In T.S. Eliot’s poem “The Hollow Men,” he writes:
“This is the way the world ends
Not with a bang but a whimper.”
Well, the same could be said of Google’s Privacy Sandbox.
Nearly five years after wading into the quagmire, the UK’s Competition and Markets Authority quietly announced on Friday that it’s officially releasing Google from its Sandbox-related commitments.
Simultaneously, Google announced that it’s “decided to retire” a whole pile of Privacy Sandbox technologies, including (and strap in): the attribution reporting API on both Chrome and Android; IP protection; on-device personalization; private aggregation (including shared storage); the Protected Audience API on Chrome and Android (bye, bye PAAPI!); protected app signals; related website sets (including requestStorageAccessFor and related website partition); SDK runtime; and, finally, topics on Chrome and Android.
Google will follow up with more info on the phaseout process later, as per a brief blog post by Anthony Chavez, VP of what’s left of Privacy Sandbox.
Sandbox scraps
What is left in the Sandbox?
Just a few crumbs, really.
Google will maintain CHIPS (which stands, a little torturedly, for “Cookies Having Independent Partitioned State”), a feature that lets websites store cookies separately for each site a user visits so third-party services can’t track users across sites.
It’s also keeping FedCM, a browser-based system that lets users sign into websites privately and securely without relying on third-party cookies. And also sticking around: private state tokens, which are encrypted “trust tokens” that websites can use to stop fraud without having to track someone’s identity.
Both CHIPS and FedCM have seen broad adoption, according to Chavez.
Separately, Google will support a proposal for Attribution, an interoperable browser AI for ad attribution without cross-site tracking. (“Attribution” is the newish name for the Privacy-Preserving Attribution API.)
Despite retiring the attribution reporting API, Google said it plans to repurpose the feedback it got from companies while it was developing that tool and use it to help inform the ongoing development of Attribution within the Private Advertising Technology Working Group within the W3C.
Farewell, My Sandbox
It’s not surprising that the Privacy Sandbox is scaling back its ambitions. After years of delay, drama, tepid industry adoption and shifting regulatory demands, the writing was on the wall.
When Google finally fully abandoned its deprecation plans last year, it was only inevitable that the CMA would begin to step back and eventually exit stage left.
It’s been a journey, though.
In early 2021, the CMA first started looking into potential competition concerns related to Google’s now-defunct plan to deprecate third-party cookies in Chrome.
Specifically, the CMA was probing whether removing third-party cookies would give Google’s own ad products – Ad Manager and DV360 – an unfair advantage over independent ad tech companies.
Google made legally binding commitments to the CMA in 2022, promising to ensure that the Privacy Sandbox tools to replace cookie tracking would be developed in a fair and transparent manner.
After what felt like countless consultations, revisions and progress reports with the CMA, Google dropped its cookie deprecation timeline altogether in July 2024, and, in April of this year, it also scrapped plans to launch a user choice prompt for third-party cookies In Chrome.
A few months later, in June, the CMA announced its plan to start the process for releasing Google from its Privacy Sandbox commitments, signaling that it no longer sees a competition risk now that cookie deprecation is off the table.
In order to release Google from its commitments, the CMA first had to undertake a formal consultation process that involved soliciting feedback from various interested parties, including businesses, industry groups and members of the public.
A clash of concerns
The CMA received 15 responses in answer to its call – and every single respondent was against releasing Google from its commitments, with most arguing that there are still competition concerns.
Several respondents expressed worries that ongoing development of the Privacy Sandbox, such as it is, could still lead to anti-competitive behavior if Google reverses its current approach. In response, the CMA assessed that Google’s recent decision not to deprecate third-party cookies or introduce user prompts significantly mitigate the original concerns.
Another respondent raised the risk that Google might still use Privacy Sandbox features to limit tracking capabilities for its competitors, like by applying IP protection to general browsing. But the CMA decided this isn’t an issue since Google is retiring that API, as well as so many others in the Privacy Sandbox.
“Having considered the consultation process, the CMA remains of the view that it has reasonable grounds for believing that its competition concerns no longer arise,” the CMA wrote in its decision.
No rest for the wicked
These developments certainly mark “the end of an era,” said Stephen Dnes, a founding partner at boutique law firm Dnes & Felver in the UK.
The question now is what comes next, he said.
“The underlying point that rich data adds value for rivals remains,” Dnes said, “and so does the scope for biased prompts to raise problems.”
In other words, the battles over data access and fair user choice are far from settled. And so ongoing vigilance remains essential, said James Rosewell, co-founder of Movement for an Open Web, the advocacy group that filed the initial complaint in 2021 that got the CMA involved in the Privacy Sandbox in the first place.
“The CMA needs to keep an eye on this situation as Google is a known recidivist,” Rosewell said in a statement. “[It] could easily U-turn again and threaten the interoperability on which the open web relies.”
Updated on 11/18 to reflect that the Attribution API is the new name for the Privacy-Preserving Attribution API and was not originally proposed by Google. H/t to Don Marti for the callout.
