3rd-party cookie phase-out: "Now is the time to test APIs at scale and share performance insights"

From mid-2024, Chrome plans to gradually disable third-party cookies. In a comprehensive interview with Lidia Schneck, Strategic Partner Development Manager in Google's Privacy Partnerships Team, werbewoche.ch offers detailed insights and exclusive recommendations for advertisers, publishers and ad tech providers.

Lidia Schneck, Google in conversation with werbewoche.ch editor Beat C. Hürlimann

The reason for this exclusive conversation with Lidia Schneck is the launch of the Privacy Sandbox for the Web, whose Relevance & Measurement APIs have been publicly available since September 8. This article goes into more depth about the APIs discussed in the interview and once again reveals Google's reasons for launching the sandbox. In addition, various terms are clarified in the interview.

werbewoche.ch: Why did Google or Chrome decide to do away with third-party cookies, even though they were a successful business model?

Lidia Schneck: Chrome's decision is based on growing global user concerns about their online privacy, particularly how their activities are tracked across different websites and apps. In 2022, we conducted a global study that showed 80 percent of users are concerned about their online privacy and 85 percent want companies to invest in privacy-focused technologies. However, this is difficult when many web features rely on technologies such as third-party cookies and other cross-site tracking mechanisms that were not designed with a privacy focus in the first place.

Wouldn't it have been sufficient to obtain the consent of the users?

Providing settings options to control data usage is an important step in addressing user concerns about online privacy. However, this alone is not enough to address the challenge of limiting cross-site user tracking. We believe that user:ins don't need to understand complicated data usage policies across different websites and apps to keep their online activities private. Instead, we need to provide them with online experiences that are private by default, based on solutions that offer technical privacy protections.

How did the idea behind the Privacy Sandbox come about?

The idea behind the Privacy Sandbox was born out of the question of how users can take back control of their data by reducing cross-site tracking and better understanding and influencing how their data is used. The Privacy Sandbox is designed to be "private by default," meaning that Chrome ensures user data is protected at a technological level by storing potentially identifying user characteristics on the user's device (e.g., smartphone or laptop) and not sharing them with third parties. This prevents third parties, such as ad tech platforms, from gathering cross-site insights about individual users. Instead, this data remains with the users themselves, who can determine which advertising topics are relevant to them or from which websites they would like to receive suggested advertising.

In other words, information about areas of interest and remarketing lists are stored on the user's device and can be viewed via the Chrome settings. Among other things, the user can decide to block topic fields or ad suggestions from certain websites and thus delete all associated data. This means that the user has control over the use of his or her data and not third-party providers, who today register the user-related data on their own servers with the help of third-party cookies.

Lidia snail is Strategic Partner Development Manager Google. She works in the Privacy Partnerships Team at Google, and is responsible for the Privacy Sandbox APIs of Chrome and Android, among others, in the German-speaking countries. Previously, she spent several years in the Google Marketing Platform Team and the Google Ads Team advising advertisers on the optimal use of the technologies.

Lidia Schneck during the interview with werbewoche.ch at the Google premises in Zurich on Europaallee.

And how do I manage this as a user:in?

On the website privacysandbox.com anyone interested can learn about Chrome's initiative and learn more about the privacy-preserving functionality of the APIs. In Chrome, they can then choose their desired Settings make.

How can effective advertising still work if third-party cookies are eliminated?

This question is indeed on the minds of the advertising industry, as many use cases today still rely on third-party cookies - be it interest-based advertising, remarketing audience creation and targeting, or measuring campaign success including view-through conversions. Chrome has made the decision not to phase out third-party cookies without valid alternatives, and has therefore worked with the industry to develop more than 20 new technical solutions. The best known are the Topics API for interest-based advertising, Protected Audiences API for the creation of target groups as well as remarketing applications and Attribution Reporting API. These technologies allow interest-based ads to continue to be served in the Chrome browser and Android operating system, but without relying on cross-site identifiers like third-party cookies, which is a big step forward for users' online privacy.

Why did Chrome make this decision?

The decision to work with the industry to develop privacy-friendly alternatives is based on the realization that without alternative solutions, covert tracking methods such as fingerprinting would increase. Fingerprinting does not allow users to retain control over their data or adjust settings. Changes that impact the industry as a whole - whether introducing new technologies or eliminating existing ones - must also be done openly. It is also in the interest of the advertising industry to have valid alternatives. Therefore, the Privacy Sandbox initiative is being done in a very open and collaborative way. The aforementioned APIs have been developed with industry feedback to ensure that effective digital advertising can continue after the elimination of third-party cookies, while maintaining privacy at the technical level. Chrome believes that privacy and performance can coexist, and that digital advertising can meet these demands by relying on purpose-built APIs instead of cross-site identifiers. This also aims to preserve an open web, where online content and services remain accessible to all.

What is "fingerprinting"?

"Fingerprinting is a covert method of tracking in which the user has no means of control. In fingerprinting, various characteristics of a user's hardware, software and network configuration are collected, analyzed and enriched with additional data points. These characteristics cannot simply be reset by the user. Therefore, fingerprinting is even more problematic than third-party cookies from the user's point of view. Chrome is opposed to fingerprinting and is therefore investing in alternative technologies to provide better options to the market and avoid the use of such user-unfriendly methods.

Now, can I ask you to explain the term API in this context?

You're welcome. In this context, "API" stands for Application Programming Interface, which is something like an interface or access point that ad tech providers, advertisers or publishers can use to retrieve certain information. The important thing about Privacy Sandbox APIs is that they protect the user's identity and keep data collection to a minimum. Using the Protected Audience API as an example, this means that only the data that is really needed for an advertising auction is made available in protected auction environments. Here, it is no longer possible for third parties to gain insights at the user level, as is the case with third-party cookies. These APIs act as a shield for the user, so to speak. Further details can be found in the recently published article "How Privacy Sandbox raises the bar for ads privacy".

Privacy Sandbox APIs are supposed to act like shields for users' data. (Image: Google | Privacysandbox.com)

What does the move away from third-party cookies in Chrome mean for publishers and advertisers?

A distinction can be made between advertising APIs and APIs that go beyond them. In the case of advertising APIs, such as Topics, Protected Audience or Attribution Reporting, the technical implementation is not the responsibility of the publishers or advertisers, but of their ad tech platforms. These platforms integrate the APIs as additional building blocks into their existing products to cover use cases that were previously based on third-party cookies. These technology providers then make their products available to publishers and advertisers using the advertising APIs.

And APIs that go beyond advertising, as you just mentioned?

In contrast, there are other APIs, such as CHIPS or Related Website Sets, that are relevant to in-house development teams and that are included in our Guide for website owners will be described in more detail. In it, we recommend that publishers and advertisers examine their websites for third-party cookies and find out which functionalities depend on them. Based on the identified use cases, they can then consider the use of privacy sandbox APIs or alternative methods. Regarding third-party cookies set by embedded third-party services on their domains, publishers and advertisers should contact these third parties to ensure that their services are changed in time to work without third-party cookies. It is advisable to address this today in order to be well prepared for the planned elimination of third-party cookies in the second half of 2024.

From the "Guide for website operators

How should publishers and advertisers deal with ad tech providers in light of these changes?

Again, my recommendation for publishers and advertisers is to contact their existing ad tech platforms and ask about their planning regarding the Privacy Sandbox initiative. This will help them better understand how ad tech providers are preparing to operate without third-party cookies and keep them informed about testing opportunities.

In addition, there is a GitHub for Topics, Protected Audience and Attribution Reporting Lists of so-called API testers. Here, some of the dedicated ad tech platforms have registered publicly and provide information about which part of their business they are testing or planning to test with, be it DSP, SSP or both, as well as how to contact them.

This means that even if the existing ad tech vendors you work with don't have testing opportunities planned yet, there is an opportunity to find companies that are excited about early adopters to participate in performance testing. This applies to both publishers and advertisers.

Are there performance insights already available from various industry vendors that give an idea of how successful these APIs are for effective digital advertising?

Within the framework of the Origin Trials the Relevance & Measurement APIs were initially rolled out to only 6 percent of Chrome browsers to allow early adopters to perform initial functionality tests. This phase was primarily to test and optimize the basic functionality of the APIs. Now that the Relevance & Measurement APIs are available to all Chrome users, the scaled testing phase begins. This means ad tech vendors can now apply these APIs to live traffic, and this will lead to versatile performance insights from the industry throughout the first half of 2024. To help companies run scaled testing, Chrome will offer two Test modes provide, with the first test mode A starting as early as the fourth quarter of 2023.

Who are these test modes for?

These test modes are primarily intended for developers. In the context of Mode A they will have the ability to use labels to simulate the removal of 3P cookies in Chrome for a configurable portion of their traffic. Chrome will provide labels for up to 9 percent of Chrome users, allowing developers to define consistent control and experiment groups. This will allow them to gain insights into the performance of the Advertising APIs compared to situations without third-party cookies. Providing this optional simulation capability to run tests on a higher volume of cookieless traffic comes in response to feedback from the market; some ad tech vendors have explicitly requested this capability.

What are the next steps?

In the first quarter of 2024, Chrome will be part of Mode B globally eliminate third-party cookies for 1 percent of Chrome users. This deactivation is random and serves to best prepare the industry for the elimination of third-party cookies in Chrome, as there will then be a significant number of instances without third-party cookies worldwide. Among other things, this will allow ad tech vendors to conduct real-world tests and optimize their products for the time without third-party cookies. These two testing modes are expected to remain available in parallel until Chrome, in collaboration with the UK Competition and Markets Authority, which is overseeing this process, plans to begin eliminating third-party cookies in the second half of 2024.

So is it fair to say that from the second half of 2024, things will then move forward quickly?

Yes, from then on, third-party cookies are to be phased out in Chrome. Advertisers and publishers should definitely be ready from mid-2024. Therefore, now is the right time to deal with this upcoming change and prepare. Ad tech vendors can do this regarding Advertising APIs, while publishers and advertisers should take stock of the third-party cookies on their domains, contact their third-party vendors, and consider for themselves the use of the Non-Ads APIs I described earlier. The goal is to ensure that the user experience does not suffer, but remains pleasant and functional, by all preparing in time and using the relevant privacy sandbox APIs to migrate their use cases from third-party cookies before they are completely eliminated.

Are there alternatives to the Privacy Sandbox APIs?

While there are many alternative solutions, some of them are still based on user-level tracking, whereas Privacy Sandbox APIs are not. Our APIs protect privacy through various technical approaches, such as data aggregation, data noise, and processing of sensitive data on the end device or in special trusted execution environments in the cloud. For this reason, the Privacy Sandbox APIs significantly improve privacy compared to third-party cookies and other cross-site tracking methods such as fingerprinting and PII-based identifiers. The Privacy Sandbox APIs therefore provide a durable foundation on which the ecosystem can build, further strengthening privacy and industry capabilities over time.

How do we ensure that ad tech vendors, publishers, and advertisers have the necessary expertise to migrate their use cases from third-party cookies to the privacy-preserving APIs? What information does Chrome provide and where?

There are different sources of information for different stakeholders. At privacysandbox.com introductory information on the initiative can be found, including a tab for News and updateswhere all big news are communicated. I recommend interested people to register there with their e-mail address to be automatically notified about updates. Developers can register on developer.chrome.com or developer.android.com to get familiar with the technical details of the APIs. There they will also find links to the more in-depth technical explanations and discussions on GitHub, where feedback is always welcome. In addition, developers have the opportunity to register for the individual API announcement groups.

Excerpt of the companies participating in the Privacy Sandbox (as of September 18, 2023)

Are the Privacy Sandbox APIs equally usable by everyone?

Yes, the Privacy Sandbox works the same for everyone. This means all publishers, advertisers and ad tech platforms, including Google platforms, have the same access to data and functionality via the Privacy Sandbox. This is a fundamental principle of this open initiative, which is accompanied by the UK Competition and Markets Authority to ensure that the APIs work equally for the entire industry and that there is no favoritism towards Google platforms.

How can the industry best share its feedback?

We encourage all market participants to share their questions, feedback and insights publicly on GitHub. The links to do so are in the Developer Documentation mentioned earlier. This is the only way we can encourage public discussion, validate APIs in terms of their performance impact, and ensure they meet the performance needs of the market. The GitHub contributions are read and moderated by the Chrome product team, which means that submitted feedback can thus be evaluated directly.

Another way to get actively involved are the W3C callswhich take place regularly on the APIs. Here, everyone is welcome to participate, share ideas and ask conceptual questions about the technical implementation. Representatives from the product team are also present and welcome any concrete, practical suggestions from the industry.

How strong is the interest in Sandbox APIs in German-speaking countries so far, perhaps also specifically in Switzerland? Who is testing, who is participating in the discussion? Is that a lively discussion or would you make a call there now to participate more?

A call for active participation is definitely never wrong! Now is the right time to use the two testing modes to test and help shape how the APIs work at scale. The Privacy Sandbox Initiative has been around for several years, and everyone has had - and continues to have - the opportunity to provide feedback. We are very grateful for the feedback we've received so far from engaged ad tech providers, publishers, and advertisers, as it has significantly influenced the functionalities with which the APIs are now generally available. Therefore, anyone who does not take advantage of this opportunity to contribute is giving away the chance to actively shape the future without third-party cookies.

Do you have any idea how many ad tech providers are involved, what percentage of the ad traffic goes through those ad tech providers?

The website privacysandbox.com and the API-specific tester lists on GitHub list some of the companies that are actively involved in the initiative. They include widespread and globally used ad tech providers that are also highly relevant for the Swiss market. This means that Swiss publishers and advertisers will also have testing opportunities. If you want to participate early, it's worth asking about it.

And how does Chrome see the global framework for the initiative?

Regulatory privacy requirements vary around the world, but the overall trend is towards better protection of users' online privacy. We see this as an endorsement of the Privacy Sandbox Initiative, as it aims to develop fundamentally new technologies to ensure privacy for users at a technical level and to curb covert cross-site and cross-app tracking mechanisms. To this end, long-standing processes based on third-party cookies are being redesigned in an industry-wide initiative. Initial functional testing has successfully demonstrated that the APIs can be used to map key industry use cases without compromising user privacy. We look forward to working with the industry to take the next steps toward a fundamentally more private Internet.

Lidia Schneck, thank you very much for the detailed explanations as well as the related recommendations to our esteemed readership.

More articles on the topic