How the cookie crumbles: on Google, Privacy Sandbox, & third party cookies

What does Google’s recent step back from deprecating third party cookies mean for Privacy Sandbox on Android? Does the third party cookie’s death row pardon mean that the GAID will now live on as well?

Or, is ATT how the mobile cookie will crumble?

A brief history of advertising identifiers, including third party cookies

In mobile, we’re pretty familiar with device identifiers. 

In the beginning, there were device identifiers (Android ID on … Android, and UDID, or Universal Device Identifier on iOS). The big problem: they were basically hard-coded, non-user-changeable, and massive privacy risks thanks to being universally available while also being essentially eternal. 

In 2013 Google switched advertisers to the Google Advertising ID (GAID), sometimes also referred to as the Android Ad ID, following Apple’s equivalent move to IDFA in 2012.

Cookies, however, are from an entirely different era.

Think Netscape Navigator era.

23-year-old developer Lou Montulli created cookies as one of the early employees of Netscape in 1994. That tiny little 4-kilobyte container, enough to hold a couple pages of text, became a great way to identify a particular user with a particular web browser to a specific server and maintain state. 

Interestingly, cookies were sandboxed — hey, that term again — so that only the server that set them could read them. 

But because web pages are often made up of components from multiple different servers — including ad servers — that sandboxing essentially became irrelevant. The first-party cookie plus the architecture of the web led some pioneering adtech innovators at DoubleClick (yep, the one bought by Google later on) to start using cookies as persistent identifiers to target ads just a year or so after their introduction.

A decade and a half later, questions and concerns from regulators about surveillance capitalism and privacy started to get louder and louder. (Technology typically moves much faster than regulation, or our ability to understand the consequences of new innovations.) Apple began restricting third party cookies in 2017 and blocked them in full by default by 2020 in Safari 13.1. Firefox did the same between 2018 and 2019.

So Google started to think: if everyone blocks cookies, and if regulators force us to block cookies too, how will we target and attribute ads on the open web? 

Privacy Sandbox on Web was born.

Those of us who have grown up in mobile will recognize a similar progression on smartphones: device identifiers to ad IDs, and then on Apple to SKAdNetwork (AdAttributionKit going forward). 

On Android, the path was supposed to be Android ID to GAID to … Privacy Sandbox on Android because there was an assumption that the GAID was going to be deprecated. 

In fact, I’m pretty sure Google initially said that. You can find some evidence of this on the web, but all Google-owned and controlled websites have been scrubbed of such language if it ever existed there.

But is that still the case? Is it even in Google’s best interest to do so?

Google’s interests, advertisers’ interests, regulators’ interests

Google is an ad network.

It’s also many other things: videos, cloud computing, consumer electronics, AI, operating systems for mobile, wearable, and desktop devices, mapping, photos, news. And — oh yeah — apparently they have a search engine too.

But fundamentally, Google is a massive ad network (and exchange and DSP and DMP and ad server and SSP and so on). More than 75% of the company’s revenue comes from advertising in one form or another.

However, it’s not always clear what Google’s interests are.

The Electronic Frontier Foundation is pretty sure it knows:

“Google’s announcement underscores their ongoing commitment to profits over user privacy,” EFF staff technologist Lena Cohen told Bleeping Computer.

Others, including perhaps the most knowledgeable mobile adtech person on the planet, see things somewhat differently. 

“Google is very obviously motivated to excise the cookie from the open web ecosystem for the benefit of its owned-and-operated channels: its Network business is in a state of systemic decline, YouTube and Search feature higher margins than Network, and Network presents the company’s most acute regulatory liability,” says Eric Seufert. “The benefits to Google of cookie extinction are manifest: more demand for its higher-margin channels.”

There’s economic incentives on both sides of cookie for Google, clearly:

• More third party cookies mean more potential revenue opportunity on Google’s network side, which has been declining as a percentage of total revenue over the past 18 months
• Fewer third-party cookies increase the value of Google’s owned-and-operated channels (just like ATT and SKAN resulted, eventually, in walled gardens with owned first-party data doing better)

Call me naive if you wish: I also think there are good people at Google who care about privacy and are trying to balance it with profit: both Google’s and the open web’s.

ATT is probably how third party cookies will crumble (and how GAID will survive)

Like it or not, Apple’s non-deprecation deprecation of the IDFA was genius. 

With a gray-to-black pattern via a scary prompt that made marketers have to think about how to ask people for permission to track them, Apple at one and the same time didn’t deprecate the IDFA (officially) and did deprecate the IDFA (at least mostly, in practice).

My first thought on seeing Google’s retraction of the third party cookie’s execution was: they’ll ATT the GAID. Apple has already shown them how. And that’s kinda funny, because today, most of the cookie-placement requests on the web that GDPR has forced us to click through are annoyingly syrupy: over-zealous and saccharine. 

Allow us to place this cookie or puppies will die a horrible death. Allow us to set cookies or children will starve. Take a cookie, please, or western civilization will crumble.

The key for a non-deprecating deprecation of the GAID will be the interface: will Google make it a setting far far away in the preferences? Will they actively pop up a prompt to get users to set a universal preference that will be applied to all websites? If so … what language will they use?

If the prompt is ominous, we already know what happens in this scenario: people are likely to say no. That’s exactly what happens with ATT.

But again, as with third party cookies, it’s not entirely clear where Google’s own interests lie:

• GAID enables more intelligent targeting and attribution for AdMob
• But Google’s owned and operated properties don’t need it as much
• And Google can achieve similar objectives with its SDKs, very likely, which are in almost all Android apps

Plus, at least some of Google’s people are sincere in their desire to boost privacy

Likely, Google’s approach on the web could be significant for how GAID and Privacy Sandbox evolve on mobile: user choice:

“We are proposing an updated approach that elevates user choice,” says Anthony Chavez, Google’s VP of Privacy Sandbox. “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time.”

Regulators will have their say as well, but here’s where we are:

1. Third party cookies are here to stay
2. But people are unlikely to say yes, I want third party cookies in my browser
3. Android is likely to follow the path of web in Privacy Sandbox
4. GAID is likely to become optional

GAID: available but scarce

If that third point turns out to be true, ATT could be how the mobile cookie (GAID) crumbles on Android smartphones. 

Which means: theoretically available (and yes, some percentage allow it), but actually scarce. 

Which at this point is probably a net positive for mobile marketers. After all, the default reality mobile marketers have been living with for several years now is that GAID is on death row, and Privacy Sandbox is their only salvation. 

Now at least there’s some hope that GAID won’t quite die.

And that’s probably also aligned with Google’s conflicting interests.

Because frankly, even when Google tries to do the right thing, it gets static. The EFF, for instance, says that “even if it’s better than third-party cookies, the Privacy Sandbox is still tracking, it’s just done by one company instead of dozens”  … clearly not understanding that the Sandbox within which Privacy is happening is users’ own devices, meaning that no company is tracking.

So if you can’t win for trying, you might as well just let the world kinda have what it wants.

And that probably shows the future of device identifiers … theoretically available, but actually less and less relevant, both due to the changing priorities of the biggest of big tech (Apple & Google) and privacy tools, regulation, and practices.