Aug 31, 2020 5 min read

Google Privacy Sandbox Explained

The decision by Apple and Mozilla to effectively kill third-party cookies in Safari and Firefox was probably an easy one.

Protecting user privacy is a core principle for Apple and a key selling point they advertise to sell their hardware. Mozilla's most recent financial statement reveals that it earns 95% of its revenue from royalties received from search engines paying to be featured in the Firefox browser.

Google, however, earned $134 billion in ad revenue in 2019, which represents over 83% of its total revenue, and a portion of this originated from ad campaigns placed by their buyers that require tracking users across the web.

It's easy to see why Apple and Mozilla dropped third-party cookies without a second thought. Google, however, has clear business reasons to take a more measured approach to phasing out third-party cookies in its Chrome browser.

Third-party cookies power conversion tracking, audience targeting, and frequency capping on desktop and mobile web. Advertisers could live with Apple's and Mozilla's decisions because of those browsers' minority market share, but Google's decision to phase out third-party cookies in Chrome, which holds roughly 65% of the browser market, by 2022 sent shock waves through the ad tech industry.

Apple's recent decision to require users to opt-in to tracking on iOS 14 only adds to the pressure Google faces to adapt to a growing demand for user privacy.

This adaptation may come in the form of Google's Privacy Sandbox, a set of proposals meant to facilitate core advertising functionality in a privacy-compliant manner or, as the Chrome team puts it, to "create a thriving web ecosystem that is respectful of users and private by default". They go on to say:

We believe that part of the magic of the web is that content creators can publish without any gatekeepers and that the web’s users can access that information freely because the content creators can fund themselves through online advertising.

Google will often reference this study they conducted on the impact of disabling personalized advertising for a set of users. The study found that revenue decreased 64% on average per publisher and user dissatisfaction increased 21% when personalized ads were disabled.

The fear is that advertisers will move their spend to channels that provide the table stakes features of ad tech that their campaigns require, like connected TV. CTV manufacturers are building out ecosystems supported by persistent user identifiers, and Google's footprint on this device type is close to non-existent compared to Roku and Amazon.

This is forcing Google to innovate quickly. They risk losing users if they don't implement privacy protections and they risk losing advertisers if they follow Apple and Mozilla and kill third-party cookies. Their answer to this riddle comes in the form of many different proposals, each meant to solve a key feature of advertising on desktop and mobile web that third-party cookies provided.

Google's plan is to implement a form of each proposal by their self-imposed 2022 deadline while also blocking all other methods of cross-site tracking like fingerprinting, cache inspection, link decoration, network tracking and Personally Identifiable Information (PII) joins.

The fundamental principles Google is taking into consideration are laid out in a "privacy model" that they have established. Key takeaways from this model are below.

Identity should be on a per-site basis

Users should not be subjected to having their identities joined by completely separate websites, and browsers should limit cookies and fingerprinting to combat this.

Some people believe this puts companies like LiveRamp in Google's crosshairs, since they offer the capability to enrich first-party data sets by linking them with a shared data network. It is not clear that a browser could completely prevent PII joins, since LiveRamp already offers its Authenticated Traffic Solution (ATS) as a cookieless workaround: the join happens on identifiers (such as a hashed email) that the user hands over by logging in, not on anything the browser controls.

Third parties should be able to access a first party identity

The main reason for this is Google's recognition that utilizing third-party software is crucial to any publisher. It is unreasonable to expect a publisher to build their own ad server or analytics software.

However, publishers should have complete control over the third-parties accessing their first-party user identities and treat this access as a privilege and not a right. They believe browsers should enforce this access and not just make it available to anyone with access to the client via a script.

Some cross-site information should be made available in a privacy-compliant manner

This is where all the various proposals meant to replace third-party cookies come into play. There is a proposal for each core capability of advertising on the web that would be impacted by the removal of third-party cookies:

1. General Interest Targeting

Federated Learning of Cohorts (FLoC or "Flock") groups users with similar browsing habits into large cohorts, computed locally in the browser from the user's own history, so that ads can be targeted at a cohort rather than at an identifiable individual.

2. Click Tracking

The Conversion Measurement API would let the browser signal that a conversion took place on a destination site after an ad click, attributing it to the click without exposing a per-user identifier to either site. This is similar to Apple's SKAdNetwork.

3. Combatting Fraud

The Trust Token API lets a site that has established that a user is genuine issue tokens to the browser, which can later be redeemed on other sites to prove the visitor is a real user. The tokens are designed to be unlinkable to their issuance, so redemption does not identify the user.

4. Reporting & Frequency Capping

An Aggregated Reporting API is proposed to allow for storing reporting data in the browser and then sending that data to an ad tech provider's reporting endpoint by a server-side aggregation service.

This is curious, since reporting doesn't always require a cookie and can be executed through plain HTTP calls. It may indicate another motivation: hiding the request metadata, such as the client's IP address and headers like User-Agent, that every direct HTTP call exposes and that can be used for fingerprinting.

Google does not have an elegant privacy-compliant solution for frequency capping. Controlling the number of times an individual user sees an ad is a crucial component of advertiser media plans and preserves a positive user experience.

The proposal for frequency capping provides a method for building a frequency cap model by accessing aggregated storage to understand average ad exposure on a given site relative to total ads seen across all sites. This is not an ideal solution and is sure to draw criticism.

5. Retargeting

The Two Uncorrelated Requests, Then Locally-Executed Decision On Victory ("TURTLEDOVE") proposal offers a solution to cookie-based retargeting. An ad network would ask the browser to add a user to segment groups based on certain actions, like abandoning a shopping cart with a certain item. The advertiser can then serve ads based on the interest groups to which a user belongs.

The idea is then to send two separate ad requests on pages displaying retargeted ads: a contextual ad request that can include the page URL, and a separate request indicating the interest groups assigned to the user.

This disentangles the user's current browsing context from the previously assigned groups and ensures the two ad requests cannot be correlated to the same person; the final decision about which ad wins is made locally in the browser, the only place where both pieces of information are available.

The Chrome team has their work cut out for them as they continue to iterate on the proposals laid out in the Privacy Sandbox. It is no easy endeavor to completely reimagine so many core processes that the third-party cookie facilitated, nor is it a certainty that users will appreciate the changes.

The looming threat of antitrust regulation has thrust Google's approach to privacy into the limelight, and competitors like Apple are putting privacy center-stage in users' minds.

If Google succeeds in preserving the tools that are required for advertisers in a privacy-compliant manner, publishers will be motivated to nudge users towards a "supported" browser (Chrome) over competitors like Safari and Firefox in order to win more ad buys. If Google wants to maintain its status as the default window to the web, the Chrome team will have to deliver a solution that privacy advocates and advertisers would both approve.

Trey Titone
VP, Product Management at NBCUniversal & Author/Founder of Ad Tech Explained.