Yesterday Google published a blog post regarding its approach to web tracking once third-party cookies are phased out in Chrome. The post was the talk of the day all over Twitter and the mainstream press, and certain commentators even suggested that Google has pledged to stop selling ads based on individual web browsing (a monumental change, if one considers how Google pioneered the use of behavioral advertising). But is that so? Well, as is typically the case with Google’s blog posts, one needs to consider both what the post states and what it does not state.
In January 2020 Chrome engineer Justin Schuh announced Chrome will phase out support for third-party cookies in two years in order to increase web privacy. Third-party cookies are a fundamental building block in online advertising (if disabled, publisher revenue may drop up to 70% per the CMA), but they have sparked privacy concerns, since they make it technically possible to track users across sites. Google proposes to replace third-party cookies with a set of proposals known as the Privacy Sandbox. While they have the potential to increase user privacy, Google’s browser changes may have negative effects on competition – and this is why the CMA decided to launch an antitrust investigation earlier this year. [For a detailed analysis of the complex issues raised by the Privacy Sandbox, you may wish to have a look at a paper I wrote with Damien and Theano in late 2020]
The basic concept behind the Privacy Sandbox is that publishers, marketers, and ad tech vendors will no longer be able to track users across the web (which they may now do with the help of third-party cookies). Rather, tracking will be possible only at a cohort level (e.g., a user will be tracked only as part of a large group comprising thousands of other users). Tracking will be performed by the browser, which will expose only aggregate information to third parties.
While all this may sound good in theory, the actual technology to run this new type of advertising is still in development. Perhaps because of concerns that the Privacy Sandbox solutions may not be as effective as third-party cookies (or that they may end up favoring Google), other industry actors have tried to come up with alternatives to third-party cookies that would still enable user-level tracking, typically solutions based on (hashed) email addresses. In part, Google’s blog post yesterday was a response to these alternative solutions.
What Google stated in its blog post – and what it did not state
Google’s blog post makes the following key points:
First, Google disapproves of alternative, email-based solutions. In Google’s words, “We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment.” This statement is really nothing new, and was widely expected in industry circles.
- What Google does not state is whether it will also take concrete steps to prohibit email-based solutions, thus making Privacy Sandbox the de facto solution for advertising. While this is a real possibility (and remember, Chrome is working on a proposal called WebID whose precise purpose is to curb tracking based on email), it may not be so straightforward considering the antitrust scrutiny to which Google is subject.
Second, Google states that once third-party cookies are deprecated, it will not “build alternate identifiers to track individuals as they browse across the web, nor will [it] use them in [its] products.” Rather, its web products will be powered by the Privacy Sandbox APIs. Taken at face value, this means that for instance Google will not use its widespread first-party cookies (think of ubiquitous Google Analytics code) to track users across the web.
- What Google does not state is whether it will still use Chrome’s sign-in mode to track users across the web (which it currently does under certain conditions). In theory, it might consider that in this case it is the first party (since the user is logged in), and hence that there is no concern around cross-site tracking. A clarification would be necessary here.
- In addition, Google does not explain whether it will use the Privacy Sandbox solutions when it sells ads on its owned and operated properties like Search and YouTube – that is the real question. No one seems to really know the answer, but most commentators surmise that Google will not use the Privacy Sandbox solutions for its own properties. Google will continue tracking users across its services and commingling the data to create user profiles which it then offers to advertisers (this is basically how it has built an advertising empire). This would be in line with Google’s final point in yesterday’s blog post: it’s all in when it comes to “first-party” data (data each publisher collects on its users when they interact with its properties).
And here’s the problem: by focusing on first-party data, guess who’s going to win (or suffer the least compared to everybody else) when it comes to advertising? Those that have the largest scale, namely Google, and probably also Facebook or other smaller walled gardens.
Note that Google is not merely operating a handful of separate websites. Google operates more than 50 user-facing services, including some of the most popular services on the web across the world. In addition, by operating Google Search, Google is effectively able to follow users’ browsing activity beyond its properties; it knows what the user is looking for, and has full visibility into the search result the user clicks on. For users that primarily use Search to navigate to the publisher’s website, Google Search alone offers Google significant visibility into the user’s browsing history across the web.
P.S. Google’s rhetoric has consistently demonized third-party cookies and exalted first-party data. I am not defending third-party cookies, but we should not let this flashy rhetoric distract from the fact that privacy is no less harmed in walled garden environments like those operated by Google and Facebook, where user profiles are often woven around our real-world identities. Personally, I think that these environments can be much more dangerous when it comes to privacy. And what will the Privacy Sandbox do to improve privacy in such environments? Well, nothing. Read Paul Bannister’s insightful piece on the “tyranny” of the first-party here.