
UK ICO: Google Privacy Sandbox Fundamentally Flawed, Numerous “Loopholes” Need to be Addressed

Google’s Privacy Sandbox project has been touted as the end of tracking cookies and creepy cross-site following, but it is facing regulatory trouble as the UK ICO has expressed concerns about a collection of “loopholes” that could be used to personally identify and track internet users.

The UK ICO is not yet taking direct action on the issue but has shared its concerns with the Competition and Markets Authority (CMA), which has been conducting its own independent evaluation of the Privacy Sandbox rollout. The issue is serious enough that Google has pushed back its timeline for Chrome cookie deprecation, after prior delays due to a US state attorneys general antitrust lawsuit and complaints that sparked a European Commission investigation.

UK ICO draft report rattles Google

Privacy Sandbox’s big selling point is the end of tracking cookies and related practices such as browser and device fingerprinting, moving personalized advertising to an on-device process that places data subjects into “interest groups” that relevant ads are then served to. If the process works as it should, the advertiser sees nothing more than these interest groups.

The UK ICO’s draft report finds that the Privacy Sandbox system is not working as advertised. The draft report is not yet public, but was leaked to Wall Street Journal reporters. Specifics about the loopholes the UK ICO is concerned about remain thin, but they very likely line up with criticisms the Electronic Frontier Foundation and others have been leveling since the project was announced in 2019.

These include major questions about whether Privacy Sandbox can actually prevent fingerprinting, and if some of its qualities might actually assist it. Google’s former plan, the FLoC “Cohorts” system, had to be scrapped for exactly this reason; it would place users into groups of only a few thousand, making it relatively trivial for third parties to fingerprint. The new “Topics” system was meant to address this issue, but it is not entirely clear that Google will be able to stop fingerprinting via API calls.

There is perhaps even more concern from the UK ICO (and others) about Google sharing Privacy Sandbox information internally amongst its own array of services, as it appears that the same rules will not apply to the first-party data that it collects about users. Topics also cut down the proposed total categories of interests that people can be placed in from over 30,000 under Cohorts to just 350, but Google has said that is just a launch number and that the categories will eventually be expanded into “the thousands.” The system may sprawl over time to be similar in scope to Cohorts, and present the same issue of third-party API calls capturing this broad profile of interests for a specific user (which could then be combined to infer sensitive information).

Privacy Sandbox concerns center as much (or more) on antitrust issues

While legitimate privacy concerns certainly remain, Privacy Sandbox has drawn more heat for its anti-competitive potential than anything else. The ultimate outcome of the UK ICO investigation may pale in comparison to consequences brought by the CMA. Google is also facing scrutiny over this in the US and EU.

Critics of Privacy Sandbox have noted that it is another attempt to force the entirety of the internet into a product and standard developed and owned by Google. The project is limited to Chrome at this point, but Google hopes to make an industry standard out of it that other browsers will adopt. For the most part, the adtech industry is not showing interest in following this plan. The Internet Advertising Bureau (IAB), one of the major adtech industry trade groups, recently came out against Privacy Sandbox by publishing an analysis of its deficiencies. Google has attempted to cast itself as the champion of privacy in response, claiming that these competitors simply want to keep doing things in the current invasive and intrusive manner.

Google might actually be forced back to the old ways itself, should antitrust regulators find that Privacy Sandbox would enhance its existing chokehold on the internet ad market. As to how the “old ways” might eventually be addressed by regulation, some have suggested that the adtech world has become so all-encompassing and potentially damaging that it needs its own special government body to directly oversee it.

The original plan for the Privacy Sandbox timeline was for cookies to be phased out of Chrome entirely sometime by the end of 2024; this has now been revised to somewhere in Q1 or Q2 2025 due to the UK ICO report. A very small percentage of Chrome users have already begun seeing the changeover since the beginning of 2024, something that is expected to continue at a very slow pace through the rest of the year.