On Monday 22 July 2024, Google announced that it has officially dropped plans to deprecate third party cookies through the implementation of Privacy Sandbox, in favour of a new approach designed around offering "elevated user choice".
Google’s Privacy Sandbox was first announced in 2019 as an initiative aimed to create technologies that protected people's privacy online while also providing companies and developers the tools to build digital businesses. Originally this was limited to the Chrome browser, but early in 2023 was extended to also cover Android devices.
As part of its core design ethos, Privacy Sandbox had two underpinning goals:
Privacy Sandbox primarily aimed to achieve its core goal to “enhance user privacy” by preventing tracking through third-party cookies and similar third-party technologies and instead supporting only first-party approaches to data collection and tracking - both through the Chrome browser and across Android products/services.
Although the Privacy Sandbox initiative has been repeatedly delayed for a variety of reasons, both technological and regulatory, recently it seemed to be moving towards the final hurdles before full implementation, and indeed late in 2023 the initial tests of deprecating 1% of third-party cookies were launched. However, within its statement, Google provides that, while early testing from adtech companies indicated that the Privacy Sandbox APIs had the potential to achieve the Privacy Sandbox outcomes, Google recognises that this transition required “significant work by many participants” and would “have an impact on publishers, advertisers, and everyone involved in online advertising”.
In light of that significant work effort involved in bringing the Privacy Sandbox to life, Google are now proposing an updated approach that “elevates user choice”. Instead of deprecating third-party cookies, Google plan on introducing “a new experience in Chrome that lets people make an informed choice that applies across their web browsing” which users can “adjust…at any time”. Google states that it is in the process of discussing this new path with regulators and notes that it will engage with industry as they roll this out. No further details have been released on the new approach at this stage though from the brief outline within the statement, it appears to be considering a browser-based consent mechanism.
The UK’s Information Commissioner’s Office (ICO) has today announced that they are “disappointed that Google has changed its plans” and provide that they will “monitor how the industry responds and consider regulatory action where systemic non-compliance is identified for all companies…”. The UK’s Competition and Markets Authority (who had expressed concerns in regard to Google’s original proposals) has also announced that they will now “work closely with the ICO to carefully consider Google’s new approach to Privacy Sandbox” and “welcome views on Google’s revised approach, including possible implications for consumers and market outcomes”.
Given the notable impact on existing data collection and tracking methodologies that would have resulted from the implementation of Privacy Sandbox, many organisations have expended significant time, energy and resources into exploring alternative approaches to third-party cookies and similar technologies. This announcement will come as a relief for many who would have otherwise been significantly impacted by the impending changes, no matter how well-intended those changes.
However, with momentum having continued to build in favour of first-party data strategies as a result of this preparatory work, it seems unlikely that the results of these efforts will be thrown out in favour of maintaining the status quo. The work undertaken has already seen significant development of sophisticated, and powerful, technological approaches for maximising the value of first-party data, in a privacy-first manner and without requiring third-party cookies. The industry as a whole can only benefit from the work that has already been done, and these new tools should continue to form an important part of any advertiser or publisher data strategies.
That said, the urgency driving change has definitely now diminished, and we are likely to see a relaxing of the adoption of these new initiatives across the industry in favour of continuing to use tried-and-tested techniques. In that context, it will be interesting to see how Google’s new “elevate[d] user consent” concept develops – if this continues to be built in order to further Google’s larger picture goals for Privacy Sandbox, this could still result in a significant change to the broader adtech sector in favour of better supporting user privacy and choice. Historically, “browser-based consent” mechanics have seemed clunky and unwieldy when proposed – but of course, that has been without the technical expertise and market presence of a player such as Google.
Ultimately, we are now in a period of “watch this space” to understand in more detail the exact nature of Google’s revised approach and any associated implications for the adtech ecosystem.
Finally, although organisations no longer need to prepare for the phase out of third-party cookies, it is nevertheless important to ensure that the way you track individuals is carried out in compliance with data protection and ePrivacy legislation and guidance. This is especially important given the current regulator focus on cookies; the ICO began sending cookie compliance warnings at the end of 2023 and the European Data Protection Board is in the process of finalising its guidelines on the scope of “cookie” rules.
If you would like advice on how to stay compliant in this rapidly changing adtech landscape, please get in touch with our team or reach out to your usual Bird & Bird contact here.