I might have to rename our Data Privacy Roundup newsletter as the “Privacy Sandbox Bulletin.”
First, the UK’s CMA announced on Friday that it’s begun the process of releasing Google from its Privacy Sandbox commitments, which aren’t considered necessary anymore now that Google isn’t deprecating third-party cookies in Chrome. We’ve got the full story here.
And just last week, we covered new academic research that found the number of sites making Topics API calls was essentially flat between September 2024 and April of this year at roughly 29%.
Meaning, Privacy Sandbox adoption was, is – and will probably remain – tepid.
But the initiative isn’t dead, and the Sandbox team is apparently noodling some new stuff.
On Thursday, Google released a proposal for a Chrome feature called script blocking as part of a broader effort to mitigate API misuse for broader reidentification.
Put more simply, it’s a feature to prevent fingerprinting workarounds in Incognito mode.
Flipping the scripts
But wait … wasn’t it just earlier this year that Google lifted its longstanding prohibition against device fingerprinting for companies using its advertising products?
Yes, it did, and this is unrelated.
The script blocking feature is specifically to stop sites from using fingerprinting to identify people who are trying to browse privately.
Not that Incognito is fully private, despite the expectation that it is.
Last year, Google settled a class-action lawsuit for tracking users while they were in Incognito mode. Google admitted no wrongdoing but said it would delete billions of user records and update its disclosures to clarify that it’s still possible to track users in private browsing mode on Chrome.
(For what it’s worth, there’s no chance for monetary relief in this case. On Monday, a US district court judge ruled that users can’t sue Google as a group for damages. If they want to do so individually, though, they can.)
Settlement aside, Google can still track some user activity in Incognito mode, including IP address and logged-in activity. The idea with the new script blocking feature is to crack down on third-party weirdness.
Some third parties use sneaky methods that misuse APIs to gather extra details about a browser and/or device that can be combined to reidentify someone, even in Incognito mode.
To combat that, Chrome developed a method for spotting scripts that routinely harvest too much information. Chrome adds the sites that use these misbehaving tracking scripts to a blocklist.
For all your GitHub heads out there, click here for a more technical explanation of how it all works.
No peeking
For now, script blocking in Incognito in Chrome is just a proposal, and Google says it’s seeking feedback from the ecosystem.
The feature will eventually be available in Chrome’s Incognito mode on Android and desktop. It’ll be on by default, and users will be able to disable it if they want to.
But it’s worth noting that script blocking will only apply to scripts served from what Google refers to as “a third-party context,” as in scripts loaded by a third-party domain. First-party scripts won’t get blocked.
According to Google, it’ll do its best to deduce which scripts should be considered first party, but there’s an appeals process for domain owners who believe they’ve been added to the blocklist by mistake.
Google didn’t share a timeline, but I’d imagine script blocking for Incognito will get released around the same time as IP Protection, the other privacy feature the Sandbox folks are working on.
IP Protection, which prevents advertisers and publishers from tracking a user’s IP address by routing traffic through a proxy, is set to launch in Q3.
I’m sensing a theme here.
With third-party cookies sticking around – and the Privacy Sandbox scaling back its broader ambitions – the team seems to be concentrating on features for private browsing.
So please forgive me for this bit of snark, but I can’t help myself: Considering how adoption is going, maybe the Privacy Sandbox is in Incognito mode itself. ¯\_(ツ)_/¯
🙏 Thanks for reading! As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback. And happy Friday the 13th to those who celebrate. 🐈⬛ Oh, and see you in Cannes if you’re heading out there!
