In killing covert tracking and the third party cookie, what else does your business need to know about Google’s plans?
You can't have missed most of the recent industry headlines about cookies being crumbled, cut or killed. The January 2020 announcement from the Google Chrome team was pretty unambiguous - they plan to phase out third party cookies within two years. Safari and Firefox have effectively been doing this for a while but when Chrome, with its two-thirds domination of browser market share, calls last orders it's pretty hard to ignore. About time too, you're probably saying. A not insignificant proportion of adtech still relies, at least to some degree, on a twenty five year old text file format. If your fintech unicorn relied on cheques or postal orders there'd be some uncomfortable questions to answer…
But, maybe just as interesting as what's going to be removed from Chrome is how it's being removed. And what's being added, in particular the Privacy Sandbox initiative: "...a set of open standards to fundamentally enhance privacy on the web" whilst sustaining an advertising supported model. At this stage, these are all just proposals or explainers - there's no code to actually play with, so this is all pretty speculative. But when did a lack of concrete detail ever stop wild speculation when it comes to tech?
The Devil is in the Detail
Sometimes you need to get the magnifying glass out to help make sense of the bigger picture. The Chrome team’s proposals are pretty low-level, browser-specific stuff, referring to Application Programming Interfaces (APIs) and the like all over the place. An API is just a way for one bit of software to communicate with another bit of software in a defined way… the Google Maps API allows your website to include a map; the Twitter API might let you automate a tweet, and so on. In this case, it’s the general direction of travel that the detail of those APIs in the proposals hint at which is interesting.
So, the Privacy Sandbox appears to be a proposal for a collection of new Application Programming Interfaces concerned primarily with, well er, advertising rather than privacy. Albeit in a more secure or privacy enhancing way. There's a few different parts to the proposal, all with crazy Google-esque codenames - get ready for some fun new phrases to impress your friends with...
TURTLEDOVE and the Federated Learning of Cohorts use Google's machine learning muscle to analyse users’ anonymised browsing intentions and store a user’s interests, that an advertiser might like to use to target ads, in the user's browser - rather than with the advertiser or another third party.
The Trust Token API helps ensure that it's real, live humans doing the things we think, or at least hope, that they're doing on websites and not some ad-fraud committing spambot. A sort of invisible ‘I am not a robot’ checkbox for ads.
And to help mitigate covert tracking and fingerprinting the Privacy Budget API throttles the amount of potentially identifying information that a website can query from a user's browser by giving each website a limited 'budget' to spend on API requests. ‘Budget’ is a really interesting choice of name for an API here. It sounds like something from the Google AdWords API. Budgets can go up or down but generally, the deeper your pockets, the bigger your budgets. If Google is determining a site's Privacy Budget, what criteria might that be based on? I could hazard a guess… and it wouldn’t come as a complete surprise if Google decided that some sites might get a higher budget than others - sites that play by Google's Accelerated Mobile Pages rules, just for instance.
Brands and website owners will need to keep on top of how the Privacy Budget plays out as these proposals are refined over the next year or two. Browser APIs such as Device Orientation have been used for fingerprinting as they expose little details which, when combined with other little details, can theoretically be used to track users - but they're also pretty necessary for building modern web applications. If your web app's experience requires access to your user's mobile device's orientation then you might need to use that Device Orientation API pretty extensively to provide that functionality and a Privacy Budget imposed limit might affect the experience of using that app. Google acknowledges that some sites and web apps will need to query these APIs, to legitimately provide their functionality, more than others might.
The Bigger Picture
Like The Nazca Lines you sometimes need to get up pretty high to see the bigger picture. This probably all leads towards a Google identifier, based on what Google knows from its ecosystem about its users and to be leveraged by Google's advertising customers, to replace the current various ragtag third party cookie ID solutions. But, more importantly it also looks a little like the start to embedding advertising, or at least a bunch of APIs that would be pretty useful to an online advertiser, directly into the browser itself.
If users get better privacy, even if it’s as a side-effect to something else, then that's great. If these proposals help to reduce some of the shadier practices that have been used to track, identify and retarget users then that's great too. But a key indicator for brands will be if the other browser manufacturers start to show intent to support the Privacy Sandbox particularly with the sneaking suspicion that it might just be stacking the deck in favour of Google's existing advertising business.
3 Key Takeaways
1. The risk and knock-on effect when underlying browser APIs change needs to be considered. Will Trust Token, The Privacy Budget or any of the other proposed Privacy Sandbox changes affect the UX or implementation of existing web apps?
2. Google has got previous in making changes to Chrome which, intentionally or otherwise, benefit its advertising business. These Privacy Sandbox proposals are reminiscent of 2019’s proposed, also privacy-focused changes to Chrome Extensions which had the effect of blunting ad-blockers
3. If Chrome starts to get APIs that are primarily focused on advertising related activity, are ads becoming ‘first-class citizens’ in the browser?