Privacy in AdTech FAQ: Google Chrome’s Privacy Sandbox, Safari ITP, Firefox, GDPR

Privacy in AdTech FAQ

Contents

Our Newsletter

Get AdTech & MarTech resources sent straight to your inbox

We respect your privacy. Learn more here.

Ever since Google Chrome announced that they’ll stop supporting third-party cookies, folks within the digital advertising industry have questioned what this means for AdTech and what impact it will have.

But these aren’t the only questions people have. And Chrome’s changes to third-party cookies aren’t the first.

So we’ve compiled a list of frequently asked questions about privacy in AdTech and tried to answer them the best we can. 

If you have a question that’s not listed here, then contact us and we’ll answer it for you and add it to the list.

The privacy topic in AdTech is multilayered and has been trending in AdTech for over a decade. 

The first challenge publishers, and AdTech companies, and advertisers had to deal with was ad blockers, which were introduced in the mid-2000s.

Then, Safari allowed users to install content blockers (similar to ad blockers) in 2015.

Then came the GDPR in 2018

More recently, Safari and Firefox stopped supporting third-party cookies and Google Chrome is now following the trend.

The trend is also moving towards removing IDs that could serve as fingerprints. Some companies already started using first-party cookies and local storage in browsers, combined with fingerprinting & link decoration, as a workaround to third-party cookie restrictions. 

These techniques are alternatives to Privacy Sandbox, but they aren’t future-proof solutions as they can be blocked or restricted by web browsers. For example, in light of Safari’s ITP, some AdTech and MarTech companies started storing data in a browser’s local storage. Safari noticed this workaround and now removes data in local storage after 7 days.

Chrome hasn’t mentioned anything about restrictions around first-party cookies, but it’s impossible to rule out any future changes that will restrict their ability to identify users (similar to Safari’s first-party cookies restrictions). 

Currently, between 20% to 30% of traffic in web browsers no longer supports third-party cookies (based on Safari and Firefox’s market share in the US and Europe). When Chrome stops supporting third-party cookies, this figure will be closer to 100%.

What changes has Google Chrome made to third-party cookies?

Google Chrome has recently made a couple of big changes to third-party cookies. 

The first was on May the 7th, 2019, when Google announced it would be giving Chrome users more control, transparency, and choice over personalized digital advertising.

For the most part, this meant that Chrome would start allowing users to block and delete third-party cookies, while keeping first-party cookies intact. Web developers and AdTech companies have to include a SameSite attribute (specifically, SameSite=None; Secure) when setting third-party cookies to ensure they can be used in a third-party context. 
 
The second big announcement came on Tuesday the 14th of January, 2020, when Google Chrome announced that it would be shutting off support for third-party cookies by 2022.

Then, on Thursday June 24, 2021, Google Chrome announced that it would be extending its planned sunset of third-party cookies by 2 years. It’s currently expected that Chrome will shut off support for third-party cookies starting from the middle of 2023.

On Wednesday July 27, 2022, Google Chrome once again announced that it would be delaying the deprecation of third-party cookies by another year, stating that it will start shutting off third-party cookies in the second half of 2024.

When will Google’s changes to third-party cookies come into force?

The first wave of changes (i.e. the SameSite attribute) came into force in February 2020 with the release of Chrome 80. 

Google said that it intends to stop supporting third-party cookies by 2022, but then announced it would delay this by 2 years in 2021. Then, on Wednesday July 27, 2022, Google Chrome announced that it won’t start phasing out third-party cookies until the second half of 2024.

Chrome is currently working on and testing out the standards and APIs in Privacy Sandbox, so depending on the outcome, it could mean that third-party cookies Chrome will stop being supported after 2024 as per Google’s most recent announcement. 

The end goal is for Chrome’s Privacy Sandbox to replace the processes currently carried out by third-party cookies. 

What is Privacy Sandbox and how does it work?

Google Chrome’s Privacy Sandbox is a secure environment for ad personalization and measurement. 

Chrome sees Privacy Sandbox as a new standard for the web — one that has user privacy at its core and is still ad supported. 

There are several parts of Privacy Sandbox that will replace the key processes of display advertising:

APIs for conversions and measurement: Chrome will provide two APIs that AdTech companies can use to retrieve click-through and conversion data. These reports will be sent in aggregate and delayed on purpose to make it harder for advertisers and publishers to link a click with a user.  

Federated Learning of Cohorts (FLoC) for interest-based targeting: FLoC aims to place users into groups based on similar interests and behavior, which will then be used for ad targeting. For example, if an advertiser wants to show an ad for a new car, then Chrome can show this ad to users who belong to a certain group, e.g. new car enthusiasts. 

This type of ad targeting is more privacy friendly as it’s done on a group level, rather than on a 1:1 level as it’s done currently with first- and third-party cookies.

FLoC is connected with Google’s Federated Learning, which uses AI and machine learning to analyze data in a privacy-friendly way.

Two Uncorrelated Requests, Then Locally-Executed Decision On Victory (TURTLEDOVE) for retargeting (aka remarketing): This works in a similar way to FLoC, but the use case here is for retargeting, rather than interest-based targeting. 

How advanced is Chrome’s Privacy Sandbox project?

Some of the standards and APIs in Privacy Sandbox have already been released for testing (origin trials), such as FLoC and the Attribution Reporting API, but others like FLEDGE will likely be released for testing this year. 

There is still a lot of work to do before Privacy Sandbox can be released, hence the extension.

What impact will Google Chrome’s changes have on AdTech and MarTech?

All AdTech and MarTech platforms that use or rely on third-party cookies will be impacted. 

The Impact on AdTech:

  • Behavioral targeting and retargeting: Advertisers won’t be able to show ads to users based on their behavior. Some behavioral ad targeting will still be possible via first-party data, but it will be limited.
  • Audience activation via cookie syncing: DSPs and DMPs sync cookies with each other to help advertisers reach their target audiences. As cookie syncing relies on third-party cookies, this won’t be possible when Chrome stops supporting third-party cookies.
  • Attribution: Attributing ad views to conversions, known as view-through attribution, won’t work anymore.

The Impact on MarTech:

As most MarTech platforms (e.g. analytics tools and marketing automation tools) use first-party cookies, they won’t be impacted by the changes to third-party cookies in Google Chrome. However, any MarTech tool that relies on third-party cookies will be impacted.

Who will be the winners of Google Chrome’s changes?

The winners of these changes will be the ones that don’t rely on third-party cookies for identification. 

Even though every player involved in advertising in web browsers will be heavily impacted by Chrome’s changes to third-party cookies, publishers with a large and engaged audience are in the best position. 

The main reason is because they have a direct relationship with Internet users, meaning they’ll be able to collect first-party data and use it for ad targeting. 

Also, DMPs that collect and use non-cookie IDs, such as email addresses and device IDs, are in a good position. Two examples of DMPs that can identify users without third-party cookies are LiveRamp and Permutive. As most other DMPs rely on third-party cookies, they’ll be severely impacted by these changes.

Who will be the losers of Google Chrome’s changes?

The players that will lose the most will be advertisers and AdTech companies. 

Advertisers won’t be able to activate their audiences for media buying via cookie syncing or run retargeting campaigns in the same way they do now. This will lead to less reach and lower campaign performance (conversions etc.).

Because a majority of AdTech companies have built their businesses around using third-party cookies (e.g. for identification, ad targeting, and measurement), they’ll also need to make a number of changes to their business model and technology to survive. 

Although Chrome’s Privacy Sandbox project will still allow advertisers to run targeted, and even retargeted, ad campaigns on a group level, it’s unclear whether this will be enough to deliver the same or even similar results that are achieved currently via third-party cookies.

Are other browsers introducing Privacy Sandbox or similar mechanisms?

Safari introduced a privacy feature called Intelligent Tracking Prevention (ITP) in September 2017. ITP blocks third-party cookies by default and limits the lifespan of first-party cookies and local storage. 

Firefox also released a privacy feature known as Enhanced Tracking Protection (ETP), which also blocks third-party cookies by default and also blocks device fingerprints. 

Currently, neither of these web browsers have said they’ll adopt Google Chrome’s Privacy Sandbox, but it’s impossible to rule out.

What do publishers, AdTech companies, and advertisers need to do to prepare for the end of third-party cookies in web browsers?

Publishers

The end of third-party cookies in web browsers will mean that DMPs won’t be able to create audiences that can be later used for audience activation and targeting by advertisers. 

Additionally, SSPs/ad exchanges won’t be able to identify users on websites in the same way they can now (i.e. via third-party cookies).

This means publishers will need to start creating addressable audiences, if they haven’t already, and start offering them to advertisers. One way to do this would be to get users to register and login via email, allowing the email addresses to act as an identifier to power ad targeting and even measurement in a limited capacity. 

Publishers could take this one step further and integrate with an ID resolution service, as long as it’s based on first-party cookies. One popular example of this is the Advertising ID Consortium that uses LiveRamp’s Identity Link. 

An alternative to the register and login option would be to join a login alliance — a tool that allows users to create one account that can be used to access different publishers, provided they are part of the alliance. 

Login alliances were created in a number of EU countries, such as Germany, as a way to make complying with the GDPR easier and to enable targeted advertising based on first-party data. However, adoption of these login alliances has been slow due to competition concerns.

AdTech companies

The end of third-party cookies in web browsers means that AdTech companies will need to change how their technology works.
 
Here are a few areas AdTech companies should focus on:

  • First-party data: AdTech companies should turn their attention to unlocking the most value possible in first-party data for publishers and advertisers. 
  • Other digital advertising mediums and channels: Although advertising in web browsers is , there are many other areas of digital advertising where brands are spending their money. These include in-app mobile, OTT and CTV, and digital out-of-home (DOOH)
  • Privacy Sandbox: Two years is not a long time, so AdTech companies should start looking into how they can use Privacy Sandbox for ad targeting, retargeting, and measurement. 

Advertisers

There are a couple things brands and advertisers can do:

  • Focus on collecting first-party data tied with an email address: this will help them with ad targeting and retargeting as they’ll be able to match their email lists with those collected by publishers via an ID resolution service like LiveRamp.
  • Establish closer relationships with publishers: by purchasing inventory from publishers directly (e.g. via direct deals) will make it easier for advertisers to reach their target audience.

How can AdTech companies still exist if targeting, measurement etc. is done in aggregation (not on a 1:1 basis like it is now) and controlled by Chrome?

Although ad targeting based on third-party cookies and data won’t work, targeting based on the first-party data will. But CPM prices will drop drastically as it will be much harder to consistently identify audiences across websites. 

Many linking fields like cookie IDs in cookie syncing won’t be available, meaning many ad network integrations, such as device graphs and DMP-DSP connections, will stop working. Every AdTech process that uses cookie IDs as a link for data exchange will stop working. 

Ads displayed in mobile apps will continue to work as they are served and measured via SDKs. 

One thing that differentiates one AdTech company from another is their cookie pool and ability to reach certain audiences. 

It’s hard to say what impact Privacy Sandbox will have on the business models of AdTech companies, but it looks like ad targeting, measurement, and possibly even auctions will all be controlled by the browser. This means AdTech companies will have access to the same data, resulting in less differentiation. 

If other major web browsers like Safari and Firefox adopt Privacy Sandbox, then it’s possible that ad targeting via first-party data will be somehow blocked or restricted. We’ve seen this happen with Safari’s ITP.

What percentage of ads are displayed in browsers and what percentage are in-app mobile ads (via SDKs)

According to reports from eMarketer, programmatic ad spend on display advertising in the USA reached $57 billion in 2019. Conversely, in-app ad spend in the USA for 2019 was around $77 billion.

Both display advertising in web browsers (either on desktops/laptops or smartphones) and in-app mobile advertising represent a significant portion of media budgets. 

Any negative change to how these industries operate, such as the end of third-party cookies, has serious consequences for all players involved.

Reading recommendation

Read our online book

The AdTech Book by Clearcode

Learn about the platforms, processes, and players that make up the digital advertising industry.

Mike Sweeney

Head of Marketing

“The AdTech Book is the result
of our many years of experience in designing and developing advertising and marketing technologies for clients.”

Find out how we can help you with your project

Schedule a call with us today and find out how we can help you with your AdTech or MarTech development project.