Privacy & Consent

Google Privacy Sandbox: A Look at the Alternative to Third-Party Cookies

Pinterest LinkedIn Tumblr

As you probably know, following Safari’s and Mozilla’s lead, Chrome is also deprecating third-party cookies. Sure, it may take two years, but for publishers who rely on cookie-based tracking for behavioral targeting—it’s a huge shock to the system. It means discarding a mechanism that pretty much set the foundation for how personalized digital ads are delivered on the web.

In a recent study, Google found that, “digital publishers lose 52% of revenue on average when readers set their web browsers to block cookies.” Google is in a unique position of being one of the largest browser vendors and advertising vendors by market share—which means that blocking third-party cookies is going to hurt Google as well. The reason Google is taking such a hard stance nevertheless, is two-fold: (1) Recent regulatory crackdown on lax online privacy standards and (2) The prospect of losing browser market share to more privacy-focussed browsers.

Panic on the Sell-side

Meanwhile, the publishing community is struck with panic. “What will happen now? How will we track users? Can we survive on contextual targeting? How can we use our first-party data? Should we pivot to a subscription model?” These are some of the question running through every publisher’s mind right now.

As a direct consequence, industry publications and ad tech events have been busy covering some or the other variation of “surviving the cookiepocalypse”. (Full disclosure: We’re doing a webinar on it too, you can register for it here.)

Many initiatives are currently underway, and solutions being proposed, as a way to counteract the sudden loss of cookie-based data, including IAB’s Project Rearc, universal IDs, identity resolution, email hashing, contextual targeting, and many others. Only time will tell how effective these solutions are.

This might make you wonder, Google lit the fuse on this entire thing—what it is doing about it? Google does have a plan. And it’s called the Privacy Sandbox. In a blog post about the initiative, Justin Schuh, Director, Chrome Engineering, said:

We are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete.

Rendering third-party cookies obsolete is a tall claim to make for anyone right now. But if anyone can do it, it’s probably Google. So what exactly is the Privacy Sandbox?

Understanding the Privacy Sandbox

The underlying principle of the privacy sandbox is anonymizing user data, while still allowing advertisers to continue using behavioral targeting, without the pervasiveness associated with third-party cookies.

Google Privacy Sandbox

Since the Privacy Sandbox project is in its infancy, no actual platform or code currently exists for advertisers to test. The platform is proposed to run on several application programming interfaces (APIs) and additional features:

  • Trust tokens API: A alternative for CAPTCHA, the trust tokens API will be used to combat spam, fraud, and DoS attacks. Users will be required to fill out a CAPTCHA-like form once and in future instances, the anonymous trust tokens will automatically recognize the user as a real human.
  • Conversion measurement API: This is the replacement for cookies, and will allow advertisers to know whether or not a user saw their ad, and if yes, whether they landed on a promoted page or purchased a product or service.
  • Aggregated reporting API: This is intended to measure ad performance including total ad views and campaign reach, recognize users across the same domain, and configuring advanced features such as setting frequency caps.
  • Privacy budget: This will restrict the amount of user data that websites can glean from Google’s APIs by giving them a “budget”. This privacy budget might also be used to limit the type of signals that websites have access to.
  • Federated Learning of Cohorts (FLoC): A FLoC key is a short name shared by thousands of users with similar interests, derived from their browsing history, and organized using machine learning. This will allow users to be clubbed into interest groups without revealing personally identifiable information.
  • TURTLE-DOVE: Intended to record user browsing data from the server-side to the client-side. The idea is to restrict personal data from websites and vendors and instead allow advertisers to re-market based on interest groups.
  • First-party sets: Intended to enable publishers operating multiple domains to identify themselves as a same first-party, this will work by defining browser policies, based on which declared names will be considered as the same site.

In addition to announcing that third-party cookies will be blocked in the future, Google also changed the default state of SameSite Cookies, intended to separate first-party and third-party cookies. With both these changes, Google’s intention is to provide users more privacy and control by storing their data on the browser-level.

The data that powers the Privacy Sandbox is Google’s own first-party data, gathered from Chrome users logged into a Google account. This has some people worrying about Google’s walled garden expanding to unprecedented levels, while website owners and independent ad tech vendors are hung out to dry.

The good thing is that Google Privacy Sandbox is an open standard, which means that everyone in the industry can have a say and affect change. The World Wide Web Consortium has been working with Google on the development of the project, indicating that these standards could become consistent across browsers.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.