Google’s Privacy Sandbox: What you need to know

Update: The U.K. Competition and Markets Authority published a new report, adopting the concerns of the Information Commissioner’s Office and raising the number of issues that need to be addressed from 39 to 79. No wonder Google pushed cookie deprecation to 2025 earlier the same week.

Google’s Privacy Sandbox is a space where a series of complex proposals to protect user privacy have been developed and are undergoing (or have undergone) extensive testing. In short, Privacy Sandbox is an attempt to fill in the many gaps that will open up in the advertising ecosystem when third-party cookies are deprecated in the Chrome browser.

One key proposal is to replace tracking of indivdual users with Topics, assigning them (temporarily and in a way that does not identify them) topics of interest based on their browsing.

But it’s not just about the Chrome Browser and it’s not just about Topics. There’s also a Privacy Sandbox for Android that explores ways of preserving the app advertising ecosystem once users can opt out of being tracked (as they already can on iOS).

Google has repeatedly delayed the complete deprecation of third-party cookies, although at the beginning of 2024 it did roll out the option to opt out to some 1% of Chrome users worldwide. It had maintained that cookies will be gone by the end of the year (but that’s changed — see below). Regulators have warned it not to act before anti-competitive concerns have been resolved.

New CMA report more than doubles the number of problems

On April 26, 2024, the U.K. Competition and Markets Authority (CMA), which has primarily been looking at anti-competitive issues arising from Privacy Sandbox, issued a new report listing around 80 potential problems that need to be addressed. As recently as January, it has listed about half that number.

Among other things, it appears that the CMA has adopted wholesale the concerns of the Information Commissioner’s Office, a U.K. data regulator, regarding the preservation of use privacy (see below). Google likely saw this coming over the horizon as they pushed back the cookie deprecation deadline again earlier the same week.

There is a sense that Google is slipping further behind when it comes to resolving regulators’ concerns.

The latest delay: Maybe 2025

On April 23, Google announced yet another delay to third-party cookie deprecation:

We recognize that there are ongoing challenges related to reconciling divergent feedback from the industry, regulators and developers, and will continue to engage closely with the entire ecosystem. It’s also critical that the CMA has sufficient time to review all evidence including results from industry tests, which the CMA has asked market participants to provide by the end of June. Given both of these significant considerations, we will not complete third-party cookie deprecation during the second half of Q4. We remain committed to engaging closely with the CMA and ICO and we hope to conclude that process this year. Assuming we can reach an agreement, we envision proceeding with third-party cookie deprecation starting early next year.

Privacy Sandbox update

See below for more on the ICO’s intervention.

Dig deeper: Google is rolling out Topics-based tracking for Chrome

Google’s thankless transparency

Throughout the multi-year lifespan of the Sandbox, Google has — on the face of it — gone out of its way to offer transparency into its proposals and timeline (here’s the Web timeline as of April 2024). It has worked with the CMA on antitrust issues since 2021 and has collaborated with the IAB Tech Lab industry consortium to refine Privacy Sandbox proposals.

Google might feel that the transparency has not been appreciated. The CMA’s concerns have not yet been resolved and in a scathing report released in February, 2024, the Tech Lab said:

“(T)he changes mandated by Privacy Sandbox will require substantial development and infrastructure investment costs for both buy and sell-side technology companies. Additionally, operational, business, financial, and legal processes for brands, agencies, and media companies will need extensive reworking

IAB Tech Lab slams Google Privacy Sandbox

Google was not slow to clap back:

“(T)he analysis contains many misunderstandings and inaccuracies, which we consider important to correct in order to provide accurate information to the ecosystem. Overall, the report appears to ignore the broader objective of Privacy Sandbox to enhance user privacy while supporting effective digital advertising.”

IAB Tech Lab slams Google Privacy Sandbox

UK’s Information Commissioner’s Office (ICO) steps in

In a recent development, the Privacy Sandbox is now being challenged by another U.K. regulator responsible for information rights and public privacy. The ICO is an executive non-departmental public body, sponsored by the U.K. government’s Department for Science, Innovation and Technology.

Concerns are being raised about adequate protection for user privacy within the protocols being developed by Privacy Sandbox, according to documents obtained by the Wall Street Journal. It believes there are loopholes that could be exploited to track users — something Google was set on eliminating. The ICO has shared its concernes with the CMA.

Ad industry is now acting

After a lengthy period of prevarication, strongly recalling the run-up to GDPR, the ad industry has begun taking steps to prepare for cookie deprecation. It is making major investments in order to adapt to the new privacy-by-design ecosystem, according to an IAB survey of 500 advertising and data experts at brands, agencies and publishers.

The 2024 edition of the IAB’s annual “State of Data” report shows how the industry is addressing the new privacy-by-design ecosystem in which the deprecation of third-party cookies and other privacy-protective measures are expected to lead to significant signal loss. In particular, the new environment is expected to put obstacles in the way of targeting, personalization and measurement.

More than half those surveyed anticipate challenges in tracking conversions, attributing conversions to campaign or channel performance, measuring ROI and optimizing campaigns; almost 50% expect to struggle to measure reach.

Against this background, some 90% are shifting their personalization tactics, their ad spend, and the balance of first- and third-party data in their ad strategy. Eighty percent are planning to train their staff on privacy-related issues, while many expect to create dedicated teams or employ external experts to work on these issues.

Brands, agencies, and publishers are planning to grow their first party data-sets at a rate almost double two years ago (71% vs. 41%). In other words, we will see an attempt to leverage first-party (and zero-party) data as a replacement for the third-party data collected through covert tracking. There are two concerns however. The first is that, due to the comparatively limited quantity of first-party data, this approach just won’t achieve the results seen with third-party cookies. The second is that using first-party data means addressing only existing customers (or subscribers, or members, etc.). Other tactics will be needed to support acquisition.

Concerns about adequacy of Privacy Sandbox testing

The protocols in the Privacy Sandbox became available for testing in January this year. The problem that some experts see is that it requires large-scale adoption within the ad ecosystem for the results of the testing to be reliable. While it may be possible to test whether something technically works on this scale, it’s hard to evaluate the effects it would have when adopted across the ecosystem.

Said Ken Weiner, CTO at contextual advertising platform GumGum, “Some people have prototyped it and what I’ve heard is, it’s kind of working but the CPMs are lower. But when more people adopt it, we might get back up to normal levels.”

Data clean room and collaboration platform Optable has a direct integration with Privacy Sandbox and is one of the organizations involved in testing its capabilities. Bosko Milekic, co-founder and chief product officer, said: “We have some sense that it works for audience targeting; it’s designed to enable that kind of campaign to continue to run once cookies are gone. It’s still difficult to draw conclusions on performance, the reason being that the amount of inventory currently available to bidders such as Optable through the Privacy Sandbox mechanisms is quite limited.”

Optable is finding that the targeting and measurement mechanisms work. “But it’s still to early to draw definitive conclusions as to broad performance,” said Milekic.

By Q3, the 1% testing period will be over and Google will be able (CMA permitting) to roll out cookie deprecation everywhere without a clear idea of what will happen when it goes from 1% to 100%.

Some don’t care about cookies

There are some members of the advertising ecosystem that are not just resigned to the loss of third-party cookies, but aren’t even mourning it.

GumGum, with its stake in contextual advertising, is one. Another is marketing analytics firm ChannelMix. “We have a solution that doesn’t rely on cookies,” said Michelle Jacobs, ChannelMix’s President and co-founder, “so it doesn’t really matter to us what Google ends up doing.” Nevertheless, she views the Privacy Sandbox proposals as a step backwards. “Marketers aren’t going to be able to execute media like they’re doing today.”

Jacobs’ co-founder and ChannelMix CEO Matt Hertig believes that “straight-line attribution” based on cookie-tracking has actually been dead for years. “We’re excited because this is forcing the industry to adopt practical measurement strategies based around first-party data.”

Another agnostic player is Optable, the data collaboration and clean room vendor that was created in conscious anticipation of the deprecation of third-party cookies on Chrome. “We created Optable specifically to make it possible to do relevant advertising effectively without third-party cookies,” said Milekic.

The main alternatives to third-party cookies

Although there seem to be countless proposed alternatives to cookies out there, they generally fall into one of the following categories: reliance on first-party (and zero-party) data, contextual advertising, identity resolution (including data clean rooms) or purported substitutes like Privacy Sandbox’s Topics.

“I think there are going to be lots of different tactics to get through this,” said Tara DeZao, product marketing director for adtech and martech at Pega . “Brands that don’t have a lot of first-party data — say, for example, CPG brands — are going to rely on their retail media partners, the Targets and the Walmarts, to get them the reach that they need. In terms of other industries, there are lots of first-party data options available.”

First-party (and zero-party) data

“Consumers are amenable to giving you their data as long as there’s a value exchange there,” said DeZao. “I think brands haven’t cracked the code 100% on what the value exchange is going to be.”

Closely associated with first-party data is zero-party data, data that is not personally identifying but which is offered up by the consumer through engagements like quizzes. One example we wrote about was an online temporary tattoo brand that collected information about a visitor’s style preferences and showed them relevant products; collecting first-party data could wait.

Contextual advertising

In a sense, contextual advertising goes back to the days of soap opera when Madison Avenue confidently identified the demographic watching daytime television dramas as the demographic responsible for buying soap powder. But there are new forms of contextual advertising out there.

“Context is going to be huge,” said DeZao. “As someone working for an AI company, we know that consumers are moving so rapidly through all their channels and devices, so you need real-time data and information. Context is one of those categories where you can get the freshest take on what your consumer is doing in the moment.” In other words, regardless of identity, consumers scrolling through camping websites might like to see ads for tents.

Identity resolution

There are many vendors today offering identity resolution solutions that — largely probabilistically — stitch identifiers like postal or email address to transaction activity or other trackable behaviors. Some of these solutions are interoperable — for example, The Trade Desk’s UID is interoperable with LiveRamp’s RampID. Does that bring benefits?

“If you look at our marketing stacks today they’re so, so bloated,” said DeZao. “We’re actually using less of the stack than we ever did, but we’re continuing to add things into it. So I think, when a brand is looking for new solutions — and it’s going to be multiple, because there’s not one solution to replace this functionality — they need to be reducing the number of vendors they have versus adding. Consider technologies that are interoperable with each other.”

Google Topics

The winning alternative to cookies that has emerged from Privacy Sandbox is Topics, a browser-based approach that assigns a rotating and limited number of topics to a browser based on activity.

“It’s a seven-day cadence,” DeZao explained, “and I think there’s something like 460 or 470 categories, and they’re not super granular. Criteo is a Google partner; they’ve been testing Topics and a year ago they found that Topics was five times less effective than cookies. They have added a hundred or so categories since then but the granularity is not there.”

“Topics is not going to have demographic information or categories,” she said. “Your first-party data is your best bet. If you’re in industries like finance, telecoms and potentially arts and entertainment, you’re going to want that demographic info.”

If DeZao had to place a dollar on which solution will ultimately win out? It sounds like she’s bet on contextual advertising. “Contextuality and real-time data — like, the freshest possible data.”

What you need to know about Privacy Sandbox for Android

Most discussion of Google’s Privacy Sandbox proposals have focused on what they mean for the Chrome browser. After all, it’s Chrome’s deprecation of cookies that has seemed to be the motivating force for the Sandbox and for proposals like Topics and Protected Audiences. But it raises significant issues for mobile marketing too.

Privacy Sandbox for Android will deprecate identifiers just as Apple’s iOS already has. “Privacy Sandbox is introducing APIs and solutions that basically remove the Android Advertising ID, a unique identifier at device level that is consistent across all apps on that device,” said said Itai Cohen, SVP marketing and strategy at Digital Turbine. It is possible to reset the ID, but Cohen expects only a minority of tech-savvy users to do that. Consent is easier on iOS, but consent rates are still below 20%.

Having already lost identifiers on iOS, mobile marketers should know what to expect. Losing the device identifier meant losing two things: The database becomes far less useful for gauging the right level of bidding, and attribution becomes highly problematic. “Once you can’t close the loop between purchase and user acquisition spend, measuring marketing efficacy is significantly hindered,” said Cohen.

The major difference between Apple’s and Google’s approaches is that users on iOS receive a prompt from each individual app where they can choose to actively opt-in to share their device identifier (albeit consent rates are still below 20%), whereas Google’s Privacy Sandbox aims to remove user-level identifiers altogether and replace them with a set of APIs that support various advertising use-cases without relying on identifiers.

Said Cohen, “While Chrome Privacy Sandbox is challenging to implement, mobile will be a much bigger lift. The IAB had a strong response to the Chrome Privacy Sandbox, and that was an easier process compared to the mobile side.”

Dig deeper: More details on Privacy Sandbox for Android