Jump to content

The Privacy Sandbox

How Privacy Sandbox raises the bar for ads privacy

Aug 15, 2023

Victor Wong's picture

Victor Wong

Senior Director of Product Management, Privacy Sandbox

An image of web ads and a web browser with a lock in the center that represents privacy technology enhancements.

Useful ads that don’t need your identity

The Privacy Sandbox initiative is focused on keeping people's activity private across an open and free internet. Publishers rely on ads to keep content as free and broadly available as possible. Advertisers help people discover new products or offers they may want. We're shipping new features in Chrome and Android that enable websites and apps to show people useful ads based on their activity with different parties, without revealing the user's identity to those parties.

The Privacy Sandbox APIs use privacy-preserving technologies to enhance the privacy and safety of data used to personalize and measure ads. These APIs make it possible for advertisers and publishers to show relevant ads without sharing the user's identity with third parties. As a result, the Privacy Sandbox provides people who are enjoying ad-supported content and services a higher level of privacy compared to third-party cookies and other user identifiers like hashed email addresses.

The Privacy Sandbox’s privacy-preserving APIs shield the identity of the user and restrict the amount of available data, while enabling key advertising use cases. Here’s how:

Hiding Identity: Most digital ads today rely on exchanging user identifiers between parties, which allows for easy re-identification of a user across different apps and websites. In contrast, the Privacy Sandbox platform does not provide a cross-site or cross-app user identifier. Instead, it aggregates, limits, or noises data provided to advertisers to prevent user re-identification. For example:

  • Protected Audience stores limited browsing history on the device. Ad tech providers can only make use of this restricted data inside an isolated process in a limited way for serving ads. As a result, ad tech providers aren’t entrusted with detailed browsing history data that they historically accumulated on their servers and could potentially use to identify a given user's activities across sites.

  • Topics generates a handful of a user's ad topics based on the coarse data of participating websites’ hostnames and a relatively small taxonomy of potential user interests. To improve privacy, random interests are at times mixed in. As a result Topics makes it much harder to accumulate sufficient data that might identify the user across different webpages and apps.

  • Attribution Reporting injects noise and adds timing delays to further reduce the potential for connecting user-level activity across sites. These safeguards prevent many re-identification attacks that are possible today with user identifiers, even if they are hashed and encrypted.

Minimizing Data Collection: Without a user identifier to track an individual’s activity across sites and apps, third-parties such as ad tech providers and data brokers are limited in their ability to build cross-context profiles on individuals, unlike what’s possible today with third-party cookies. In addition, the Privacy Sandbox limits the amount of cross-site information that can be learned about a user at a given time, which curtails the potential of large-scale data collection that exists today. For instance:

  • Protected Audience restricts which parties receive data about each ad impression. With this API, the winner of the protected auction receives back limited event-level data. In contrast, today’s real-time bidding ad auctions can share unlimited data with multiple parties. These parties may observe the ad auctions, profile users across impressions being auctioned, and use those profiles elsewhere for any number of purposes.

  • Topics limits ad tech providers to collect a small number of topics per week based on overall browsing history. In contrast, with third-party cookies and other cross-site or cross-app user identifiers, ad tech providers can collect detailed information about the sites a user visits.

  • Attribution Reporting enforces a limit on the amount of publisher and advertiser data that can be connected for event-level reporting. In addition, for aggregate reports, the API limits the number of dimensions that can be measured and caps the amount of conversion information recorded. In contrast, today’s user identifier-based measurement solutions enable effectively unbounded data collection, including detailed information about an individual user’s cross-site and cross-app activity.

Greater accountability for ad tech and better controls for people

The Privacy Sandbox makes ad tech providers more accountable for data practices and puts people in greater control of their cross-site and cross-app activity data. Here’s how:

Greater Accountability: Requiring registration of ad tech companies using these APIs provides new public visibility into advertising practices.

  • The attestations that will be required on their public websites also provide new clear representation and commitments for how ad tech will use the Privacy Sandbox APIs. Previously, there was no uniform standard on what ad tech providers could use third-party cookies for, including re-identification of users across sites and cross-site profile building.

Better Control: People can easily select — with simple settings — what cross-site or cross-app activity data can be used for ads relevancy and measurement.

  • Users can easily configure how Privacy Sandbox works for them. This includes the ability to view and block the topics that sites can use to personalize ads.  Users can also view and block the websites / apps they'd like to see ads from, based on having visited them previously.

  • In comparison, managing your ads privacy with third-party cookies involves either sorting through scores of cookie domains of often unrecognizable tech providers, or blocking all such cookies, which can inadvertently affect non-ads use cases like keeping you logged into websites.

  • And users have even less control when ad tech providers use permanent and immutable identifiers, like those derived based on device fingerprinting, since there's no central place for users to manage those.

This is only the beginning

We are committed to building browsers and operating systems that respect privacy while keeping them useful for everyone. We continue to work closely with the CMA to ensure that our work complies with Google’s Commitments to the CMA as we work toward the planned deprecation of third-party cookies in 2H 2024. In addition, we also continue to consult closely with privacy regulators, including the ICO, to ensure that the Privacy Sandbox APIs offer robust protections for users and comply with applicable legal requirements.

Moving from third-party cookies to these more private solutions is just the start of our vision for a more private internetWe plan to continue innovating and adding new protections for users over time.

We're committed to partnering with the industry to develop solutions that keep people's activity private across a free and open internet. To learn about the technologies that make up the Privacy Sandbox, our Learning Hub is a great place to start. We also have an ongoing video series covering the Privacy Sandbox journey, outlook, and APIs.

Tags: