Google's Proposed "Privacy Sandbox" Model Would Phase out Third Party Cookies in Two Years; Will It Improve User Privacy?

When Google announced its “Privacy Sandbox” API initiative in a company blog post this past August, it was met with a good deal of skepticism. After all, Google is and always has been the world’s biggest name in opaque user tracking. Critics such as the Electronic Frontier Foundation (EFF) and the Association of National Advertisers (ANA) pointed out that the company’s focus was more on tilting the playing field in the targeted advertising market toward its own developing technologies than on anything to do with user privacy concerns. One of Google’s most controversial contentions was that the blocking of third party cookies was actually a regressive step for user privacy.

In the face of this criticism, Google appears to have shifted gears. A recent update to the privacy sandbox proposal claims that the company now plans to phase out third party cookies from the Google Chrome browser by 2022, and has laid out what is at least a theoretical roadmap to preserving the targeted ad industry without the major incursions into user privacy that are so common today.

The problem with third party cookies

From a digital advertising standpoint, third party cookies are used to record certain user activity while browsing websites in order to later deliver ads specifically targeted to that user’s demonstrated interest. For example, if you visit your favorite online store and browse their selection of Nintendo Switch games you may well see related video game ads appearing later on other sites.

The problem with third party cookies is aggregation of personal information. Over time all of these cookies gather a massive amount of information about individuals, which can then coalesce in disturbingly detailed databases. In addition to simply being a creepy invasion of privacy, these databases can be a security risk if they are hacked or leaked to the public; they are often a wealth of relevant information for criminals looking to commit identity theft or impersonation schemes. Use by government agencies to track individual movement and connections is another possibility.

Increasing public awareness of (and desire to opt out of) this tracking has driven the development of alternatives to third party cookies.

What’s in the Google Privacy Sandbox?

The initial strategy that Google announced in August was to make cookies more transparent and configurable to the end user in Chrome, while entirely blocking browser fingerprinting as an alternative. That focus has now shifted to entirely phasing out support for third party cookies, having advertisers perform an API call to the Privacy Sandbox to receive targeting information instead.

The idea is to have the Privacy Sandbox aggregate ad targeting data in a way that decouples it from individual user identities, at least as is visible to the advertiser.

The full details of the new strategy have not yet been announced, but a spokesperson for Google has provided a rough outline of how the company will get Privacy Sandbox data to advertisers without cookies in a way that protects user privacy.

Throughout 2020 the company will be testing a click-based conversion measure that is tracked within Chrome rather than by a cookie. The conversion value will be reported back to the advertiser without personally identifiable information attached to it.

At a later date, Google will begin testing ad tech ideas for providing interest-based options without the use of third party cookies. Sandbox proposals being floated include having Chrome create groups of users that visit particular combinations of sites, or that tick a certain count of sites on a list that is pertinent to a particular advertising query. Users would be issued cryptographically protected “trust tokens” as a means of identification and verification of being an actual human Web surfer. The company is also looking into applying its extensive machine learning research to the Chrome browser.
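
To make the contrast concrete, here is an added toy model (not from the original article and not Google's design or API) of what an ad server can learn under the third party cookie model described earlier versus a model where the browser reports only a group based on the combination of sites visited. The request log, the function names and the `minSize` threshold are assumptions made for illustration.

```javascript
// Constructed sample: requests a third-party ad server receives from pages
// that embed it. Cookie IDs and site names are made up for this example.
const requests = [
  { cookieId: "u1", site: "games-store.example" },
  { cookieId: "u1", site: "news.example" },
  { cookieId: "u1", site: "clinic.example" },
  { cookieId: "u2", site: "games-store.example" },
  { cookieId: "u2", site: "news.example" },
  { cookieId: "u3", site: "news.example" },
  { cookieId: "u3", site: "games-store.example" },
  { cookieId: "u4", site: "clinic.example" },
];

// Third-party cookie model: the same ID arrives with every request, so the
// ad server can join visits from unrelated sites into one profile per user.
function profilesFromCookies(log) {
  const profiles = new Map();
  for (const { cookieId, site } of log) {
    if (!profiles.has(cookieId)) profiles.set(cookieId, new Set());
    profiles.get(cookieId).add(site);
  }
  return profiles;
}

// Group model (assumed): the label is derived only from the combination of
// sites a browser has visited, and carries no per-user identifier.
function groupLabel(sites) {
  return [...sites].sort().join("+");
}

// What the advertiser would see: group label -> member count.
// profilesFromCookies() is reused here only to simulate each browser's
// locally kept history. Groups smaller than minSize (hypothetical parameter)
// are withheld, because a group of one is as identifying as a cookie.
function advertiserView(log, minSize) {
  const counts = new Map();
  for (const sites of profilesFromCookies(log).values()) {
    const label = groupLabel(sites);
    counts.set(label, (counts.get(label) || 0) + 1);
  }
  return new Map([...counts].filter(([, n]) => n >= minSize));
}

console.log("cookie view:", profilesFromCookies(requests));
console.log("group view (minSize 2):", advertiserView(requests, 2));
```

With a threshold of 1, the lone visitor to all three sites and the lone clinic visitor each form a group of their own, which is why group size matters as much as the removal of the cookie ID.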

From the advertiser’s end

Of course, publishers and advertisers are concerned that changes to the existing third party cookie structure will ultimately translate into drops in ad revenue. The Privacy Sandbox initiative attempts to balance this with the competing interest of user privacy. Whether these competing interest groups can be equally well-served remains to be seen.

Any Privacy Sandbox changes would impact marketers that make use of the Google Marketing Platform to run targeted ads that are delivered on sites not owned by Google to browsers using Chrome. It may also affect the use of Google Analytics to track user behavior on all sorts of websites.

Since Google plans to use their own first party cookies in the same way outside of the Privacy Sandbox, this does not appear to be something that would affect ad campaigns being run through the company’s own search results or on YouTube videos.

It is possible that the Privacy Sandbox could also create opportunities for marketing agencies and publishers that have collected their own in-house stores of user data.

Google’s motivations

All of this may simply stem from Google seeing the writing on the wall with strong personal data privacy legislation becoming normal around the world. The company was recently hit with a $170 million fee by the FTC for violating the US Children’s Online Privacy and Protection Act (COPPA) web standards due to their use of tracking cookies, and European data protection authorities are currently reviewing tracking protocols out of concern that they are not compliant with the GDPR.

There is also pressure from competing browsers such as Safari and Firefox, which have recently added aggressive measures to block third party cookies that are quite popular with the public.