Life in the Sandbox
If you work in digital advertising, then you will have heard the dramatic exclamations of “Cookie-geddon” and “Cookie-pocalypse,” both referring to Google’s plans to depreciate all third-party cookies in Chrome in the second half of 2024.
The deprecation of the cookies on Chrome, and the development of Google's alternative, the Privacy Sandbox, raises fundamental privacy and competition questions.
Trying to predict the effects of the Privacy Sandbox on the competitive adtech landscape is hard. The Sandbox is replacing a working, if flawed, third-party cookie ecosystem with a series of experiments.
What’s in the box?
The Privacy Sandbox is Google’s initiative built on the premise of enhancing online privacy for Chrome and Android users. It seeks to introduce newer technologies that reduce individual tracking via third party cookies, while offering secure (Google controlled) alternatives to current methods, all while maintaining open and inclusive access for all users.
The Privacy Sandbox consists of the following APIs:
- Topic API for ad targeting across an initial 470 interest-based advertising cohorts.
- Protected Audiences API for a retargeting function.
- Attribution Reporting API for conversion measurement.
- CHIPs (Cookies Having Independent Partitioned State) for limited cross-site tracking like by an embedded payment tool.
It’s actually happening
Big G has been promising to deprecate third-party cookies since August of 1999. And like the little boy that cried “wolf” too many times, the ever-slipping deadline has convinced some in the industry that this new deadline might be yet another false alarm.
This time it seems that mounting pressure on adtech data collection across both sides of the Atlantic is pushing Google to follow through.
Case in point: the majority of Chrome users will begin stepping into the Sandbox early September, and Google plans to allow marketers to start testing on 1% of acquiescing users in early 2024.
Now, whether the Sandbox actually promotes privacy, or just puts it in the hands of a conflicted serial monopolist can be debated. At least from the standpoint of data leakage, one of the key concerns of advocates and regulators, the Sandbox will be privacy protective. But Sandbox can actually make things worse by incentivizing fingerprinting and other less visible and controllable tracking. (Remember Verizon’s zombie cookies?)
For this and related reasons the Electronic Frontier Foundation (EFF) has called the Sandbox a "terrible idea". EFF described Topics as a user-tracking technology that makes an ad network out of the world’s most popular browser – 63.45% of market share, according to Statcounter.
This is precisely why antitrust regulators have come to play.
CMA in the spotlight
The UK’s Competition and Markets Authority has been working with Google as part of a multistakeholder process to address competition concerns, and has been publishing quarterly updates on Google's implementation of its fair play commitments.
Key aspects of the CMA’s oversight include transparency in the development process, assessing the effectiveness of changes, ensuring testing periods, and monitoring Google’s neutrality. In short, ensuring that Chrome/Sandbox doesn’t skew towards Google DoubleClick at the expense of the rest of the independent, but cookie-dependent, adtech ecosystem.
Privacy castles in the sand
In a recent podcast, adtech privacy veteran Alan Chapell described Sandbox as Google’s way of “flipping over the proverbial table”. To expand, it is a strategy by which Google can future-proof its ad business by getting ahead of anti-cookie and pro-breakup regulatory sentiment. It’s even possible that Google is willing to sacrifice third-party cookies and DoubleClick to save Gmail with its valuable first-party emails in the event of a breakup order.
But back to privacy. Chapell noted how deprecated cookies also means regulators losing the auditability of digital data flows. Indeed, for anyone who used Ghostery or interacted with a cookie consent banner it’s relatively easy to see who is getting data and why. A move to Google’s black(sand)box and encrypted server-to-server connections would be a move to inscrutability.
Performance anxiety
This risk of opaqueness extends beyond compliance too. Case in point: a large swath of the ad industry can’t corroborate Google’s own test results. Others have raised an issue crucial to programmatic (real-time auction) advertisers – Sandbox’s latency.
A recent YouGov study commissioned by Adform found that more than half of marketers say they are not well prepared for the end of third-party cookies, and 57% of marketers say they are not “fully aware” of available solutions to replace third-party cookies. To that end the CMA has encouraged marketers to learn about and test Google alternatives.
Yet, the alternative ID solutions available today, notably those relying on users’ hashed emails, are weighed down by the challenges of adoption and scale, as well as persisting user choices across cookieless environments. (Read more here.)
Despite the angst no one wants to risk economic backlash by being the flea on Google’s back.
Living with the sandbox
The advertising landscape is evolving and marketers must adapt to new privacy-enhancing data strategies and technologies. So does Google.
Without a doubt, a fully operational Google Privacy Sandbox will reshape the online ad market. It’s difficult to know for sure at this early stage when this rubicon will be crossed and whether the other side will be paradise or Paradise Lost. As marketers begin their field tests in early 2024 we should expect to see clearer signs of Sandbox’s fitness and its effect on the adtech LUMAscape.
And while CMA’s involvement provides some sense of objectivity, and the watchdog promises to step in and delay Cookie-geddon should Sandbox fail on privacy or competition, a stark fact remains: Google’s advantage in search, first-party user relationships and browser installs is by design. There is a long term strategy at play that makes Google an unavoidable king of their sandy, post-cookie hill.