Google’s Privacy Sandbox: What you need to know
Get the latest on Google's plan to protect user privacy in the advertising ecosystem. Updated with the latest concerns from the U.K. CMA.
We’ve updated our article on Google’s Privacy Sandbox to include the latest competitive concerns raised by the U.K.’s CMA.
Google’s Privacy Sandbox is a space where a series of complex proposals to protect user privacy have been developed and are undergoing (or have undergone) extensive testing. In short, Privacy Sandbox is an attempt to fill in the many gaps that were expected to open up in the advertising ecosystem with third-party cookies being deprecated in the Chrome browser. (In fact, Google now says it will not deprecate third-party cookies after all. The announcement, by Google’s Anthony Chavez, VP, Privacy Sandbox can be found here.)
One key proposal is to replace tracking of individual users with Topics, assigning them (temporarily and in a way that does not identify them) topics of interest based on their browsing.
But it’s not just about the Chrome Browser and it’s not just about Topics. There’s also a Privacy Sandbox for Android that explores ways of preserving the app advertising ecosystem once users can opt out of being tracked (as they already can on iOS).
Table of contents
- Where are we now?
- Third-party cookies will not be deprecated
- CMA report more than doubles the number of Google Sandbox problems
- Google’s thankless transparency
- Final IAB Tech Lab Privacy Sandbox Fit Gap Analysis
- UK’s Information Commissioner’s Office (ICO) stepped in
- Ad industry is now acting
- Concerns about adequacy of Privacy Sandbox testing
- Some ad industry players don’t care about cookies
- The main alternatives to third-party cookies
- What you need to know about Privacy Sandbox for Android
- Privacy Sandbox faces continued competitive concerns in the U.K.
Where are we now?
Almost three months after Google’s pivot, “88% of industry professionals feel Google’s decision to reverse the phase-out of third-party cookies has caused major confusion in digital advertising.” That’s according to a study from the IAB. The IAB’s Angelina Eng wrote for MarTech:
Many companies invested heavily in preparing for a cookieless future, so this shift feels like an unexpected detour after years of planning. While Google’s new focus on user choice gives users more control over their web browsing, it has left the industry uncertain about how to move forward.
Google has also not explained how these changes will affect Android devices, creating uncertainty about how privacy will be handled across its ecosystem. This lack of clarity makes it harder for companies to plan effective cross-platform strategies.
Third-party cookies will not be deprecated
Google repeatedly delayed the complete deprecation of third-party cookies, although at the beginning of 2024 it did roll out the option to opt out to some 1% of Chrome users worldwide. Then, on July 22, 2024, Google announced it will not deprecate third-party cookies on Chrome after all. Instead, it will continue to develop Privacy Sandbox alternatives and allow users to make an “informed choice” about whether or not to accept cookies.
Dig deeper: Google is rolling out Topics-based tracking for Chrome
CMA report more than doubles the number of Google Sandbox problems
On April 26, 2024, the U.K. Competition and Markets Authority (CMA), which has primarily been looking at anti-competitive issues arising from Privacy Sandbox, issued a new report listing around many more potential problems that need to be addressed than identified in its previous report in January.
Among other things, it appears that the CMA has adopted wholesale the concerns of the Information Commissioner’s Office, a U.K. data regulator, regarding the preservation of use privacy (see below). Google likely saw this coming over the horizon as they pushed back the cookie deprecation deadline again earlier the same week.
There is a sense that Google is slipping further behind when it comes to resolving regulators’ concerns.
Google’s thankless transparency
Throughout the multi-year lifespan of the Sandbox, Google has — on the face of it — gone out of its way to offer transparency into its proposals and timeline (here’s the Web timeline as of April 2024). It has worked with the CMA on antitrust issues since 2021 and has collaborated with the IAB Tech Lab industry consortium to refine Privacy Sandbox proposals.
Google might feel that the transparency has not been appreciated. The CMA’s concerns have not yet been resolved and in a scathing report released in February, 2024, the Tech Lab said:
“(T)he changes mandated by Privacy Sandbox will require substantial development and infrastructure investment costs for both buy and sell-side technology companies. Additionally, operational, business, financial, and legal processes for brands, agencies, and media companies will need extensive reworking
IAB Tech Lab slams Google Privacy Sandbox
Google was not slow to clap back:
“(T)he analysis contains many misunderstandings and inaccuracies, which we consider important to correct in order to provide accurate information to the ecosystem. Overall, the report appears to ignore the broader objective of Privacy Sandbox to enhance user privacy while supporting effective digital advertising.”
IAB Tech Lab slams Google Privacy Sandbox
Final IAB Tech Lab Privacy Sandbox Fit Gap Analysis
The IAB Tech Lab’s Privacy Sandbox Task Force issued their last deliverable, the final version of the Fit Gap Analysis, on June 27, 2024. Its conclusions were no more comforting for Google — or indeed the ad ecosystem — than the February report.
“The Task Force’s concerns with the Privacy Sandbox remain unchanged. We maintain that it falls well short of what is needed to support a robust open web by balancing advertising utility for brands against media companies’ ability to maximize revenues. In its current form, the Privacy Sandbox will restrict the digital media industry’s ability to deliver relevant, effective advertising, placing smaller media companies and brands at significant risk. The lack of functionality will throttle their ability to compete, ultimately impacting the industry’s growth.”
Blog post accompanying report
The full analysis can be accessed here.
UK’s Information Commissioner’s Office (ICO) stepped in
The Privacy Sandbox was being challenged by another U.K. regulator responsible for information rights and public privacy. The ICO is an executive non-departmental public body, sponsored by the U.K. government’s Department for Science, Innovation and Technology.
Concerns are being raised about adequate protection for user privacy within the protocols being developed by Privacy Sandbox, according to documents obtained by the Wall Street Journal. It believes there are loopholes that could be exploited to track users — something Google was set on eliminating. The ICO has shared its concernes with the CMA.
Ad industry is now acting
After a lengthy period of prevarication, strongly recalling the run-up to GDPR, the ad industry has begun taking steps to prepare for cookie deprecation. It is making major investments in order to adapt to the new privacy-by-design ecosystem, according to an IAB survey of 500 advertising and data experts at brands, agencies and publishers.
The 2024 edition of the IAB’s annual “State of Data” report shows how the industry is addressing the new privacy-by-design ecosystem in which the deprecation of third-party cookies and other privacy-protective measures are expected to lead to significant signal loss. In particular, the new environment is expected to put obstacles in the way of targeting, personalization and measurement.
More than half those surveyed anticipate challenges in tracking conversions, attributing conversions to campaign or channel performance, measuring ROI and optimizing campaigns; almost 50% expect to struggle to measure reach.
Against this background, some 90% are shifting their personalization tactics, their ad spend, and the balance of first- and third-party data in their ad strategy. Eighty percent are planning to train their staff on privacy-related issues, while many expect to create dedicated teams or employ external experts to work on these issues.
Brands, agencies, and publishers are planning to grow their first party data-sets at a rate almost double two years ago (71% vs. 41%). In other words, we will see an attempt to leverage first-party (and zero-party) data as a replacement for the third-party data collected through covert tracking. There are two concerns however. The first is that, due to the comparatively limited quantity of first-party data, this approach just won’t achieve the results seen with third-party cookies. The second is that using first-party data means addressing only existing customers (or subscribers, or members, etc.). Other tactics will be needed to support acquisition.
Concerns about adequacy of Privacy Sandbox testing
The protocols in the Privacy Sandbox became available for testing in January this year. The problem that some experts see is that it requires large-scale adoption within the ad ecosystem for the results of the testing to be reliable. While it may be possible to test whether something technically works on this scale, it’s hard to evaluate the effects it would have when adopted across the ecosystem.
“There’s some really good ideas in there to protect privacy and continue with advertising, but they need to be tested properly. From the second an ad is created to when it is delivered, there are many “hops” and those “hops” have been created over 20 years and each one provides, or should provide, value. All the companies in this ecosystem need to be connected in order for Privacy Sandbox to work and not everyone has done that work yet. Everyone has to connect to the framework to test it properly,” said Quantcast CMO Amit Kotecha.
Said Ken Weiner, CTO at contextual advertising platform GumGum, “Some people have prototyped it and what I’ve heard is, it’s kind of working but the CPMs are lower. But when more people adopt it, we might get back up to normal levels.”
Data clean room and collaboration platform Optable has a direct integration with Privacy Sandbox and is one of the organizations involved in testing its capabilities. Bosko Milekic, co-founder and chief product officer, said: “We have some sense that it works for audience targeting; it’s designed to enable that kind of campaign to continue to run once cookies are gone. It’s still difficult to draw conclusions on performance, the reason being that the amount of inventory currently available to bidders such as Optable through the Privacy Sandbox mechanisms is quite limited.”
Optable is finding that the targeting and measurement mechanisms work. “But it’s still to early to draw definitive conclusions as to broad performance,” said Milekic.
By Q3, the 1% testing period will be over and Google will be able (CMA permitting) to roll out cookie deprecation everywhere without a clear idea of what will happen when it goes from 1% to 100%.
Some ad industry players don’t care about cookies
There are some members of the advertising ecosystem that are not just resigned to the loss of third-party cookies, but aren’t even mourning it.
GumGum, with its stake in contextual advertising, is one. Another is marketing analytics firm ChannelMix. “We have a solution that doesn’t rely on cookies,” said Michelle Jacobs, ChannelMix’s President and co-founder, “so it doesn’t really matter to us what Google ends up doing.” Nevertheless, she views the Privacy Sandbox proposals as a step backwards. “Marketers aren’t going to be able to execute media like they’re doing today.”
Jacobs’ co-founder and ChannelMix CEO Matt Hertig believes that “straight-line attribution” based on cookie-tracking has actually been dead for years. “We’re excited because this is forcing the industry to adopt practical measurement strategies based around first-party data.”
Another agnostic player is Optable, the data collaboration and clean room vendor that was created in conscious anticipation of the deprecation of third-party cookies on Chrome. “We created Optable specifically to make it possible to do relevant advertising effectively without third-party cookies,” said Milekic.
The main alternatives to third-party cookies
Although there seem to be countless proposed alternatives to cookies out there, they generally fall into one of the following categories: reliance on first-party (and zero-party) data, contextual advertising, identity resolution (including data clean rooms) or purported substitutes like Privacy Sandbox’s Topics.
“I think there are going to be lots of different tactics to get through this,” said Tara DeZao, product marketing director for adtech and martech at Pega . “Brands that don’t have a lot of first-party data — say, for example, CPG brands — are going to rely on their retail media partners, the Targets and the Walmarts, to get them the reach that they need. In terms of other industries, there are lots of first-party data options available.”
First-party (and zero-party) data
“Consumers are amenable to giving you their data as long as there’s a value exchange there,” said DeZao. “I think brands haven’t cracked the code 100% on what the value exchange is going to be.”
Closely associated with first-party data is zero-party data, data that is not personally identifying but which is offered up by the consumer through engagements like quizzes. One example we wrote about was an online temporary tattoo brand that collected information about a visitor’s style preferences and showed them relevant products; collecting first-party data could wait.
Contextual advertising
In a sense, contextual advertising goes back to the days of soap opera when Madison Avenue confidently identified the demographic watching daytime television dramas as the demographic responsible for buying soap powder. But there are new forms of contextual advertising out there.
“Context is going to be huge,” said DeZao. “As someone working for an AI company, we know that consumers are moving so rapidly through all their channels and devices, so you need real-time data and information. Context is one of those categories where you can get the freshest take on what your consumer is doing in the moment.” In other words, regardless of identity, consumers scrolling through camping websites might like to see ads for tents.
Identity resolution
There are many vendors today offering identity resolution solutions that — largely probabilistically — stitch identifiers like postal or email address to transaction activity or other trackable behaviors. Some of these solutions are interoperable — for example, The Trade Desk’s UID is interoperable with LiveRamp’s RampID. Does that bring benefits?
“If you look at our marketing stacks today they’re so, so bloated,” said DeZao. “We’re actually using less of the stack than we ever did, but we’re continuing to add things into it. So I think, when a brand is looking for new solutions — and it’s going to be multiple, because there’s not one solution to replace this functionality — they need to be reducing the number of vendors they have versus adding. Consider technologies that are interoperable with each other.”
Google Topics
The winning alternative to cookies that has emerged from Privacy Sandbox is Topics, a browser-based approach that assigns a rotating and limited number of topics to a browser based on activity.
“It’s a seven-day cadence,” DeZao explained, “and I think there’s something like 460 or 470 categories, and they’re not super granular. Criteo is a Google partner; they’ve been testing Topics and a year ago they found that Topics was five times less effective than cookies. They have added a hundred or so categories since then but the granularity is not there.”
“Topics is not going to have demographic information or categories,” she said. “Your first-party data is your best bet. If you’re in industries like finance, telecoms and potentially arts and entertainment, you’re going to want that demographic info.”
If DeZao had to place a dollar on which solution will ultimately win out? It sounds like she’s bet on contextual advertising. “Contextuality and real-time data — like, the freshest possible data.”
What you need to know about Privacy Sandbox for Android
Most discussion of Google’s Privacy Sandbox proposals have focused on what they mean for the Chrome browser. After all, it’s Chrome’s deprecation of cookies that has seemed to be the motivating force for the Sandbox and for proposals like Topics and Protected Audiences. But it raises significant issues for mobile marketing too.
Privacy Sandbox for Android will deprecate identifiers just as Apple’s iOS already has. “Privacy Sandbox is introducing APIs and solutions that basically remove the Android Advertising ID, a unique identifier at device level that is consistent across all apps on that device,” said said Itai Cohen, SVP marketing and strategy at Digital Turbine. It is possible to reset the ID, but Cohen expects only a minority of tech-savvy users to do that. Consent is easier on iOS, but consent rates are still below 20%.
Having already lost identifiers on iOS, mobile marketers should know what to expect. Losing the device identifier meant losing two things: The database becomes far less useful for gauging the right level of bidding, and attribution becomes highly problematic. “Once you can’t close the loop between purchase and user acquisition spend, measuring marketing efficacy is significantly hindered,” said Cohen.
The major difference between Apple’s and Google’s approaches is that users on iOS receive a prompt from each individual app where they can choose to actively opt-in to share their device identifier (albeit consent rates are still below 20%), whereas Google’s Privacy Sandbox aims to remove user-level identifiers altogether and replace them with a set of APIs that support various advertising use-cases without relying on identifiers.
Said Cohen, “While Chrome Privacy Sandbox is challenging to implement, mobile will be a much bigger lift. The IAB had a strong response to the Chrome Privacy Sandbox, and that was an easier process compared to the mobile side.”
Dig deeper: More details on Privacy Sandbox for Android
Privacy Sandbox faces continued competitive concerns in the U.K.
The U.K.’s Competition and Markets Authority (CMA) continues to closely monitoring Google’s evolving Privacy Sandbox initiative despite the tech giant’s major strategy shift to allow users to whether nor not to accept third-party cookies.
In its latest assessment published Nov. 11, 2024, the CMA revealed that competition concerns around the Privacy Sandbox persist, even with Google’s revised approach. The regulator is now working with Google to update the existing commitments to address these ongoing issues.
Key details:
- The CMA says its “view is that competition concerns remain under Google’s revised approach” and wants to ensure any changes support continued competition in digital advertising.
- Specific areas of concern include Google’s control over the Topics API taxonomy, auction dynamics in the Protected Audience API, and limitations in the Attribution Reporting API.
Read more about Privacy Sandbox and the CMA from Anu Adegbola on Search Engine Land.
Related stories