Privacy Sandbox: Separating Fact from Fiction

Privacy Sandbox: Separating Fact from Fiction

Third-party cookie deprecation (3PCD) in Google Chrome -- the final step into the so-called “cookieless future” -- is all but upon us. Google deprecated third-party cookies for 1% of Chrome users in January 2024, but many organizations are still confused about what they can do to prepare for the post-cookie world. At this point, the industry has been talking about 3PCD in Chrome for over four years, and many organizations now understand that key pillars like media targeting and attribution will be majorly disrupted. However, information available to advertisers remains sparse, vague, or requires a tech translator when attempting to use resources like Google’s Privacy Sandbox developer blogs.

To help organizations better understand the Privacy Sandbox and how to prepare to utilize it, we put together a list of questions and answers to help dispel fact from fiction -- and to help organizations understand specific steps they can be taking now to prepare for 3PCD.

Is Chrome still on track to phase out 3PCs by the second half of 2024?

That is the plan, but sticking to this timeline depends on multiple factors like approval from the Competition and Markets Authority (CMA) in the UK, as well as successful implementation of technologies such as the Privacy Sandbox. Having said that, the plan for now is to gradually phase out third-party cookies beginning in Q3 of this year. It’s worth noting that this timeline is updated monthly by the Chrome team on the Privacy Sandbox website.

This month, Google received significant critiques of the Privacy Sandbox from both the CMA and the Interactive Advertising Bureau. How do you think that affects Chrome’s timeline?

The IAB and CMA are both worried that the Sandbox doesn’t support enough digital advertising use cases and could negatively impact the industry by potentially driving revenue to the walled gardens, including Google itself.

On the one hand, it’s great to have these industry bodies holding Google accountable, but on the other, it causes advertisers to continue to wonder whether cookie deprecation is going to happen at all, which isn’t a place we want to be in. The delays have gone on long enough, and every business needs to come to terms that this is going to happen. 

Regarding the CMA ruling more specifically, to date, Google has followed the CMA’s required process, and is working to resolve the remaining concerns. So, do we think this is a case where advertisers should slam on the brakes and change strategy because cookies are here to stay? No. This is just another bump in the road towards the evolution of a more privacy-safe ecosystem.

Advertisers understand that media targeting and attribution are going to change as a result of 3PCD. But for all the ink that's been spilled about the "cookieless future," many still struggle to understand specific action items that can help them prepare. 

What does "testing the Privacy Sandbox" look like in practice?

There’s a lot of confusion about this, with a lot of voices telling advertisers to “test the Privacy Sandbox” as a way of preparing for 3PCD. The truth is that the Privacy Sandbox is an infrastructure change in the back end for these adtech platforms, and not a front-end element that can be tested by individual advertisers. In other words, advertisers opening their instances of DV360, Google Ads, or Campaign Manager will not see new “TOPICS” targeting capabilities or Attribution Reporting API functions within the platform.

Instead, the back-end infrastructure powering in-market audiences, affinity audiences, etc. is changing from being third-party cookie based to the TOPICS API. As a result, the idea of advertisers “testing” the sandbox is not a practical reality for now. “Testing the sandbox” is referring specifically to adtech vendors who are looking to implement the APIs into their platforms.

So, if advertisers can’t actually test the Privacy Sandbox for themselves, what can they do to prepare for 3PCD?

The number one thing that all businesses need to do today is understand where they are exposed to third-party cookies, whether that is on the targeting, measurement, or experience side. Ask, which use cases are going to be impacted?

With those use cases as a guide, brands can then draft a plan on how data, targeting, and measurement strategies will need to evolve to address them. Google’s Privacy Sandbox will be only one component for many organizations, and it’s important to address this holistically -- which is easier said than done, for sure. This is a big focus area for our teams as we help clients to identify those use cases, build new data strategies and implement new cookieless technologies, and ultimately build a digital marketing transformation strategy needed to adapt to this new way of doing business.

Ok, so when should we expect to see more Privacy Sandbox features available in Google’s ad platforms?

As far as we know, it’s expected to happen in Q3, but we don’t have any more details on that. Also, it is worth reiterating that these features/APIs are not available via the DV/CM front ends. In other words, they aren’t features that advertisers interact with via their DV/CM accounts. Instead, they are pure back-end infrastructure solutions that will power features/tools you use via the front end.

What do I need to do to enable remarketing post-3PCD, and which browsers/publishers will I be able to use for remarketing?

Right now, there are three proposed cookieless remarketing solutions: PAIR (Publisher Advertiser Identity Reconciliation), Protected Audiences, and Customer Match. Today, businesses can already leverage Customer Match across all browsers/OS. PAIR is available on all browsers but is limited to publishers that have opted into the program. Lastly, the Privacy Sandbox’s solution called Protected Audiences API (PAAPI) is the new solution on the block, and it’s still being implemented. For now, it’s looking like it will work just on Chrome, until more browsers integrate the API.

Last question for now: How are these tactics going to be measured if 3PCs no longer exist?

The Attribution and Reporting API (ARA) is the Privacy Sandbox’s solution for conversion measurement. It will be what powers conversion reporting within DV and CM and will work across Google’s Owned & Operated and non-O&O. Digging into the ARA is probably a topic for its own interview, though -- so let’s follow up with more detail on that soon.

Do you want to learn more about Google's Privacy Sandbox?  Contact the Merkle team!

Want more like this?

Want more like this?

Insight delivered to your inbox

Keep up to date with our free email. Hand picked whitepapers and posts from our blog, as well as exclusive videos and webinar invitations keep our Users one step ahead.

By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy

side image splash

By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy