The IAB published a clinical yet critical analysis of Google’s Privacy Sandbox two weeks ago. In its report, the IAB determines that Google’s suite of advertising targeting and measurement tools – built to replace the use of third-party cookies in Chrome, which Google plans to deprecate in the second half of this year – do not accommodate most existing advertising use cases, of which the trade group identifies 45. From the piece:
In its current form, the Privacy Sandbox may limit the industry’s ability to deliver relevant, effective advertising, placing smaller media companies and brands at a significant competitive disadvantage. The stringent requirements could throttle their ability to compete, ultimately impacting the industry’s growth.
The IAB may be missing the point. Of course the Privacy Sandbox is not a perfect functional replacement for the advertising identifiers that Google is sunsetting. The Privacy Sandbox provides tools that facilitate a very specific set of advertising targeting and measurement objectives – the ones that Google, implicitly, deems acceptable. In this way, the Privacy Sandbox represents not just tools to replace the use cases that were previously accomplished with cookies and other identifiers, but a circumscription of acceptable use cases altogether.
IP Protection, for instance, is a Privacy Sandbox tool that is completely unrelated to cookie deprecation. The availability of the IP Protection tool will coincide with Google’s introduction of a device setting that allows users to hide their IP addresses from known trackers. IP-address-based tracking is clearly a use case that Google wants to eliminate, not preserve with privacy-centric tools.
What is Google’s underlying motivation in deprecating third-party cookies in Chrome? Suspicion is warranted. Google’s mission statement for its Privacy Sandbox initiative is to “Protect [user] privacy online,” across its Chrome browser and its Android operating system (Google intends to deprecate its GAID Android identifier at some point). Cookies, unquestionably, present severe data leakage risks to consumers: they allow anonymous services to observe the web activities of users with little preventative recourse. But as I point out in this piece, “privacy” is an abstract social concept, and firms – but especially multi-trillion dollar market leaders – don’t make dramatic, sweeping policy changes absent commercial benefit. Believing that a company would utterly reform the mechanics of digital advertising solely in service of increased user privacy is as absurd as believing that two firms would engage in a merger as an expression of friendship. To not assume a commercial motive in cookie deprecation is naive.
Apple’s App Tracking Transparency (ATT) privacy policy is an apt example of this. Apple launched an international PR campaign championing the privacy safeguards of the iPhone following its introduction of ATT in April 2021. Yet as I point out in this piece, Apple collects and utilizes consumer data in the ways that ATT was ostensibly designed to prevent. Apple positions its use of install and purchase data collected via consumer engagement in apps that it doesn’t own as “ads personalization” and not “tracking.” Apple claims first-party privileges over this consumer data because Apple exerts (and is stridently maintaining a firm grip on) control over iOS payments, giving it exclusive, proprietary access to that data. And in a court filing from December 2023, Apple had the following to say about the logical contortions of its privacy policies (all emphasis from the document):
The Allow Apps to Request to Track setting governs whether apps can ask to track users across apps or websites owned by other companies, as Apple’s descriptions of the setting consistently make clear … Plaintiffs also include a screen shot of the Tracking disclosure, which explains that Apple “requires app developers to ask for permission before they track your activity across Apps or websites they don’t own.” … Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple.
This isn’t to say that Google and Apple don’t employ well-meaning, intelligent, and highly effective people whose efforts are centered on promoting their conceptions of digital privacy. But digital privacy initiatives from publicly traded, multi-trillion-dollar corporations must be viewed in a broader commercial context.
The UK’s Competition and Markets Authority (CMA) agrees that corporate talking points may not perfectly capture commercial intent. The CMA has stated that the deprecation of cookies could “cause online advertising spending to become even more concentrated on Google.” And the CMA has entered into a legally binding agreement with Google that provides the competition authority full transparency into the development of the Privacy Sandbox tools, with regular performance tests mandated. Earlier this month, the CMA determined that Google “cannot proceed with third-party cookie deprecation” until its remaining concerns are addressed. Google began a limited, 1% rollout in January 2024 that is currently planned to be expanded to all users in Q3 of this year.
So given that Google must have a commercial motivation in deprecating cookies, what is it? The most obvious is simply margin expansion: Google’s network business, which serves ads on third-party websites and apps, will almost certainly suffer if the Privacy Sandbox is less effective for targeting and measurement than cookies (and early indicators suggest it is). If the economics of buying third-party open web inventory through Google’s tools degrades, some of that demand may simply be routed to Google’s owned-and-operated channels. And these channels feature much higher margin for Google than its Network business: Bernstein estimated in December 2022 that Google’s margin on Network revenue is 10%, while it’s 15% for YouTube and 55% for Search. As I argue in this piece, because advertising budgets are deployed against absolute performance, Google will likely lose some degree of top-line revenue if its Network business unit declines. But Google doesn’t need to shift all of the revenue from Network to these channels to maintain its current bottom line given the margin differentials: $1BN in Network revenue produces the same margin as $181MM in Search revenue.
Google’s Network business is in a consistent state of quarterly decline. It’s also the subject of the Department of Justice’s antitrust lawsuit against the company, which could result in its divestment. It’s tempting to impute an unrealistic amount of coordination here: Google is not a monolith but a confederation of fiefdoms that don’t necessarily interface effectively and may pursue competing objectives (as court documents in the DoJ suit confirm). But equally unrealistic in Google’s deprecation of third-party cookies in Chrome is wholly charitable intent that bestows no commercial benefit, especially given the pressures on Google’s Network business and the margin expansion opportunity with its owned-and-operated channels.
