Every advertising network, if you are able to use custom UTM parameters on the link click, you can back-append that social network/ad network’s targeting data into your own user database without the consent or knowledge of users — and it’s extremely common for enterprise orgs.

On Twitter, the standards are…loose.. (ditto for Facebook) so I like to urge folks to click on ads occasionally and/or grab the full URL, and take a look at the UTM parameters + values that are in the URL.

For bigger brands or aggressive buyers, you’ll see targeting codes or direct references to which the native ad network targeting criteria was used to bring you to the website. If you then signup on that website or click additional links, oftentimes your Twitter interests will be appended into a custom field associated with your new user profile on whatever business you’ve just signed up on through 1st party cookie to querystring joins and other “transparently non-compliant data sharing tactics.”

Here’s a URL I just got for Dove Body Wash here on Twitter ads, i’ll breakdown the UTM fields – and how targeting on Twitter flows all the way to Walmart.

https://attach.mikmak.tv/8f447b74/da913ded-e68f-404f-a9e5-8e4df9c61213?channelType=social&trafficType=paid&attachCampaignName=dove-defense-2021&handle=dove&platformType=twitter&adPlacementType=in-feed&adUnitType=static-and-video&paidAudienceType=hygiene-conscious&adUnitCreative=defense-hygiene-conscious&campaignObjectiveType=consideration&utm_source=Twitter.com&utm_medium=1076441909&utm_campaign=UNE_DEF_002_Defense%2520SknCln%2520%28Dove%29_Dove%2520Defense%25202021_CN003865

Ad Targeting Parameters Appended via URL Querystrings & Session-Stitching Breakdown

Landing page via @
https://attach.mikmak.tv/8f447b74/da913ded-e68f-404f-a9e5-8e4df9c61213

Appending params @

paidAudienceType=hygiene-conscious
adUnitCreative=defense-hygiene-conscious
platformType=twitter

Optimization params @

channelType=social
trafficType=paid
attachCampaignName=dove-defense-2021
handle=dove
adPlacementType=in-feed
adUnitType=static-and-video
utm_source=Twitter.com
utm_medium=1076441909
utm_campaign=UNE_DEF_002_Defense%2520SknCln%2520%28Dove%29_Dove%2520Defense%25202021_CN003865
campaignObjectiveType=consideration

On the mikmak.tv landing page, a 1st party cookie value is created that will start with “amplitude_id” – a base64 string (image above of the cookie value in my test session) encodes both the “sessionID” and several other fields — if you click on any of the marketing links to purchase the Dove Body wash, like the Walmart link, the landing page URL will be customized so that your session ID cookie value from the ads landing page domain is then passed into Walmart’s domain, and enough fields of data are passed to Walmart so that there is a financial incentive for Walmart and other companies receiving this data to then purchase “more data” from the landing page companies who purchased the original Twitter ads.

Not all companies do this full cycle of data appending (with a direct sale on the backend) – and I’m not alleging that in this exact instance, this is exactly what is happening – but even without money being exchanged directly for user data, the session-stitching + Twitter targeting criteria being appended/shared via these join keys, crosses a “value transfer” that could equate this type of “ad targeting appending” into being categorized as a data sale. It’s unclear when regulators will catch up with data appending practitioners, but this is a too-common strategy.

If you click the Walmart link on the original landing page, you’ll be sent to a URL like:

https://www.walmart.com/ip/Dove-Care-Protect-Body-Wash-22-oz/943188318?irgwc=1&sourceid=imp_Wdl2BaWHdxyLUbdwUx0Mo36dUkB0%3A8wRMWaZRs0&veh=aff&wmlspartner=imp_1975889&clickid=Wdl2BaWHdxyLUbdwUx0Mo36dUkB0%3A8wRMWaZRs0&sharedid=sessionId%3D1619567918411&affiliates_ad_id=565706&campaign_id=9383&utm_campaign=UNE_DEF_002_Defense%20SknCln%20%28Dove%29_Dove%20Defense%202021_CN003865&utm_medium=1076441909&utm_source=Twitter.com

Landing page via @

https://www.walmart.com/ip/Dove-Care-Protect-Body-Wash-22-oz/943188318

Appending params @

sourceid=imp_Wdl2BaWHdxyLUbdwUx0Mo36dUkB0%3AY25MWaZRs0
wmlspartner=imp_1975889
clickid=Wdl2BaWHdxyLUbdwUx0Mo36dUkB0%3AY25MWaZRs0
sharedid=sessionId%3D1619567918411 (This is the cookie value from the landing page, passed into a querystring for Walmart)
utm_source=mikmak

Optimization params @

irgwc=1
veh=aff
affiliates_ad_id=565706
campaign_id=9383
utm_campaign=da913ded-e68f-404f-a9e5-8e4df9c61213_desktop_browser
utm_source=mikmak

On the original ads landing page, if you clicked on the Amazon or Target links instead of the Walmart link, the querystrings are slightly different, and it seems as though the cookie value “shareDID” is not being given to either of these companies — only Walmart.

Does this mean that there is some special data deal? Who knows…

Is this just another very common example of an enterprise company scraping the ad targeting data of another network through careful UTM building + 1st party cookie value sharing across domains? Yup!

Feel free to send me any URLs with fun UTM querystrings at badurls@victorymedium.com or over on Twitter @thezedwards