Third-Party Cookies and Privacy Sandbox – Explained

In July this year, Google announced that it may not deprecate third-party cookies, as it has long been promising. Instead, it suggests offering users a choice between third-party cookies and other tech, such as Privacy Sandbox, in their browser.

Privacy Sandbox was originally envisioned by Google as an alternative set of technologies built in Google Chrome to support digital marketing practices including audience targeting, interest targeting, and measurement/attribution, without relying on third-party cookies.

Google has faced a decidedly lukewarm response from the industry and regulators to Privacy Sandbox, a technology that Google originally hoped would become a cross-browser standard. We see this announcement as Google throwing the question back at the industry: if you don’t like Privacy Sandbox, what do you want?

There are differing views in the industry on the path forwards. Google, reliant on ad revenue for its core business, is building Privacy Sandbox. Apple is developing the more restrictive AdAttributionKit and uses privacy as a core selling point for its products and ecosystem. Additionally, there are initiatives for new “open” identity systems to support targeting and measurement such as UID2 and EUID (backed by The Trade Desk), RampID (backed by LiveRamp), and ID5 (investors include TransUnion and S4S Ventures).

In many cases, the stated aspiration is to create a new open standard, however, it’s also important to consider who develops and controls the standard and what the underlying goals and incentives of those companies might be. Some groups advocate that (third-party) cookies should be that open standard, and that any technology is only as good or bad as what it’s used for. For advertisers, what this currently means is uncertainty on the path forward.

How it works

In very simple terms, Privacy Sandbox aims to move as many processes as possible to the user’s device (“on-device processing”) rather than to centralised servers (owned by Google or other ad-tech companies). The diagram below illustrates how this works in simplified terms using audiences as an example.

Considerations

There are several important considerations for advertisers thinking about how this change (or lack of change) will affect them:

• Third-party cookies are already effectively deprecated in Apple browsers (and have been since 2020).
• Google’s announcement is a suggestion, not a confirmation that they will continue to support third-party cookies. We expect that Google will continue to develop and advocate for Privacy Sandbox.
  
• Privacy Sandbox is designed as a set of technologies that would be used by ad platforms (e.g. DV360, The Trade Desk, Criteo, etc). It isn’t a tool that advertisers would use directly, but rather that they would use indirectly via their use of an ad server that supports Privacy Sandbox tech.
  
• Control for whether Privacy Sandbox is switched on or off lies entirely with Chrome (or other browsers that support Privacy Sandbox) and ad platforms (i.e. whether they implement Privacy Sandbox methods for targeting and measuring ads). Platforms such as DV360 are currently using a hybrid of third-party cookies and Privacy Sandbox.
  
• The industry is becoming increasingly fragmented. Other players propose different solutions to enable ad-tech and identifier functionality such as the EUID, backed by The Trade Desk.

Expected effects for advertisers

As an emerging technology, it has been challenging to quantify the effects of Chrome maintaining third-party cookies versus moving to Privacy Sandbox. The current opinion in the industry is that targeting can be more accurate and measurement can be more complete with third-party cookies than with Privacy Sandbox. This is supported by Google’s own study on their own platforms where they assess the “recovery rate” of key metrics under Privacy Sandbox vs using third-party cookies – though it should be noted that it is very difficult to run a true comparison when support for Privacy Sandbox isn’t widespread.

Expected impact if third-party cookies remain in Chrome and relied on by the industry:

In the short term:

• Functionality remains broadly the same as it is today
• There is a significant functionality gap between Chrome and Safari browsers (third-party cookies are not supported in Safari).

In the long term:

• Google has hinted about giving “user choice” regarding third-party cookies, which may mean that it’s easier for users to disable them. If this is the case, usage of third-party cookies will rapidly decrease and ad platforms will be forced towards alternative technologies.

Expected impact if Chrome and industry migrates away from third-party cookies:

In the short term:

• Some initial deterioration of performance in terms of ad targeting and measurability during the transition phase
• Remarketing is likely to be the most heavily affected channel, as match rates reduce in the absence of cookie IDs
• A potential migration of ad spend towards closed-ecosystems (e.g. Google’s owned and operated inventory like YouTube) as targeting and measurement across-site is fragmented, which may result in increased competition and CPCs.

In the long term:

• A new normal will emerge and stabilise as the industry converges around new technologies. Advertisers adjust to new ways of measurement and targeting and performance begins to stabilise.

What to do

Given that this announcement currently confirms very little, and if anything suggests an extension to the status quo of third-party cookies being supported in Chrome rather than an immediate change, the existing guidance to advertisers remains relevant to prepare for the new landscape. Here are the main areas we recommend focusing on:

• Continue preparing for change: We believe that third-party cookies will eventually either be deprecated, or so heavily restricted that they are not useful. Advertisers should assume that we will eventually reach a point where third-party cookies can’t be relied on in any platform.
• Implement modern measurement tools: Implement new technology such as CAPIs, Enhanced Conversions, and Consent Mode to reduce reliance on cookies for measurement and boost signals for models.
• Maximise consented, first-party data: First-party data will become more important than ever. Build trust and optimise consent flows to maximise first-party data collection.
• Use models to your advantage: Modelling is increasingly used to fill the gaps left by privacy. Don’t rely only on the black-box models integrated into ad platforms. Migrate your attribution stack to an approach where you combine econometric approaches (e.g. ongoing, digital MMM) with a structured approach to causality testing (e.g. lift, incrementality, and geo studies).
• Adapt audience strategies: Audiences will become less granular. Adapt audience strategies accordingly and maximise the value of higher quality audiences (i.e. better data coverage, closed-ecosystem / signed-in audiences, etc) and first-party data audience lists (e.g. Customer Match).
• Creative is key: In a world where targeting will become less granular, it’s less about “exactly the right ad at the right time for the right person”, and more about high-impact creative with broader appeal. It also becomes increasingly important to deploy bolder creative testing with more variation to allow ad platforms to match the right creative with the right audiences algorithmically.
• Beyond the Google ecosystem: Keep an eye on what’s happening outside of the Google ecosystem. For example, players such as The Trade Desk propose a new alternative to third-party Cookies — EUID — which is available for advertisers to test and use with supported platforms.

TL;DR

• Google has announced that they might keep third-party cookies in Chrome. Despite this, we think it’s unlikely that third-party cookies will remain as a long-term solution.
• Privacy Sandbox isn’t something that advertisers work with directly. Rather, it’s a new set of technologies used by ad platforms (e.g. DV360, The Trade Desk, Criteo) to enable features like audiences, remarketing, and measurement for advertisers.
• As ad-tech changes, so do best practices. In this document, we list the concrete actions that advertisers can take to be prepared for the new environment.

Further reading

Practices, and the relevant Privacy Sandbox technology proposed to solve them:

• Retargeting: Protected Audiences API.
• Demographic / Interest-based targeting: Topics API.
• Frequency Capping: Shared Storage API.
• Attribution Reporting: Attribution Reporting API.
• Effects: Google study on Privacy Sandbox effects for advertisers.
• Alternative solutions to third-party cookie deprecation: EUID by The Trade Desk.

Or, you know, just reach out 😉