What is a Privacy Sandbox and what would Google like to achieve with it?
Google Chrome Privacy Sandbox: this is what website operators will have to adjust to now
At a glance
As early as mid-2019, Google announced that it would implement measures in its Chrome browser to protect the privacy of website users – following the same path as Apple with its Safari browser (Intelligent Tracking Protection) and Mozilla with Firefox (Enhanced Tracking Protection by default).
Google has tested whether some of the new measures work, and the initial results are promising. What is particularly exciting is that, according to initial test results of the newly developed technologies, such as the FLoC API, the conversion rate is 95%. More tests are planned for the coming months.
And the countdown is on: by 2022, Google wants to implement all measures that would allow for a world free of third-party cookies. This is meant to benefit not only advertisers, non-Google ad tech and website operators but, most importantly, users, by ensuring them a high level of Data protection.
In this article, you will find out what this means for advertisers and consumers.
What is the Google Chrome Privacy Sandbox?
The Google Chrome Privacy Sandbox is a set of measures designed to make certain types of personalized advertising on the web impossible. Basically, respecting the privacy of website users (consumers) is the focal point – offering another alternative to third-party cookies.
Here’s how it works: all user Data is moved to the Chrome browser, where it is stored and processed. Thus, the Data remains on the user’s device.
The Goals of the Google Chrome Privacy Sandbox:
- Create a privacy sandbox with an open set of standards for tracking users while preserving their privacy (e.g., through new browser APIs such as “trust tokens”);
- Address current techniques for non-cookie-based cross-site tracking, such as fingerprinting (identifying an individual using a device’s IP address, without their knowledge and without the ability to opt out);
- Replace cross-site tracking functionality with newly created APIs;
- Delete third-party cookies;
- Strengthen first-party Data strategies.
But what might an open, transparent, privacy-preserving digital world look like? One that relies largely on Personalized Advertising, but does so without the use of Third-Party Cookies? Is there really a way to equally protect the privacy of users and still play out targeted advertising? Before examining these questions, we should first take a closer look at the significance of third-party cookies.
The role of third-party cookies in the Google Chrome Privacy Sandbox
Cookies fall into two categories: first-party cookies and third-party cookies.
When visitors go to a website, first-party cookies are set by the website provider itself. These are essentially cookies that are used to provide a smooth user experience, as they store passwords, simple Data about the website visitor, and other settings. A first-party cookie contains information regarding the user trail, how often the user visits your website, and other basic analytic Data.
Third-party cookies are tracking cookies that are placed on the website by parties other than the website operator itself. Third-party cookies allow the advertiser to get a detailed view of their users’ online behavior, such as frequently visited websites, purchases and interests. These types of cookies have been used by advertisers for years to track website visitors and collect Data that can be used to serve ads to correctly targeted individuals.
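How a browser tells the two kinds apart, shown as an added example that is not part of the original article: it compares the site a cookie belongs to with the site the visitor is on. The sample responses, host names and the short suffix list below are constructed assumptions.

```javascript
// Added example (not from the original article): label observed cookies as
// first- or third-party relative to the page the visitor is on.
// Assumption: the registrable domain is the last two labels, or three for the
// few suffixes below. Real audits should use the full Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/^\.|\.$/g, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Split one Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attributes };
}

function classifyCookies(pageUrl, observations) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  return observations.map(({ responseUrl, setCookie }) => {
    const { name, attributes } = parseSetCookie(setCookie);
    // A Domain attribute names the cookie's domain; else use the response host.
    const host = typeof attributes.domain === "string" && attributes.domain
      ? attributes.domain : new URL(responseUrl).hostname;
    const cookieSite = registrableDomain(host);
    return { name, cookieSite,
             party: cookieSite === pageSite ? "first-party" : "third-party" };
  });
}

// Constructed sample: responses seen while loading one page of a fictional shop.
const PAGE = "https://shop.example.co.uk/checkout";
const OBSERVED = [
  { responseUrl: PAGE, setCookie: "session=abc123; Path=/; Secure; HttpOnly" },
  { responseUrl: "https://cdn.example.co.uk/app.js",
    setCookie: "prefs=dark; Domain=.example.co.uk; Path=/" },
  { responseUrl: "https://ads.tracker.example/pixel.gif",
    setCookie: "uid=9f3c; Max-Age=31536000; SameSite=None; Secure" },
];
console.table(classifyCookies(PAGE, OBSERVED));
```

Cookies labelled third-party in such an audit are the ones that stop working once the browser blocks third-party cookies; those labelled first-party, including ones set from a subdomain of the same site, are unaffected.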
Today, Google Chrome’s Privacy Sandbox intervenes in this very area and replaces third-party cookies with five newly developed APIs.
These five APIs include:
- “Trust Token API” (anti-spam, anti-fraud and anti-DoS);
- “Federated Learning of Cohorts API” (interest-based aggregate targeting via clustering);
- “Fledge API” (retargeting);
- “Click through Conversion Measurement Event-Level API” (conversion measurement; currently under development);
- “Aggregated Reporting API” (conversion measurement; currently in development).
Although third-party cookies have seen better days, first-party cookies are not affected by these measures. Every day, third-party cookies are becoming more of a distant memory, as the future of digital advertising becomes first-party cookies and APIs.
Advertisers vs. website visitors: How can divergent interests be accommodated?
Google states that users’ desire for more privacy, transparency, choice and control over how their Data is processed will be met with the introduction of APIs. However, a digital world entirely without advertising sounds pretty far-fetched, given that it is largely financed by it.
While the tracking of individual users will not be possible after the suspension of third-party cookies, this does not mean that it’s the end of personalized advertising on the web. Why? Because through the use of the various APIs, users are promised that their privacy will be maintained, and results continue to be delivered to advertisers. What does change is that advertisers will not be provided with the same amount of user Data as in the past through third-party cookies.
Through this, Google aims to protect the privacy of users while continuing to serve the interests of advertisers, website operators and non-Google ad tech, ultimately creating harmony between all parties.
Four things that advertisers and website providers should now keep in mind
1. The introduction of Google Chrome’s Privacy Sandbox measures only affects third-party cookies; first-party cookies remain unaffected:
So if you only intend to track your users’ behavior, preferences and simple demographics on your own website, you can do this via first-party cookies.
However, if you currently use third-party cookies to collect robust Data insights regarding the general online behavior of your users, we advise you to regularly follow the news in this area in the coming months. You can find all the news about it on the Google Ad Manager blog.
2. The expiration of third-party cookies doesn’t come as a surprise. Since the GDPR came into effect in 2018, the topic surrounding Data protection has been moving more and more into the forefront of policy issues. Having to adapt a privacy strategy in accordance with GDPR was only a matter of time and companies that acted quickly secured a competitive advantage by keeping an eye on this development.
3. Tracking users on an individual basis will stop, but with the introduction of the FLoC API, tracking can continue on a group basis (in “clusters”).
4. APIs will introduce measures to detect and prevent fraud in online ads, such as bots clicking on ads instead of real users.
But is the Google Chrome Privacy Sandbox “true” privacy for website users, or is it just a ploy to gain market power again?
Using the measures introduced via the Google Chrome Privacy Sandbox, online advertising will be played out to large groups of people – all this without any access to user-identifying Data from the browser.
In addition, users will continue to receive information regarding their passed-on Data. In accordance with the Data Minimization Principle of the GDPR, only the amount of information necessary to assign users to an advertising target group (“cluster”) is passed on. Consequently, conversion measurements will also be possible without individual user tracking for advertisers. The collection of user Data is done through browser APIs that maintain the anonymity of individual users.
As nice as all of this sounds, the situation can also be viewed quite critically for competitive advertisers. Let’s pause for a second. If Google stores the Data in its own browser, does it steadily increase its existing Data empire? Just some food for thought.
Google will not introduce its tracking alternative FLoC in Europe for the time being – the company announced this at a meeting of the Improving Web Advertising Business Group (IWABG) at the World Wide Web Consortium (W3C) on March 23, 2021. The legal basis is to be clarified first, it was said. It will now be examined whether FLoC violates the principles of the GDPR and possibly also the ePrivacy Directive.
These statements do not constitute legal advice. If you have any legal questions, you should consult a specialist lawyer.
Author: Sibel Bayrak, Legal Team Usercentrics