A First Look at Chrome’s Privacy Sandbox

There’s a third-party supply chain of services collecting (personal) data when you visit a website, most notably when advertising is active. Upwards of 500 services can be active in this supply chain on a single website visit.

Services in an advertising supply chain are used for ad selection, remarketing, conversions, security, etc., and use tracking mechanisms for cross-site user identity with third-party cookies, among other techniques. But on the whole, the supply chain does not offer transparency about your data, its storage, and how it is shared. This is also the reason data protection authorities have rejected the consent framework that deals with managing the supply chain, and why an upcoming update to this specific framework (TCF) is needed.

The Privacy Sandbox is a rethink of this supply chain with privacy in mind.

Summary

The Privacy Sandbox is a new step in web standards to help publishers, advertisers, and website owners build their services with their visitors’ privacy at the forefront.

The Privacy Sandbox is a highly technical approach with a proposal to safeguard personal data in specific use cases. The overall application and impact on WordPress, with its enormous variety of use cases, is yet to be seen, and time will tell if the Privacy Sandbox delivers on transparency for end-users and website owners.

In general, this approach could impact privacy for the better, especially if it creates a shift in the supply chain towards more sustainable, privacy-first solutions.

What is the Privacy Sandbox?

Identifying users on the web is mainly done with third-party cookies, but more technical approaches like fingerprinting have emerged after an apparent movement to block or remove these cookies. Services use device data or user agents to aggregate data into user identification. Even the simple IP check is still alive today to track users cross-site.

Cross-site domain tracking means that if website ‘A’ has services that started tracking you, these services keep tracking you, independent of the website you’re on.

The Privacy Sandbox proposes a selection of browser tooling to limit or combat these techniques and remove third-party cookies altogether.

It will reject legacy tracking mechanisms and provide so-called APIs directly in the browser to still treat users as single entities on a website but not move this data along the supply chain.

Monetization and Privacy

In the last decade, monetization of the web has increased exponentially. This has resulted in thriving businesses, a positive impact on the open web, freely shared content, and many services we love today. The downside has been, and still is, systemic neglect of users’ privacy.

Long before 2018, many countries implemented data protection laws to protect their citizens’ personal data. However, it was only in 2018 that the combination of the EU’s ePrivacy directive and GDPR showed an impact on digital services, and a slow climb to mitigate privacy issues began.

The dilemma

But now ‘the web’ has a dilemma. Although privacy moves slowly, it doesn’t stop. And while the EU is closing in, and many other countries are following suit, monetization of the web has slowed due to data debt for services that comply strictly, or high court-appointed fees for services that do not.

To solve the dilemma of data debt and keeping the web open and freely available, privacy should be implicit in the supply chain while keeping data streams open.

Whether the Privacy Sandbox can solve this dilemma will become clear in the next couple of years, but making privacy an integral part of browsers is the first step towards a solution.

Removing third-party cookies

Chrome will likely remove third-party cookies early next year and ramp up to full removal at the end of 2024. We have seen a decline in the use of third-party cookies by services and other browsers in the last few years.

The impact of the market leader deprecating third-party cookies will now be apparent for services and developers alike. Although not directly affecting privacy, as the GDPR does not deal with cookies or even tracking explicitly, it does force the hand of services that rely on cross-site tracking with cookies.

Any concerns?

The main concern would be transparency and misinformation. Generally speaking, cookies are a well-understood tracking mechanism. They are easily identifiable and, with services like cookiedatabase.org, categorized and made public to everyone interested in how this primary tracking mechanism works. 

Because the ‘Cookie’ became a poster child of data protection violations, it was the first to be replaced, and alternatives were created. These new, sometimes cookieless techniques were far less transparent for end-users and sometimes misunderstood as a privacy-friendly replacement as ‘cookies’ were no longer used.

Introducing new tracking mechanisms as web standards requires a lot of in-depth scrutiny, broad application, and transparency before any claims for privacy can be made. Expect the adoption rate and full transparency to be slower than implementation.

Are you a plugin or theme developer and curious what it means for your service? We’re happy to assist, contact us on support.

Below, we briefly explain the current focus of the Privacy Sandbox: providing browser tooling to replace third-party cookies and other legacy tracking mechanisms.

A Privacy Sandbox Use-case Example

You can start here to learn more about Privacy Sandbox development. We will explain an example of the APIs Privacy Sandbox will use to counter the removal of third-party cookies but keep monetization alive. In this case, we will take remarketing as a small subgroup of techniques being deployed by API.

In recent years, after you visited a webshop and viewed a specific product, you would (sometimes) see an ad for the product on other websites that offer ad space to the webshop. The ad space can be controlled by a so-called DSP (demand-side platform), which auctions the ad space to the highest bidder.

The publisher then fills the ad space with the help of an ad supplier. In this simplified example, all third parties can access the supply chain and your data.

To minimize data access and sharing, third-party cookies are removed, and the supply chain is broken up by only allowing parties access through an API when needed. You can see a diagram below. These interest groups can also contain first-party data from the webshop directly.

Cross-site tracking with third-party cookies is now replaced with providing API calls to specific suppliers directly in the browser. The data for auctions and interests are now pushed toward the device and browser of the user instead of the supply chain.

This minimization is a key principle for privacy and could lead to a more user-friendly web where you can configure your interests instead of being tracked for behavior. 

You can read about the Protected Audience API for a more technical approach.
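
A simplified model of the flow described above, added here as an illustration and not taken from Chrome or the Protected Audience specification: interest groups are stored in the browser, the auction runs on the device, and the publisher's page receives only an opaque handle. The class, the `urn:opaque:` handle format and the `.example` origins are assumptions; only the two method names mirror the browser calls `navigator.joinAdInterestGroup()` and `navigator.runAdAuction()`.

```javascript
// Simplified model of the on-device flow; constructed for illustration.
// In Chrome the bidding and scoring functions are loaded from URLs and run
// in isolated worklets; here they are plain inline functions.
class BrowserModel {
  constructor() {
    this.groups = [];        // interest groups stay on the device
    this.opaque = new Map(); // opaque handle -> winning ad URL
  }
  // Models navigator.joinAdInterestGroup(), called on the advertiser's site.
  joinAdInterestGroup(group, durationSeconds, now = 0) {
    this.groups = this.groups.filter(
      (g) => g.owner !== group.owner || g.name !== group.name);
    this.groups.push({ ...group, expires: now + durationSeconds });
  }
  // Models navigator.runAdAuction(), called on the publisher's site.
  runAdAuction(config, now = 0) {
    let best = null;
    for (const g of this.groups) {
      if (g.expires <= now) continue;                              // membership lapsed
      if (!config.interestGroupBuyers.includes(g.owner)) continue; // buyer not invited
      const offer = g.generateBid(g);      // buyer logic, evaluated locally
      const score = config.scoreAd(offer); // seller logic, evaluated locally
      if (score > 0 && (!best || score > best.score)) best = { score, offer };
    }
    if (!best) return null;
    const handle = `urn:opaque:${this.opaque.size + 1}`;
    this.opaque.set(handle, best.offer.render);
    return handle; // the page gets a handle, not the interest group or the URL
  }
}

function demo() {
  const browser = new BrowserModel();
  const bid = (amount) => (g) => ({ bid: amount, render: g.ads[0].renderURL });
  // Hypothetical origins and values.
  browser.joinAdInterestGroup({ owner: "https://shop.example", name: "running-shoes",
    ads: [{ renderURL: "https://shop.example/ads/shoes" }], generateBid: bid(2.5) }, 3600);
  browser.joinAdInterestGroup({ owner: "https://other.example", name: "laptops",
    ads: [{ renderURL: "https://other.example/ads/laptop" }], generateBid: bid(9) }, 3600);
  const config = { seller: "https://publisher.example",
    interestGroupBuyers: ["https://shop.example"], scoreAd: (offer) => offer.bid };
  const handle = browser.runAdAuction(config, 10);
  return { handle, rendered: browser.opaque.get(handle),
    afterExpiry: browser.runAdAuction(config, 7200) };
}
```

The higher bid from `other.example` never enters the auction because the seller did not list that buyer, and once the membership duration has passed the same auction returns no ad at all.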

How can Complianz assist?

The Privacy Sandbox provides a new framework for services that use data for business purposes. This new framework will require a deep dive into the consequences for end-users regarding privacy and their right to choose how to surf the open web in years to come.
