3rd-Party Cookies, Ads, and The Privacy Sandbox

Once again, two buzz-phrases have been making waves in the digital marketing and analytics space since 2024: 3rd-party cookie deprecation (or 3PCD) and privacy sandbox. Let’s briefly clarify what is happening, because this is getting a bit confusing.

You’ve probably heard, Google will be deprecating 3rd-party cookies for the Chrome browser. It’s a big deal, for many reasons. This is going to impact W3C web standards, promises to improve privacy and fraud, cross-site technologies, and a whole lot more.

What we want to touch on is, what is happening around ads? After all, 3rd-party cookies are a foundational component for understanding attribution and remarketing efforts.

First, let’s not panic. There is a proposal on the table that will, in theory, replace the functionality of third-party cookies for ads – enter the Privacy Sandbox.

What is the Privacy Sandbox?

At first, even I was thrown for a spin thinking that “sandbox” meant some kind of site or testing ground for something new. More accurately, the Privacy Sandbox is a set of proposals (APIs, standards, new tech, etc.) to improve the web’s privacy and functionality.

Here is the official site with more explanations https://privacysandbox.com/

One of these areas the Privacy Sandbox aims to tackle is the deprecation of 3rd-party cookies. It turns out that these type of cookies are not that private, and the industry is at a point where better standards are needed.

The problem is that 3rd-party cookies have been the foundation of online advertising since the start. It basically drove most of the advancements and freebies we enjoy today. Advertisers use these cookies to understand the journey of a targeted user, from an ad view to a conversion. They also use these cookies to remarket based on actions and sites the user has visited.

All of these capabilities are going away.

Without 3rd-party cookies, how do advertisers measure performance and target audiences?

Again, this 3PCD does not mean that targeted ads will no longer be possible and performance measurement will transform into guesswork.

There are three technologies that will be integrated into the Chrome browser (soon the others, hopefully) that advertisers should keep an eye on: the Topics API, the Protected Audiences API, and the Attribution Reporting API.

These APIs have, for the most part, been rolled out to Chrome browsers and are available for use. They aim to serve a similar purpose to 3rd-party cookies when it comes to ads, but in a much more secure way.


Keep an eye on the Topics API, the Protected Audiences API, and the Attribution Reporting API.

“In the browser” is a critical part of these APIs. Rather than sending user data to advertisers’ for logic and processing, Privacy Sandbox proposals emphasize keeping user data in the user’s browser, requiring the advertisers to use non-identifiable markers to target audiences.

1. The Topics API

The Topics API aims to replace the more traditional and less private way advertisers used 3rd-party cookies to create targeted audiences – i.e. measuring user behavior across different sites to build detailed profiles of individual interests and activities.

Rather, this API will build a ‘topics’ library of sorts that stays in your browser.. While it is based on the browsing history, it does not reveal what websites were visited to qualify for the topic.

Curious on what topics you have been qualified for? Try it out!

This API has already been rolled out to 99% of Chrome users. You should be able to see what topics you are qualified for by going viewing the following: 

chrome://topics-internals

Here are my topics. Nothing personal needed hiding.

2. The Protected Audience API

This API is aimed at remarketing and custom audience use cases, designed so third parties cannot track user browsing behavior across sites.

It differs a bit from the Topics API since it’s main purpose is to run ad auctions involving cross-site audiences. It is similar in that it is the user’s browser that holds the data the advertiser uses for bidding.

If I can further paraphrase the image below, when a user visits an advertiser’s site, the advertiser adds a code to the browser. Later, when the user visits a site that serves ads, the advertiser bids based on the previously created code. No one else can see the user’s interest.

Image from https://developers.google.com/privacy-sandbox/relevance/protected-audience?hl=en

3. The Attribution Reporting API (for Web)

This API is meant to provide measurement for clicks and views. In other words, when actions from a user (ad views or clicks) leads to a conversion. Historically, this has been something 3rd-party cookies would allow advertisers to understand.

The gist is straightforward, there is code on websites that record user actions as “source events”, and some other code that is added when there is a conversion called “trigger events”. The API matches the source and the trigger and BAM!, attribution with anonymity. The reports are then sent to the advertiser.

Reports are going to be less granular and will have random data to preserve privacy.

NOISE!

Noise will be a critical part to preserve privacy in the various reports the APIs will send to the advertisers. The Google team made sure to emphasize this during the last POSSIBLE marketing conference, which we were lucky to assist (here are a few notes on our experience).

In short, Google will include random data that, in the end, should add up to the actual reported number.

Conclusion

There is a lot changing with the upcoming deprecation of third-party cookies. Most of the heavy lifting will be done by advertisers, but there is some work to do for web and app developers.

There are more technologies coming that will touch on the ads ecosystem, but for now, the Topics API, Protected Audiences API and Reporting Attribution APIs might be the best ones to understand to further advance a digital marketing and measurement strategy.

When will this finally come?

Everyone was waiting for this to come down in 2024, but Google delayed the target date to the beginning of 2025. The reason for this delay is that Google is following decisions from the UK’s Competition and Markets Authority (CMA). The latest? Google envisions “proceeding with third-party cookie deprecation starting in early 2025”

3pcd timeline
Image from https://developers.google.com/privacy-sandbox/3pcd

Jose Uzcategui

Global Lead / Sr. Analytics Consultant

Jose Uzcategui

Mr. Uzcategui joined Ayudante in Japan after working for ASICS and Amazon. His position previous to Ayudante was as a team leader, working on data construction/implementation and performance improvement using the Google Marketing Platform and the cloud. His hobbies are playing squash and cooking. He enjoys studying Japanese, Spanish, and English, and spring in Japan is his favorite season.