Assessing the impact of Google's Privacy Sandbox

If Google has its way, 2024 will be the year we can all finally stop talking about cookies. 

That is if their friends at the UK's Competition and Markets Authority (CMA) give them the green light to phase out support for cookies in Q3 2024. Google must convince the regulatory group that the Privacy Sandbox protects user privacy adequately and does not give Google an unfair competitive advantage.

Why would the Privacy Sandbox give Google a competitive edge? Because, the concept calls for the excision of core pieces of legacy advertising technology.

Many companies lack the resources and capacity to completely transform how they buy, sell, or manage digital advertising transactions. But a company like Google, with virtually unlimited resources, can snap its fingers and summon a small army of engineers and product managers to maintain its pole position in digital advertising.

Additionally, Google sits in the enviable position of owning the world's most popular browser (Chrome) and mobile operating system (Android). Google also has enough spare change to buy its way into the pockets of anybody not on Android (They pay Apple $18 billion / year to be the default search engine on Apple's Safari). Did I mention they also own GAM, DV360, and Google Ads? Okay, you get the point. 

Google has its tendrils wrapped around every nook and cranny of the Internet, giving the company limitless opportunities to collect user first-party data. The rest of us are stuck with our minuscule (by comparison) first-party data sets or rely on exchanging or pooling data. 

But now that Google deactivated third-party cookies for 30 million Chrome users in early January of this year, we know they are totally super serious about this whole cookie deprecation thing.

The Impact of the Sandbox

I can hardly believe it's been over three years since I first wrote about the privacy sandbox. In that time, Google has been dragging along whoever will come with them to develop very complex APIs to maintain the core pieces of advertising we all know and love while replacing the technology built on the back of third-party cookies. 

When assessing the impact that the Privacy Sandbox will wreak, it's helpful to understand what you lose when Google removes third-party cookies and possibly obfuscates the IP addresses of Chrome users. Digital advertising is so effective because it allows companies to target an individual, but audience targeting and other core advertising features rely on having a user identifier readily available.

If Google removes cookies and IP addresses from Chrome, they remove the two passive methods for advertisers to identify users across the web individually. When I say "passive," I mean that it does not require any action from a user to create an identifier. Advertisers can drop cookies on a browser, or advertisers and ad tech companies can read user IP addresses, which provide a semi-stable identifier to identify a user later on.

The alternative to passive data collection is a first-party data strategy. Many publishers and advertisers are now collecting email addresses in preparation for a world with no other useable identifier. However, this requires a large user footprint and an alternative identifier strategy. It also needs direct action from the user (providing an email address) rather than a passive method of dropping a cookie or collecting an IP address in the background. 

However, not all publishers are so lucky to have a large enough audience that it would make sense to establish an alternative ID strategy. Some publishers may have a large enough audience but rely on passerby readers or logged-out users. Do you log into every news site you read an article on?

Assuming cookies and IP addresses are all some publishers have, what features break when cookies and IP addresses go away on Chrome? 

Retargeting / Custom Audience Targeting

Long ago, in the before times, someone somewhere decided that the best way to show a user a relevant ad on the web was to track their browsing behavior. Advertisers or ad tech vendors working on their behalf would drop cookies on a user's browser — tiny little text files that contain a unique user identifier.

Let's pretend for a second that I was browsing around the web on Chrome for a new snowboard. I visited some blogs reviewing the best new snowboards or visited REI.com or Evo.com and checked out their wares. Each of these touchpoints allowed someone to drop a cookie on my browser. 

But why would someone want to do that? Money, the answer is always money. Companies could reap monetary gain from my desire to purchase a new snowboard in myriad ways. Those blogs reviewing snowboards could sell data to Burton, Jones, or any snowboard company to help them find prospective snowboard buyers in the future. REI or Evo may want to show me ads as I browse the web, reminding me about the snowboards I viewed.

Companies aggregate my user identifier and many others into targetable audience segments within their DSP. They can use this data to show me ads about snowboards or use even more advanced techniques to show me ads about the individual products I viewed — these are the "creepy" ads that follow you around the Internet, sometimes also referred to as retargeting ads, remarketing ads, or serving ads to custom audiences.

Not only do companies store data about me on their servers, but they also can share this data with other parties — which I may or may not have permitted to do so. The dark magic of third-party cookies and a process known as cookie syncing facilitates this unchecked sharing of my data.

In its endless benevolence and care for user privacy (or possibly its endless greed), Google has decided this is a problem. They do not want companies to be able to store and share data about Chrome users — either because they care about you or because they want to handicap the rest of the digital advertising industry to reap outsized profits. 

Which do you think it is? The UK's Competition and Markets Authority (CMA) is trying to answer this question.

Demographic / Interest-based targeting

Advertisers often refine their targeting by finding the most suitable audience for their marketing messages. Advertisers can target by gender (female), age group (18-34), interests (pickleball enthusiasts), or intent (in-market car buyers), and much more.

Advertisers or data brokers drop cookies on your browser or record your IP address to place you into these groups as you browse the web. Advertisers collect this data themselves, or data brokers aggregate it through agreements with website owners. 

Based on browsing behavior, companies will sort cookies and IP addresses into demographic or interest segments. If I keep browsing for snowboards, then one could assume I am an "outdoor enthusiast." If I end up reading an article titled "How to not break my hip snowboarding," one may be able to infer I am not in the 18-34 age group.

DSPs or advertisers can license these data sets to enhance their targeting capabilities by layering on audience segments to their campaigns. There is no way to do this passively without cookies or IP addresses.

Frequency Capping

Don't you hate when you see the same ad over and over? You might have to get used to that in Google's brave new world. 

Frequency capping is a setting in an ad-serving platform that controls how often an individual user should see an advertisement. Advertisers typically want to cap the number of times a user can see a particular ad or creative to control budget or limit ad fatigue for a user.

Advertisers apply frequency capping on the web by recording which ads a particular user has seen and storing that information alongside a recorded cookie ID. No cookies = no frequency capping.

Attribution Reporting

Performance advertisers need to know if their campaigns lead to user conversions, either in the form of an action or a purchase. 

The most straightforward way to explain this is that advertisers record a user's cookie ID or IP address when a user views or clicks an ad. Advertisers also record a user's cookie ID or IP address when they perform a desired action (like a checkout in an online shop). 

Advertisers can then check if the same user who bought something also saw a particular ad — then they can record that the user "converted" and even the amount they spent in that conversion. They can use this data to measure KPIs like ROAS (return on ad spend), which will tell them how much direct revenue they brought in due to a particular advertising budget. 

Rest assured that someone tracks your every move and aggregates and compiles your behavior into some KPI used to measure advertising effectiveness.

Geotargeting

Targeting users by location is a core feature of digital advertising that breaks if Google obfuscates IP addresses. Advertising platforms enlist geolocation vendors' services to provide locations by IP address. If Chrome starts passing along bogus proxy IP addresses (see Google's IP Protection proposal), we will have incorrect geolocations of users.

Without IP geolocation, you cannot target by country, state, DMA, city, etc., and it would also break any dynamic creative solutions that serve specific creatives to users in a particular location (think auto ads that include local auto dealership information).

So what now?

Fear not, my concerned ad tech citizen, for Google has all the answers. Google has proposed a Privacy Sandbox API to tackle each use case above:

Retargeting: Protected Audiences API

Demographic / Interest-based targeting: Topics API

Frequency Capping: Shared Storage API

Attribution Reporting: Attribution Reporting API

And supposedly, Google is looking into assigning "IP addresses that represent the user's coarse location, including country." with the IP Protection proposal, so at least Germans won't see political ads for the next American presidential election.  

So, who's ready to completely rewrite their entire technology stack to accommodate the whims of Google?! Joking aside, integrating all these APIs is a monumental task and will require considerable resources if anybody wants to target passive users on Chrome effectively. 

I have spent many hours discussing the privacy sandbox with people across the industry, and it is shocking how little people understand about it. Even the very technology companies who will need to integrate the APIs! The clock is ticking, and we only have a little time left unless many are resigned to apathy and have chosen to relinquish web advertising to Google. 

Unfortunately, we will likely see an immediate shift in spend from open web advertising into other platforms (CTV + Mobile) or straight into the hands of the social platforms and walled gardens (great for Google).

Eric Seufert astutely pointed out that Google's margins are much higher on its owned and operated channels relative to its network business, which serves ads on third-party websites and apps: "Google's margin on Network revenue is 10%, while it's 15% for YouTube and 55% for Search". We may witness Google self-sabotage its network business and the open web to push spend towards its higher-margin channels.

The migration of spend to Google O&Os, walled gardens, and more effective platforms may continue as advertisers, publishers, and their technology providers try to figure out how to integrate the sandbox into their technology and strategy.

In the worst-case scenario, we may see a permanent departure of advertising on the web for more effective platforms that maintain the status quo of identity.