strategies to include first-party data and contextual advertising.

4. Technological Adaptation

• Concern: The industry has been caught in a state of flux, investing in new technologies while still relying on the old.
• Action: Balance your investment in emerging privacy-preserving technologies with the optimization of existing cookie-based systems. Leverage server-side tracking and advanced analytics to prepare for future changes.

Moving Forward with TUNE

At TUNE, we understand the frustration and confusion this decision may cause. (Oh, do we ever.) Our previous analysis highlighted the importance of preparing for a cookieless future despite Google’s delays. As we stated in our August 2022 blog post, “Google Delays Third-Party Cookie Deprecation Again to Late 2024,” the landscape of digital advertising is constantly evolving, and flexibility is key.

Our commitment is to provide you with the industry’s most advanced, privacy-friendly tracking solutions. With this extended timeline, we encourage our customers and partners to continue adopting innovative methods for data tracking and analysis. As always, we strongly recommend using server-side postback tracking over pixel tracking, as postback tracking does not require cookies and works on mobile and desktop. You can learn about the pros and cons of postback tracking and other conversion tracking methods in our free e-book.

Where Will the Cookie Saga Take Us Next?

While Google’s decision to retain third-party cookies may provide a temporary reprieve, it underscores the importance of continued innovation and adaptation. Publishers and brands must remain vigilant and proactive in their privacy practices and tracking technologies. TUNE is here to support you through these changes and ensure your marketing efforts remain effective and compliant.

For more details on Google’s decision and its implications, read the full article on The Drum.

By staying ahead of these changes and continuously evolving our platform, TUNE aims to provide our customers and partners with the tools and insights they need to thrive in a rapidly changing digital landscape.

Questions? Get in touch with us at partnermarketing@tune.com.

In today’s digital age, the internet has made it easier for people to connect, share information, and conduct business. However, it has also opened new avenues for scammers and fraudsters to prey on unsuspecting victims.

At TUNE, we take security seriously, and we want to help you stay safe online. Unfortunately, some scammers use legitimate company names and logos to trick people into giving away their personal information. We have noticed one method, called an impersonation scam, popping up more and more over the last few months.

What Is an Impersonation Scam?

One of the most common types of online scams is impersonation scams. In this type of scam, fraudsters pose as legitimate individuals or companies to gain access to sensitive information or money.

One of the most persistent types of deception in this scenario is when a malicious actor acquires a domain that is similar in name to a legitimate website (e.g., g00gle.com). The bad actor then tries to get users to click into the false website without the user realizing they are not on the website they intended to visit. This way, a malicious actor can serve harmful content to the user, such as links to scams or pages that prompt them to enter passwords.

What’s more, the recent rise of artificial intelligence has made it easier to execute these scams. Some bad actors are taking advantage of the breakthrough of generative AI tools such as ChatGPT to create rather convincing fraudulent campaigns. These tools can be used to create more legitimate-looking emails as well as website content. Malicious generative AIs are making their own space in the market, which may prove to be increasingly dangerous, as they’re not limited by the ethical boundaries that are usually defined for their legitimate counterparts.

Main Types of Domain Spoofing in Impersonation Scams

Email Spoofing

With email spoofing scams, attackers send emails that appear to come from a familiar or legitimate sender, such as a friend, business, or government agency. The fraudulent emails may contain a malicious download or link, lure the recipient to a fraudulent website, or redirect the user to a website they did not wish to visit.

Website Spoofing

In this scenario, attackers register a domain that is similar to a legitimate domain. They can then use this domain to create a website that nearly replicates the legitimate site it’s based on and send spoofed emails to lure victims. Once on the spoofed site, users may be offered malicious downloads or asked to provide their personal information, such as login credentials or banking information.

Spoofed websites can also be used to commit advertising fraud. The scammer submits the false domain to an ad exchange in order to trick advertisers into bidding for space on the spoofed site instead of on the legitimate website.

Impersonation Scams: A Case Study

Like many companies that provide their services online, we have faced bad actors with fraudulent websites that attempt to impersonate TUNE.

One of these, tuneratings.com, is a website that claims to offer discounts for leaving ratings and reviews of different products; this process includes paying a certain amount to them. This website is not associated with TUNE and should not be trusted or visited for any reason.

Actors associated with this fraudulent site have recently reached out to customers of TUNE, attempting to have them sign up for unrelated services. Based on reports provided to us, it appears the malicious actors have primarily targeted regions in Southeast Asia. In these cases, the malicious actors tried luring people in by claiming to offer a “part-time job,” and usually used Telegram as their messaging platform of choice.

We’re posting a conversation we had with a potential victim below to spread awareness about this scam and to help others identify and avoid these bad actors:

How to Protect Yourself Against Scams

It’s essential to stay vigilant and take steps to protect yourself against potential bad actors. If you come across this or any other impersonation scam, or even a website or email you think may be a scam, there are a few things you can do. Here are some tips to help you spot and avoid these kinds of scams:

1. Be wary of unsolicited emails or messages. Scammers often use phishing emails or social media messages to trick you into clicking on a link or downloading a file. If you don’t recognize the sender, don’t open the message.
2. Check the website’s URL. If you receive an email or message from a company asking you to log in to your account, double-check the website’s URL to make sure it’s legitimate. Scammers often create fake websites with similar URLs to trick you into giving away your login information.
3. Look for the classic signs of a scam. Scammers often use urgent or threatening language to pressure you into acting quickly. They may also offer rewards or discounts that sound too good to be true.
4. Use two-factor authentication. Many online accounts now offer two-factor authentication, which requires you to enter a code sent to your phone or email, use an authentication app, or provide a backup code to log in. This extra layer of security can help prevent scammers from accessing your account.

Remember: If something seems too good to be true, it probably is. Be cautious when sharing personal information online, and always double-check the legitimacy of a website or message before taking any action.

What to Do If You Suspect a Scam

If you are the victim or target of a scam, or spot one in the wild, we encourage you to inform the company being misrepresented through their official channels. Provide all the relevant information you can, and do your best to spread awareness among your circle to look out for the scam and anyone associated with it.

If you suspect any misrepresentation of TUNE circulating around the internet, we ask that you immediately report it to our team by sending an email with all relevant evidence to support@tune.com. This will allow our security team to investigate as soon as possible and better protect you and all TUNE customers. Thank you!

While the Vision Pro headset stole all the headlines at Apple’s Worldwide Developers Conference 2023, TUNE was laser-focused on the raft of new privacy and security features — specifically updates to advanced fingerprinting and tracking protection. As Craig Federighi, Apple’s senior vice president of Software Engineering said, “We are focused on keeping our users in the driver’s seat when it comes to their data by continuing to provide industry-leading privacy features and the best data security in the world.”

TUNE is committed to adapting to the rapidly evolving privacy landscape and embracing privacy-friendly measurement. We’re eager to dig further into the developer preview resources and learn more about how Apple plans to implement the proposed changes. Right now, we are working on surfacing more information on how Apple categorizes tracking query parameters as user-identifiable and whether they have long-term plans for expanding their Link Tracking Protection (LTP) functionality beyond Private Browsing mode. We will also be keeping an eye out for whether other browsers follow suit.

In the meantime, see below for our summary of the most relevant news from WWDC23 and our advice on how to prepare for changes coming this fall.

Link Tracking Protection in Messages, Mail, and Safari Private Browsing

Apple is adding Link Tracking Protection (LTP) to Messages, Mail, and Safari Private Browsing. Here is the exact language from the announcement article:

“Some websites add extra information to their URLs in order to track users across other websites. Now this information will be removed from the links users share in Messages and Mail, and the links will still work as expected. This information will also be removed from links in Safari Private Browsing.”

Essentially, LTP removes tracking query parameters as part of browser navigation and when copying a link. The changes will apply automatically to links shared through Messages, Mail, and while the user has Private Browsing enabled in Safari.

These new tracking protection features from Apple are a significant step forward in protecting user privacy. They will make it more difficult for websites and apps to track users across the web, and will help give users more control over their privacy.

What You Can Do Right Now to Prepare for These Changes

There’s still a lot we don’t know about how these changes will be implemented. Based on the information available to us as of the time of writing, here are some ideas on how TUNE customers could adapt to the proposed changes:

Promo Codes

Promo codes are a method for attributing conversions to a partner without requiring a tracking link to be clicked by the end user. Using promo codes, TUNE customers can still track the success of their campaigns while respecting users who have tracking protection features enabled.

Tiny URLs

Tiny URLs offer a method to shorten URLs with attribution information stored within TUNE, removing the need for URL parameters conceal additional tracking parameters. We believe that this should help adapt to the automatic parameter removal. Caveat: We will be able to assert this with more confidence once we’ve had the opportunity to run tests with the developer preview.

Final Thoughts

These privacy updates are expected to roll out to users as part of iOS 17, iPadOS 17, and macOS Sonoma releases in Fall 2023. TUNE is actively monitoring the situation, and we are always striving to stay ahead of the curve to ensure the best possible experience for our customers.

Affiliate marketing is a low-risk, high-reward channel that has seen its popularity skyrocket in recent years. However, low risk isn’t the same as no risk. With more than 80% of advertisers and publishers including affiliate partnerships in their marketing strategy, fraud is an unfortunate and unavoidable fact of life. 

As affiliate marketing grew into what it is today, so did bad actors and their numerous technologies to “game the system.” Some of these practices fall into a gray category where they aren’t necessarily illegal, while others are a blatant breach of contract.

Below, we’ve outlined the practices that account for why this channel has historically gained a bad reputation in the marketing industry. Here are the top ways we see publishers break the rules, how they do it, and how you can identify affiliate fraud like it in your own program. 

What Affiliate Fraud Looks Like 

Pop-Unders 

The opposite of a pop-up, a pop-under is an ad that pops open behind (or “under”) a browser window. 

When It’s OK  

A number of publishers still utilize pop-unders as a part of their advertising efforts, and that in itself is relatively benign. However, this practice is considered old school and typically does not add value to the user experience. How often have you seen a pop-under and said, “Oh great, I can’t wait to click on this!” Instead, it’s more like, “Where the hell did this come from?”

Some advertisers may not want this experience to be included as part of their program, while others might not mind, so it’s best the parties involved discuss this practice upfront.   

When It’s Bad 

Pop-unders can be set up to assist in cookie stuffing without the user knowing. It’s bad practice if the pop-under is for something completely irrelevant to what the user is searching for, or if the user did not take an action (click) to cause the ad to fire. 

A common practice for very large retailers or campaigns is to force an affiliate click on a pop-under where there is no immediate relevance for the consumer in the hope that they will purchase (think Expedia) or sign up (H&R Block). A red flag for this type of tactic would be an extreme spike in clicks from a masked referring URL with low conversion rates. 

Cookie Stuffing/Cookie Dropping  

Also known as attribution theft, cookie stuffing is always fraudulent. 

When It’s OK 

Never. 

When It’s Bad 

Cookies are little data bites that capture the parameters we all use in our tracking links. These data bites include important values like your affiliates’ information (name, ID number, etc.), and they track the touchpoints in a consumer journey.

Cookie stuffing happens when a third party, such as a publisher or CPA network, drops multiple cookies on a user’s browser before they take an action so the third party can get continuous credit for a sale. You may be able to tell if one of the partners in your program is doing this if their actions spike but they have very few clicks, behavior that TUNE’s Time-to-Action Report can help you identify. 

TM+ Bidding 

TM+ stands for “trademark plus,” or when a third party bids on your branded name(s) plus additional keywords. 

When It’s OK  

Trademark plus campaigns, when run through the affiliate channel with trusted partners, can help bolster performance and support advertisers by pushing competitors lower in search results. They also offer a means to get supplemental media in exchange for TM+ rights, which can be a win/win depending on the goals of a particular partnership.  

When It’s Bad 

Trademark bidding is part of paid search marketing, which means most brands will have a team that focuses on this and pays search engines to place their ads at the top of relevant pages. When unauthorized parties bid on trademarked terms, it not only drives up costs for your paid search team, but it can also result in completely inaccurate information, stolen sales, and poor user experiences.  

URL Redirection 

This happens when you navigate to a specific URL and instead of ending up there, you are rerouted to a different destination URL. 

When It’s OK 

There are a few reputable auto-redirecting publishers who scrape the web for misspelled domain entries and redirect them to advertisers’ sites. Some notable companies that do this are Resilion, NameSpace, and ProtectedBrand. 

When It’s Bad 

URL redirection is bad if it is set up with the intent to disguise itself and take users away from their intended destination. This can be done in tandem with website cloning, and it is another form of theft in affiliate marketing. Auto-redirecting works by using a protocol that remains hidden and enables click fraud.  

Bots/Web Crawling 

A search engine algorithm that organizes information. 

When It’s OK 

Fun fact: About 42% of internet traffic consists of bots scanning content, interacting with webpages, chatting with users, or looking for suspicious behavior. Some bots are useful, such as search engine bots that index content for search results or customer service bots that help users. A web crawler bot is like someone who goes through all the books in a disorganized library and puts together a card catalog, so that anyone who visits the library can quickly and easily find the information they need. 

When It’s Bad 

Like any technology, bots can be built with bad intent. Because it’s automated technology, bots can assist with most of the malevolent practices mentioned in this post. They can be programmed to break into user accounts, scan the web for contact information for sending spam, set up to perform click fraud, or stuff cookies.

If you have access to a tool like TUNE’s Time-to-Action Report and see an unprecedented number of clicks come through in a short period of time, that could indicate a bot is performing click fraud on a partner’s site.  

Website Cloning 

This practice is exactly what it sounds like: duplicating information and visuals from one site to create a copy of it somewhere else. 

When It’s OK 

Never. 

When It’s Bad 

I’ve seen this happen to brands when a third party purchases similar domain names and replicates the website imagery and content to dupe visitors and get the affiliate payout on those sales. The plagiarized sites abuse the way Google ranks content by sending fake organic traffic to themselves. This is why it’s so important to actually look at potential partner websites and do the research before accepting just anyone into your affiliate program. 

Toolbar Auto-Redirection 

When a toolbar, plugin, or other browser extension takes an action without the user’s knowledge and/or consent.

When It’s OK 

Never. 

When It’s Bad 

Some browser toolbars, plugins, and extensions automatically drop an affiliate click when a user (who has it installed) visits an advertiser’s website in order to generate an action that will give the user cash back. Many times, the consumer doesn’t know they have the toolbar installed and never get the cash back. See the post we wrote about Chrome extensions caught cookie stuffing for an example of this practice in action. 

We recommend requiring that any toolbar or browser plugin adheres to an “affirmative click” policy, where the user has to opt in to receive cash back (and subsequently allow the affiliate to receive commission). The major toolbars that do this are Shop At Home, BeFrugal, and WeCare. 

Tools to Detect Affiliate Fraud 

As affiliate fraud has expanded, so have tools to help brands and program managers fight back. Some platforms offer fraud protection built in, but most charge an additional fee for their solution or a third-party integration. TUNE provides both, allowing you the freedom to use our built-in proactive fraud prevention suite that’s powered by Fraudlogix, or integrate your preferred third-party solution. 

“TUNE’s customers depend on the platform to help them fight fraud and the data we are providing enables them to block fraudulent actions before they affect campaigns,” Fraudlogix CEO Hagai Shechter said in our post announcing the feature. “This saves TUNE’s customers time and has real implications on ROI.” 

Another TUNE technology partner, TrafficGuard, sees that on average across affiliate programs, between 10-15% of commission payouts go to fraudulent affiliate partners. Here’s how they explain it: 

“When we look at ad fraud in the affiliate channel what we are really looking at is misattribution. Tactics like cookie stuffing are designed to misattribute a conversion away from its real origin to a fraudulent affiliate. That means you are then either paying that affiliate for something that you should have got for free, or are paying the wrong affiliate. When it comes to scaling your affiliate program, this can cause you to actually scale into the bad actor, as it appears they are driving the most growth.” 
—Kalen Bushe, TrafficGuard

Keeping Affiliate Fraud Out of Your Program 

These days, affiliate fraud is just a reality brands must face. With the right platform and tools, however, it becomes a manageable part of any program.  

Visit our blog post on TUNE’s Proactive Fraud Prevention to learn more. 

Download our 10 Mistakes to Avoid When Starting an Affiliate Program e-book to get tips from industry experts on what they got wrong — like ignoring the warning signs of affiliate fraud — and how you can get it right in your program.   

Affiliate marketers live and die by their data. Conversion details, credit card numbers, contact information — it all flows through the performance ecosystem, every second of every day.  

At TUNE, we respect the responsibility that comes with this data. We also recognize how important it is to our customers to ensure it is accurate, secure, and confidential.  

We are therefore pleased to announce TUNE has completed another successful audit of our system and organization controls, assuring the availability, processing integrity, security, confidentiality, and privacy of customer data. This latest audit marks the fifth consecutive year TUNE has earned SOC 2 Type II certification, and the third consecutive year TUNE has earned SOC 1 Type II certification. 

SOC 2 Type II Certification Defined 

SOC stands for System and Organization Controls, a suite of services provided as part of the American Institute of CPAs’ (AICPA) reporting platform. 

In layman’s terms, SOC 2 audits examine and evaluate the operational controls of a business. They require a company to document and comply with comprehensive information security policies and procedures, among other responsibilities. The resulting report gives interested parties the information and insight needed to make a decision about working with that business.  

From the AICPA website: 

“SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” 

—AICPA

SOC 1 Type II Certification Defined 

SOC 1 audits focus on user entities, testing their relevant internal controls over financial reporting system design and operating effectiveness. We see the feedback loop from periodic third-party reviews such as these, especially when they address both the TUNE platform and TUNE Pay, our payments system, as the best way to enhance our current product and operations. 

To earn a Type II report, a company must undergo testing over an extended period of time. (Type I reports test only a single moment in time.) TUNE’s usual audit period for SOC 2 and SOC 1 covers 12 months, demonstrating our ongoing effort to uphold the Trust Services Principles. 

Starting with our first audit, we have always voluntarily pursued the more demanding and comprehensive Type II report, rather than the Type I report. Type II reports for both audits signal that our customers can expect high standards across TUNE’s operational, data security, and privacy practices, as well as stringent change management controls throughout our software development life cycle.

Our Commitment to Quality 

Using an independent third-party to audit these controls is an investment companies do not take lightly. A SOC audit is, by its nature, an invasive, arduous process designed to compel a company on a variety of levels, requiring active employee engagement and diligence across a broad swath of the organization. It’s a process we are proud to undertake. 

As with our prior SOC audits, TUNE’s auditors determined that our controls were effectively designed and followed throughout the audit period. We intend to sustain our investments in customer-centric compliance in the years to come.

Relevant portions of both reports are available upon request to security@tune.com for TUNE customers as well as prospects under a current non-disclosure agreement. 

Editor’s note: This post is a collaboration between Matt Miltenberger and Connor Sliva. 

2023 is here, and it’s starting off with a bang. The back half of last year was a rollercoaster for the global economy, resulting in plenty of ups and downs for the digital advertising ecosystem. Through it all, affiliate marketing has continued to expand its influence, both with brands that are enjoying the ride and those that are holding on for dear life.  

As we look to the weeks and months ahead, we see a few major trends on the horizon. Keep a watchful eye on the following, and you’ll be prepared for any twists and turns that may lie ahead. 

First-Party Data Takes Center Stage  

Today, the entire digital marketing industry is making a strong push towards protecting the data privacy of individuals, which results in less data ownership for brands and more control for the major digital players. We are seeing a similar trend in partner marketing and affiliate programs, as this not only affects what data brands have ownership of and access to for optimization purposes, but also who your program data is being shared with.  

Traditionally, affiliate networks are the owners of the data collected; the brands get access to a subset of their channel data, which allows affiliate networks to use the data for their benefit. This could be something as innocent as an e-book on verticalized trends, created by aggregating and anonymizing their client data. Or, this could be potentially damaging if the network is using the data to recommend program tactics and successful partners to competing brands.  

Brands like Amazon saw this trend coming from a mile away and separated themselves from the traditional affiliate networks in favor of running their own direct partner and affiliate program. TUNE’s data pledge is that our brands take full ownership of every data point we collect on their behalf, and that we will never use our client data for our benefit. This allows brands to break free from the corporate data overlords and run their own direct, privacy compliant partner and affiliate programs, without needing to build a completely custom partner management, tracking, reporting, and payment platform from scratch.  

Postback Is King and Why Privacy Matters  

Last year brought big changes to how partner and affiliate programs tracked consumers. In the past, most affiliate networks relied on cookies to track, and the major browsers have all started the process to limit their effectiveness. These changes resulted in major issues for brands who were using this outdated tracking approach, putting them on their heels to modernize their approach.  

Most networks moved to a cookieless client-side tracking approach, which removed the limitation of cookies, but doesn’t completely mitigate the future risk of future browser policy changes. Looking at 2023, the general sentiment is that consumer privacy is the goal, and more changes are bound to be coming.  

While TUNE offers similar cookieless client-side tracking options, we have been a true believer in server-side tracking since our inception and even coined the common term “postback” in the early days of the industry. This tracking method gives brands a lightweight, flexible approach to measurement, which works with both in-session conversions and delayed conversion events, like down-funnel goals, recurring subscriptions, and lifetime value for a true view of ROAS. It also works with mobile affiliate marketing, which is an area that many brands have yet to leverage.

Brands Shifting to Private, More Strategic Programs  

Many of the tracking solutions available for brands to manage their partner marketing program have been built off the backs of their predecessors. Some innovation has taken place over the last few years, but there are still several hurdles and workflow limitations that brands are up against.   

One common theme we’ve heard is how groups want to have a more competitive approach with the partners they work with — including not broadcasting those partners to other brands who might be running affiliate campaigns. Traditional platforms offer a marketplace of partners that any of their advertisers can access, but this creates a challenge for brands who source and manage unique partners they want to keep private.  

Brands also need better daily efficiency. Getting better real-time data and the ability to activate a new partner in about thirty seconds are huge time savers. Program hygiene and keeping traffic quality high have also been more commonly discussed, and leveraging tools like our automation rules is an easy way to combat that issue. Brands have started shifting their attention to technologies like TUNE, that offer more control and freedom.   

This year we’ll see brands spend time evaluating this approach more closely. The immediate change can seem overwhelming, but this is a critical strategic move in the long run. A solution that can scale with your business indefinitely, where future growth truly has no limitation.   

A Future-Proof Channel in a (Potential) Recession 

The affiliate channel is arguably one of the most resilient channels brands can leverage. Historically, this has been due to the pay for performance nature of the channel and discounting efforts by brands. However, in recent years the maturation of this channel has pushed publishers to innovate their media offerings to advertisers and bring new opportunities to the table. Yes, this is still a massively strong direct response channel, but more importantly, it’s the diversity in the channel that allows businesses to thrive when the macroeconomic impact is questionable.   

Offering consumers a targeted incentive, or simply aligning brand and personal values at the right time, can hold buying interest and keep brands top of mind when shoppers are more selective. Discounting certainly plays a role when flexible income has evaporated for a lot of folks. Leverage the range of your partners this year. Work with your content partners to build a commerce strategy and position your goods or service with a compelling story. Partner with your discount-focused publishers to drive higher-intent consumers. Test into short-form video or dip into podcasting.   

This year, we’ll see brands invest more budget and resourcing into the partner ecosystem. Overall media costs will likely increase, but we’ll continue to see publishers bring more creativity to their offerings. Content commerce will continue to eat away at traditional buying paths for consumers, and maintaining a competitive edge will be critical. Affiliate is a massively efficient channel when programs are managed the right way.   

In Conclusion 

It’s been an interesting six months across the broader technology space, and while it’s hard to predict where this year will take us, there is no doubt that partner marketing channels will see sizable growth. Whatever happens, it’s sure to be an exciting ride. 

What trends do you predict for the affiliate marketing industry in 2023? Let us know in the comments below! 

There is a Hacker News article that came out a couple months ago that recently resurfaced and started making the rounds in TUNE’s Slack channels. The article states that McAfee researchers found four imposter extensions for Google’s Chrome browser had generated 1.4 million installs. The malicious extensions were rather unrelated in nature, being two Netflix group watching extensions, a coupon extension, and a website screenshot extension. But they all had one thing in common: They were tracking the website activity of users and injecting malicious code, a fraudulent practice known as cookie stuffing, in order to profit from retail affiliate programs. 

But the story didn’t have to end that way for those retail brands. If they had been using TUNE, this might not be a story at all. Here’s why. 

How Cookie Stuffing Works 

Cookie stuffing is a type of ad fraud that’s all too common today. Cookie stuffing occurs when fraudsters — in this case, malicious extensions masquerading as legitimate ones — generate clicks for affiliate programs without having an actual human being click on anything. The user, who has downloaded the fake extension thinking they have the real deal, has zero knowledge of being used in this ploy.  

When the user visits a website, a tracking session is started; if they eventually purchase a product, the extension claims credit for the conversion and gets a commission for the purchase, even though it had nothing to do with the consumer finding and buying that product. The retail brand running the affiliate program is unaware they are paying out for fraudulent activity, since the extension is disguising itself as a legitimate publisher in the program. Usually, this type of fraud targets the affiliate programs of large, popular brands, as there is a better chance for a higher volume of people to convert. 

How to Flip the Script 

One way to combat this style of cookie stuffing is to have strict partner management and vetting practices. These practices should require affiliates to be transparent about their placements and how they drive traffic. They should also include constant audits to ensure quality, even when the quality looks good on paper.  

All of these controls, plus many more, are available in the TUNE Partner Marketing Platform.  

Fight Fraud with Time-to-Action Tools

In addition, TUNE also offers Time-to-Action rules and reports that can help notify brands of suspicious conversion patterns in their traffic. In this scenario, where fraudsters are waiting until a user gets to your website before firing fake clicks, you can set various thresholds to alert you if traffic volume is performing out of scope when it comes to the amount of time it takes from a click to a purchase.  

Here’s a step-by-step example of how you could use TUNE’s time-to-action tools to identify and prevent this type of fraud. 

1. Look at the Time-to-Action Report in TUNE to determine your average time-to-action, or how long it takes a user to convert (e.g., purchase a product) after an affiliate link has been clicked. You may want to exclude certain partners from this analysis depending on the composition of your program.
   1. If you have a small number of trusted cashback or coupon partners, it’s a good idea to exclude them here, as they could skew the average time it takes to convert. 
   2. It’s helpful to compare your affiliate traffic versus other forms of paid media to get a clearer picture of your users’ traffic patterns. Users coming from fraudsters like malicious extensions will not interact with your site in a manner consistent with affiliate traffic, as the “click” that sent them to you does not originate from a valid affiliate partner. 
2. Once you have your average time-to-action, expand the time range until it includes 50% of your conversions (sales, registrations, etc.).
   1. Example: If your average time-to-action is 25 minutes, start widening the time range until it covers half of all conversions. Let’s say that is 15 minutes to 1 hour and 30 minutes. 
3. Set your Time-to-Action threshold in TUNE to notify your partner manager if any affiliate has more than 50% of their traffic that converts outside of the 15 minute to 1 hour and 30 minute threshold. You can now spend some time digging into the traffic patterns and working with your partner to determine the true quality of this traffic. 
4. Set your Time-to-Action threshold in TUNE to block partner traffic when more than 75% of their traffic converts outside of the same 15 minute to 1 hour and 30 minute threshold.
   1. Traffic will be blocked and both your partner and partner manager will be notified. 
   2. You can also block, or be notified of, traffic down to the sub-source level, so you don’t have to block traffic at the overall partner level.  

Now you have some thresholds in place to combat fraudsters using this method of cookie stuffing.  

Visualize Data to Identify Suspicious Activity

Another way to leverage TUNE’s time-to-action functionality for similar fraudulent activities is to translate visual data. A close cousin of cookie stuffing is the practice of starting a tracking session at any point in time, as opposed to starting it when a user goes to the intended website. This can be done in the form of pop-unders (where the user may eventually realize they have been redirected to the brand’s site, but most likely won’t notice for a while), or via server-side clicks, or clicks that do not technically send the user anywhere, but still start a tracking session. You can use TUNE’s visual reporting to see evidence of these practices. 

Below is a view of a normal Time-to-Action curve. It looks much like a bell curve and shows that the natural intent of this traffic is to convert between X-X minutes.

This means that users who are interacting with these partner links are most likely finding value in the content presented and then having some reasonable probability of converting. 

Here we have another example of a Time-To-Action curve, but one that has no obvious intent curve. The flatter the curve, the more concerning the traffic may be.

It’s obvious that one of a few scenarios is happening: either users are confused with what is being promoted via the links, they are being marketed something that is not appearing as genuine on the brand’s site (for example, offering a 50% discount when none is available), or there is something malicious going on (like the pop-unders or server-side clicks we previously mentioned).   

Protect Your Program with TUNE 

Situations like this one don’t have to spell doom for a program. With the TUNE Partner Marketing Platform, you can safeguard your investments against bad actors using the tools we covered above. But these aren’t the only features and functionality we offer to help combat fraudulent activity. If you’d like to hear about the rest of them, drop us a line at sales@tune.com or request a demo today. 

Once again, Google has pushed back its deadline to deprecate third-party cookies in Chrome, this time until 2024.  

Google originally announced they would phase out cross-site tracking cookies in early 2022. Last year, that plan was delayed to 2023 with the introduction of Topics, which replaced FLoC as their alternative solution. On July 27, 2022, the search giant postponed again, announcing the death of the third-party cookie in Chrome has been rescheduled for the second half of 2024. (Mark your calendar.) 

Chrome’s Third-Party Cookies Will Stay … for Now 

In a blog post, Google’s VP of the Privacy Sandbox Anthony Chavez wrote that the delay was spurred on by “input from developers, publishers, marketers, and regulators” across the industry: 

“The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome. This feedback aligns with our commitment to the CMA [the UK’s Competition and Markets Authority] to ensure that the Privacy Sandbox provides effective, privacy-preserving technologies and the industry has sufficient time to adopt these new solutions. … For these reasons, we are expanding the testing windows for the Privacy Sandbox APIs before we disable third-party cookies in Chrome.” 

– Anthony Chavez, VP of the Privacy Sandbox at Google

Google’s Updated Timeline 

It’s clear both Google and the ecosystem at large were feeling the pressure of the looming deadline. Now, both developers and the public will have more time to test the new privacy features Google has been building as part of its Privacy Sandbox initiative.  

Here’s a summary of Google’s updated timeline and what it entails:  

1. August 2022 – Privacy Sandbox trials expand to millions of Chrome users globally (they are already available to developers for testing) 

2. Q3 2022 through Q2 2023 – Trial populations are gradually increased  

3. Q3 2023 – Privacy Sandbox APIs are launched and generally available in Chrome 

4. Second half of 2024 – Third-party cookies will begin to be phased out in Chrome 

What’s Next for Partner Marketing? 

As an advertiser, the most important thing to remember is this: the death of the third-party cookie has not been cancelled — only delayed. If you are not prepared for the cookieless future, then you just caught a lucky break. But the end is still coming, and you will need a privacy-centric solution if you want to measure your marketing efforts in the years ahead. 

That’s where we come in.

The TUNE Partner Marketing Platform provides native server-side tracking solutions that allow marketers to get granular without invading anyone’s privacy. You can learn the basics about server-side tracking in our pixels vs postbacks article. For an in-depth look at this and other cookieless methods, download our guide to tracking marketing campaigns. Or simply click here to chat with us, and we’ll be happy to walk you through it. 

The death of the third-party cookie is inevitable. Now there’s just a little more time to prepare for it. 

Google didn’t even wait a month into 2022 to stir up the online advertising industry again, this time with more news about Chrome’s slow depreciation of third-party tracking cookies. The main takeaway? Google is abandoning its previous cookie replacement solution, Federated Learning of Cohorts (FLoC), in favor of a new solution called Topics. Their new timeline for phasing out support for third-party cookies is late 2023, but, like all things cookie-related, this is also subject to change.

If you’re feeling a bit of whiplash thanks to all of this back-and-forth, you’re not alone. In this post, we’ll review what performance marketers need to know right now to prepare for the future of tracking on Chrome.

Goodbye, FLoC

Back in March 2021, Google announced it would be testing a new, privacy-preserving way to aggregate, anonymize, and process individual data for advertising purposes. Known as FLoC, this framework was designed to “hide individuals within large crowds of people with common interests.” FLoC, along with the rest of Google’s Privacy Sandbox initiatives, would allow the tech giant to meet its goal of phasing out third-party cookies by the end of 2022. 

Turns out, FLoC wasn’t all that great at protecting users’ privacy. While the framework did group users into cohorts for targeting purposes, it still collected (and shared) granular, sensitive demographic information about those users. Theoretically, that meant it would be possible to use fingerprinting techniques to identify individuals within a given cohort. Privacy advocates had other concerns about FLoC as well, but this potential for fingerprinting seems to have been a deal breaker.

Hello, Google Topics

Enter Google’s Topics API. Unlike FLoC, Topics keeps users separate for targeting purposes. Based on their browsing behavior, each user is assigned specific “topics” related to their interests. There are currently 300 topics on Google’s list, and they cover a range of generic categories — cars, literature, rock music, team sports, and so on. According to The Drum, here’s how they work for advertising: 

“When a user reaches a site that supports Topics for ad purposes, the browser will pull three topics that the user is interested in from the past three weeks – chosen at random from the user’s top five topics each week – and allow the website to share these topics with advertisers. This information will be used to help advertisers determine which ads to display, without allowing access to granular user data or identifiers.”

The idea is that, by sharing these broad categories — and only these categories — with websites and advertisers, Google will be able to better protect individuals’ privacy while still providing marketers with the information needed to serve relevant ads. 

Consequences for Partner Marketing

Like we said in our previous post about FLoC, these changes don’t spell disaster for partner marketing. Not by a long shot. 

The partner marketing industry is built on first-party relationships. In a way, Google’s Topics is simply recreating what publishers, affiliates, and other marketing partners have been doing for years: engaging audiences with content they want. It’s clear this approach is working, as more brands turn to the guaranteed ROI of partner marketing over the same old retargeting tactics.  

And while tracking will still need to exist without the third-party cookie, there are already privacy-friendly methods available for advertisers and publishers to use. The one we have always recommended at TUNE is postback tracking, a server-side method that is completely independent from web browsers. No cookies? No problem.

For more information on the future of tracking and the current methods available to advertisers, download our guide to tracking marketing campaigns.

Questions about postback tracking, partner marketing, or how the TUNE platform could benefit your business? Email us at partnermarketing@tune.com. 

Apple’s privacy updates shipping with iOS 15 could mean the end of “opens” as a viable email marketing engagement metric. But as anyone who has been paying attention to the email marketing space knows, opens may already be one of the most unreliable engagement metrics. This update from Apple will force many email marketers to rethink the way they measure success — and that’s a good thing.

Changes to Mail in iOS 15

iOS 15 will include what Apple is calling Mail Privacy Protection, which will nullify email tracking pixels. This means email service providers (ESPs) will no longer be able to accurately track email opens. They also won’t be able to track geographic information, which is typically based on the IP address of the user that opened the email.

Worst case? Every email sent to an Apple Mail inbox could be reported as opened.

What This Means for Open Rates

Open rate is the number one email metric used by email marketers to define success. Open rates often drive powerful drip campaigns and are the backbone of list hygiene. Geographic information from IP addresses drives dynamic content widgets in more advanced campaigns. On the surface, with Apple Mail making up almost 50% of email client market share, this sounds like a huge loss.

Open Rates Were Already Suspect

However, open rates have been unreliable for a long time. Gmail has been caching email tracking pixels since at least 2013 as a way to speed up the email viewing experience for the end user. Gmail’s caching practice can take the form of tracking pixels being downloaded at point of delivery, even if the recipient never opens the email. Similar issues exist with geographical tracking based on IP address. If your ESP offers a map of recipients that have opened your email, all recipients using Gmail have been known to be grouped in Mountain View, California.

As of this writing, Gmail makes up almost 30% of email client market share. That means up to 30% of your audience’s open data could be inaccurate today.

There’s Still a Lot to Learn

Until iOS 15 rolls out, we won’t truly know the impact these changes will have on the way we measure engagement with email. It appears users will have the option to opt-in to Apple’s Mail Privacy Protection until users begin updating to iOS 15, we just don’t know how many people will adopt these changes. Keep in mind that changes come quickly, and it’s possible Apple will choose to automatically opt-in users to this service in the future.

Embrace Change: Double Down on More Tangible Metrics

To get ahead of the changes coming with the iOS 15 release, marketers can begin to shift the way they define a successful campaign. Focusing more on click rate will paint a better picture of your most engaged audience members. Personalizing content to individual recipients will drive email engagement higher. Even better, coupling your email campaigns with a platform like TUNE can give you engagement metrics beyond email, all the way to the point of conversion.

Privacy protection is a good thing for all of us. As marketers, it’s up to us to stay ahead of market trends and be the smartest marketers we can be. Start crafting a plan to modify your marketing strategy now to ensure your audience will receive the most relevant information from your brand.

When Apple announced iOS 15 at WWDC in June, they stirred up quite the fervor with the latest privacy updates (a predictable pattern for the last couple of years). “No more IP address in Safari” seemed to be the big takeaway. Now that we’re getting closer to the September release of iOS 15, some of the details are becoming clearer. Using the iOS 15 public beta, I was able to test out some of these new capabilities. Here’s what I found. 

Safari Will Hide IP Addresses for “Trackers” Whether You Have iCloud+ or Not in iOS 15

In the settings for Safari, there are three options to hide your IP address: 

• Trackers and Websites 
• Trackers Only 
• Off 

The default setting is “Trackers Only,” and this does not require a subscription to iCloud+ to use. If you choose “Trackers and Websites,” you’ll be prompted to subscribe to iCloud+ and enable Private Relay. Although it does not specify here what a tracker is, I can only assume it will use the same on-device machine learning algorithm employed by Intelligent Tracking Protection (ITP) since 2017. 

There Are Two Settings for IP Address Location with Private Relay 

When iCloud+ Private Relay is active, there are two settings for IP Address location:  

• Maintain General Location 
• Use Country and Time Zone 

I believe the first option is meant to be more granular, and the second option is much broader. Unfortunately, these options were not fully operational in the beta test I ran. Even when I chose “Maintain General Location” (the default), Private Relay gave me an IP address in El Cajon, CA, which is quite far from my actual location in Seattle, WA. I fully expect this to change when iOS 15 is released. 

TUNE Postback Tracking Will Still Function Over Private Relay 

While I didn’t expect Private Relay to have any effect on our postback tracking, I tested it to make sure. I clicked a TUNE tracking link with Private Relay enabled, then triggered a conversion by visiting a confirmation page. The transaction ID was passed as normal, and the conversion fired.

Since server-side tracking doesn’t rely on a cookie or the user’s IP address, Private Relay should not cause any issues to your offers using postbacks.  

Messaging Around AppTrackingTransparency Continues to Be Frustrating 

Various wording in the tracking settings has changed with iOS 15, and it highlights the stark difference between Apple’s description of their own tracking practices versus the AppTrackingTransparency (ATT) prompt for all other developers. 

As you can see above, in Apple’s own prompt, they clearly frame personalized ads as a good thing. What’s more, they highlight the fact that opting out of personalized ads does not reduce the number of ads you receive. I think this is one of the biggest misconceptions about ATT: the average consumer likely believes that opting out of tracking will reduce the number of ads. 

In the ATT prompt on the right, the difference is night and day. They put it on developers to mention anything about personalized ads (as DoorDash has done in this example) and use aggressive anti-tracking language that makes it sound very bad. 

The Only Constant Is Change 

In such a fast-moving industry, the only thing we can count on is that it will keep changing. Many businesses are caught in the crossfire between tech giants like Apple and their endless jockeying for position, so we’ll do our best to keep reporting on the changes and their impact on partner marketing. 

Questions or comments about iOS 15? Let us know in the comment section below or reach out to us at partnermarketing@tune.com.  

Yesterday at WWDC21, Apple’s annual developer-focused (or rather software-focused) conference, they announced new versions of their operating systems as well as some interesting privacy updates. While I’m excited about some of the features in iOS 15, such as Live Text for capturing whiteboard notes from the camera, the privacy measures have me a bit more concerned.

No More Tracking Pixels in Email

Craig Federighi, Apple’s Senior Vice President of Software Engineering, started the Privacy section of the keynote by talking about the Mail app. Email tracking pixels will soon be blocked by Mail. This means email view/email open notifications for platforms like HubSpot or Marketo will be disabled, which seems like a reasonable measure. Furthermore, Mail will hide your IP address. I don’t use the Mail app, but I would be fine with these updates if I did.

No More IP Addresses in Safari?

However, Craig then mentioned that Safari would be obscuring IP addresses as well. My first question was how, exactly, is Apple planning to do that?

After doing a bit of digging, it’s still unclear to me whether Safari is going to obscure IP addresses for all traffic, or whether that requires the use of Private Relay (more on that below). 

This is where I’m a bit concerned. If IP address is truly obfuscated for all Safari traffic, it would make it much more difficult to do fingerprinting or probabilistic matching for mobile attribution. Apple has been quiet on fingerprinting since the release of iOS 14.5, perhaps because they knew this update was coming. IP obfuscation scope and functionality will be a key question to answer in the coming weeks.

Private Relay: The Apple VPN

Finally, they announced Private Relay, part of the new iCloud Plus service. While it sounds like a VPN at first glance, it’s actually doing quite a bit more work.

According to the iCloud Private Relay deep dive video, the service adds multiple secure proxies to help route user traffic and keep it private. The proxies are run by separate entities — one is Apple, and one is a content provider.

When someone uses Private Relay to access the internet, only the client IP address is visible to both the network provider and to the first proxy. The second proxy only sees the name the user is requesting and uses that to build the connection to the server. They claim that no one in the chain, not even Apple, can see both the client IP address and what the user is accessing. 

In Summary 

As usual, there are more questions than answers regarding these new privacy features. The reaction online has been largely positive from the tech press, and skeptical from industry press. The only constant is change, and we’ll keep our eyes open for new details as they arrive.