Navigating the Impacts of Google’s Privacy Sandbox on Digital Advertising
If you’re an advertiser, a digital agency, or a digital publisher involved in the digital ecosystem in any way, you should be paying close attention to what Google’s doing and proposing to do with their Privacy Sandbox. Google’s Privacy Sandbox is the centerpiece of their proposed approach for complying with privacy laws while attempting to preserve core functionality. For Google, core functionality means advertising, which is 80% of their revenue. The Privacy Sandbox isn’t in production yet, but it is available for review and testing, and two key reports were issued over the past month that shed light on some serious concerns about what Google’s doing.
First, the UK’s Competition and Markets Authority, or the CMA, issued a report that declared that Google, “Cannot proceed with third-party cookie deprecation because of issues with their Privacy Sandbox.” The CMA is the UK’s principal authority on Competition and Consumer Protection. So, you can think of it as kind of a combination between the FTC and the Justice Department, so their edicts have the weight of regulatory authority. Then, just a day later, the IAB Tech Lab released what they accurately called an in-depth analysis of Google’s Privacy Sandbox. They tested 45 common digital advertising use cases and discovered that only a few remained feasible using the Privacy Sandbox.
I’m sure you all recall that Google announced their intention to fully deprecate support for third-party cookies by the end of 2024. In January, they began suppressing third-party cookies support for 1% of Chrome users, and they’ve announced their intention to fully deprecate by the end of the year. Firefox and Safari already blocked third-party cookies. Given that the entire digital advertising ecosystem has relied on third-party cookies, this is a very big deal. And, the IAB Tech Lab agrees. They say the changes related to Google’s Privacy Sandbox, “necessitates widespread adjustments across technical, procedural, and strategic dimensions for media companies, advertisers, and their supporting infrastructure. It requires deep collaboration among a broad spectrum of internal stakeholders, including legal, finance, compliance, ad operations, and product development and engineering.” As you might already have gathered, IAB Tech Lab’s view is that Google definitely has not collaborated deeply with stakeholders or considered the widespread adjustments that their Privacy Sandbox will require. But, I’m getting ahead of myself. What even is Google’s Privacy Sandbox?
What is Google’s Privacy Sandbox?
Historically, the digital advertising ecosystem has relied on third-party tracking to enable targeting and performance reporting. Typically, JavaScript implemented on the sites where advertising is served, executes when a user visits, and is served an ad depositing a cookie in the user’s browser. The cookie records user behavior and shares it with the platform that served the ad. The information that’s shared may not be limited to the site on which the ad is served. In fact, in most cases, tracking extends to other sites visited and other user behavior. It’s also helpful to keep in mind that most consumer sites include dozens of tracking tags. So, the problem has become that increasingly third-party tracking has meant that third parties have amassed a lot of information about web and mobile users. For big platforms like Meta and Google, what they learn through a particular user journey can then be combined with what they already know about these users and are subsequently learned. Other websites that user visits – location of the user, age, gender, places they visit, forms completed, including the data entered on those forms, you know, name, email address, phone number – that data has been used for ad targeting. Sometimes the platforms shared it, sometimes they sold it, and sometimes it was stolen in data breaches. Consumers are rightly frustrated and happy, and so to where their regulators, so here come privacy regulations.
We have GDPR in Europe, we have state laws, such as CCPA in California, and in fact, we have 13 states with their own privacy laws. We have HIPAA in the United States, including new guidance issued in late 2022. That effectively renders all third-party tracking solutions to be HIPAA violations, which triggered a raft of class action lawsuits against health care providers and those same platforms. So clearly, Google and every other global platform needed a global solution. That Privacy Sandbox is central to Google’s response.
Their stated goals for the Privacy Sandbox for the web are to fight spam and fraud on the web, show relevant content and ads, measure digital ads, strengthen cross site privacy boundaries, and limit covert tracking. They also state similar but more limited goals for the Android environments and mobile environment. Google will provide targeting data for advertisers, but it’s going to be aggregated and not individual, something Google is calling differential anonymity. Advertisers will still be able to target interest groups, but this targeting will be based on behavior on a single site, or a small group of sites, if a publisher makes that designation, but not across multiple sites and user sessions.
Concerns from the UK’s Competition and Markets Authority (CMA)
Now we get to the rub for the UK’s Competition and Markets Authority. The CMA expressed many concerns in the report, but the most serious concerns are related to potential self-dealing on the part of Google. The problem is that this is Google’s Privacy Sandbox. They get to know what’s in it, and by their own rules, they definitely aren’t going to share with others. The CMA report says it this way – Google may continue to benefit from user activity data while limiting competitors access to the same data. Google’s ability to control the inclusion of ad tech rivals on the list of those who have access to the data could advantage its own advertising technology services, and publishers and advertisers may be less able to effectively identify fraudulent activity. The report concludes that further progress is still needed by Google to resolve competition concerns. Ahead of the removal of third-party cookies, the CMA stated they’ll attempt to resolve these concerns in the next three months through discussions with Google. Meanwhile, among other things, the CMA is strongly encouraging advertisers to test the Privacy Sandbox tools, which is exactly what the IAB Tech Labs Privacy Sandbox task force did.
IAB Tech Lab’s Analysis and Findings
Like the CMA, the IAB Tech Lab did not become fans of Google’s Privacy Sandbox. They recruited senior ad tech leaders from 65 companies to create a task force whose mission was to evaluate and test the Sandbox and to determine how or if foundational use cases are supported. They repeatedly tested 45 common use cases over a period of months and issued a detailed, 106-page report in early February. Their findings were only a few common use cases remain feasible using the Privacy Sandbox. Use cases that are no longer feasible are foundational and critical to digital advertising, including budgeting and pacing, exclusion, targeting frequency and recency capital, attribution reporting, and multi-touch attribution. More on that in a moment, but first what or who is the IAB Tech Lab?
The Tech Lab is related to an independent from the Interactive Advertising Bureau, was established in 2014, and it’s a nonprofit global consortium made up of digital publishers, ad tech firms, agencies, and marketers. Their focus is on privacy addressability and privacy enhancing technology, advanced television and supply chain, and on measurement. Aspects of the Privacy Sandbox they evaluated include audience management, auction dynamics, creative rendering, reported technology and interoperability, and business impact.
Test results were classified into one of five designations: supported, meaning the use case will continue to work using the Privacy Sandbox; temporarily supported, meaning works now but relies on Sandbox features that Google has already said they’re removing, or on some unapproved work around; degraded, use cases that partially work, but they’re missing such significant functionality that they’re really not worthwhile and don’t work well; and impractical, meaning, technically possible, but so hard to implement that only the most well-resourced and sophisticated companies could pull it off; and then finally, just not supported at all. I’ll put the results for each of the use case tests on the screen, but I want to highlight a few that really jumped out at me, particularly from the unsupported, degraded, and temporarily supported classifications or designations.
First, budget and pacing, which is temporarily supported, meaning works now but it’s not going to work once the Sandbox goes into production. The ability to budget and pace campaigns effectively is absolutely foundational and critical for performance marketing. Currently, we can do this across multiple campaigns at an account level, which means that we can efficiently manage very large campaign sets for large accounts and big advertisers. The Privacy Sandbox is going to require budget settings and pacing for every “interest group,” which really amounts to separate budgeting and pacing for every campaign. If, like us, you have clients with hundreds of campaigns, the overhead associated with this change is potentially enormous and unwieldy.
Exclusion targeting is also unsupported. Exclusion targeting is fundamental to effective digital advertising. For example, we may have an advertiser that wants to be focused on new customer acquisition, and they want to exclude users who have already interacted with the brand. We can do that quite easily right now. We won’t be able to do that at all using the Privacy Sandbox. Attribution reporting is supported, but very seriously degraded. Historically, conversion attribution has relied on third-party cookies. An ad served, and the iframe or the JavaScript that renders the ad, sets a third-party cookie, typically from a DSP in the case of programmatic advertising, the cookie includes the time the ad was shown, and any click information, and then each subsequent ad impressions or click updates the cookie. As long as a conversion page also includes a conversion pixel from the third-party that served the ad, then the conversion is recorded server side and it’s tied back to that initial ad impression and all the data that was collected by the cookie. This is how conversion attribution generally works today.
The Privacy Sandbox is going to support two new types of conversion or attribution reporting. One is event level reports. The other is summary level reports. According to the IAB Tech Lab, neither of these work well or provide accurate attribution reporting. Event level reports will include the page and impression or click occurred on, and the brand a conversion that occurred on, but will not include the value or the time of the conversion, which is pretty fundamental to attribution reporting. In addition, Google is going to add what they’re calling “noise” to the reports, meaning made up data is going to be included, and conversion values will be approximate.
To cite an example in the IAB Tech Lab report, the number two [2] could be reported as representing all purchases between one cent and $50. And of course, none of this is going to work in Safari, Firefox, Edge, or any other browser. Summary reporting aggregates conversions by campaign site or region. A report might show that campaign X on a particular website generated 10 conversions worth $10,000, but you’re not going to know the value of individual conversions and once again, “noise” will be added to the data, so made up information is going to be added to that data, so you’ll have both summarized and inexact attribution reporting. This makes multi-touch attribution even more problematic. Add to that, that in a multi-touch context, only the last or the highest priority event is going to be reported. So, by definition, multi-touch attribution will not be possible. Add to that the elimination of cross domain tracking, and you can see a litany of problems associated with multi-touch attribution. User conversion measurement is also not supported. Now in the report, this is labeled as “billable metrics – CPA,” but this is view-through conversion measurement. Per Google’s documentation, they’re going to add “noise” to the data to these reports, which means again, you’re going to have an inaccurate data set that won’t work for view-through conversion reporting.
Key Issues with Google’s Privacy Sandbox
In addition to the worrying results of IAB Tech Lab’s testing, their report also includes concerns and questions in several key areas, most of which were cited as well by the CMA.
Fragmented Documentation
First, fragmented documentation, as any of us who tried to use Google’s technical products know their documentation is often a mess. That seems to be the case here. The Privacy Sandbox task force indicated the documentation was poorly organized, incomplete, scattered across a number of sources, and without a coherent structure guide.
Lack of Consideration for Commercial Requirements
We also have a lack of consideration for commercial requirements. In effect, the Privacy Sandbox creates an ad exchange and an ad server in the Chrome browser. So, it takes that server-to-server advertising ecosystem architecture that’s existed for years and tries to shift it entirely to the browser to create a privacy centric environment, but they’re doing this without accounting for contractual and business relationships that govern the current advertising ecosystem. We also have the absence of third-party audits.
Absence of Third-Party Audits
Google’s position regarding the Privacy Sandbox seems to be, well, “we know we have all the data and you have none, but just trust us.” So far, there’s no mechanism to audit and verify answering or performance. Nothing’s been offered by Google, which is going to make it pretty difficult for advertisers, agencies, and publishers to have confidence in Google’s notably opaque reports. Compounding that is a lack of standard industry accreditation.
Lack of Standard Industry Accreditation
Other ad platforms are reviewed and accredited by accepted industry bodies. Google’s Privacy Sandbox is not; they’ve made no noise or indication that they’re going to submit for accreditation, which again, compounds this lack of transparency and potential lack of trust.
Scalability and Performance Concerns
The IAB Tech Lab also cites scalability and performance concerns related to the Privacy Sandbox. The digital advertising supply chain was built on a server-to-server architecture to support the volume and velocity of interactions and transactions that take place on a second-by-second, minute-by-minute, and hour-by-hour basis. Collectively, for example, the programmatic ecosystem processes billions of daily transactions in the form of millions of auction queries per second. Web browsers, conversely, are very limited in processing power and memory compared to server environments. As the Privacy Sandbox scales, these limitations are going to become a really big deal, especially for applications requiring intensive computations or handling large data sets. Server architectures are designed for this sort of thing, for multiple requests concurrently, leveraging multithreading, distributed computing, but browsers are not. They have much more limited scope for parallel processing, which could hinder the Privacy Sandbox ability to scale up as volumes increase.
Chrome Transparency
On a related note, the IAB Tech Lab has real concerns around Chrome transparency. There’s general agreement that the Privacy Sandbox is going to be challenged with resource constraints, as we just described. There’s going to be a range of storage network processor constraints due to differences in hardware platforms and operating conditions that the browser is going to have to manage. As a consequence, the Chrome browser is going to be making decisions with regard to which thing to prioritize and how to allocate resources. These resources will directly impact the ability of users of the Privacy Sandbox to execute campaigns successfully. It’s clear the browser is going to have to make these decisions, but what is not clear is on what basis the decisions are going to be made, and without transparency regarding how those decisions will be made, that will erode trust and make it very difficult for folks to have confidence in the Privacy Sandbox.
Future Governance
Finally, we have concerns related to future governance. Relying on a proprietary system for critical industry functions creates risk of vendor lock-in, which I would assume is part of Google’s strategy; it has been historically. In this context, of course, switching costs are going to be high, and alternatives are limited; I think Google is probably banking on this. This dependency reduces bargaining power for anyone but Google – for advertisers, for publishers, and the advertising technology ecosystem. But, the digital advertising industry is subject to complex regulations. Everyone involved in that supply chain is subject to complex regulations, including data protection laws like GDPR, HIPAA, or CCPA. A Privacy Sandbox with unclear governance, in partnership with a digital advertising industry, could complicate compliance efforts and certainly creates risk for all stakeholders up and down the chain.
Why This Matters and What You Can Do
So why does any of this matter to us? Well, as I said at the outset, if you’re an advertiser, a digital agency, a digital publisher, or if you’re involved in the digital ecosystem in any way, you should really be paying close attention. These changes are profound, and they will be imposed upon all of us if we don’t actively participate in shaping our own destiny. Right now, I’d suggest that there are two critical ways to do this. The first is to make sure your agency or your internal digital team understands what is being proposed through Google’s Privacy Sandbox, and that they’re testing the Sandbox. Second, make sure you’re building and activating a first-party data strategy. We can debate whether Google will or will not deprecate third-party cookie support this year, but what is certain is that it will happen, so all that third-party data that is informed and fueled our digital strategies is going away. Don’t be left with compromised data crumbs that Google and other platform providers choose to feed you – take control of your own privacy centric first-party data strategy. The reality is that you don’t have to look far to see that first-party data is also the number one pillar for Google’s own ad strategy. It’s smart for them, but it’s critical for all of us. I hope this has been helpful.
Related Links
CMA Q4 2023 update report on implementation of the Privacy Sandbox commitments
IAB Tech Lab Privacy Sandbox Fit Gap Analysis for Digital Advertising
Google’s Privacy Sandbox documentation
Questions or comments
Questions or comments
Please let us know if you have questions or suggestions for other topics that would be valuable for us to cover in this area by emailing intros@wheelhousedmg.com.