Privacy Sandbox: Separating Fact from Fiction

Third-party cookie deprecation (3PCD) in Chrome — the final step into the so-called “cookieless future” — is all but upon us. Google deprecated 3PCs for 1% of Chrome users in January 2024, but many organizations are still confused about what they can do to prepare for the post-3PC world. The industry has been talking about 3PCD in Chrome for over four years at this point, and many organizations now understand that key pillars like media targeting and attribution are going to be disrupted. However, information available to advertisers remains sparse, vague, or requires a tech translator when attempting to use resources like the Privacy Sandbox developer blogs.

To help organizations better understand the Privacy Sandbox and how to prepare to utilize it, I spoke with Corey Blenkarn, our Director of Digital Transformation here at Merkle | Cardinal Path to help dispel fact from fiction — and to help organizations understand specific steps they can be taking now to prepare for 3PCD.

Nick Iyengar: Is Chrome still on-track to phase out 3PCs in the second half of 2024?

Credit: Google

Corey Blenkarn: That is the plan, but sticking to this timeline depends on multiple factors like approval from the CMA (Competition and Markets Authority) in the UK, as well as successful implementation of technologies such as the Privacy Sandbox. Having said that, the plan for now is to gradually phase out third-party cookies beginning in Q3 of this year. It’s worth noting that this timeline is updated monthly by the Chrome team on the Privacy Sandbox website.

Glad you brought the CMA up. This week Google received significant critiques of the Privacy Sandbox from both the CMA and the IAB (Interactive Advertising Bureau). How do you think that affects Chrome’s timeline?

The IAB and CMA are both worried that the Sandbox doesn’t support enough digital advertising use cases, and could negatively impact the industry by potentially driving revenue to the walled gardens, including Google itself.

On the one hand, it’s great to have these industry bodies holding Google accountable, but on the other, it causes advertisers to continue to wonder whether cookie deprecation is going to happen at all, which is not a place we want to be in. The delays have gone on long enough, and every business needs to come to terms that this is going to happen. 

Regarding the CMA ruling more specifically, to date, Google has followed the CMA’s required process, and is engaging with the CMA to resolve their remaining concerns. So, do I think this is a case where advertisers should slam on the brakes and change strategy because cookies are here to stay? No. This is just another bump in the road towards the evolution of a more privacy-safe ecosystem.

Advertisers increasingly understand that media targeting and attribution are going to change as a result of 3PCD. But for all the ink that’s been spilled about the “cookieless future,” many still struggle to understand specific action items that can help them prepare. Can you talk about what “testing the Privacy Sandbox” looks like in practice?

There’s a lot of confusion about this, with a lot of voices telling advertisers to “test the Privacy Sandbox” as a way of preparing for 3PCD. The truth is that the Privacy Sandbox is an infrastructure change in the back end for these adtech platforms, and not a front end element that can be tested by individual advertisers. In other words, advertisers opening their instances of DV360 or Google Ads or Campaign Manager will not see new “TOPICS” targeting capabilities or Attribution Reporting API functions within the platform.

Instead, the back end infrastructure powering in-market audiences, affinity audiences, etc. is changing from being third-party cookie based to the TOPICS API. As a result, the idea of advertisers “testing” the sandbox is not a practical reality for now. “Testing the sandbox” is referring specifically to adtech vendors who are looking to implement the APIs into their platforms.

So if advertisers can’t actually test the Privacy Sandbox for themselves, what can they do to prepare for 3PCD?

Where do I start? The number one thing that all businesses need to do is understand where they are exposed to third-party cookies, whether that is on the targeting, measurement, or experience side. Ask themselves, which use cases are going to be impacted? We see that organizations who have done that assessment of where they’re vulnerable are much better-equipped to move forward constructively than those that don’t yet have a clear idea about where they’re going to feel the impact.

With those use cases as a guide, organizations can then draft a plan on how data, targeting, and measurement strategies will need to evolve to address them. Google’s Privacy Sandbox will be only one component for many organizations, and it’s important to address this holistically — which is easier said than done, for sure. This is a big focus area for my team. We help clients to identify those use cases, build new data strategies and implement new cookieless technologies, and ultimately build a digital marketing transformation strategy needed to adapt to this new way of doing business.

OK, that gives advertisers a lot to work on over the next few months. So when should we expect to see more Privacy Sandbox features available in Google’s ad platforms?

As far as we know, it is expected to happen in Q3, but we do not have any more details on that. Also, it is worth reiterating that these features/APIs are not available via the DV/CM front ends. In other words, they aren’t features that advertisers interact with via their DV/CM accounts. Instead, they are pure back-end infrastructure solutions that will power features/tools you use via the front end.

Alright, getting a bit more tactical as we close out this interview. What do I need to do to enable remarketing post-3PCD, and which browsers/publishers will I be able to use for remarketing?

Right now, there are three proposed cookieless remarketing solutions: PAIR (Publisher Advertiser Identity Reconciliation), Protected Audiences, and Customer Match. Today, businesses can already leverage Customer Match across all browsers/OS. PAIR is available on all browsers, but limited to those publishers that have opted into the program. Lastly, the Privacy Sandbox’s solution called Protected Audiences API (PAAPI) is the new solution on the block, and it’s still being implemented. For now it’s looking like it will work just on Chrome, until more browsers integrate the API.

Last question for now: how are these tactics going to be measured if 3PCs no longer exist?

The Attribution and Reporting API (ARA) is the Privacy Sandbox’s solution for conversion measurement. It will be what powers conversion reporting within DV and CM, and will work across Google’s O&O and non-O&O. Digging into the ARA is probably a topic for its own interview, though — so let’s follow up with more detail on that soon.

This interview has been lightly edited and condensed.