Google’s Privacy Sandbox and User-Choice Prompt: What You Should Know

Owing to users’ growing privacy concerns and evolving global regulatory necessities, Google introduced the Privacy Sandbox initiative. Its primary purpose is to significantly improve user privacy while allowing other stakeholders, such as the digital advertising industry, to continue to thrive.

As part of the Privacy Sandbox initiative, Google has announced that instead of deprecating third-party cookies, it would now introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing. The user-choice prompt will ask data subjects whether they want to provide their consent to third-party cookies and data subjects will have the option to either accept or reject the use of third-party cookies.

Read on to learn more about the Privacy Sandbox's background, nuances, implications, potential impact on the global digital ecosystem, criticisms, and, most importantly, how your organization can best prepare for it.

Google’s Early Approach to the Privacy Sandbox

In January 2020, Google widely invited advertisers, publishers, and all other stakeholders involved in the digital advertising space to join the Improving Web Advertising Business Group (IWABG) of the World Wide Web Consortium (W3C). The purpose of this consortium would be to propose initiatives and measures to improve digital privacy without compromising advertising effectiveness.

This resulted in more than 30 proposals, which included Protected Audience [formerly known as First Locally-Executed Decision over Groups Experiment (FLEDGE), Attribution Reporting, Private Aggregation, Shared Storage, Bounce Tracking Mitigations, Private State Tokens, Fenced Frames, and Topics API [formerly known as Federated Learning of Cohorts (FLoC)] among several others related to cross-site privacy boundaries, content & ads, covert tracking prevention, and anti-spam and fraud on the internet.

As Google decided to shift to privacy-friendly solutions and deprecate third-party cookies, it has been testing several tools that can display interest-based advertising to users without collecting their personal data or tracking them. Single-origin trials for Topics, FLEDGE, and Attribution Reporting APIs followed, where select websites were allowed to run unified experiments. RTB House and Criteo published their results, highlighting, among other things, the need to expand the scope of such experiments to get better aggregate results. A report by the Competition and Markets Authority on Google and others’ experiments with Sandbox technologies reflected a similar concern. The lack of a common testing framework prevented performance tests that could enable more wide-scale tests.

Google introduced Topics in 2022, replacing Google’s FLoC proposal. The Topics API would select 3 topics of interest based on a user’s browsing history without involving external servers and share those topics with advertising partners. Users would be signed in to Topics by default but have the option to see the topics, remove any of the topics, and opt-out of the feature completely.

Then, in September 2023, Google announced the general availability of Privacy Sandbox APIs for all Google Chrome and Android OS users.

Recent Shift to User-Choice Prompt

On July 22, 2024, Google announced that instead of deprecating third-party cookies, it would introduce a new user-choice prompt experience in Chrome that lets people make an informed choice that applies across their web browsing. The prompt would ask data subjects whether they want to consent to the use of third-party cookies.

While Google still has not released detailed information on the user-choice prompt, this route seems to be providing users with more granular control over the use of third-party cookies.

From Google’s recent announcement, the user-choice prompt will be similar to some existing consent frameworks in the advertising industry, with notable differences.

Apple’s App Tracking Transparency (ATT) Prompt

Similar to Apple’s ATT prompt that asks data subjects whether they want to be tracked, Google’s user-choice prompt will ask data subjects if they wish to consent to the use of third-party cookies. Where Apple’s ATT prompt relates to an end-users choice with respect to tracking, the scope of Google’s user-choice prompt would be broader as it relates to third-party cookies—third-party cookies can and cannot be involved in tracking individuals.

Google’s Advertising ID Framework

Google’s advertising ID framework for Android allows data subjects to delete or reset the advertising identifiers from their mobile devices which would enable mobile applications to carry out tracking of individuals. Google’s user-choice prompt, on the other hand, will allow the data subject to provide a choice with respect to third-party cookies and not just cookies that enable tracking of individuals or send them advertisements.

Global Opt-out Preference Signals

Websites are required to opt-out the user from non-essential cookies upon detection of an opt-out preference signal on the browser such as the global privacy control (GPC). The opt-out preference signal is an indication from an end-user to websites that they would like to be opted out. As per US state privacy laws such as CPRA and Colorado Privacy Law, websites must opt-out the user from non-essential cookies that are involved in the sale or sharing of personal information in the case of GPC signal detection. Similarly, websites would be required to opt-out the user from third-party cookies if the user has refused consent to third-party cookies via Google’s user-choice prompt.

Google has not released extensive information on the user-choice prompt, but based on current insights, an informed analysis can be made from a data privacy and compliance standpoint.

Firstly, cookie banners will still be required for several reasons. Most privacy laws mandate websites to display notices or banners not only for the use of third-party cookies but also for first-party cookies and even essential cookies. Therefore, websites must continue to show cookie banners that provide information on the use of all cookies and allow users to consent to first-party cookies.

Secondly, most privacy laws require organizations to enable data subjects to opt-out at any time as easily as they provide their consent. So, even if users have provided consent to third-party cookies through Google’s user-choice prompt, websites will still need to offer an option for users to opt-out and manage their choices on a more granular level.

Most importantly, websites will be required to read an end-user’s choice to third-party cookies through Google’s user-choice prompt, honor the choice, and reflect the same choice on cookie banners and preference centers.

Implications of the User-Choice Prompt

Google’s new approach towards the Privacy Sandbox initiative, i.e., the user-choice prompt, will have implications for all actors in the advertising chain, including users, advertisers and publishers.

It is important to note that the full impact of Google’s new approach will only become clear over time. The following analysis highlights the potential outcomes based on current trends and market behavior; however, it is not definitive, and future developments may shift the trajectory in ways that are difficult to predict at this stage.

Changes in Targeting & Measurement

Google’s shift towards offering users a choice prompt for third-party cookies marks a significant change in its Privacy Sandbox initiative. Previously, this was expected to disrupt traditional tracking methods, pushing many organizations to invest heavily in alternatives that relied on first-party data. While the new approach offers relief from immediate changes, the momentum toward first-party data strategies remains strong. However, for the time being, the industry may see a slowdown in innovation and adoption of technologies, and reliance may continue to be placed on earlier third-party cookie-tracking methodologies.

Concerns regarding Validity of Consent

IAB Europe has raised concerns regarding the validity of consent obtained through the Google prompt. As per the requirements of GDPR and the e-privacy directive, consent should be specific, informed, and unambiguous. A browser-level prompt may serve as an impediment to the fulfillment of consent validity criteria, as it does not enable users to make granular choices. Further, there may also be issues concerning the user experience, as introducing the user-prompt would lead to a fragmented experience where users would be making their choices regarding first-party and third-party trackers in different web-spaces.

Increased Control and Ease for Users

While concerns about the validity of user consent remain, a single, browser-level prompt for third-party cookies would likely offer users a more streamlined and less intrusive experience than encountering separate cookie banners on each website they visit. However, it’s important to acknowledge that users would still need to make separate consent decisions for first-party cookies on individual websites. Despite this, a universal browser prompt for third-party cookies could significantly enhance user control by offering a more consistent and manageable privacy experience. This approach may align with the broader push toward user autonomy in data protection.

Antitrust Concerns

IAB also has flagged that Google’s new user choice prompt for third-party cookies could have a negative impact on publishers, much like Apple’s App Tracking Transparency (ATT) did. The use of the ATT framework led to a significant reduction in available user data, adversely affecting publishers' advertising revenues. This has triggered antitrust scrutiny in several EU jurisdictions, as it’s viewed as potentially harmful to competition. Similarly, Google’s proposed approach could result in an uneven playing field, particularly favoring larger players with more access to first-party data, and might attract similar antitrust concerns regarding its impact on market competition.

Increased Collaboration between Advertisers and Publishers

Advertisers and publishers will collaborate closer than ever before to pool their resources, devote themselves to educating users about why they should accept third-party cookies, and enact second-party data-sharing agreements that allow them to rely on each other’s first-party data for advertising purposes.

Criticisms from Within the Industry

The Privacy Sandbox initiative has its fair share of critics. When Google originally announced its plans to phase out third-party cookies eventually, it raised obvious concerns about the virtual monopoly Google would enjoy, as its proposals were deemed “anticompetitive and a danger to privacy.”

Other major browser vendors such as Mozilla, Apple, and Chromium took various measures to disable such a feature by default on their browsers, as they raised concerns about new ways user activity could be tracked under the FLoC proposal, which were not possible via third-party cookies. Google’s decision to enable the feature by default for all Chrome users during the initial testing phase without any prior notice led to further criticism.

Topics API that replaced FLoC faced similar concerns, particularly how advertising networks could use aggregate interests across multiple websites to reidentify and track users.

The most extensive criticisms of the Privacy Sandbox have come from None of Your Business (NOYB). In a comprehensive blog published in June 2024, NOYB alleged that Google was engaging in deceptive & manipulative practices by outright lying to its users about the functionality of the Privacy Sandbox.

Max Schrems, the man renowned for the Schrems I and II verdicts, stated, “If you merely steal less money from people than another thief, you can’t call yourself a ‘wealth protection agent’. But that is basically what Google is doing here.” He made this accusation when discussing how Google’s internal browser tracking would be automatically enabled after users are shown a pop-up displaying “Turn On Ad Privacy Feature”. The pop-up box, through both the wording and interface design used, implies enabling the feature would restrict any tracking at all for advertising purposes when, in fact, Google would be the one tracking users instead of third parties.

The privacy advocacy group has already proceeded with a formal complaint to the Austrian Data Protection Authority, insisting that the Privacy Sandbox blatantly violates the provisions under Article 4(11) of the GDPR that require consent for such data collection to be a “specific, informed and unambiguous indication of the data subject’s wishes…”

How Securiti Can Help

Securiti’s Privacy Center is an easy-to-use and easy-to-deploy solution that empowers your organization to easily comply with a myriad of complex and evolving global privacy regulations, while building trust with your users.

It is particularly helpful for organizations that have to comply with multiple regulations in different jurisdictions simultaneously, as it is equipped to enable real-time management of compliance actions necessary related to first-party consent and third-party tracking, such as cookies, individual privacy rights, privacy notices, and breach notifications.

Furthermore, Securiti offer a plethora of other individual modules, including cookie consent management, assessment automation, universal consent, and vendor risk management, and many others that are designed to address nearly every major data privacy-related obligation an organization may be subject to.

Request a demo today and learn more about how Securiti can help you comply with all major obligations your organization will likely be subject to under most data privacy laws worldwide.