Privacy Sandbox Testing Results Show Shortfalls to Meet CMA Requirements

Our Chief Product Officer, Todd Parsons, shares details on Criteo's Privacy Sandbox Market Testing results and recommendations.
Updated on July 3, 2024

We believe the Privacy Sandbox has the potential to be a sustainable alternative to third-party cookies, provided our requests are satisfied, a disciplined rollout schedule is maintained, and a clear roadmap is provided. We are committed to continue helping Google close Privacy Sandbox gaps through our partnership and testing.

Criteo’s Privacy Sandbox recommendations outlined herein are non-breaking and can be easily implemented by Google to meet their objectives. Our requests cover a large variety of advertising use cases, not just retargeting. And our testing also concludes that a reasonable rollout schedule will help alleviate issues like a massive increase in Google Ad Manager (GAM) traffic.

At the core of Privacy Sandbox’s success, publishers play a vital role. Maintaining the quality of their user experience and healthy ad revenues is essential. The three main drivers of ad revenue for publishers are:

  1. High-quality content
  2. Consumer audiences that are desired by advertisers
  3. Measurable impact on advertiser campaign outcomes

Criteo ran a full test on most of our advertising campaigns and publisher inventory to assess the impact of the Privacy Sandbox on these three drivers. Our testing results and direct publisher feedback indicate the current version of Privacy Sandbox falls short of Google’s stated goal of limiting the publisher revenue lost to a maximum of 5%.

Our findings are similar to those of our partners:

“Raptive is deeply involved in shaping the solutions that will enable more private, cookieless advertising on the web. We’ve been testing the Privacy Sandbox APIs, along with Criteo, and both of our results show that the Privacy Sandbox is not yet a viable alternative to cookies. Criteo’s suggested improvements for more utility are required to maintain a vibrant open web and functioning market.”

-Paul Bannister, Chief Strategy Officer, Raptive

After the UK’s Competition and Markets Authority (CMA) began their investigation into the Privacy Sandbox, Google made multiple commitments to address the CMA’s initial concerns, namely the Development and Implementation Criteria, which are, as stated by Google:

  1. “impact on privacy outcomes and compliance with data protection principles as set out in the Applicable Data Protection Legislation;
  2. impact on competition in digital advertising and in particular the risk of distortion to competition between Google and other market participants;
  3. impact on publishers (including in particular the ability of publishers to generate revenue from advertising inventory) and advertisers (including in particular the ability of advertisers to obtain cost-effective advertising);
  4. impact on user experience, including the relevance of advertising, transparency over how Personal Data is used for advertising purposes, and user control; and
  5. technical feasibility, complexity and cost involved in Google designing, developing and implementing the Privacy Sandbox.”

The Privacy Sandbox does not meet these commitments. If third-party cookies were deprecated today with the current Privacy Sandbox, our testing demonstrates publishers will lose an average of 60% of their revenue from Chrome.

Criteo has publicly prescribed modifications to both Google and to the CMA that bring the Privacy Sandbox closer to delivering on its promises. We trust that both parties will consider and implement the necessary modifications to sustain a healthy publisher ecosystem.

Testing Methodology

Criteo’s Privacy Sandbox Market Testing, the basis for our final report to the CMA, was conducted over eight consecutive weeks between March 18th and May 12th. Prior to market testing, Criteo adapted our entire advertising infrastructure to operate in this new environment.

Our rigorous market testing methodology enabled us to understand the impact to publisher ad revenue if third-party cookies were deprecated today, and the current version of the Privacy Sandbox was rolled out. These tests were conducted at unmatched scale, across the majority of our 18,000 advertisers and 1,200 publishers, at a rate of over 100 million weekly ad impressions.

We tested three groups:

  • Treatment Group: Third-party cookies were removed, and the Privacy Sandbox was used alongside contextual targeting and publisher first-party data if available.
  • Control Group 1: Third-party cookies were used without using the Privacy Sandbox.
  • Control Group 2: Neither third-party cookies nor Privacy Sandbox were used. Only contextual targeting and publisher first-party data were leveraged.

Publisher ad revenue directly depends on advertising performance. We continuously adjusted advertiser spend on the Privacy Sandbox based on campaign performance, which enabled us to measure the downstream impact to publisher revenue.

Our Findings

Below, we highlight four key findings from our market testing. Each finding is crucial to understanding the overall conclusions and implications of the Privacy Sandbox’s impact on publishers.

Criteo’s first key finding is that if third-party cookies were deprecated today and the Privacy Sandbox released in its current state, we expect publisher revenues to decrease by an average of 60% for those that have fully integrated the Privacy Sandbox. Publisher adoption overall remains below 55%.

Second, the current version of the Privacy Sandbox also creates an advantage for Google’s advertising business. Our testing showed that Google Ad Manager (GAM) captured the majority of spend in the treatment population, an increase in market share of 360%: from 23% to 83%. This demonstrates a significant increase in publisher reliance on Google for ad revenue.

Third, we observed a median increase of more than 100% latency in publisher ad rendering on Privacy Sandbox traffic. Latency negatively impacts consumer experience due to long page load times. Publisher revenue is likewise impacted due to degraded viewability, click-through rates and price per ad slot.

Finally, we observe that results from various industry participants may vary as testing methodologies differ between companies. In addition, Criteo identified four potential biases that, if not mitigated, may distort test results to erroneously show more favorable performance of the Privacy Sandbox.

Our Recommendations for Privacy Sandbox Success

We are longstanding partners with Google and have committed significant time and resources to providing evidence-based feedback that will ensure the Privacy Sandbox meets its objectives.

Google has implemented several of our recommendations, including adding a server-side component (KV server), currency management, native integration, an updated permission policy to test the Attribution Reporting API at scale, and weighted Topics per business value, which resulted in Google launching the Topics API rather than the initially proposed FLoC.

Most recently, we’ve proposed essential Privacy Sandbox features to Google and the CMA. Backed by our testing, these requests are made to ensure a functioning market emerges post Privacy Sandbox rollout. By adopting our requests, Google would improve Privacy Sandbox performance and provide assurances of less damage to publisher ad revenue:

Performance Features: These are aimed at enhancing machine learning performance, which translates into more spend on the open web and higher CPMs for publishers:

  • Expand the 12-bit data limitation in the Protected Audience API (PA API) reporting.
  • Provide more granular win/loss auction data reporting.
  • Add global click and display counters to the PA API.
  • Move part of the bid computation server side, instead of on-device, for better models, and better performance.
  • Provide user-centric AB testing to compare bidding strategies and improve their performance outcomes.

Audience Qualification: These requests enable better qualified, more valuable, audiences, also translating into higher revenues for publishers:

  • Extend interest group duration to a 90-day minimum to support longer sales cycles.
  • Enable combining interest groups at bidding time for highly targeted audiences that increase competition and CPMs.
  • Support exclusion targeting in PA API.

Critical Functionalities: These features provide essential capabilities to ensure transparency, avoid fraud, and maximize sustained improvement and competition:

  • Tie deprecation of third-party cookies on mobile to the adoption of Privacy Sandbox for Android, for continued advertising support across web and app.
  • Provide real-time data samples for debugging and monitoring.
  • Support traffic shaping which is essential to manage DSP infra cost and avoid market concentration.
  • Ensure PA API auction integrity to prevent bid tampering and fraud at scale.
  • Provide transparency about user opt-out rates from Privacy Sandbox APIs.

Governance: Optimizations to enhance decision-making, accountability, and efficiency, leading to better performance for publishers:

  • Follow an orderly rollout schedule to test efficacy at scaled market participation without harm to publishers.
  • Allow partners at least one quarter of development and testing of new Privacy Sandbox API features, depending on the scope of changes.
  • Progressively deprecate third-party cookies in a three-step approach (deprecating third-party cookies to 10%, 50%, and 100% respectively) in accordance with positive test results.
  • Provide a detailed, rolling roadmap.

Our Request to the CMA

We believe that the Privacy Sandbox is not yet ready for full implementation, and therefore support Google and the CMA’s decision to delay cookie deprecation until 2025. However, if no further action is taken by Google to significantly improve the Privacy Sandbox per our recommendations outlined above, we believe publishers will struggle with lower yields and decreasing revenue, as well as inability to measure performance.

We trust that Google will honor their commitments to the CMA, publishers and the wider advertising ecosystem. We ask the CMA to consider the recommended changes that are needed to help Google deliver on these objectives during their analysis and deliberation. Additionally, we ask Google and the CMA to consider that the technical Privacy Sandbox setup for publishers remains complex and challenging, apart from Google Ad Manager (GAM), all SSPs need to individually onboard their publishers onto the Privacy Sandbox. Criteo will continue to advocate for the needs of our partners and clients in various working and trade association groups, while we also pursue and advance the other pillars of our multi-pronged addressability solutions.

We encourage all parties to visit and bookmark our Addressability Hub, where we will continue to share news, updates and learnings for addressability and future-proofed commerce media strategies in the post-cookie era.

Todd Parsons

Todd Parsons joined Criteo as Chief Product Officer in August 2020. He is responsible for product strategy and new product innovation to diversify and transform Criteo's platform offerings. For over a decade Todd has built marketing solutions at the intersection of consumer identity and data. Prior ...

Chief Product Officer (CPO)
Subscribe to our newsletter

Fresh sales trends and consumer insights to help you plan and win.