Google Chrome Privacy Sandbox: new standards for web privacy

In mid 2019, Google announced that it would implement measures in its Chrome browser to protect the privacy of website users. This follows the same path as Apple with its Safari browser (Intelligent Tracking Protection) and Mozilla with the Firefox browser (Enhanced Tracking Protection by default). 

Google tested to see if the new measures were working, and the initial results were promising. What is particularly exciting is that according to initial test results of the newly developed technologies, such as the FLoC API, the conversion rate was 95%. More testing is underway.

The countdown is on: by late 2023, Google wants to implement all measures that would usher in an online landscape free of third-party cookies. The plan is not only for advertisers, non-Google adtech or website operators, but most importantly for users, to ensure a high level of data protection.

In this article, you will find out what this means for advertisers and consumers.

The Google Chrome Privacy Sandbox is a set of measures designed to make certain types of personalized advertising on the web impossible. Respecting the privacy of website visitors is the focal point, by offering an alternative to third-party cookies.

Here’s how it works: all user data is moved to the Chrome browser, where it is stored (in the Privacy Sandbox) and processed. Thus, the data remains on the user’s device and identifying information is not sent to Google or third parties.

The Goals of the Google Chrome Privacy Sandbox:

1. Create a privacy sandbox with an open set of standards for tracking users while preserving their privacy (e.g., through new browser APIs such as “trust tokens”);
2. Address current techniques for non-cookie-based cross-site tracking, such as fingerprinting (i.e. identifying an individual using a device’s IP address without their knowledge and without the ability to opt out);
3. Replace cross-site tracking functionality with created APIs;
4. Delete of third-party cookies;
5. Strengthen first-party data strategies.

But what might an open, transparent, privacy-preserving digital world look like? One that relies largely on personalized advertising, but does so without the use of third-party cookies? Is there really a way to equally protect the privacy of users while still delivering targeted advertising? Before examining these questions, we should first take a closer look at the significance of third-party cookies.

Cookie technology can be categorized into first-partyand third-party.

First-party cookies 

When visitors go to a website, first-party cookies are set in the browser by the website provider. These cookies are used to provide a smooth user experience, as they can store information like passwords, and basic analytics data like  how often the user visits your website. 

Third-party cookies

Third-party cookies are tracking technology, placed on the website by parties other than the website operator. Third-party cookies enable the advertiser to get a detailed view of users’ online behavior,  such as frequently visited websites, purchases and interests. These types of cookies have been used by advertisers for years to track website visitors and collect data that can be used to serve targeted ads. 

Google Chrome’s Privacy Sandbox intervenes in this area and replaces third-party cookies with five newly developed APIs.

1. “Trust Token API” (nti-Spam, anti-Fraud and anti-DoS);
2. “Federated Learning of Cohorts API” (interest-based aggregate targeting via clustering)
3. “Fledge API” (retargeting);
4. “Click-through Conversion Measurement Event-Level API” (conversion measurement; currently under development);
5. “Aggregated Reporting API” (conversion measurement; currently in development).

Google states that a users’ desire for more privacy, transparency, choice and control over how their data is processed will be met with the introduction of APIs. However, a digital world possibly without advertising sounds pretty far-fetched, given that advertising finances many of the platforms and services we use daily. 

While the tracking of individual users will not be possible after the suspension of third-party cookies, this does not mean that it’s the end of personalized advertising on the web. Why? Because through the use of the various APIs, users are promised that their privacy will be maintained, and advertisers are promised that results will continue to be delivered. What does change is that third-party cookies will not provide advertisers with the same amount of user data as in the past.

Google aims to protect the privacy of users while continuing to serve the interests of advertisers, website operators and non-Google adtech, with the goal of creating harmony among all parties.

However, these proposed changes have not been universally lauded. Federated Learning of Cohorts (FLoC), for example, has been controversial and has had its share of detractors since it was announced. Read our FLoC article for the full story.

1. The introduction of Google Chrome’s Privacy Sandbox measures only affect third-party cookies, and first-party cookies remain unaffected:

• If you only intend to track users’ behavior, preferences and simple demographics on your own website, you can do this via first-party cookies.
• If you currently use third-party cookies to collect robust data insights regarding the online behavior of website visitors more broadly, we advise you to regularly follow the news in this area for the next couple of years at least. You can find all the news about this evolution on the Google Ad Manager blog.

2. The deprecation of third-party cookies doesn’t come as a surprise. Since the GDPR came into effect in 2018, the topic of data protection has been moving more and more to the forefront of policy issues. Having to adapt a privacy strategy to GDPR requirements was only a matter of time, and companies that have kept an eye on these developments and have acted quickly have secured a competitive advantage.

3. Tracking users will stop on an individual basis, but with the introduction of the FloC API, tracking can continue on a group basis (in “clusters”).

4. APIs will introduce measures to detect and prevent fraud in online ads, such as bots clicking on ads instead of real users.

Using the measures introduced via the Google Chrome Privacy Sandbox, online advertising will play out to large groups of people. All without any access to user-identifying data from the browser.

In addition, users will continue to receive information regarding their shared data. In accordance with the Data Minimization Principle of the GDPR, only the amount of information necessary to assign users to an advertising target group (“cluster”) is passed on. Consequently, conversion measurements will also be possible for advertisers without individual user tracking. The collection of user data is done through browser APIs that maintain the anonymity of individual users. 

As nice as all of this sounds, for competitive advertisers the situation can also be viewed quite critically. Let’s consider: if Google stores the data in its own browser, does that just steadily increase its existing data empire? Some food for thought.

Disclaimer:

These statements do not constitute legal advice. If you have any legal questions, you should consult a specialist lawyer.