Relevant Blog: Expertise and current insights on online media and advertising commercialisation

Cookie alternatives

Google Privacy Sandbox APIs

  • August 6 2024
  • Suvi Leino

In July 2024, Google announced an update to its approach to third-party cookies in the Chrome browser. The initially planned phase-out of cookies, announced in 2020, has now been cancelled. Google decided to retain cookies in response to long-standing concerns from the advertising industry.

In a blog post, Google introduced an "updated approach," which allows users to make and change informed choices about their browsing during web sessions. Google has already discussed this change with the UK's Competition and Markets Authority (CMA) and the Information Commissioner's Office (ICO) and plans to expand these discussions with industry stakeholders.

Despite the new approach, Google has stated that it will continue to develop Privacy Sandbox APIs, focusing on improving privacy protection and usability. New privacy settings, such as IP protection, have also been added to Chrome.

The Privacy Sandbox initiative aims to find solutions that significantly enhance online privacy while maintaining an ad-supported internet that supports a diverse ecosystem of publishers and connects businesses with customers. This text will focus on Google's Privacy Sandbox and its APIs.

 

Privacy Sandbox

Google aims to secure an ad-supported internet with browser-based open standards, and for this purpose, the "Privacy Sandbox" initiative was launched in August 2019. This initiative aims to respond to the growing pressure to improve privacy protections and ensure the sustainability of ad-funded content.

The goal is to create a secure standard that enables personalisation while respecting users' privacy. The Privacy Sandbox project seeks to minimise the data shared between websites and advertisers and store a larger portion of user data on the user's device. The initiative envisions targeted advertising and conversion measurement through privacy-protecting APIs within the browser environment. Several APIs are designed to meet different needs, benefiting all stakeholders.

 

Google Interface proposals (API)

The situation may change fast; text updated 6.8.2024

Show relevant content and ads:

  • The Topics API - would be a new way for browsers to enable interest-based advertising on the web. Topics is based on the user's recent browser activity and site categorisation. Advertisers can then use these categories to target more relevant advertising to visitors. The initial testing of the Topics API began at the end of the first quarter of 2022, and it became generally available in September 2023. 
  • The Turtledove API - The interface is designed to enable targeted and retargeted advertising without allowing third parties to track users' browsing behaviour across websites. The aim is to allow ad auctions in the browser instead of the server. The Protected Audience API is the first experiment implemented in Chromium within the TURTLEDOVE family of proposals—other TURTLEDOVE proposals and discussions about them: W3C Web Advertising Business Group.
  • FLoC API - FLoC was a proposal in the Privacy Sandbox designed to cluster people with similar browsing patterns into large groups, or "cohorts." This "safety in numbers" approach effectively blended any individual into a crowd of people with similar interests. The development of FLoC stopped in 2021.

To fight spam, fraud, and DoS (denial of service):

  • Private State Tokens API – With this API, publishers can verify real users without tracking technology, making it Google's alternative to CAPTCHA. The idea behind the Private State Tokens API is that once a visitor has performed actions on a site, based on which the API believes the user to be a natural person, it stores a token in the user's browser. The browser token does not allow tracking individual visitors but only verifies the visitor as a natural person. The token remains in the user's browser, enabling the transfer of information from one website to another. Private State Tokens API testing began in early 2021, and testing has concluded with the API being updated according to new versions and token types.

Measure digital ads:

  • Attribution Reporting API - The interface would allow the collection of data related to campaign performance without user tracking. The information would include, e.g., Reach, Views, Ad Impressions, and more in one report. The interface would allow data to be stored in a browser and passed on to the advertiser's systems. Several features have been planned for this interface, which will be generally available from September 2023 onwards. This API is a work in progress and will evolve, dependent on ecosystem feedback and input.

Strengthen cross-site privacy boundaries:

  • Related Website Sets - With this API, it would be possible to declare relationships between websites so that browsers could allow limited use of third-party cookies for specific purposes. In practice, RWS would be a collection of domain names reported to Chrome, with one set as primary and the others as members. Related Website Sets would be a solution for cases where sharing a single sign-on identity is necessary across different top-level sites.
  • Shared Storage API - To prevent tracking users across websites, browsers partition all storage formats (cookies, localStorage, caches, etc.). However, several legitimate use cases rely on unpartitioned storage. The Shared Storage API would enable sites to store and utilise unpartitioned cross-site information. Various businesses could benefit from using the Shared Storage API. For example, Ad tech companies could measure campaign reach, set ad frequency limits, and vary ad content. Currently, all these functions rely on third-party cookies. Several features have been proposed for this API. You can read more about it here
  • CHIPS API - The CHIPS (Cookies Having Independent Partitioned State) API would allow developers to choose "partitioned" storage for cookies for each top-level site. The goal of CHIPS would be to enable cookies to be set by third-party services, but they could only be read in the context of the top-level site where they were initially set.
  • Fenced Frames API - A Fenced Frame would be an iframe-like HTML element for the embedded content. It would allow developers to isolate content and functionality by creating a protected environment. With Fenced Frames, advertisers could, for example, display ads safely without gaining access to users' personal information. Additionally, Fenced Frames could help web application developers protect their users from harmful third-party scripts and content.
  • Federated Credential Management API - Federated Credentials Management (FedCM) is an interface that makes integrating third-party authentication and credential services into browsers easier. FedCM aims to provide a safer, more privacy-respecting way to manage user authentication information across different services. With this interface, developers could combine authentication information from various service providers in one place, reducing the need for users to remember multiple passwords and promoting privacy and security.

Limit convert tracking:

Browser resources like cookies, which allow users some control, stand in contrast to other browser aspects that facilitate unregulated tracking and identification of users. Conversion tracking methods such as fingerprinting and cache inspection exploit intricate browser details, often unbeknownst to users, making it challenging for individuals to defend themselves. In response to these covert tracking tactics, Chrome proposes several technologies designed to dismantle these hidden channels of information tracking. The current proposals to limit conversion tracking include User-Agent Client Hints, User-Agent Reduction, DNS-over-HTTPS, IP Protection, Privacy Budget, Storage Partitioning, Network State Partitioning, and Bounce Tracking Mitigation. 

 

Testing for all the APIs above, designed to enhance privacy between websites, commenced in 2021-2022 for a partially limited audience. In May 2023, Google announced its intention to make targeting and measurement APIs generally available to all users by July, enabling developers to conduct scaled testing. In September 2023, Google announced that the interfaces are available to everyone.

 

There is a long way to go

Even though Chrome browser updates have rapidly changed, Google has announced that this is a complex process and that ecosystem changes will take time. The Privacy Sandbox proposals have evolved significantly over the past year and will likely continue changing. While the proposals have potential, the journey is still ongoing.

We at Relevant Digital follow the development of the situation and will continue to open it to the followers of our blog. Join our monthly newsletter subscribers to stay on the map!

Share on: