Quantitative testing of Google’s Privacy Sandbox technologies—Additional CMA guidance to third parties on Testing—Competition & Markets Authority
CMA reports about progress advancements in the Privacy Sandbox roll-out through Q3 2023 and specifies that testing labels, called “Mode A”, are going live on 31 October and will be available through H1 2024. In “Mode B,” which is supposed to start in Q1 2024, 0.75% of Chrome’s traffic is said to be deprived only of third-party cookies, while 0.25% is expected to have neither third-party cookies nor Privacy Sandbox. Additionally, CMA confirms that 1 July will begin a “standstill period” of 60 days (subject to extension to 120 days), in which CMA will decide if Google can start full-scale third-party cookies deprecation. [Note: In April 2024, the full-scale deprecation was further postponed until early 2025].
What’s more, in Privacy Sandbox’s advancements, Chrome launched the third-party cookie deprecation trial, which is supposed to start on 4 Dec 2023 and end on 27 Dec 2024. It would allow sites to re-enable third-party cookies to preserve their key user-critical functionalities. However, these functionalities cannot depend on cross-site tracking for advertising purposes.
Staying within the Privacy Sandbox domain, Chrome introduces a new feature to its Topics API, which depends on grouping topics in its taxonomy into “standard” and “high” utility buckets. This results in prioritizing high-utility topics while assigning them to the user. If the utility is of the same type, the secondary feature determining the order of assigned topics will be the frequency of their presence in the user’s history. This aims to make the topics more commercially relevant and therefore, more valuable for advertisers. As a reminder—the aforementioned order is important as the top 5 topics are selected for each user for an epoch, after which they’re randomly shared with the callers.
Last but not least, Google announces its intent to experiment with IP Protection—an API which is going to be responsible for masking the real IP of Chrome’s users. For the initial testing stage, it is said to be an optional feature on Google-owned domains and use Google-owned proxy. This API leverages a list-based approach, so it is expected to work only for specific third-party domains. AdExchanger reminds us that this will essentially “replumb” the MarTech ecosystem, and companies that wanted to use IP addresses as an alternative tracking method after third-party cookie deprecation will have to change their approach.
GroupM Does Its Part to Kickstart Privacy Sandbox Testing—AdExchanger
GroupM announces it would select a batch of its most Privacy Sandbox-eager clients to integrate its APIs (Topics, Protected Audiences, and Attribution Reporting) into its media plans to test them over the course of 2024. The clients should derive from various markets (the U.S., the U.K., Germany, India, Australia) and verticals to represent a widespread testing sample.
The first efforts are expected to depend on setting out a testing framework and baseline performance, followed by enlarging the tested pool of advertisers with some other volunteers. Participating customers will be privileged to get their hands on insights deriving from the experiment, but it is still unknown which advertisers opted in.
AdExchanger underlines that this is, in fact, a mutual initiative in which Google takes an active part. It is its first such partnership with an agency as Google’s “part of a broader set of efforts” to support the Privacy Sandbox testing.
Adopting SDA In a Privacy-Centric World—IAB Tech Lab
IAB Tech Lab released the SDA (Seller-Defined Audiences) Implementation Guide, which primarily aims to address the feedback from the industry (largely deriving from RTB House’s observations made in its blog post from March 2023) that SDA signals passed in parallel to other user-specific signals (such as third-party cookies or external identifiers) are likely to be used to upgrade various graphs in order to monetize valuable publishers’ data outside of their inventories.
The proposed approach in the environments where third-party cookies and EIDs are plentiful includes batching SDA-driven insights into non-descriptively named Deal IDs for isolated buyers’ exclusive use.
IAB Tech Lab recognizes that such deployment of Seller-Defined Audiences is less elegant than the previously proposed open-market approach. However, it claims that the only alternative to prevent data leakage would be to strip EIDs and third-party cookies from bid requests, which would not be “revenue-optimal” for sellers.
Digital Advertising In a Paradigm Without Third-Party Cookies—Infocomm Media Development Authority in Singapore
Ben Savage reports that Meta tested the Interoperable Private Attribution (IPA) proposal with the Singaporean Privacy Regulator (PDPC) overseeing the effort. Multi-Party Computation (MPC) was operated by three different organizations, deployed in three different countries and in three different cloud environments.
The most important takeaway is supposed to be the fact that PDPC found technical, governance, and contractual safeguards in the system strong enough to consider Helper Parties, device/browser keys, and the process of using those keys not to be subject to the Personal Data Protection Act (PDPA) for the sufficient degree of end-to-end anonymization.
However, the detailed report points out that “Adtech Entity” will have to act as a data intermediary that processes personal data. Moreover, while the security of the data is sound and its utility is preserved, latency might be an issue if the query size gets bigger.
If you have any questions, comments or issues, or you’re interested in meeting with us, please get in touch.