Recently IAB published document calling out advertising use cases deficiencies in the new privacy sandbox. What's being lost in the conversation is about the strength of the paradigm shift toward leveraging the device as a source of truth.  The Adtech ecosystems should embrace this new paradigm. Difficult challenges still remain to be answered by chrome over ownership.  Page performance ramifications will be even higher.  

The last few months have been a wild ride! Starting mid-2023, Chrome began implementing a series of web and Android proposals aimed at providing the Ad industry a critical off-ramp against the (former) death of third-party cookies. These proposals were intended to maintain mainstream adtech use cases, with the goal of providing the industry pathways to effectively achieve the mission of sharing the right message to the right user at the right time.  

However, there’s a catch. Many of these proposals included a key paradigm shift wherein the device became the main mechanism for injecting privacy by facilitating interactions for workflows. Previously, these workflows were  managed server-side by third-party cookies. These new workflows loftily promise the Ad industry a pathway forward, whether cookies ever get deprecate or not.

However, a couple of recent key events threw cold water onto Google’s plan to fully deprecate third-party cookies, which led up to the eventual “de-deprecation.”  First, the Interactive Advertising Bureau (IAB) released a robust analysis of Google’s new API’s, calling out specific use case support for a variety of in-the-weeds publishing and advertising use cases.  This analysis highlights several gaps in current use cases. In addition, the Competition and Markets Authority (CMA), which is actively investigating the competition concerns around these new pathways, released a report detailing the concerns that Google needs to address

Why did Google originally want to remove third-party cookies and device ID? 

Originally, the proliferation of third-party cookies in ad tech use cases really took hold during the infancy of programmatic and real-time bidding (RTB). Both advertisers and publishers were incentivized to push for a better understanding of their users inside their broader ecosystem. On the advertising side, being able to effectively target users who had previously interacted with their brands (retargeting) as well as gain an understanding of how ad dollars moved the needle on conversion (attribution) was a critical maturation in digital marketing. On the publishing side, monetizing their users through more refined and differentiated targeting was key to driving high cost per mile (CPM) on inventory.

These drivers leveraged device mechanics in such a way that was supposed to keep user identifiers anonymous. However, these pathways were eventually misused by data brokers looking to build complex graphs, which often tied these anonymous profiles back to known identifiers and other data sets.  Due to the proliferation of marketing technology across the web, this created rich data sets of users’ browsing and app histories. These privacy undercurrents ultimately led the industry and regulators to recognize the need for new paradigms to empower these use cases including retargeting (private audiences), conversion tracking (attribution reporting), and interest based targeting (topics).

Interestingly, as we have marched toward the inevitable downfall of these anonymous technologies, several players in the industry have suggested the use of alternative identifiers. Several of these identifiers are persistently linked through personally identifiable information (PII), like hashed email, and operate under the pretense of user consent mechanics driving the privacy framework for the user. However, this approach is a significant step in the wrong direction for privacy advocates, as it represents a degradation from the anonymous UUID generated with 3PCs to a known identifier used in these alternative IDs. 

How does the Privacy Sandbox solve privacy concerns?

By shifting the work and control back to the device, the device now has the power to broker information on behalf of the user without needing to share excess identifiers with middlemen. This sounds vaguely like the utopian promises of Web3, where users have a greater degree of control. If this is done in a democratic and open way, it provides new pathways that enhance innovation in the market and remove walled garden barriers. Essentially, if the device becomes a store for anonymized user preference data and everyone has equal access to that data in a compliant and consented way, then data becomes ubiquitous and differentiation is achieved through the creative combination of datasets versus ability to access that data. It’s worth calling out here that this utopian viewpoint in its current iteration data access for many of the APIs still have priority gates like the protected audiences API where data is only accessible to specific domains.  

What comes next? 

While that all seems ideal for the privacy folks, it carries its own massive set of unknowns and challenges. First, it places the power in the hands of the device —in this case, Google with Android and Chrome. Because of the ownership and vested interest in these workflows, it’s fairly clear that there is a conflict of interest. Details still need to be fleshed out concerning the long-term roadmap and control that will be key toward the industry largely feeling comfortable moving forward.

Second, performance considerations are going to be critical. With the robust set of use cases articulated by the IAB, it’s clear that high-performance server-side ecosystems are critical for making fast decisions over large datasets. Even if Google has the desire to meet the IAB in the middle on use cases, the question still remains: How feasible are those use cases in the new paradigm and what effect does that have on user experience? Additionally, privacy concerns will arise if custom business logic must be exposed to be executed by the device. It’s also worth noting that efficacy is still very much in the air. The Topics API, for example, seems to carry much less efficacy for advertisers and publishers targeting in a contextual way to build audience extension if they don’t have a large enough first-party footprint. Finally, the speed of adoption will be key. It will be a fairly herculean feat to shift these flows under the aggressive timeline proposed by Google.  

Cautious optimism  

The large set of challenges outlined above shouldn’t discourage advertisers, publishers or even privacy advocates. Over the years, scare tactics have saber rattled on first-party data being the only solution to solve these needs. While first-party data is still certainly king, it's also clear that Google is attempting to meet the industry halfway in protecting anonymous use cases in new ways. If Google and the industry are truly committed toward achieving this goal, then there’s no reason to believe solutions can’t be found that achieve results where all parties can achieve positive outcomes.