First of all, the reason for the somewhat contrived name (Privacy Sandbox on Android) is that there is already a web version of Privacy Sandbox, introduced way back in August of 2019.
The Android version of Privacy Sandbox consists of four design proposals, which are a good (if semi-technical) read. You can find them here.
The responses so far have fallen broadly into four different categories:
- Mainstream media, like the NY Times, which all pretty much just riffed on Google's announcement blog post.
- Misinformed mainstream media counter-takes, which tried to spin up a narrative around how Google was delivering a second, ATT-esque 'body blow' (or some equivalently violent metaphor) to Facebook.
- Privacy zealots, who have a reputation to maintain and feel the Privacy Sandbox proposals don't go nearly far enough.
- Industry analyses, which generally seem to agree that Privacy Sandbox on Android is a genuinely good collection of proposals that deserves serious discussion.
Type: Industry Analysis.
I'm slightly biased because I wrote it, but if you only read one article about Privacy Sandbox…make it this one.
This blog post explains the various pieces of Privacy Sandbox, its history, the rollout timeline, and how it compares to ATT on iOS. I also address a number of other FAQs we've heard so far.
Type: Industry Analysis.
If you read a second article, this should probably be it. A good breakdown of the different parts of Privacy Sandbox, including the ad targeting components (which my overview above doesn't really get into).
Type: Industry Analysis.
To round out the top three, if you'd like a really solid teardown of how the attribution components of Privacy Sandbox will work, this is worth your time.
Type: Privacy Zealot.
Next, we have an example of a much more skeptical take (another is here). The thrust of these naysayers seems to be around three things:
- Privacy Sandbox is not
- The two-year rollout timeline is long.
- These are still just proposals (rather than requirements), and there is no explicit confirmation that GAID will go away.
In other words, they're interpreting this is a cynical move by Google to head off regulatory scrutiny, while keeping the 'tracking party' on Android going full-frenzy.
I think this is wrong for several reasons:
- Two years is really not that long (reminder: we're already coming up on the two-year anniversary of iOS 14, and that turmoil is still shaking out).
- When it comes to ads, Google faces regulatory pressure that Apple doesn't (for better or worse), so they can't do what Apple did. This means they're stuck between a rock and a hard place on privacy and antitrust, so they need to provide a workable alternative before touching the current infrastructure.
- The status quo on Android's user privacy protections isn't 'nothing' — between the new Data safety in Play Console and the change to delete GAIDs when users opt out of ads personalization, the landscape is already shifting.
Ultimately, nothing Google introduced here was going to be good enough for everyone: when it comes to privacy, the mainstream take seems to be that Apple can do no wrong…which means even if Google had announced a full, point-for-point photocopy of ATT, it would have been cast as insufficient simply because it's coming from a different source.
Type: Misinformed Counter-Take.
This is an example of A Very Bad Take™ from a mainstream reporter who simply didn't understand the announcement, didn't read the the documentation, and took the easy headline of casting this as 'ATT for Android'.
For evidence of why this is not correct, we need go no further than this supportive tweet from Meta's own VP of Ads and Business Product Marketing, Graham Mudd. Yes, there will certainly be some impact compared to the status quo, because 'walled garden' advertisers (like Facebook) currently rely on user-level identifiers like IDFA and GAID to power the feedback loops that let them target and optimize ad campaigns.
Universal user-level IDs are a relic of a previous era that are going extinct one way or the other — almost no one seriously disputes that at this point, so the real discussion is around how to find alternatives that give acceptable user privacy protections while still allowing apps to function. The cost of getting that wrong? The bad behavior simply goes underground.
Finally, one of the (legitimate) concerns about Privacy Sandbox is timeline and scope-creep: its web version was announced two and a half years ago, and nothing has really changed yet.
Consensus-driven changes are always going to be slower than autocratic decisions, but one big reason for the delay is that Privacy Sandbox has been under investigation for the last year by the UK's competition regulators. That was finally cleared up last Friday.
Google usually announces Android-related changes on Wednesdays, and Privacy Sandbox came to Android the very first Wednesday after the UK's investigation was closed. Probably not a coincidence?