Privacy Sandbox relevance and measurement APIs and updated user controls are now generally available in Chrome. Ecosystem participants have asked about Chrome's approach to privacy-related compliance with Privacy Sandbox as well as their own responsibilities. While we cannot provide legal advice, we can share our responses to frequently asked questions and provide information about the APIs that can help those responsible for privacy-related compliance decisions.
Questions and answers
Do sites and other Privacy Sandbox relevance and measurement API callers have ePrivacy obligations?
ePrivacy laws in the European Economic Area (EEA) and the UK require consent to store or access data on and from a user's browser unless strictly necessary, and don't differentiate between legacy technologies such as third-party cookies, and emerging Privacy Enhancing Technologies (PETs) such as the Privacy Sandbox APIs.
Use of each of the Privacy Sandbox APIs involves accessing data that is stored on the user's device.
For reference, companies can see how Google's own ads services, which operate independently from Chrome, are incorporating Privacy Sandbox technologies as part of their EU User Consent Policies.
Can sites and API callers rely on exemptions to ePrivacy consent requirements?
Exemptions from the consent requirements in ePrivacy laws are narrow, and typically limited to use cases which are 'strictly necessary' for the provision of an online service explicitly requested by the user. Our understanding is that using the Privacy Sandbox APIs for interest-based advertising purposes is not exempt from obtaining consent.
We expect only a small subset of use cases to be regarded as strictly necessary, for example using the Private State Tokens API for account security or spam prevention purposes, or using the Federated Credential Management API for authentication purposes. Using these APIs for other purposes would require a separate analysis and is likely to require user consent. It is your responsibility to determine whether your particular use case is exempt, taking into account local regulations and data protection regulatory guidance where appropriate in your assessment. Even if you conclude that your use case is exempt from ePrivacy requirements, you still need to provide clear information to users about your use of the APIs under European data protection laws.
Do I need to inform users when I use the Privacy Sandbox APIs?
Whenever you use the Privacy Sandbox APIs, you should ensure that you are fair and transparent about this. Transparency and fairness are particularly important if you are using the Privacy Sandbox APIs to identify the interests of a specific audience or individual, particularly to influence their behavior. Users don't always understand how their information has been used in this way, and so you may need to take extra steps to bring it to their attention. Specific information requirements apply whenever you seek consent from individuals to your use of the APIs. However, even if your use case is exempt from consent requirements (e.g. because it is strictly necessary to provide a service requested by the user), you still need to provide clear information to users about your use of the APIs.
How do I seek end user consent for the Privacy Sandbox APIs?
Use of each of the Privacy Sandbox APIs involves accessing data that is stored on the user's device. ePrivacy laws require you to obtain consent from the end user before you access this data - just the same as you need consent for cookies. We expect most companies will rely on consent management platforms to obtain consent for the APIs, similar to the way they seek consent to cookies today. It's your responsibility to get consent for your own access and use of the Sandbox APIs, including topics. It's not enough that the user has agreed to turn on Topics on their device: you must seek your own consent, specific to your activities. When you ask for consent, you must be clear about how you will use the APIs. It's particularly important that you highlight any use of topics (or the other APIs) for non ads-related purposes, as users may not expect this. You should also make sure end users can withdraw their consent easily and at any time.
Can users withdraw consent or otherwise control Privacy Sandbox relevance and measurement APIs?
Yes. Users can access chrome://settings/adPrivacy, which provides individual, granular controls for turning off Privacy Sandbox APIs, blocking individual topics, and blocking specific sites from setting Interest Groups. Users can delete ad-measurement data by deleting browsing data.
Sites will need to determine what choices they offer to users, how those preferences are stored, how a user's preference is signaled to the site's ad-tech vendors who may call the Privacy Sandbox APIs, and how those vendors are held accountable. Sites and their vendors will need to decide what a user's choice means in terms of whether and how a given Privacy Sandbox API is used.
Some opt-out based, self-regulatory programs such as AdChoices rely on third-party cookies. We encourage you to ask those programs how they are preparing for third-party cookie deprecation.
Can user choices related to Privacy Sandbox be persisted across sites?
Users can access chrome://settings/adPrivacy, which provides controls for turning off Privacy Sandbox APIs altogether or blocking individual topics. Users can delete ad-measurement data by deleting browsing data.
Sites will need to determine whether they take responsibility for extending user choices expressed on their own sites to the rest of the web. Some opt-out based, self-regulatory programs such as AdChoices are meant to offer users choices about how ad tech companies process user data across sites (such as Interest-based Advertising). Traditionally those programs are specific to ad tech companies who choose to participate, and not to sites. We encourage you to ask those programs how they are preparing for third-party cookie deprecation.
Can users delete data related to Privacy Sandbox relevance and measurement APIs?
Users can access chrome://settings/adPrivacy, which provides individual, granular controls for turning off Privacy Sandbox APIs, blocking individual topics, and blocking specific sites from setting Interest Groups. Users can delete ad-measurement data by deleting browsing data. Additionally, Chrome will automatically delete users' topics of interest, Interest Groups and reporting events after a set period of time.
For sites and other Privacy Sandbox relevance and measurement API callers, the following technical functions are available:
- For Protected Audience, a site or its ad tech that can add Interest Groups from this site can also call the leaveAdInterestGroup function.
- For Shared Storage, a site or its ad tech can call the delete method on a key or the clear method to clear all keys.
- For the Attribution Reporting API, a site or its ad tech can use the Clear-Site-Data header.
Sites and other API callers will need to determine if their current mechanisms for deletion rights are suitable if and when they have chosen to store data retrieved from Privacy Sandbox APIs or data related to calling the APIs.
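As an added example (not code from this page or from Chrome), the following JavaScript puts two of the points above into one small consent gate: the caller checks its own consent record before calling Topics or Protected Audience, as the consent question above describes, and on withdrawal it uses the client-side deletion hooks just listed (navigator.leaveAdInterestGroup and sharedStorage.clear), while a server-side helper builds the Clear-Site-Data header for Attribution Reporting data. The browser objects are injected so the logic can be exercised outside a browser; the purpose identifiers, the class and function names, and the choice of the "storage" directive for attribution data are assumptions, not statements from the page.

```javascript
// Added example (not code from the Privacy Sandbox page or from Chrome): a gate that
// (1) only calls the relevance APIs once the caller holds its own consent for that purpose, and
// (2) on withdrawal undoes what the client can undo with the deletion hooks the page names:
//     navigator.leaveAdInterestGroup, sharedStorage.clear/delete, and the Clear-Site-Data header.
// Browser objects are injected so this runs outside a browser; purpose IDs are hypothetical.

const PURPOSE = Object.freeze({
  INTEREST_ADS: "interest_based_ads", // Topics, Protected Audience
  MEASUREMENT: "ad_measurement",      // Attribution Reporting, Private Aggregation
});

class SandboxConsentGate {
  // browser: { document, navigator, sharedStorage }; any may be missing (API absent or turned off)
  constructor(browser, consents = {}) {
    this.browser = browser;
    this.consents = new Map(Object.entries(consents));
    this.joinedGroups = []; // {owner, name} pairs we joined, so withdrawal can leave them again
  }

  hasConsent(purpose) { return this.consents.get(purpose) === true; }
  grant(purpose) { this.consents.set(purpose, true); }

  // Topics: the user enabling Topics in chrome://settings/adPrivacy is not the caller's consent.
  getTopics() {
    const doc = this.browser.document;
    if (!this.hasConsent(PURPOSE.INTEREST_ADS)) return Promise.resolve([]);
    if (!doc || typeof doc.browsingTopics !== "function") return Promise.resolve([]); // API absent
    return doc.browsingTopics().catch(() => []); // may reject when the user has blocked the API
  }

  // Protected Audience: `group` is the dictionary passed to joinAdInterestGroup
  // (owner, name, lifetimeMs, ...); owner/name are recorded so we can leave the group later.
  joinInterestGroup(group) {
    const nav = this.browser.navigator;
    if (!this.hasConsent(PURPOSE.INTEREST_ADS)) return Promise.resolve(false);
    if (!nav || typeof nav.joinAdInterestGroup !== "function") return Promise.resolve(false);
    const joined = nav.joinAdInterestGroup(group);
    this.joinedGroups.push({ owner: group.owner, name: group.name });
    return joined.then(() => true);
  }

  // Withdrawal: record it, leave every group we joined, and clear our Shared Storage keys.
  // Returns the client-side actions taken and a promise that settles when they finish.
  withdraw(purpose) {
    this.consents.set(purpose, false);
    const actions = [];
    const pending = [];
    if (purpose === PURPOSE.INTEREST_ADS) {
      const nav = this.browser.navigator;
      if (nav && typeof nav.leaveAdInterestGroup === "function") {
        for (const g of this.joinedGroups) {
          pending.push(nav.leaveAdInterestGroup({ owner: g.owner, name: g.name }));
          actions.push(`leaveAdInterestGroup:${g.owner}/${g.name}`);
        }
      }
      this.joinedGroups = [];
      const ss = this.browser.sharedStorage;
      if (ss && typeof ss.clear === "function") {
        pending.push(ss.clear());
        actions.push("sharedStorage.clear");
      }
    }
    return { actions, done: Promise.all(pending) };
  }
}

// Server side: attribution data is cleared with a Clear-Site-Data response header.
// Assumption (not stated on the page): the "storage" directive is the one that covers
// Attribution Reporting data; confirm against the current Attribution Reporting documentation.
const CLEAR_SITE_DATA_DIRECTIVES = new Set(["cache", "cookies", "storage", "executionContexts", "*"]);

function clearSiteDataHeader(directives = ["storage"]) {
  for (const d of directives) {
    if (!CLEAR_SITE_DATA_DIRECTIVES.has(d)) throw new Error(`unknown Clear-Site-Data directive: ${d}`);
  }
  return directives.map((d) => `"${d}"`).join(", "); // each directive is a quoted string
}

// In a browser, construct the gate with the real globals:
//   new SandboxConsentGate({ document, navigator, sharedStorage: window.sharedStorage })
// and send `Clear-Site-Data: ${clearSiteDataHeader()}` from the deletion endpoint.
```

The gate keeps the consent record per purpose rather than as one flag, so that measurement consent can be granted or withdrawn independently of interest-based advertising, which is what the separate-consent point above calls for. Server-side copies of anything retrieved through the APIs are outside the gate's reach and still need the site's own deletion process.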
How is Privacy Sandbox approaching privacy-related compliance in Chrome?
In the case of Topics, this is a new experience for Chrome users and Chrome wanted to provide a separate moment for users to learn and choose what's best for them. Topics marks a new way for Chrome to enable relevant experiences based on a user's browsing history, and Chrome has taken the decision to ask for consent from users in the UK/EEA and Switzerland before enabling the API.
The Protected Audience and measurement APIs represent more private versions of existing processing behaviors both within the browser and in protected, trusted environments. Overall, all users will have robust controls, and can opt out of the Privacy Sandbox experience at any point.
You can learn more about Privacy Sandbox ad controls in our Help Center.
More API information
Learn more about the Privacy Sandbox relevance and measurement APIs:
- Topics: Generate signals for interest-based advertising without third-party cookies or other user identifiers that track individuals across sites.
- Protected Audience: Select ads to serve remarketing and custom audience use cases, designed to mitigate third-party tracking across sites.
- Attribution Reporting: Correlate ad clicks or ad views with conversions. Ad techs can generate event-level or summary reports.
- Private Aggregation: Generate aggregate data reports using data from Protected Audience and cross-site data from Shared Storage.
- Shared Storage: Allow unlimited, cross-site storage write access with privacy-preserving read access.
- Fenced Frames: Securely embed content onto a page without sharing cross-site data.