Ad execs sound the alarm over Google’s risky Privacy Sandbox terms

While many ad execs have long been aware — it’s right there in the sandbox contracts — the risks hit home hard several weeks ago when a tech glitch rendered the sandbox useless for several hours. Ad revenue took a nosedive for those companies testing it. Google fixed it fast, but not before ad execs caught a glimpse of what could go wrong for them once third-party cookies are history.

Their takeaway? When Digiday asked some of the companies that were swept up in the outage, the response was mostly a collective shoulder shrug.  They’re acutely aware of the financial and legal risks of the sandbox — especially in its current form — but many seem resigned to the belief that these wrinkles will smooth out with time, or that they have no viable alternative regardless of Google’s moves. 

Either way, its clear ad execs aren’t thrilled about the terms they’re agreeing to with the sandbox. The recent outage only amplified those concerns, serving as a stark reminder of how Google views its contractual obligations within the sandbox.

Sources point to an April 2024 update to the Privacy Sandbox terms of service (ToS), in which the wording does not guarantee “the coordinator service will meet your requirements,” including data accuracy, the requisite APIs will always be fully operational, all while skewing legal liability away from Google and towards third parties. 

“If this was ‘SSP X’ proposing those terms, nobody would ever sign off on it,” said one source who asked for anonymity given their direct involvement in the IAB Tech Lab’s Privacy Sandbox Task Force. “These are just not valid business terms,” added the source.  

This has been bluntly articulated by Prieskel & Co, legal counsel for Movement for an Open Web — a collective of businesses taking aim at the sandbox. Their findings are neatly summarized in a comprehensive report, but here’s the cliff notes for brevity.

Google’s sandbox ToS are severely one-sided. Usually, such agreements maintain a balance, with the service provider guaranteeing a certain standard of performance. However, Google’s stance absolves itself of any obligations, said the law firm, leaving sandbox users to bear the brunt if the sandbox stops working. 

“Google specifically disclaims all liability,” said Tim Cowen, chair of the antitrust practice at Prieskel & Co, “They’ve said they’re liable for nothing.”

Ad execs are understandably miffed. To them, the sandbox plays the dual role of an ad server and exchange, so it should adhere to the same legal standards as those platforms. However, it doesn’t, leaving them uncertain if they’ll recoup their losses should the sandbox falter and take a toll on their wallets.

“I’ve got no idea if my business gets compensated if the sandbox suddenly stops working because the documentation Google has put together provides no feedback on this,” said an ad tech exec who is building technology on top of the sandbox. “This throws up all sorts of other ancillary problems because the legal frameworks we typically operate within elsewhere in the market aren’t used here.”

But that’s not even half of it. Potential legal pitfalls loom large too.

Specifically, when it comes to those ToS again: they notably omit a crucial data processing agreement, essential for compliance with the General Data Protection Regulation privacy law, said Prieskel & Co.

Granted, this poses more risk for Google than for sandbox users. However, any privacy slip-up could still send shockwaves far beyond Google’s reach. 

Indeed, multiple sources active within the Privacy Sandbox Task Force — a group with representatives of dozens of companies, including Google, that meets weekly — assert that the current Chrome user instructions on consenting or opting out of Privacy Sandbox fall short of GDPR requirements. 

“This is an organization which doesn’t appear to comply with the law,” said Cowen.

If he sounds like he’s laying it on thick, it’s because he thinks the situation demands nothing less. 

From his vantage point, Google has made these terms without consulting the rest of the ad industry. When companies act this way, it’s because they think they’re untouchable. That’s definitely cause for alarm. Worse still, it potentially breaches the Digital Markets Act. According to the law, Google is supposed to establish fairer terms of service, not impose seemingly discriminatory ones unilaterally.

A spokesperson from Google responded in an email statement: “The Chrome team places the highest priority on the reliability of our platform and all of the critical APIs used by major sites and services across the web, including the Privacy Sandbox technologies.  We recognize the Privacy Sandbox tools will help support monetization across the web and will continue to work with industry stakeholders to ensure the best possible performance and reliability.

The statement further clarified Google’s own stance on those terms. In simple terms, the sandbox APIs are treated like other web standards and technologies, allowing open access and implementation without specific terms of service requirements from Google. This approach maintains the open nature of the web platform while introducing new privacy-preserving technologies, according to Google. Crucially, it added that the terms don’t change the underlying commercial relationships in online advertising.

Clearly, there’s a schism in perspective here. Google’s outlook clashes sharply with industry perception.

Yet, these hurdles aren’t impassable — or at least, they shouldn’t be.

Google could provide clearer assurances to the industry about financial repercussions if the sandbox fails, especially given the persistent technical issues.

The same applies to regulatory risks. Google could demonstrate a willingness to clear up any uncertainty in several ways: clarify its role as controller or processor; embed robust data processing agreements in its ToS; provide clear guidelines for data handling; prevent data re-identification; enhance transparency; empower user rights; conduct regular audits; and establish compliant mechanisms for API data sharing under GDPR.

Taking such steps could nip privacy and compliance headaches in the bud for both Google and the businesses using the system. As of now, that likelihood remains uncertain at best.

But that could shift. 

After all, Google hasn’t outright rejected these solutions; in fact, it’s actively in talks with sandbox users on them. The hurdle lies in translating these discussions into definitive commitments. As it stands, ad execs aren’t exactly holding their breath for a swift resolution. 

One executive, speaking anonymously to Digiday due to concerns about potential repercussions for their candid criticisms, summed it up bluntly: “When it comes to data processing agreements, no outreach from the Sandbox team has included a DPA agreement with ad-tech companies leveraging the Sandbox features for advertising purposes. Any normal ad-tech vendor working in the space would have these agreements buttoned up, especially in the European market.”

This exec is pointing to a persistent subplot within the Privacy Sandbox saga: it’s just the latest indication of Google’s pervasive influence over the ad industry. Consider this: whether it’s the delays in its rollout or the technical challenges needing to be addressed, the industry finds itself compelled to adapt, even against its better judgment. 

If they don’t adapt, they risk being marginalized or left behind in a landscape increasingly shaped by Google’s initiatives and standards.

“It’s appalling that Google thinks it can behave like this,” said Cowen. “Remember, only third parties are impacted by these issues with the sandbox because first-party cookies can still be used within Google’s own walled garden.” 

Faced with this dilemma and the opportunity to advertise within Google’s ecosystem, unencumbered by the sandbox’s limitations, it’s not hard to predict which way ad execs might lean. Admittedly, that does sound like a Machiavellian maneuver from Google. Nevertheless, many ad execs are finding it progressively harder to disregard these more daring assertions.

And that’s despite trying to see things from Google’s viewpoint. They acknowledge the challenges of replacing third-party cookies and the need for compromises. Yet, they also believe Google could do more to navigate this swamp without dragging everyone else into it.

If this contractual conundrum is to be untangled, Google faces the daunting task of balancing two seemingly contradictory objectives: appeasing privacy advocates and consumers on one hand while ensuring ad performance — and thus ad industry monetization — remains intact on the other.