Home Online Advertising IAB Tech Lab Says The Chrome Privacy Sandbox Is A Time Bomb That Will Break Real-Time Bidding

IAB Tech Lab Says The Chrome Privacy Sandbox Is A Time Bomb That Will Break Real-Time Bidding

Comic: Mount Cookie

The online advertising industry is in for the bumpiest ride of its existence.

Of the 44 basic digital advertising use cases analyzed by the IAB Tech Lab’s Privacy Sandbox Task Force over the past few months, only a small handful remain feasible using the APIs in the Google Chrome Privacy Sandbox.

According to the task force’s first report, which was released on Tuesday, the majority of use cases – including lookalike modeling, competitive separation on the page, audience creation, video advertising, frequency capping and most forms of ad reporting – are “explicitly not supported or have been degraded to the point of being untenable.”

In short, does the Privacy Sandbox work?

In the Tech Lab’s view: No.

But whether these APIs work or not is a deceptively slippery question, because it depends on your definition of “work.”

Degraded by design

There’s no debate about whether the Privacy Sandbox breaks the way real-time bidding has functioned for well over a decade. It does.

And if you ask the Chrome team, that’s the point. To introduce privacy-centric features, RTB has to change. Which is why the online ad industry now finds itself at an impasse.

The Privacy Sandbox represents a massive divergence from standard business practices, yet it’s only recently become possible to run even somewhat scaled testing of the APIs. And Google still plans to fully phase out third-party cookies in Chrome by the end of this year.

Against this backdrop, the Tech Lab is publicly analyzing the business impact of the Privacy Sandbox to demonstrate that the APIs don’t address fundamental use cases, said Tech Lab CEO Tony Katsur.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

“Yes, there are some elements in the industry that pine for the past, but most of us know we’re not going to have our cake and eat it, too,” Katsur told AdExchanger. “What we’re saying is that many of the building blocks in the Privacy Sandbox aren’t effective or robust enough and in some cases they’re simply dysfunctional.”

Mind the gap analysis

The Tech Lab’s report is a deeply technical document, and if you want to read the whole thing, you can access it here.

The analysis primarily delves into the viability of the Protected Audience API (PAAPI, formerly known as FLEDGE) which is primarily a mechanism for privacy-safe retargeting on Chrome.

The task force analyzed the Privacy Sandbox’s ability to support online advertising use cases across five categories:

  • Audience-management-related use cases (such as exclusion targeting and lookalike modeling)
  • Auction dynamics (such as frequency capping and second-price auctions)
  • Creative delivery and rendering (such as using VAST tags)
  • Reporting (such as multitouch attribution and being able to charge based on cost per action)
  • Interoperability (as in still being able to serve ads programmatically to people who opt out of the Privacy Sandbox)

The main purpose of this analysis, Katsur said, is to demonstrate to the Chrome team which basic advertising use cases will continue to work and which won’t after third-party cookies are fully phased out.


And, apparently, most won’t, said a senior ad tech executive who was privy to the report before it was released and asked to remain anonymous.

For example, the exec said, the Privacy Sandbox changes the terms of the ad auction by not supporting exclusion targeting or allowing buyers to create a custom audience across multiple domains that aren’t owned by the same publisher.

The Privacy Sandbox also makes it more difficult for buyers not to bid against themselves because PAAPI generates bids for every eligible interest group.

Meanwhile, the exec said, the Privacy Sandbox effectively disintermediates supply-side platforms because the ad exchange and ad server are built into the browser.

And since there’s not a contract between Chrome and different parties in the supply chain as there typically would be between ad tech partners, “if Chrome ships a bug,” the exec said, publishers have little recourse. They can’t fire their tech partner, since they never had a choice to begin with.

The exec also noted that none of the APIs in the Privacy Sandbox have been accredited by the Media Rating Council to ensure they are counting impressions correctly.

No GOOGs allowed

Considering how much feedback the Tech Lab has for Chrome about the Privacy Sandbox – and how close the deprecation deadline is – one would be forgiven for wondering why the Tech Lab didn’t start its analysis earlier.

The IAB Tech Lab only announced the formation of its Privacy Sandbox Task Force in September of last year.

But there’s a reason for the delay, Katsur said.

Until recently, the APIs weren’t “stable enough” to analyze, he said, because the Chrome team was still making additions and modifications.

“It wasn’t even clear to us whether certain features were complete or not until April or May,” Katsur said.

Around that same time, the Chrome team presented the Privacy Sandbox APIs to the IAB Tech Lab board, and “we saw a lot of feature gaps,” he said, which triggered the creation of the Privacy Sandbox Task Force.

Your baby is … ugly

The task force is made up of 65 ad tech companies and publishers, including many of the usual suspects, such as Raptive, Criteo, TripleLift, PubMatic, Index Exchange, RTB House, Viant, Amazon Ads, The Trade Desk, NBCUniversal, The Washington Post and Dotdash Meredith.

More than 50 of these companies were actively involved in the research and gap analysis, Katsur said.

But there is one company conspicuously absent from that list. The report states that no Google employees were invited to join the task force in order “to ensure the most candid possible conversation.”

“Anytime you give product feedback, there is an element of telling someone their baby is ugly, and it can be uncomfortable to do that if they’re in the room,” Katsur said. “We wanted people to be as unvarnished as possible with their analysis – no holding back.”

Sandbox slugfest

Cookie caption contest (we've got until 2024, folks)But the report that Katsur calls unvarnished, Google claims to be untrue.

Although Google wasn’t on the task force, the Tech Lab did share an advanced draft of its raw technical analysis with Google for feedback a little less than two weeks ago, and representatives from the two groups met for around two hours after the IAB’s Annual Leadership Meeting last week to go over the findings.

Google didn’t like what they saw. According to a company spokesperson, Google is “disappointed” the Tech Lab would even release its report “in this state” and asserts that the report “includes dozens of fundamental errors, inaccuracies and instances of incomplete information.”

A person familiar with the conversation that happened between Google and the IAB Tech Lab told AdExchanger they believe the report would have been better informed if Google had been part of the task force.

“If the goal is to make sure that people actually understand the APIs, then the people who wrote the APIs should be contributing,” the person told AdExchanger. “[Google] engages in multiple forums to explain things and also get new feedback, but this report hasn’t really been an exercise in collaboration.”

A VAST disagreement

The question now is: How much of the industry’s feedback will the Chrome team incorporate into the Privacy Sandbox APIs?

Some of the Tech Lab’s concerns will be addressed by feature requests and eventually shipped, such as exclusion targeting.

But it’s hard to imagine they’ll align on everything.

Take VAST tags, the mechanism that ad servers use to communicate with video players. They’re what enable video ad delivery and basic interactivity, and the debate raging between IAB Tech Lab and Google about VAST is emblematic of how these technical discussions are playing out overall.

According to the report, PAAPI doesn’t support the use of VAST tags.

According to Google, however, PAAPI does support the use of VAST tags; they just have to function differently in a Privacy Sandbox setup.

“If the question is, ‘Can you run a video ad auction and get VAST XML out?’ the answer is ‘Yes, it’s possible,’” a person who was present at the IAB Tech Lab meeting with Google last week told AdExchanger.

To be fair, the report does note that it’s technically possible to render a VAST tag into a video player, but it argues that the process is such an operationally heavy engineering lift within a PAAPI auction that it’s too burdensome for publishers to implement.

One more year ...Google’s response? “[Google] acknowledges that this is going to require people to do new work,” the person who attended the meeting said.

But that stance doesn’t fly, according to Katsur.

“It’s like if I need to go to the airport this afternoon, yes, I can walk there,” he said, “but it’s highly impractical for me to do that. I’m going to take a car.”

So … do VAST tags work in the Privacy Sandbox? Guess it depends on your definition of “work.”

The end we start from

The Tech Lab will collect feedback on its Privacy Sandbox report and gap analysis during a 45-day public comment period that ends on March 22.

Google plans to publish its response to the report sometime soon, including technical feedback, most likely during the comment period.

Meanwhile, the task force has a small handful of between six and eight additional use cases that it’s analyzing, after which it will likely break into subcommittees, each of which will focus on specific use case verticals, such as attribution reporting, creative rendering, audience management and auction mechanics.

And Google is now welcome to join the task force, Katsur said.

“That is the next step, to bring Google into this,” he said, “and hopefully get them to work with the industry to make improvements.”

Must Read

Amazon Juices Profits, With A Big Assist From The Ads Biz

Wall Street wanted profits. Big Tech delivered. That was the case for Google, Meta, Microsoft, Apple and – more than any other US tech giant – Amazon.

Comic: Welcome Aboard

Google’s Ad Revenue Rockets Upward Again, But The Open Web Is Getting Less

Google has always been the internet waystation. People arrive to be shuttled someplace else. Increasingly, though, Google is the destination.

How Bayer Is Using Creative Analytics To Cure Its Data Divide

Bayer partnered with its data agency, fifty-five, to develop a custom in-house creative analytics dashboard built on Google Cloud to more effectively measure and evaluate creative performance.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

First-Party Data On Ice? How Conagra’s Birds Eye Brand Navigates The New Video Ecosystem

Conagra-owned brand Birds Eye brings a new approach to online video, social shopping and first-party data.

As The Open Web Wobbles, Index Exchange Is Betting On Curated Deals

Index Marketplaces activates the curation capabilities of DSPs, DMPs and RMNs – and the demand for their PMP deals – across Index Exchange’s network of publishers.

an almost handshake

LUMA: 2024 Will Be Better For M&A (No, Seriously This Time)

Overall deal activity in the ad tech market was down 10% year over year in 2023, according to LUMA Partners. But 2024 may be looking up.