Thursday, January 23, 2025
HomeAdvertisingThe Evolution of Google's Privacy Sandbox

The Evolution of Google’s Privacy Sandbox


The biggest web browser in the world, Google Chrome, is developing the Privacy Sandbox to create a cookieless, user- and advertiser-friendly environment. However, the initiative is being scrutinized for several reasons, including gaining a dominant position in the AdTech market. Thus, the Privacy Sandbox project needs to evolve to adapt to market requirements.

When Google Announced its Privacy Sandbox

In August 2019, Alphabet Inc.’s subsidiary, Google Chrome, launched its Privacy Sandbox initiative to develop a set of open standards to enhance privacy on the web. The company asked the AdTech industry for feedback.

The initial reactions were mixed. While some stakeholders welcomed the initiative as a necessary step toward protecting user privacy, others expressed concerns about its potential impact on the advertising ecosystem.

Industry groups such as the Interactive Advertising Bureau (IAB) and various digital marketing firms worried that the Privacy Sandbox could limit their ability to track users effectively, thereby reducing the precision and profitability of targeted advertising.

On January 7, 2021, the British Competition and Markets Authority (CMA) launched an investigation into Google’s project to prevent Google from gaining a dominant position in the AdTech market. The investigation is backed up by the Competition Act 1998.

Alphabet’s companies committed to cooperating with the CMA in scrutinizing and overseeing Google’s Privacy Sandbox proposals. Over the next three years, each quarter, the CMA has published its latest update report on the implementation of Google’s Privacy Sandbox commitments.

The British body welcomed the industry to participate in open consultations.

All of these factors added up to Privacy Sandbox’s evolution, especially in terms of providing proper tech solutions. 

Here’s how it went.

The Evolution of Advertising Solutions in Google’s Privacy Sandbox

Google’s Privacy Sandbox includes several key APIs designed to enhance privacy while maintaining functionality for advertisers. Ever since the project was launched, the APIs have been evolving.

  • Topics API: Allows for interest-based advertising.
  • Protected Audience API: Supports remarketing and custom audience creation and use cases without third-party cross-site tracking.
  • Attribution Reporting API: Allows companies to measure ad campaign effectiveness without third-party cross-site tracking.
  • Private Aggregation API: Aggregates and reports on cross-site data in a privacy-preserving manner.

The two APIs at the top of the list went the longest way in terms of aligning them with the market’s requirements.

FLoC Criticized and Replaced by Topics API

On January 14, 2020, Chrome published an intention to implement a Federated Learning of Cohorts (FLoC) API, the original solution designed for ad targeting in the Privacy Sandbox. Its concept was to group users into cohorts based on similar browsing behaviors, allowing interest-based advertising without individual tracking. 

In January 2021, Google claimed that FLoC was at least 95% as effective as third-party cookies for tracking.

However, AdExchanger reported skepticism within the AdTech industry about Google’s claim and its methodology. FLoC aimed to democratize access to user browsing history by grouping users into cohorts, which would be shared with every website they visit instead of using individual tracking techniques.

The Electronic Frontier Foundation (EFF) also criticized FLoC, calling it a breach of user trust. The EFF’s Cory Doctorow acknowledged the benefit of removing third-party cookies but opinioned FLoC for potentially making Google a gatekeeper of user privacy.

In April 2021, DuckDuckGo advised against using Chrome, highlighting that users could be included in FLoC without their consent. The company emphasized that any behavioral tracking mechanism should be opt-in and free of dark patterns. DuckDuckGo updated its Chrome extension to block FLoC interactions.

Brave, another Chromium-based browser, announced it would disable FLoC and criticized Google’s approach as insufficient for genuine privacy protection. Major browsers, including Microsoft Edge, Vivaldi, and Opera, also declined to implement FLoC.

Additionally, several companies, such as GitHub, Drupal, and Amazon, opted to disable FLoC by using specific HTTP headers.

Also, The Economist reported concerns about FLoC potentially grouping people by sensitive characteristics like race or sexuality.

The initial version of FLoC ran from Chrome 89 to 91 and ended on July 14, 2021. On January 25, 2022, Google introduced FLoC’s replacement: the Topics API.

FLoC vs Topics API

FLoC grouped users into cohorts based on similar browsing behaviors. Each cohort represented a cluster of users with similar interests and browsing patterns.

The Topics API assigns users to general-interest categories (e.g., sports, travel, technology) based on their browsing history over a short period. Only a few recent topics are shared with websites, and these topics are rotated periodically to protect user privacy. 

The Topics API aims to address the primary FLoC concerns, such as fingerprinting and lack of transparency. This approach has received a more favorable response from privacy advocates and the AdTech industry stakeholders.

TURTLEDOVE Modified Into Protected Audience API

The evolution of frameworks for remarketing and custom audience creation started with the method called TURTLEDOVE — Two Uncorrelated Requests, Then Locally-Executed Decision On Victory.

TURTLEDOVE’s main feature was that all auction choices would be made in the browser, not on ad servers. Excluding data sharing would, in theory, prevent malicious actors from stealing bidstream data and using it to create user profiles. 

However, Google had to change its proposal due to the industry’s criticism:

  • Limiting bandwidth in the web browser.
  • Unclear processes for A/B testing, frequency capping and brand safety.
  • As Google owns Chrome, it casts a shadow on the ethics of the TURTLEDOVE engine.

TURTLEDOVE’s follower was FLEDGE — First Locally-Executed Decision over Groups Experiment.

FLEDGE is partly built on the TURTLEDOVE method. It enables on-device auctions run in the browser to choose relevant ads from websites the user has previously visited, but it also introduces additional capabilities like custom audiences, more complex auction logic, and the use of a trusted server for specific functions.

FLEDGE was rebranded in April 2023 to Protected Audience, and Google is further working on enhancing the solution. The latest update, from January 10, 2024, mentions transitioning away from event-level reporting and requiring the use of Fenced Frames no sooner than in 2026.

Will Google’s Privacy Sandbox Ever Go Live?

Google still develops Privacy Sandbox standards. The company believes that Internet technology has and will evolve, and it’s not necessary to deliver complete technical designs but to improve them along the way. 

The road to the point where Google will be certain about going live with the Privacy Sandbox is rather bumpy. Google’s key announcements illustrate the complexities of the project:

  • August 22, 2019: Google announced the Privacy Sandbox initiative.
  • January 14, 2020: Google announced to kill off third-party cookies by 2022.
  • June 11, 2021: Google committed to collaborate with the UK’s CMA. The regulator body filed against the Privacy Sandbox. On November 26, 2021, Google updated its commitments.
  • June 24, 2021: Google extended its plan to shut off third-party cookies by an extra 2 years (2024).
  • July 14, 2021: The development of FLoC stopped.
  • January 25, 2022: Google introduced Topics API.
  • February 16, 2022: Google announced the Privacy Sandbox on Android.
  • July 27, 2022: Google postponed phasing out third-party cookies until the second half of 2024 and expanded testing windows for the Privacy Sandbox APIs.
  • June 15, 2023: Google informed about Topics API enhancements. The next update was on November 8, 2023.
  • August 3, 2023: Google published its plans on shipping the Privacy Sandbox relevance and measurement APIs.
  • September 7, 2023: Google stated that the measurement and relevance APIs for the Privacy Sandbox for the Web have reached “general availability” on Chrome.
  • December 14, 2023: Google announced that it will block third-party cookies by default for 1% of Chrome users as a test.
  • January 4, 2024: In addition to testing cookieless Chrome, Google rolled out Tracking Protection, a feature for limiting cross-site tracking.
  • February 14, 2023: Google rolled out the first Beta for the Privacy Sandbox on Android.
  • February 15, 2024: Google responded to IAB Tech Lab’s Fit Gap Analysis for Digital Advertising.
  • April 23, 2024: Google postponed phasing out third-party cookies till early 2025.
  • July 16, 2024: Google published industry feedback regarding the Privacy Sandbox. Four key areas need to be addressed to deliver satisfactory results to publishers, advertisers, and AdTech companies.
  • July 22, 2024: Google retreated from killing third-party cookies and announced introducing an option to disable cookies for users. The company also introduced IP Protection into Chrome’s Incognito mode.

As a result of the CMA’s involvement in the Privacy Sandbox project, Criteo’s tests on the Privacy Sandbox from 2024, and IAB Tech Lab’s report criticizing Privacy Sandbox functionality and claiming the industry “isn’t ready” for the shift, Google eventually redesigned an idea for introducing the Privacy Sandbox on the web.

What Impact on AdTech Does the Privacy Sandbox Have?

The simultaneous introduction of Google’s Privacy Sandbox and the phasing out of third-party cookies was to mark a shift in how data collection and usage would be managed within the digital advertising ecosystem. 

However, Google eventually announced that it would no longer deprecate cookies.

Nonetheless, the AdTech industry was expecting big changes. The key advertising technologies of Topics, Protected Audience, Attribution Reporting, and Private Aggregation were to shake the ground of digital advertising. 

With the narration of safeguarding privacy, publishers, ad agencies, advertisers, AdTech companies and other entities reliant on third-party cookies were to feel disruptive changes. 

The enforced cookieless environment was to shorten the lives of platforms explicitly leveraging data stored in third-party cookies, i.e., demand-side platforms (DSPs), ad exchanges, and data management platforms (DMPs). If Google’s original intent had come to fruition, these businesses would struggle to maintain their current models and would need to pivot to alternative tracking technologies or data sources.

Data brokers aggregate and sell user data, often collected via third-party cookies. With limited or no access to third-party data, their business models could be disrupted, forcing them as well as DSPs and other DMPs to adopt new business models.

Also, publishers who rely on third-party cookies for ad revenue would notice decreased ad effectiveness and lower revenue. 

Google, however, announced that it will give users the choice of whether to allow tracking. Moreover, the company encourages publishers to prepare their websites for browsing without third-party cookies.

In the upcoming years, the industry will probably move towards first-party data strategies, contextual advertising, and alternative monetization methods, like subscription models, as the whole advertising ecosystem is now following privacy-enhancing trends. Privacy Sandbox aims to build new standards but to reach a satisfactory level of privacy and effectiveness, the initiative still needs to adhere to the market’s demands.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments

Skip to toolbar