Skip to content
Schedule a Call
Call Now

Privacy Sandbox

Article by Tsaaro

7 min read

A moreprivate, open web accessible to everyone.

Introduction
In August 2019, Google announced a new initiative (known as Privacy Sandbox) to develop
a set of open standards to fundamentally enhance privacy on the web. The goal for this
open source initiative is to make the web more private and secure for users, while also
supporting publishers.
In January 2020, just before covid-19 took over the world, Google made one more
announcement; they updated that the industry’s feedback was optimistic and confident
regarding their ‘Privacy Sandbox.’
And with that confidence, they announced that they would phase out the support for
third-party cookies in their Google Chrome browser.
In March 2021, in the recent announcement, Google said after the support for third-party
cookies are phased out, they will not develop a unique identifier solution to identify users
across the web using different browsers and devices;

Instead, they will use ‘privacy-preserving APIs,’ which will prevent identifying individuals
across the web while delivering the same efficiency and value level to advertisers and
publishers.

What is Privacy Sandbox?

Google created a developer sandbox for Google Chrome, where companies or individuals
can ‘play’ with the Google Chrome browser data. In developers’ language, a ‘sandbox’ is an
isolated environment and a safe place for testing that can’t affect anything outside of it.

Privacy Sandbox is covering four key areas:

● Ad targeting:

Advertisers want to reach users interested in their products or reach a customer on
a different website who previously visited their website.
FLoC & TURTLEDOVE, both acronyms, are two different proposals designed to solve
ad targeting problems.
FLoC stands for “Federated learning of Cohorts,” which uses advanced machine
learning known as “Federated Learning” to allow advertisers to reach new
audiences.
TURTLEDOVE stands for “Two Uncorrelated requests, Then Locally-Executed
Decision On Victory,” which is a proposal to solve the problem of retargeting
customers; this is for advertisers who want to reach the users who already visited
their website before.

● Ad delivery:

Delivering an ad to a web page is another critical point-in-time where the risk of user
privacy getting compromised is higher.

The Trust Token API

Cookies and other tracking technologies are significantly matured in detecting
advertising fraud;
Ad fraud is a type of online fraud where advertisers are tricked into spending money
to buy ads on websites that are either low value or irrelevant or visited by bots.
The Trust Token API helps authenticate real users without using any tracking
technology. For Example, if you logged into your Yahoo mail account, and if Yahoo
wants to, it can drop a Trust Token in your browser and classify you as a real user.


When you visit other sites with the same browser, the Trust Token can be accessed
by other websites and feel comfortable with you as you are already classified as a
trusted user.

● Ad performance:

Many advertisers prefer spending on online media over offline media because they
have visibility on their ad dollars’ performance and effectiveness.
To solve this without using third-party cookies, The Google Chrome team proposed
a few standards, including the Aggregated Reporting API and the Conversion
Measurement API.

The Aggregated Reporting API gives advertisers a privacy-first way to measure
how many users saw their ad from a specific ad campaign; this is achieved by
providing only a single report after gathering and aggregating the data from
multiple websites.

The conversion measurement API proposes a new way of tracking an ad
campaign’s success without using third-party cookies; it stores how many users took
action based on an ad, whether buying a product or filling a lead form.
For Example, if a user sees an ad for a pair of shoes and then buys those shoes, the
browser stores that information; after some time delay, the browser sends back that
aggregated information to the advertiser.

Google makes it hard for the advertising companies to tie the clicks and conversions
to an individual; all of this is aggregated information, nothing at the user level.

● User privacy:

Web browsers also reveal quite a lot of information about the users like the IP
address, fonts they support, version of the browser, and a lot more;
With enough data points across companies, one can stitch the data and identify a
user reasonably well; this is called the ‘fingerprinting.’ technique.
To prevent fingerprinting, Google Chrome is developing a technology called Privacy budget.

In simple terms, every website will have a budget (which is the amount of
information) that it can use to request from the browser; you can’t go beyond that
allocated privacy budget.

There might still be a possibility of identifying a large part of heterogeneous groups.

Updates by Google

By Jun 2021, Chrome and others have offered more than 30 proposals, and four of those
proposals are available in origin trials. For Chrome, specifically, Google plans to have the
key technologies deployed by late 2022 for the developer community to start adopting
them. Chrome could then phase out third-party cookies over a three month period, starting
in mid-2023 and ending in late 2023.

Each proposal goes through a rigorous, multi-phased public development process:

Discussion: The technologies and their prototypes are discussed in forums like GitHub or
W3C groups.

Testing: The technologies are rigorously tested in Chrome through potentially numerous
origin trials, allowing for transparency and feedback throughout.

Ready for adoption: Once the development process is complete, the successful
technologies are ready to be used at scale. They will be launched in Chrome and ready for
scaled use across the web.

After this public development process, Google plans to phase out support for third party
cookies in two stages:

Stage 1 (Starting late-2022): During stage 1, publishers and the advertising industry will
have time to migrate their services. This is expected to last for nine months.

Stage 2 (Starting mid-2023): Chrome will phase out support for third-party cookies over a
three month period finishing in late 2023.

Google also published updates in April 2021 regarding User Agent string reduction, a
project which aims to reduce the possibility of using the data to fingerprint and track users
across the web.

For a developer, if the site, service, library or application relies on certain bits of
information being present in the User Agent string such as Chrome minor version, OS
version number, or Android device model, he/she will need to begin the migration to use
the User Agent Client Hints API instead, which is a way to avoid the historical baggage
and passive fingerprinting surface exposed by the venerable User-Agent header.

Summary

Third party cookies are typically the ones set by “third party” ad tech companies whose
tracking code is found on millions of sites. Hundreds of ad tech trackers are collecting
information, without the user’s knowledge, and certainly without their consent. The ad tech
companies sell their data for profit or make money by using it to help marketers improve
the targeting of ads — i.e. behavioral targeting and also to collect user’s data to make a
unique identification of them — i.e. browser fingerprinting.
To solve this , Google proposed ‘Privacy Sandbox’ to develop a set of open standards to
fundamentally enhance privacy on the web. The goal for this open source initiative is to
make the web more private and secure for users. They also announced that they would
phase out the support for third-party cookies in their Google Chrome browser.
Privacy Sandbox covers four key areas that are:

Ad targeting : FLoC & TURTLEDOVE are two different proposals designed to solve ad
targeting problems.

Ad performance: To maintain Ad performance without using third-party cookies, The
Google Chrome team proposed a few standards, including the Aggregated Reporting API
and the Conversion Measurement API.

Ad delivery : The Trust Token API is designed to authenticate real users without using any
tracking technology.

User’s Privacy : To prevent fingerprinting, Google Chrome is developing a technology
called Privacy budget which is basically a limit on how much data a website can request
from a browser.

For Chrome, specifically, Google plans to have the key technologies deployed by late 2022
for the developer community to start adopting them and then phase out third-party
cookies over a three month period, starting in mid-2023.

Google also published updates in April 2021 regarding User Agent string reduction, a
project which aims to reduce the possibility of using the data to fingerprint and track users
across the web.

882 thoughts on “Privacy Sandbox”

  1. Ellat

    Excellent article! I appreciate the thorough and thoughtful approach you took. For more details and related content, here’s a helpful link: LEARN MORE. Can’t wait to see the discussion unfold!

Leave a Reply

Your email address will not be published. Required fields are marked *

cybersecurity,
WHAT DRIVES CYBERSECURITY: A COMPREHENSIVE OVERVIEW 
Tsaaro Consulting

WHAT DRIVES CYBERSECURITY: A COMPREHENSIVE OVERVIEW 

In today’s interconnected world, cybersecurity plays a crucial role in protecting our digital lives. From protecting personal data to safeguarding …

February 21, 2025
Transfer Impact Assessments
Understand Transfer Impact Assessments: Insights from CNIL’s Practical Guide 
Tsaaro Consulting

Understand Transfer Impact Assessments: Insights from CNIL’s Practical Guide 

Introduction  A Transfer Impact Assessment (TIA) is a critical evaluation conducted under the General Data Protection Regulation (GDPR) to assess …

February 20, 2025
Draft DPDP Rules
The DPDP Act, 2023 and the Draft DPDP Rules, 2025: What Do They Mean for India’s AI Start-Ups?
Tsaaro Consulting

The DPDP Act, 2023 and the Draft DPDP Rules, 2025: What Do They Mean for India’s AI Start-Ups?

Introduction The Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 have ushered in a new …

February 12, 2025
Data Breach Management
Understanding Data Breach Management under the Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 
Tsaaro Consulting

Understanding Data Breach Management under the Digital Personal Data Protection Act (DPDPA), 2023 and the Draft DPDP Rules, 2025 

Introduction  The Digital Personal Data Protection Act, 2023 (DPDPA), along with the Draft Digital Personal Data Protection Rules, 2025 (DPDP …

February 10, 2025
Personal Data Protection Act
A Comprehensive Guide to Singapore’s Personal Data Protection Act  
Tsaaro Consulting

A Comprehensive Guide to Singapore’s Personal Data Protection Act  

Introduction  Singapore’s Personal Data Protection Act (PDPA) is the cornerstone of the country’s data protection framework, ensuring that organizations manage …

February 5, 2025
Recent Comments

SHARE THIS POST

Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them

© 2024 Tsaaro Consulting. All rights reserved.
Linkedin Instagram Youtube

About Tsaaro

Resources

Other Links

Tsaaro Netherlands Office

Regus Schiphol Rijk Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands

Tsaaro Pune Office

Tech Centre, Rajiv Gandhi Infotech Park, Hinjewadi, Pune, Maharashtra

Tsaaro Noida Office

302, Tower C, ATS Bouquet, Noida Sector – 132, Uttar Pradesh, India

Tsaaro Bengaluru Office I

Manyata, Embassy Business Park, Outer Ring Road, Bengaluru, Karnataka

Tsaaro Bengaluru Office II

Second State, CMH Road, Indiranagar, Bengaluru, Karnataka

Call Our Experts:

+91 95577 22103

small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png

We’d love to help your organization achieve your Data Protection goals!

Schedule a complimentary consultation with our Team of Experts.