‘It’s in Google’s best interest’: Sources urge more formal Privacy Sandbox legal terms

While Google’s engineering team was quick to make the requisite repairs and little-to-no data was lost as a result of the outage, according to sources, ad tech companies, advertisers and publishers alike all got a glimpse into the future.  

In particular, it underlined how many face a level of dependency on Google that has created a widespread sense of unease, with separate sources pointing to the myriad issues they have with Google’s existing terms of service required to participate in the Privacy Sandbox. 

These can be grouped into two camps: one is a contractual gripe between two businesses, and the other pertains to consumers’ consent, with some citing this as an example of why internet browsers should be regulated in the same way as public utilities such as electricity providers, etc.  

The B2B concerns

Sources point to an April 2024 update to the Privacy Sandbox ToS, whereby the wording does not guarantee “the coordinator service will meet your requirements,” including data accuracy, the requisite APIs will always be fully operational, plus skewing legal liability away from Google and towards third parties. 

Given that Privacy Sandbox effectively proposes to port the ad auction roles traditionally performed by an ad server and a supply-side platform into the Chrome browser, such terms are unacceptable to many.

The B2C concerns

Furthermore, multiple sources active within the Privacy Sandbox Task Force – a group with representatives of dozens of companies, including Google, that meets weekly – assert that the current Chrome user instructions on consenting or opting out of Privacy Sandbox fall short of GDPR requirements.

“The tech itself has PII [personally identifiable information] because it’s inside your browser, as it’s an API which is pinning activities to a browser that can likely be tied to an individual,” added one regular attendee source, noting the sensitivities of the ongoing deliberations.

Juggling priorities 

For some, the fumbled rollout of Privacy Sandbox – Google has delayed its planned phase-out of third-party cookies, initially slated to take place in 2022, three times – is a byproduct of the myriad obligations faced by its parent company Alphabet. 

Digiday readers will need little to no reminder of the multiple antitrust cases faced by Alphabet in several jurisdictions – its impending September case will see its own suite of ad tech tools scrutinized in the dock. 

Meanwhile, the company must also meet the requirements of privacy lawmakers across the globe (arguably this is the genesis of the entire Privacy Sandbox project). Also, let’s not forget that Alpabet executives are continually obligated to answer to Wall Street – as evidenced in multiple disclosures from Google’s ‘search trial’ of the past 12 months – where investors are often spooked by government oversight. 

Pressed in such a pincer movement, the separate teams within Google must be siloed, meaning the Privacy Sandbox team must operate independently of its ad tech team, according to several sources with knowledge of how teams there have had to operate in recent years. 

“I think the root cause of this is because it’s a solution [Privacy Sandbox] built by browser engineers that didn’t understand the digital advertising ecosystem,” said one source, who similarly requested anonymity in return for candor. 

“I think Privacy Sandbox was built out of general naïveté and hubris,” added the source, albeit they did go on to note how the Privacy Sandbox team has made overtures to third parties in the ad tech ecosystem within the past year through its appointments and dialog. 

An emailed statement from Google underlined that the reliability of Privacy Sandbox is its “highest priority” and that its APIs are not proprietary and open for third-party developers to use free of contractual arrangements.

The Google spokesperson further claimed that its Privacy Sandbox model is not dissimilar to the web’s status quo. “Access to web APIs does not depend on accepting terms of service or otherwise entering into a contract with the maker of the user’s browser. This is critical to a functioning web: when a user navigates to a site, the site should just work, regardless of pre-existing commercial arrangements between browser and site.”

Furthermore, per Google’s assessment, it does not prohibit ad tech firms from having their own data processing agreements, and demand- and sell-side players get to decide which APIs determine the outcome of ad auctions within Chrome.   

“The browser provides on-device infrastructure that supports these functions, but it does not determine when or how they are performed,” read Google’s emailed statement.

Government intervention? 

For some, the Privacy Sandbox outage of earlier this year has outright undermined Google’s earlier assurances that its API infrastructure would withstand the wear and tear of shouldering the privacy requirements of all Chrome users. 

Indeed, some have pondered the prospect of governmental bodies intervening in the operations of internet web browsers, just like public utilities. 

“Just look at gas, power, or telco companies; they’re public and utilities. I think browsers should be regulated in the same way,” commented one source who requested anonymity. 

“Just look at what Apple has done, and Google is doing [with the removal of third-party cookies from their web browsers], and they have effectively moved away from how the W3C has defined how browsers should operate.”   

Related Insights

Life Beyond the Cookie

‘Many misunderstandings and inaccuracies’: Google issues retort to critical Privacy Sandbox report Read More

IAB Tech Lab CEO Anthony Katsur told Digiday that transparent, legally binding service-level agreements are the basis of business operations in the sector, echoing the body’s earlier Privacy Sandbox assessment. Instead, Google should seek to further assuage the concerns of such third parties with more explicit terms of engagement

Added Katsur: “The terms of service, as Google has now expressed them… provides no ad tech business, publisher or advertiser any recourse if there’s any material harm in the form of revenue, campaign reporting or campaign reconciliation” and that “There’s no recourse for Chrome to be taken into account; we think that’s a problem for the industry. … Chrome should have agreements with the industry. Candidly, I think that’s in Chrome’s best interest, as wouldn’t it create a level of comfort for publishers, agencies, and their DSP partners to use this?”