Tomorrow marks exactly one year since Google announced it would end support for third-party cookies on its Chrome browser “within two years”. The announcement set a two year deadline for the industry to effectively reinvent how many parts of web-based advertising currently work, including targeting, measurement, and attribution. Google said there was no need to panic – privacy-safe alternatives to cookies would emerge within its ‘privacy sandbox’, Google’s incubator for new privacy-focused browser tools.
Others in the industry haven’t shared Google’s optimism. Members of the World Wide Web Consortium (W3C), chosen by Google as the forum for stakeholders to discuss sandbox proposals, complained over the summer that progress was too slow.
In recent months however, the pace seems to have somewhat picked up as we have seen a number of new proposals and experiments added to the sandbox. These cover a range of use cases including behavioural targeting, measurement, and frequency capping.
Chetna Bindra, senior product manager, user trust and privacy at Google said this progress “gives us the confidence that with continued iteration and feedback, privacy-preserving mechanisms can sustain a healthy, ad-supported web without third party cookies”.
And there have been signs that Google’s engineers have been listening to industry feedback. Last summer French ad tech company Criteo released SPARROW, an alternative to Google’s own TURTLEDOVE proposal. And Google responded, releasing the Dovekey proposal which built upon SPARROW’s principles.
“I would say Google is negotiating in good faith on several items,” said Zach Edwards, founder of analytics and optimisation firm Victory Medium. “And you can see that based on their feedback to the Criteo proposals.”
Are the sandbox birds ready to fly?
But those VAN spoke with showed varying degrees of scepticism around whether sandbox proposals will be ready for use in one year’s time.
Myles Younger, senior director, data practice at digital media consultancy MightyHive, said some of the proposals committed to Github “seem frankly more like blog posts than actual software.”
Younger said that some of the original proposals, like the Federated Learning of Cohorts (FLoC) proposal, are fairly in depth, and have actual code to show for them. “But as time goes on, we’re seeing new bird proposals which keep coming out on Github, and it seems increasingly unlikely that those will ever see the light of day,” he said.
Younger added that there are important use cases which don’t yet seem to be covered by existing sandbox proposals. As things stand, Younger believes that view through attribution, reach and frequency measurement, and A/B testing will all become more difficult next year, as sandbox proposals have not yet been released which sufficiently cover these areas.
Mathieu Roche, CEO of identity specialist ID5, suspects that conflicts of interest between Google’s different teams are slowing down progress. Google Chrome is facing competitive pressure to improve privacy protections, while Google Ads products still rely on the ability to reliably identify individuals. Roche suspects this tension is creating a deadlock.
Roche said he doesn’t believe the proposals we’ve seen so far offer a viable alternative for publishers and advertisers. “They simply reinforce Google’s stranglehold on the industry by allowing the tech giant to decide how “user segmentation” should be handled,” he said.
And Roche is sceptical whether the ‘cohorts’ approach taken by many of the sandbox proposals (where users with similar interests are grouped together) actually improves privacy. Individual users will be harder to identify from anonymised data, but it could also be more difficult for users to understand how their data is collected and used.
Victory Medium’s Edwards meanwhile said that Google appears to have already decided which sandbox proposals it will move forward with, without clearly communicating that fact to the industry.
“Google already has over 5,800 references to FLoC across the Chromium code base, and there are new additions every week. And you can see that these additions are coming from different teams,” he said. “So right now, in everyone’s Chrome browser, there are already hundreds of lines of FLoC code.”
Will the sandbox proposals be delayed?
For those worried that the sandbox won’t be ready for 2022, there’s always a chance Google may choose to push back the deadline.
The 2022 deadline was somewhat arbitrary in the first place, chosen because Google expected the sandbox would have rendered the third-party cookie obsolete by then anyway. But the disruption of the pandemic has directed the industry’s attentions elsewhere, slowing progress. And if sandbox tools aren’t ready to replace the cookie in a year’s time, it would make perfect sense to push the deadline back.
Some are hopeful that antitrust authorities might force Google to delay the sandbox rollout. Last week the UK’s Competition and Markets Authority (CMA) announced it will investigate the sandbox and cookie changes.
Potential advantages for larger players
James Rosewell, director of Marketers for an Open Web, a coalition of tech and media companies which petitioned the CMA to investigate the sandbox, outlined some of the antitrust concerns.
“It concerns me when I see the removal of the third party cookie, but a proposal within the sandbox called ‘first-party sets’ which groups together different domains so they’re all treated as first-parties when dealing with one another,” said Rosewell. “That proposal seems to be sized to a company that might operate 50 or so domains, and wants to share data across those domains. You can imagine the sort of company that those tools would be useful to! And it would allow some to keep using something akin to a third-party cookie, but not others.”
Rosewell hopes that the CMA will force Google to hold back the privacy sandbox until legislators have their say. “What we’re asking for is interim measures, an injunction effectively, to prevent Google from the mass deployment of privacy sandbox until legislation has been implemented, so competitive risks can be addressed.”
Victory Medium’s Edwards is sceptical whether this antitrust angle holds, since he believes Google’s privacy sandbox moves do represent a legitimate response to privacy legislation.
“Imagine that GDPR authorities told Google that their post-auction ID syncing isn’t GDPR compliant, because they’re creating a portable ID for a user and sharing it with multiple companies,” said Edwards. “And GDPR authorities could absolutely do that, because there are already multiple GDPR complaints filed against Google relating to its auction.”
He continued, “If Google were required to no longer share the same user ID with multiple companies, Google would have no alternative in the bag for any of their partners. So when I look at the privacy sandbox proposals, I don’t see it as an anticompetitive decision, it’s a competitive decision. If Google don’t do this now and just wait for a GDPR ruling, they’re walking all of their partners right up to this precipice, with the risk that one day every auction globally breaks, and there are no alternatives,” he added.
But Edwards does expect Google to delay its deadline. He pointed to Google’s SameSite cookie update within Chrome last year, which changed how companies label cookies.
Google initially set a hard deadline for February last year. But in January, Microsoft warned that a number of sites and applications would break down if the update was introduced, and that more time was needed. And Google relented, delaying the update until August.
Edwards believes that Google’s real deadline is January 1st 2023, the date the California Privacy Rights Act (CPRA) comes into force. The CPRA will place new restrictions on data sharing, which Google’ current cookie-based data sharing would likely contravene.
“The 2022 deadline is illusory,” said Edwards. “Google will push that deadline month and months ahead, right up until that January 1st 2023 deadline.”