How Google Chrome’s Privacy Sandbox Will Work + Possible Solutions for AdTech
Maciej Zawadzinski
3x Exited Founder-Turned-VC | Investing in Hard-to-Beat Founders
Since Google Chrome announced it’ll stop supporting third-party cookies, publishers, agencies, AdTech companies, and brands have questioned what it will mean for the future of the online advertising industry.
But to understand the impact this will have on digital advertising in Google Chrome, we first need to understand how Google Chrome’s Privacy Sandbox will work.
Although not much is known about how it will work, there’s enough information out there to get a basic understanding.
In this post we paint a picture of how the digital advertising industry works in Chrome now and how we believe it will work once third-party cookies disappear and Privacy Sandbox is introduced.
The Role of Third-Party Cookies in Digital Advertising
For close to two decades, third-party cookies have powered several key digital advertising processes.
Within web browsers, AdTech companies create third-party cookies to:
- Identify users across different websites in the same web browser.
- Run behavioral advertising and retargeting campaigns.
- Target audiences created in a DMP via DSPs.
- Measure the performance of ad campaigns.
But simply creating third-party cookies isn’t going to help with most of the above processes.
To power identification, behavioral targeting, retargeting, and audience activation, they need to be shared between different AdTech vendors.
And this is where cookie syncing comes in.
The Decline in Availability of Third-Party Cookies
The availability of third-party cookies has been declining for over a decade.
The first phase started when ad blockers (browser plugins) were introduced in the mid-2000s.
Most ad blockers prevent AdTech tags (i.e. JavaScript snippets) from loading on a web page. And when AdTech tags don’t load on a page, then third-party cookies can’t be created.
More recently, the decline of third-party cookies has been accelerated by privacy laws like the GDPR and privacy settings in web browsers — Safari and Firefox block third-party cookies by default.
Both Apple’s Safari and Mozilla’s Firefox have killed off the very thing that keeps online display advertising together without offering publishers and advertisers an alternative.
Google Chrome has also made some changes to how it handles third-party cookies with the introduction of the SameSite attribute that requires website developers and AdTech companies to mark their third-party cookies with SameSite=None. Doing so will make it easier for users to block and delete third-party cookies.
Then on Tuesday the 14th of January, 2020, Google Chrome announced that it would stop supporting third-party cookies altogether within the next two years.
Because a large portion of its revenue derives from advertising, Google Chrome would never follow suit and block third-party cookies like Safari and Firefox have without offering up an alternative.
The alternative to third-party cookies that Chrome is proposing is called Privacy Sandbox.
What Is Google Chrome’s Privacy Sandbox?
Google Chrome’s Privacy Sandbox, which was first revealed on August 22, 2019, is a set of open standards aiming to improve user privacy and maintain an ad-supported web.
Just like with other sandboxes used in computer security, Chrome’s Privacy Sandbox will execute advertising processes in a restricted environment, which is in stark contrast to how these processes are carried out today.
There are three parts to Privacy Sandbox:
- Replacing cross-site tracking processes — i.e. the ones currently powered by third-party cookies.
- Phasing out third-party cookies by separating first-party and third-party cookies via the SameSite attribute and turning off support for third-party cookies.
- Mitigating workarounds such as fingerprinting.
In the post, we’ll focus on the first part.
Although it’s still in development, Privacy Sandbox puts forward a completely new way of how online advertising works.
Below we illustrate how key advertising processes work now via independent AdTech companies and how they’ll likely work in Chrome’s Privacy Sandbox.
The diagrams below aim to provide a general idea of how Chrome’s proposed changes will look when they come into effect.
How AdTech Works Now vs How Privacy Sandbox Will Work
The online advertising processes we’ll look at are:
- Identification.
- Ad targeting and media buying.
- Measurement and reporting.
1. Identification
AdTech now
As mentioned above, most user identification is done with third-party cookies.
Here’s how it works:
When an AdTech vendor creates a third-party cookie in a user’s web browser, it can then read its cookie when the user visits a different site, provided the AdTech vendor’s code loads on the page, which has either been added directly by the publisher or by piggybacking off a different AdTech company’s code.
When third-party cookies stop working, most AdTech companies will turn to other identifiers and web browser storage methods to identify users, but these solutions will be much more limited than third-party cookies. See the section titled “Possible Solutions” below for more information.
Privacy Sandbox
If you read the material published by Google Chrome about Privacy Sandbox, it’s clear that their goal is to provide an environment for advertising that doesn’t rely on 1:1 identification.
For that reason, Privacy Sandbox won’t identify individual users. There also probably won’t be an ID that replaces cookies — i.e. no browser IDs.
This is the biggest change that the online advertising industry will have to get used to, as publishers, brands, agencies, and AdTech vendors have built their businesses around identifying individuals across the web.
Although many AdTech vendors will turn to other identifiers such as first-party cookies, it’s impossible to rule out the possibility of Chrome limiting the use of first-party cookies and other techniques for identification, like what Safari has done with Intelligent Tracking Prevention (ITP).
Evidence of this is scattered throughout Chrome’s page about Privacy Sandbox (important text in bold):
The Privacy Sandbox project’s mission is to “Create a thriving web ecosystem that is respectful of users and private by default.” The main challenge to overcome in that mission is the pervasive cross-site tracking that has become the norm on the web and on top of which much of the web’s ability to deliver and monetize content has been built.
As that functionality becomes available we will place more and more restrictions on the use of third party cookies, which are the most common mechanism for cross-site tracking today and eventually deprecate them entirely. In parallel to that we will aggressively combat the current techniques for non-cookie based cross-site tracking, such as fingerprinting, cache inspection, link decoration, network tracking and Personally Identifying Information (PII) joins.
As we’re removing the ability to do cross-site tracking with cookies, we need to ensure that developers take the well-lit path of the new functionality rather than attempt to track users through some other means.
The last sentence suggests that any cross-site tracking alternatives (aka workarounds) that AdTech companies create will be restricted or blocked by Chrome.
2. Ad Targeting and Media Buying
Independent AdTech
AdTech companies offer different targeting methods, with the two most common methods being contextual and behavioral:
Contextual targeting uses the context about a page to determine which ads to show. This information is collected by web crawlers and via the user agent string in HTTP header requests.
Most contextual ad campaigns are executed by ad networks via a media-buying process known as programmatic direct.
Behavioral targeting uses data known about users, such as which websites they visited and products they’ve purchased, to determine which ads to display. This data is collected by AdTech and data companies (e.g. DMPs) and is added to user profiles.
Advertisers then create audiences, which consist of multiple user profiles, and use them for ad targeting.
Retargeting also uses data known about users, but displays ads to users that have interacted with a brand, such as visited their website and viewed their products.
The main way advertisers run behavioral-targeted and retargeting campaigns is via real-time bidding (RTB).
Real-time bidding starts when an SSP’s code (JavaScript snippet) loads on a publisher’s website. The SSP then sends a bid request to multiple DSPs.
Here’s just some of the information that can be contained in a bid request:
- Impression type, size, and placement.
- IAB content categories, such as ‘automotive’ and ‘fashion’.
- Device information, such as device type, operation system, device make and model, and device version.
- Cookie ID, which is used to identify users across different websites, allowing advertisers to identify members of their target audience.
If the information contained in the bid request matches their target criteria, then they’ll send back a bid response. The DSP with the highest bid wins the auction and the advertiser’s ad is displayed to the user.
RTB heavily relies on third-party cookies and cookie syncing to identify and track users across different websites. For RTB to continue to work without third-party cookies, AdTech companies will need to use a different identifier. See the section below about possible solutions for more information.
So to recap, contextual advertising can be done without knowing anything about the user — e.g. an advertiser can display an ad for a mountain bike on a web page about mountain biking — whereas behavioral targeting and retargeting use data about a user’s interests and behavior, such as which websites they’ve visited and products they’ve purchased.
But does behavioral targeting result in more ad revenue for publishers compared to contextual targeting?
This is a question many folks have tried to answer, with varying answers.
A 2019 study by Veronica Marotta, Vibhanshu Abhishek, and Alessandro Acquisti found that the presence of cookies on a large publisher’s website contributed to 4% higher CPMs for publishers.
This report suggests that behavioral ad targeting isn’t a big revenue booster for publishers as many AdTech companies claim it is, however, the devil is in the detail and in this case many key factors may have been overlooked.
More recently, a team at Google Ad Manager ran an experiment where it disabled access to cookies for a small fraction of users to see whether publisher ad revenues would fall when cookies weren’t available.
The team at Google found that when cookies were disabled, ad revenues fell by 52% for the top 500 global publishers, with a median per-publisher decline of 64%.
The experiment highlights the value of personalized and targeted advertising.
Privacy Sandbox
The ad-targeting options in Chrome’s Privacy Sandbox will be fairly similar to the ones available today, but will be done on a cohort level, rather than on an individual level.
With this method, users will be displayed ads that match the context of the page they’re visiting, similar to how contextual advertising works today.
The only difference is that Privacy Sandbox will be responsible for informing AdTech platforms about the context of the page, rather than the AdTech platforms themselves (e.g. via web crawlers and the user agent string).
With interest-based targeting, a user will be added to a group based on the websites they visit. Advertisers will be able to target them based on the groups they belong to.
The important thing to note here is that targeting will be done on a cohort level, meaning no user data will be passed to AdTech platforms, just the name of the interest group they belong to. This new way of running targeted ad campaigns is in stark contrast to how it’s done currently.
The remarketing (aka retargeting) method is similar to the interest-based targeting method above, with the main difference being how the ad-decisioning process works.
With interest-based targeting, advertisers can show ads to users based on the interest groups they belong to.
With the remarketing method, the browser will send two ad requests to the AdTech platform — one containing contextual information and one referencing the interest group that the user belongs to.
The process Chrome’s Privacy Sandbox will use for remarketing is known as Two Uncorrelated Requests, Then Locally-Executed Decision On Victory (TURTLE-DOV).
The AdTech platform won’t know that these two ad requests are coming from the same user, hence the name ‘two uncorrelated requests’. The reason for this is to make it hard for AdTech platforms to identify users by connecting the time the two requests are sent.
The interesting thing about this proposed approach is many of the key ad-decisioning and even auction mechanics will be conducted in the browser (aka on device) instead of by AdTech platforms.
3. Ad Measurement and Reporting
AdTech now
AdTech companies measure and report on the performance of ad campaigns by impression and click trackers, and pixels (e.g. conversion tags).
Below is an example of how impression tracking works in real-time bidding:
Privacy Sandbox
Chrome’s Privacy Sandbox puts forward APIs for measuring and reporting on ad campaigns, all designed to strengthen user privacy by avoiding cross-site tracking.
To make it hard for AdTech companies to tie a click or conversion to an individual user, reports will be sent in aggregate from a server-side aggregation service.
Below is an example of how reporting will likely work in Chrome’s Privacy Sandbox.
Possible Solutions
Since Google Chrome announced they’ll be killing off third-party cookies, AdTech companies have proposed several solutions. Most of them revolve around using a publisher’s first-party data for identification, which can then power ad targeting and measurement.
Here are the main ways a publisher can use their first-party data for identification:
1. Use Email Addresses as an ID
This solution is one that gets talked about a lot.
It involves a publisher asking users to create an account or provide an email address to access their content (e.g. read a news article).
Websites like The Information require readers to provide an email address to read their articles.
Once a publisher has obtained a user’s email address, they can hash it and use the hash as an ID. This ID can then be used to identify returning visitors and power audience targeting.
Email IDs created by publishers can also be matched with hashed email addresses from advertisers with an ID solution from companies like LiveRamp and Neustar.
The main drawback of this solution is scale and reach as it will all be limited to one publisher, or a group of publishers if they’re part of a universal login alliance.
Also, because Chrome’s goal is to move to an advertising model that doesn’t identify individuals, it’ll likely restrict this identification method, just as they’re doing with other user identification methods like device fingerprinting.
2. Use Other Browser Storage Methods
Cookies aren’t the only way web browsers can store data.
Another web browser storage method that’s gaining popularity is local storage.
Similarly to cookies, local storage can store IDs, which can be used to identify users.
But again, the main drawback with this option is that it’s limited to the publisher’s domain, meaning there’s no easy way for AdTech companies to identify users across different websites.
3. Create a New Subdomain for AdTech Companies
Creating a new subdomain for the sole purpose of hosting a piece of software is nothing new; many MarTech platforms use this option.
Publishers could create a subdomain (aka a CNAME record) for their AdTech partners (e.g. ssp.publisher.com), which would allow them to create a first-party cookie. This cookie could then be used for user identification.
The Main Problem With These Solutions
The above solutions present somewhat viable replacements to third-party cookies, but they should be viewed as short-term solutions.
The reason we say that is because most are not privacy friendly.
Even with the appropriate consent and opt-out features, these solutions are still based on identifying individual users. And as we mentioned earlier, this goes against the very ideals of Chrome and the other major web browsers, especially Firefox and Safari.
So What Should AdTech Companies Do Now?
Even though the end of third-party cookies is near, it’s still a couple of years away and a lot can change.
We saw recently Google Chrome announce that it’ll roll back SameSite cookie requirements it deployed with Chrome 80.
Regardless of what happens over the next couple of years, AdTech companies should be planning for the future, participating in discussions around Chrome’s Privacy Sandbox, making changes to their tech to make it privacy friendly, and staying up to date with new announcements.
With all that’s been happening in digital advertising over the past 5 years regarding privacy (the GDPR, ITP, etc.), it’s clear that the future of digital advertising lies in privacy-friendly tech and processes.
Until Chrome shuts off third-party cookies, it will be business as usual but AdTech companies should have one eye on the present and one eye on the future.
Of Earth. Lover, software architect, pattern matcher and abstraction finder.
3 年"[…A] team at Google Ad Manager ran an experiment?where it disabled access to cookies for a small fraction of users to see whether publisher ad revenues would fall when cookies weren’t available. The team at Google found that when cookies were disabled,?ad revenues fell by 52%?for the top 500 global publishers, with a?median per-publisher decline of 64%." My goodness, how completely unexpected and not-a-conflict-of-interest-at-all that a company which uses behavioral advertising and data profiling as their profit model up and down almost their entire stack, would produce research with the findings that behavioral advertising and data profiling are fundamental to the success of ... <gestures toward Capitalism, vaguely> So shocked / would have expected there to be bias, but it turns out, no / to think that for the whole of civilization prior to 2001 we all lived in abject poverty, squalor, and struggle because behavioral targeting didn't exist back then & every company ever founded was careening into the chasm of bankruptcy. Hey, you know who else should put out their own studies? I'm thinking maybe cigarette companies and the fossil fuel industry's bottom lines could both use this kind of shot in the arm.
Senior Specialist
4 年Thanks for the good read.
Building Custom AI Solutions for Marketing to increase efficiency, improve campaign performance and save time & money
4 年Good piece - agreed that the focus should not be on solutions like hashed PII or localStorage workarounds Cohort targeting across domains can be possible (even in Safari/Firefox) currently with user consent: https://www.dhirubhai.net/feed/update/urn:li:activity:6653297734205997057/
TMT Analyst + HNW Investor
4 年Extremely high quality?