Transparency, choice, and control over personalized digital advertising — this is what Google Chrome’s new privacy features aim to address.
Rumours had been circulating the AdTech industry for sometime, but on May 7th, 2019, at the Google I/O conference they were finally laid to rest when Google announced that they would introduce a set of new privacy and transparency features to their Chrome browser.
It’s not known when these features will be available, but a Q4 2019 release seems likely.
The goal of these new changes is to strengthen online privacy by giving users more control, choice, and transparency when it comes to personalized online advertising.
The announcement follows in the footsteps of other popular browsers like Safari and Firefox who have introduced similar, but more severe, privacy controls.
Here’s what we know so far about these new additions to Google Chrome:
Google will introduce an open-source browser extension that will provide users with more transparency into which companies are involved in the ad-servicing process, including intermediaries like ad networks, demand-side platforms (DSPs), and supply-side platforms (SSPs).
The browser extension can also be used across different browsers, will explain to Internet users why the ads were displayed to them, and show them a snapshot of ads they were served recently.
There will be an open API that AdTech companies can also use to present users with this information.
Choice and Control
There will be two new privacy features in Chrome that will provide users with more choice and control over online advertising.
The first one will allow users to see which cookies are being stored on their Chrome browser and enable them to block and delete certain cookies.
The new cookie controls relate to third-party cookies — typically used for online ad targeting, measurement, and attribution — while there’ll be little or no impact to first-party cookies — ones that remember what you added to your shopping cart and keep you logged in to websites and accounts.
Also, cross-site cookies will need to be sent over HTTPS to prevent hackers accessing, storing, or modifying them when being passed from server to server.
The second one aims to prevent device fingerprinting, but Google didn’t explain how this feature would work or when it would be introduced (more on this below).
We explain what device fingerprinting is and how it works in one of our previous posts.
What Does Google Chrome’s New Privacy Features Mean For AdTech?
While the new privacy features aren’t as restrictive as Apple’s Intelligent Tracking Prevention (ITP) feature, they still stand to negatively impact the online advertising industry.
Here are a few key points about the impact of these new features:
1. Google Chrome is the most popular web browser world wide with a 62% market share. In comparison, the second most popular browser is Safari with global market share sitting at just 15.8%.
Due to Google’s large share of the web browser market, these new privacy features in Chrome will likely have a bigger impact on online advertising than what other browsers have had so far. Firefox and Safari’s enhanced privacy features only apply to around 13% of global Internet users, but the introduction of Chrome’s new features will see that number reach 78% — albeit the level of privacy protection will vary across the three browsers.
2. Chrome users have been able to disable third-party cookies for some time, but they were still turned on by default. It seems that users will be able to block and delete third-party cookies, while keeping useful first-party cookies in tact.
It’s unclear how Google will manage the use of third-party cookies, but if it wants to take the next step towards privacy protection, then it will ask users whether they want to enable third-party cookies, rather than turning them on by default.
Depending on how this consent is managed, it could mean that things like ad targeting, retargeting, measurement, and attribution will be less effective.
3. Developers will have to make changes to how their cookies are stored.
To allow users to delete third-party cookies but keep first-party cookies alive, website developers will have to make changes to how cookies on their website are set.
In short, they’ll have to include a new “SameSite” attribute (specifically, SameSite=None) when setting a cookie to tell Chrome which cookies are to be used only by the current site or current URL that the user is on, and which ones are cross-site cookies. They’ll also have to add the `Secure` attribute as cookies will only be set via HTTPS.
Even though this attribute applies to Chrome, which was the first browser to support this attribute, it shouldn’t cause any issues in other browsers that don’t support it.
You can read more about same-site cookies here.
Setting cookies in this way will eventually help Chrome understand which ones are first-party and which ones are third-party.
In the future, Chrome could then ask users if they want to block third-party cookies. If the user says ‘yes’, then cookies created with `SameSite=None` will be blocked.
4. No more device fingerprints (probably).
Device fingerprinting is a technique that aims to identify an Internet user by analysing the configuration of their browser, for example, what browser version they are running, which fonts they have, what plugins are installed, etc.
The practice can be used for a number of different purposes, such as for web analytics and for preventing unauthorized access to a person’s online banking account.
However, it is also used by AdTech companies to identify and track users. Compared to tracking via cookies, device fingerprinting is a more privacy-invading tracking technique because users don’t really have any way to access or delete their fingerprint.
AdTech companies that use device fingerprinting as one of the methods to track users, and subsequently link together different activities into a single profile, will have to adapt and accept the fact that this technique will probably be no longer available to them. This will result in less data in user profiles.
It’s also likely that matching the same users across different browsers, which can be achieved by canvas fingerprinting and similar techniques, will be prevented.
However, questions remain as to how Google plans to limit the use of device and canvas fingerprinting.
The new changes to Chrome, for the most part, will have little impact on AdTech companies as they’ll simply need to change a few characters in their code to ensure third-party cookies are still set.
However, when these new features are released, there will be some AdTech companies that will feel the impact of the new restrictions of device fingerprinting.
Also, the new methods for setting third-party cookies via the SameSite attribute could mean that their availability will decrease. If Google asks users to allow third-party cookies to be set, then you can only imagine how low the opt-in rates will be.
This announcement by Google is just another sign that the Internet is heading towards a more privacy-friendly future. However, this move is a much smaller one compared to other popular browsers like Safari and Firefox.
There are two main reasons for this:
- A large majority of Google’s revenue (about 86%) is derived from advertising. This means they can’t be too strict with user privacy and blocking third-party cookies as this will negatively impact them, as well as other independent AdTech companies, financially.
- If they were to follow in the footsteps of Apple (highly unlikely) and introduce something similar to ITP that heavily restricts third-party cookies, then they could find themselves in another antitrust investigation.
AdTech has seen this coming for a long time with the likes of the GDPR and ITP, but has done little to create future-proof ways of delivering personalized advertising that respects user privacy. Instead companies have decided to ignore the problem and invent workarounds.
AdTech vendors may not be willing to change, but the web browsers that help serve their ads certainly are.