Explaining Google Chrome's new Privacy Sandbox

Google is celebrating Chrome’s 15th birthday with a new default theme on desktop, but another recent change is stealing attention: the Privacy Sandbox. It’s a collection of new web technologies that allow Chrome to analyze your web behavior and provide that information (in a somewhat anonymous manner) to any website that requests it, so sites can then display targeted advertisements. That sounds pretty creepy, and the rollout has led to many articles, videos, and social media posts explaining how to turn it off.

But what exactly is the Privacy Sandbox? Why do I need to turn it off? Why is it called Privacy Sandbox when it involves providing interest data to third-party websites? Didn’t I hear something about this a few years ago?

This is my attempt at a thorough but simple explanation of the Privacy Sandbox, based on my knowledge reporting on its development over the years and my experience as a web developer.

What is the Privacy Sandbox?

The Privacy Sandbox is a collection of features created for Google Chrome intended to replace third-party cookies in web browsers with more secure and private alternatives, without significantly disrupting the online advertising industry as it exists today.

The most important component of the Privacy Sandbox, and the one that has caused the most panic, is the Topics API. Instead of advertising networks and data brokers tracking your individual browsing habits over time using cookies, the browser will do it based on your browsing history, and then provide the topics you are interested in to any site or advertiser that requests it.

The topics are generalized like “Indie and alternative music,” “Tennis,” or “Printing and publishing,” and not individual URLs or websites you have visited — a full list of potential topics is available on GitHub. If you’re using incognito mode or clear your history, the list of topics is blanked out. The site can then combine that data with any other information it has about you to display relevant advertising.

There’s also the Protected Audience API to manage auctions for advertisers, and Attribution Reporting and Private Aggregation for advertisers to track performance over time. The Shared Storage API allows unlimited cross-site storage, which will likely be useful for cross-site logins and other common use cases, and Fenced Frames allow advertisements and other content to be embedded in pages without giving them information about the parent page. CHIPS will allow cookies to be used in third-party contexts in cases not related to tracking, such as in content management systems and sandbox domains. Some other recent changes in Chromium and other browsers have been described as part of the Privacy Sandbox effort, such as the ongoing deprecation of User Agent strings to reduce tracking.

Generally, all these technologies are more private and secure than third-party tracking cookies, hence the name “Privacy Sandbox.” However, some of the features ultimately involve sharing data about your habits and interests with third-party sites and are enabled by default. It’s a bit like calling a pickup truck “energy efficient” just because it’s more efficient than a semi-truck.

Privacy Sandbox is mostly intended for Google Chrome and other web browsers, but some of the features are also in development for Android phones and tablets.

What web browsers are using Privacy Sandbox?

The Privacy Sandbox is rolling out now in Google Chrome. Most other web browsers are based on Chromium, the open-source code that powers Chrome, which means they will inherit the features unless they decide to modify that code themselves. Web browsers not based on Chromium, such as Firefox and Safari, will have to implement the features from scratch and are less likely to support them as a result.

Below is a list of popular browsers and their positions on some of the major Privacy Sandbox proposals.

Google Chrome: Chrome will support all Privacy Sandbox features.

Apple Safari: Apple rejected the Topics API for Safari and its WebKit engine in December 2022, saying “It’s important that any pre-existing privacy deficiencies on the web not be used as excuses for privacy deficiencies in new specs and proposals.” Apple was supportive of the CHIPS proposal in 2022, but has not yet taken a position on Shared Storage.

Microsoft Edge: Microsoft does not appear to have an official statement on the Topics API. It’s not listed on the site compatibility changes document (where it should appear if Edge blocks it), and the API is missing in Microsoft Edge 119 Canary. Microsoft was generally supportive of CHIPS as of April 2022, and does not appear to have an official position on Shared Storage yet.

Mozilla Firefox: Mozilla said in January 2023 that it will not implement the Topics API, as “we just can't see a way to make this work from a privacy standpoint.” It supports the CHIPS proposal, as of May 2022. Mozilla declined to support the Shared Storage API in September 2022, saying “We have no evidence to suggest that this might be a viable design.”

Opera Opera: Opera largely does not participate in the development of web standards, so we don’t really know where it stands. It’s based on Chromium, so it will inherit all Privacy Sandbox features unless Opera makes changes.

Brave Browser: Brave also does not really participate in web standards. The company wrote a blog post criticizing the Topics API in January 2022, but that did not explicitly state if the Topics API would be blocked in Brave Browser. Regardless, don’t use Brave Browser.

Vivaldi Browser: Vivaldi said in a blog post that “Google’s Topics API will not be enabled in Vivaldi, and it cannot work in Vivaldi. It would need two things to make it work, and we have disabled both of them.” Vivaldi’s positions on the other Privacy Sandbox APIs are unclear, but it will presumably implement most or all of the other features, since it’s based on Chromium.

You can check if the Topics API is present in any browser by opening the Console in the Developer Tools, and running the command 'browsingTopics' in document to see a true or false result. This doesn’t ensure the API is fully working, though.

How do I turn off the Privacy Sandbox?

The Topics API and other features related to advertisements and topic targeting can be changed in Google Chrome by clicking the main menu button, then navigating to Settings > Privacy and Security > Ad privacy. Then you have to open the menu for each feature and turn it off. The ad privacy page is also accessible at the chrome://settings/adPrivacy URL.

How did we get here?

Tracking cookies have been commonplace on the web for decades, allowing advertising companies, data brokers, and other groups to track your activity across different websites, usually to create a profile of your behavior for targeted advertisements. For example, if you do a web search for Star Wars and visit a few websites, the search engine and sites might have cookies from ad networks, which can then be used to show you ads for Star Wars content on the Disney+ streaming service.

Tracking cookies are difficult to understand, and even more difficult to control and manage. The European Union passed legislation that forced sites to add simple controls for cookies to EU visitors. Apple’s Safari browser gradually limited the functionality of third-party cookies over time, until blocking them entirely in 2020. Mozilla Firefox implemented “Total Cookie Protection” in 2021, which prevents sites from accessing cookie data created by other sites.

The attempts to limit the power of tracking cookies haven’t been perfect, and they have damaged the non-scary uses for cross-site cookies. The EU’s legislation leads to annoying cookie prompts on every site. The blocking feature in Safari and Firefox can cause issues with cookies used for login credentials. Cross-site cookies also powered services like Scroll, which provided a single subscription for turning off ads on partnered websites. Meanwhile, advertisers and other companies have attempted to circumvent browser-level protections — some tracking cookies were using CNAME cloaking to disguise themselves, which Apple patched in Safari 14.

The other important factor here is Google. The company functions as both a monopoly on the online advertising business (currently the subject of a lawsuit by the United States Department of Justice) and as the dominant web browser vendor. Google Chrome has somewhere around 63% of the global market share for web browsers, but browsers based on Chrome (which inherit many of the same product decisions) make up roughly another 10%. The Chrome team creating more safeguards around tracking cookies would be a conflict of interest with Google’s advertising business.

Still, it was clear something needed to change with how tracking cookies and online advertisements worked, if for no other reason than preserving Google’s ad business. The company started working on a potential solution in 2019, called the Privacy Sandbox. Here’s how Google explained its direction and goals in a blog post from March 2021:

When other browsers started blocking third-party cookies by default, we were excited about the direction, but worried about the immediate impact. Excited because we absolutely need a more private web, and we know third-party cookies aren't the long-term answer. Worried because today many publishers rely on cookie-based advertising to support their content efforts, and we had seen that cookie blocking was already spawning privacy-invasive workarounds (such as fingerprinting) that were even worse for user privacy. Overall, we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was irresponsible, and even harmful, to the free and open web we all enjoy.

Since 2019, we’ve been working on a collaborative open-source effort — the Privacy Sandbox — to develop a set of new privacy-preserving technologies that make third-party cookies obsolete and enable publishers to keep growing their businesses and keep the web sustainable, with universal access to content. It’s a polarity to balance, but one we think is critical to keep the web open, accessible and thriving for everyone.

The integral component of the Privacy Sandbox was the “Federated Learning of Cohorts,” or FLoC for short. With FLoC, your web browser was now responsible for creating a profile about you and your interests, instead of online advertisers and data brokers. That meant no more tracking cookies and, at least in theory, more control over your data.

The initial FLoC proposal involved the browser analyzing your browsing behavior over time, and placing you into large groups (“cohorts”) of people who had similar interests. Sites and advertisers could then target those cohorts individually, as a middle ground between tracking individuals and less-profitable non-targeted ads. The cohort identifier would be presented to any site that you visit, and the browser would prevent cohort detection based on visits to “medical websites or websites with political or religious content.”

FLoC was not popular. The Electronic Frontier Foundation pointed out how it could make it even easier to track people over the long term than tracking cookies. Even advertisers didn’t like it, because it was up to individual sites or advertising platforms to figure out what the cohort numbers were supposed to mean, giving an advantage to Google and other large advertisers that had more data to work with. Vivaldi Browser promised to not support FloC, Mozilla said “further work” needed to be done, and Microsoft turned it off in the Edge browser. Major sites started to opt out of FLoc tracking, including GitHub and Amazon.

FloC was announced in March 2021, and by June 2021, it was dead. Google started working on its replacement, the Topics API, which addressed some of the complaints. The Topics API still organizes people based on their browsing behavior, but the Topics are less specific and accurate than the earlier cohorts, which makes tracking specific individuals much harder. The Topics API was developed alongside the other Privacy Sandbox technologies, and finally in September 2023, most of the technologies are now enabled by default in Google Chrome and some other Chromium-based browsers.

The uncertain future

The Privacy Sandbox is essentially Google’s attempt at regulating itself and the rest of the online advertising industry. Google has worked with groups like the United Kingdom’s Competition and Markets Authority to ensure the proposals don’t give Google some level of advantage in advertising. However, it’s still ultimately a compromise between web advertisers (which is the main source of revenue for most websites) and the privacy concerns of users, at a time when even the compromises can become dangerous.

Earlier this year, a Nebraska woman pleaded guilty to helping her daughter have a medical abortion, after Roe v. Wade was overturned and abortion became illegal in many U.S. states. The deciding evidence was a Facebook Messenger conversation that Meta handed over to authorities, where mother and daughter discussed the abortion. That and other cases have put a spotlight on the data that big tech companies collect, and how they could potentially be used against us under more authoritarian governments.

Google has tried to build the Topics API (and FLoC before that) to not group people into categories that could be used in discriminatory ways, but that’s difficult to maintain in the ever-changing legal landscape of the world. The question of how to choose sensitive topics for the Privacy Sandbox is still an unanswered. It would be better to not collect interest data at all, but then the entire online advertising industry shrinks, because targeted ads are worth a lot more money than non-targeted ads.

It’s hard for me to guess what the future of the Privacy Sandbox and online advertising will look like. Google has the green light to integrate it in Chrome, but if Apple never implements the Topics API in its browsers (and continues blocking other web rendering engines from the iPhone and iPad), generating revenue from the roughly 16% of global web visitors using Safari would be much harder. We also don’t have a clear picture of how Microsoft will handle the proposals, and there could be another wave of sites opting out of Topics API tracking, like we saw after FLoC was announced.