IAB Tech Lab In-Depth Analysis of Google Privacy Sandbox APIs – A Summary

Posted by Jonas Jaanimagi on February 07, 2024

Tags: ad tech matters, chrome, google, iab tech lab, Privacy, privacy sandbox, third party cookies

We recently published an article on Google Chrome’s 1% global rollout of its Tracking Protection feature and an update on the evolving portfolio of Privacy Sandbox APIs. These are proposed as the alternative means of enabling digital advertising without third-party cookies in Chrome, whilst enhancing user privacy. That article acts as a general explainer and update on Privacy Sandbox itself and a guide to testing – to access it, please click here

In early February 2024, IAB Tech Lab’s Privacy Sandbox Taskforce published draft commentary and analysis on the challenges associated with the industry’s adoption of Google’s Privacy Sandbox proposals.

This analysis included 45 specific use-cases, grouped into five programmatic advertising ‘pillars’, with both a technical assessment and potential business impact analysis for each use case. The intention of this feedback was for industry to work collaboratively on reviewing and potentially resolving these considerations over the coming months – and locally IAB Australia are committed to ensuring that there is both awareness of these ongoing efforts, and an opportunity to actively engage and contribute.

On 15th February 2024, Google published a detailed response to this feedback – available here

Below we summarise the initial collaborative feedback, explain the approach, provide insights into any key areas worthy of review and make some general recommendations to our members and the local Australian digital advertising industry. The sections are as follows:

  1. Privacy Sandbox Task Force Purpose & Approach
  2. Key Considerations
  3. Some Local Recommendations
  4. Critical Areas That Demand Further Review

The fit gap analysis is open for public comment and feedback until March 22, 2024.

1. Privacy Sandbox Task Force Purpose & Approach

The IAB Tech Lab Privacy Sandbox Task Force is composed of senior ad tech leadership from over 65 different companies. Its purpose is to bring industry participants together to better understand the functionality and evaluate implications of Google’s proposed Chrome and Android Privacy Sandbox APIs, whilst also working closely with Google’s Privacy Sandbox team to provide consolidated industry feedback and product update recommendations.

These initial evaluations were performed by members of the Privacy Sandbox Task Force and approved by at least 4 additional members outside of the original assessor’s company. Each of the 45 use-cases included was deemed to be foundational to programmatic advertising and evaluated using technical specification documentation available during November 2023.

The feedback has been grouped into five core programmatic advertising categories (or ‘pillars’):

  • Audience Management: Use-cases related to creating and managing audiences across sites.
  • Auction Dynamics: Use-cases related to offering inventory to buyers, receiving bids, and selecting a winning bid.
  • Creative Delivery & Rendering: Use-cases related to invalid traffic, malware, acquiring assets for display, and ad rendering.
  • Reporting: Use-cases related to measuring advertising from request to conversion to lifetime value.
  • Technology & Interoperability: Use-cases related to partnerships and collaborations.

It’s also worth noting that to ensure the most candid possible conversations, Google employees were not initially included in the IAB Tech Lab Privacy Sandbox Task Force. However, Google were provided a copy of these assessments 13 days prior to their release and are now fully engaged in the Privacy Sandbox Task Force and collaborative feedback process.

To learn more about the IAB Tech Lab Privacy Sandbox Task Force click here

2. Key Considerations

Before providing some noteworthy examples of the feedback, it’s worth reviewing the key topics of concern that this analysis has highlighted and we are also keen to provide general recommendations and advice for local audiences.

The in-depth analysis focuses on a few key questions that arise from the work of the Privacy Sandbox Task Force and it’s worth keeping an eye on how these topics can be collaboratively resolved over the coming months. Some are technical concerns, some are more practical and others are related to the requirements of some of the more standard conventions of traditional digital advertising.

These key considerations are as follows:

Scalability & Performance of Privacy Sandbox in Chrome – programmatic advertising in the early days relied very heavily on the capabilities of browsers to handle the required auction requests and transactions. The limitations of browsers in coping with these demands led to technical inefficiencies and poor consumer experiences. As a result, server-to-server architecture has become very standardised as it can handle multiple requests concurrently and fully leverage multi-threading and distributed computing capabilities. Privacy Sandbox is proposing a return to on-browser handling and execution of all these moving parts.

Resultingly – how does Chrome propose the digital advertising industry support third-party verification & audits in the areas of fraud, ad delivery, and measurement, to name a few critical areas subject to audits today?

Lack of Consideration for Commercial Requirements – historically a wide range of different business relationships have existed throughout the programmatic eco-system in order to enable automated advertising across the open internet.

These relationships are governed by different contracts with very specific legal parameters related to details such as latency, discrepancy thresholds, data protection, privacy compliance, and limitations of liability. However, these conventions are potentially ignored by Chrome acting as both an ad exchange and an ad server in Privacy Sandbox, which could result in legal penalties and loss of trust from different customers and partners (as things stand).

Resultingly – how does Chrome plan to address the need to maintain contractual relationships with media buyers, publishers, and technology partners?

Absence of Third-Party Audits – another current key convention in programmatic advertising is the ability to objectively assess that advertising transactions are fraud-free, properly targeted, and meet any expected measurement standards. These are not yet included in the proposals.

Resultingly – how does Chrome propose the digital advertising industry support third-party audits in the areas of fraud, ad delivery, and measurement, to name a few critical areas subject to audits today?

Chrome Transparency – as things stand the Privacy Sandbox is acting as something of a ‘black box’ in terms of the details (and controls) related to how campaigns are executed, the decisioning processes involved and the ability to objectively monitor the results.

Resultingly – given the resource constraints imposed by the browser, how does Chrome plan to ensure that auction participants are treated fairly? Does Chrome have plans to make the decision criteria public and the setting of those criteria something that is owned by an industry body to ensure fair treatment?

Future Governance – again there is a concern related to transparency, in relation to how transparent the governance mechanisms within Privacy Sandbox are. As regulation in digital advertising evolves globally, with variances at a local level, this could increase the risk of arbitrary changes that may not align with the broader needs of the entire digital advertising ecosystem.

Resultingly – how does Chrome consider future governance of the Privacy Sandbox in collaboration with the digital advertising ecosystem to ensure that consumer privacy is balanced with advertising utility and continues to power a robust ad-supported open web?

Fragmented Documentation – one of the reasons we have focused on helping to educate local industry on the Privacy Sandbox proposals is because of the sheer number of different proposals and APIs, very often evolving and being developed at different rates. In testing for the different use cases the group found it currently very difficult to ensure the functional assessments were accurate based on the public documentation available. As a result, more robust and centralised technical documentation was requested.

Lack of Standard Industry Accreditation – standard industry accreditations (such as the MRC accreditation) are non-negotiable prerequisites for many agencies and brands involved in programmatic advertising. These are not yet included in the proposals.

3. Local Recommendations

As quick guidance to our related recommendations please see below:

Engage, Test & Learn – we continue to recommend that industry take the forthcoming changes seriously and seek to research and test for the portfolio of future-proof approaches that are both currently available and in development, as we mention in our recent guidance here

Resource Adequately – ensure that you have the right people in place internally that can understand the changes, ramifications to your business and can review the various options available that best meet your needs. This constructive feedback is the continuation of a process that requires local businesses have competent people engaging, participating and contributing.

Collaborate Effectively – existing in a bubble isn’t practical when building for change at this scale. Look to collaborate with your partners, clients and across the industry through events, partner workshops and dedicated industry body councils and/or working groups. At IAB Australia we have several collaborative groups engaged in initiatives related to preparing our members for both the technical and regulatory changes that are forthcoming.

4. Critical Areas That Demand Further Review

The feedback from the Privacy Sandbox Taskforce was fairly detailed, with each of the 45 use-cases classified as being Supported, Temporarily Supported, Degraded, Impractical or simply Not Supported.

Below are the use-cases classified as being ‘Not Supported’, separated out by the predefined programmatic advertising pillars:

Audience Management

Exclusion Targeting – this is a decision made not to bid on the avail or show an ad creative and is a core component of many digital marketing strategies

Create and Modify an Audience Across Domains – ability to create a custom audience across multiple domains, not necessarily owned by the same publisher

Look-alike Modeling – a common strategy used by brands to run campaigns designed to market a product or service to users defined as likely to want to engage with that product or service

Auction Dynamics

Avoid Bidding Against Myself – ensure that buyers cannot submit multiple bids that compete with one another

Competitive Separation – ensure that a brand’s ad does not appear alongside messaging from competitors

Receive a ‘No Bid’ Response from a DSP – sellers traditionally use reports on how many times bid requests received no bids from a given buyer to analyse the reasons as to why a bidder didn’t return a bid response


Creative Delivery & Rendering

Use a VAST Tag – VAST (Video Ad Serving Template) is a widely used, industry standard technology designed to facilitate the communication between ad server and video player for the purposes of delivering digital advertising

Render a Video Ad Alongside Video Content – both advertisers and publishers want to be able to serve pre-, mid-, or post-roll video advertisements alongside video content

Render Native Ad on Web – this is the serving of non-HTML ads, including formats such as JSON or raw assets like MP4 or JPGs, as well as support for ‘seller-rendered native,’ a scenario where a seller provides the final ad markup upon receiving native components from a buyer

Creative Quality Assurance and Malware in Creatives – the ability for publishers to view and review ads in advance so as to ensure that any creatives delivered will meet the required internal quality standards

Loss of Runtime Data for Brand Safety – it’s standard for programmatic vendors to provide clients with brand safety services dependent upon top level page URLs to decide if they should display a creative on a webpage, or block the ad from displaying

Auction Latency – the perceived delay between a user requesting a page and the complete page, including advertising, being rendered is inversely proportional to customer satisfaction with the page, and also to the willingness of a customer to click on an advertisement


Reporting

Second Price Auction Reporting – ability to report on both the winning and second-highest bid

Bid Loss Reporting – ability to understand why a bid did not win to inform and optimise future bidding strategies

CPA Billable Metrics – ability to charge and pay for user actions such as view-through conversions, click-through conversions

Multi-touch Attribution – ability to understand the relative contributions of prior ad exposures across publisher ad inventory in driving marketing outcomes

Measure Bot Impressions – know if a certain ad impression was activated from non-human traffic generated from data centers, headless browsers and/or bots and spiders etc.

Report on Information Gleaned from Macros – ability to generate a report using values gleaned from key values appended to the ad markup using Macros

Reporting by Creative URL – know which specific creatives are being served to users


Technology & Interoperability

Managing Infrastructure Costs – the lack of transparency removes the ability to efficiently and sustainably manage related workloads and technological effort across the ad tech infrastructure

Privileged Signals – sensitive insights (such as pricing, publisher controls and brand blocks) not normally accessible to competitors, partners and end-users are forced to be publicly available without any way to protect this information

Data Guarantees – ability to support the contractual and commercial mechanisms which govern common business relationships through contracts with clauses pertaining to data usage and security

Algorithm Integrity Guarantee – ability to guarantee that any algorithms making decisions on behalf of a business are implemented as per the expected specifications or adhere to requirements laid out in material instructions

It’s also worth noting that the Invalid Traffic use-case was classified as being Impractical, which is an important topic in minimising any opportunities for ad fraud through non-human traffic. For more guidance on ad fraud simply click here


Jonas Jaanimagi