The Five Looming Questions About Google Chrome’s New Privacy Rules

Google Chrome is making it easier for its users to block cookies and harder for ad tech companies to do fingerprinting.

But Google's dominant position in online advertising means even small changes will unleash a cat-and-mouse game with ad tech companies, who may choose to sidestep the new restrictions. There's also the concern that consumers may opt out en masse, just as many installed ad blockers or chose to "limit ad tracking" on their iPhones. And it's yet another wake-up call for an industry facing US regulation following The General Data Protection Regulation (GDPR).

AdExchanger asked industry vets to speculate on how Google's privacy features will affect them, and why Google built its new privacy features in the way it did.

Here are the different questions looming as Google tightens its privacy in coming months.

Question 1: Why did Google make such a small change compared to Safari ITP?

Google always needs to protect its core advertising business, which is the most simple reason Chrome only made basic improvements to its ad business. But that argument glosses over a lot of complexity.

A more aggressive approach on privacy would potentially allow Google to further solidify its own advertising advantage - but open up the company to anti-trust concerns. GDPR, for example, is already pushing marketers to move more fully onto the Google stack, because Google has been able to preserve identity even in a consent-based environment.

And with the California Consumer Privacy Act just seven months away, it's likely Google had to do something fast - and its Chrome announcement was the most it could cobble together in time for Google I/O.

"Google's announcement, similar to what Facebook did, gives them the narrative angle to say they're making a pivot to privacy without making it seem like they were derelict in protecting privacy before," said Ghostery President Jeremy Tillman, whose company operates a browser extension that tracks or limits third-party cookies.

However, an alternate theory is that Chrome's privacy improvements - much smaller compared to Safari and Firefox - are only the first step in a larger plan. Safari ITP, for example, is already multiple versions in after just two years in the market. Because a massive company like Google can't make significant changes quickly, measured steps could ease the transition for its many partners.

"This is the first step," said Nishant Desai, director of tech partnerships at Xaxis. "They are moving slowly because of how large they are, and because of how much their business depends on advertising."

Question 2: How many consumers will block cookies?

In order to block third-party cookies, Chrome requires users to opt out - and traditionally, very few people opt out.

"The vast large majority of users don't want to mess with their settings," said Brian Kane, COO and co-founder of Sourcepoint, which provides consent management software to publishers.

Similarly, Chrome's proposed "why am I seeing this ad?" browser extension would offer little appeal to consumers, Ghostery's Tillman said, in part because it wants consumers to monitor their ads on an ongoing basis.

"Users like set-and-forget tools," Tillman said. They don't have the bandwidth to check where all their ads are coming from.

Similar dynamics exist around consent to use data. "Most users just want to get on with their experience," Sourcepoint's Kane said. "I don't expect consumers to tailor their settings or block cookies, so I don't think it will be very impactful."

Question 3: How will the fingerprinting crackdown impact the ad industry?

Depending on whom you talk to, Chrome's fingerprinting restrictions will affect either no one or everyone in ad tech.

That uncertainty speaks to the hush-hush nature of fingerprinting. The identification technique, in which browser attributes are used to triangulate an identity, has always required "probabilistic" gymnastics to justify from a privacy perspective. Fingerprinting previously got Verizon and Turn in trouble and led to an FTC settlement in 2016.

Companies built on cross-device IDs, or DSPs that built their own tech to reach users across devices, could see those capabilities break. Whether that happens depends on what exactly Chrome restricts when it comes to fingerprinting.

"If Google obfuscates all IP addresses coming from Chrome it will have a negative effect on cross-device capabilities of DSPs, but they haven't explicitly mentioned that they are going to do this," said Ari Paparo, CEO of the DSP Beeswax.

Google wouldn't share how its fingerprinting restrictions would work. A likely scenario is that Chrome would hone in on one popular parameter for fingerprinting, the user agent string, and scramble just that piece. Chrome could pass a less specific user agent string or create multiple, different strings for the same person, said Jounce Media founder Chris Kane.

To thwart fingerprinting with this method, Chrome will either have one identifier represent multiple people, or create multiple identifiers for one person - both of which confuse fingerprinting attempts.

Cracking down on fingerprinting will be a good thing, said Sovrn CEO Walter Knapp.

"I like the browsers taking a more restrictive approach to flush out some of the bad actors," Knapp said. Publishers and companies closer to consumers will benefit.

Question 4: Is it possible to represent a third-party cookie as a first-party cookie?

Under the new cookie-blocking privacy, Google is requiring site owners to declare which cookies are actually third-party cookies - which can be blocked.

This scenario could play out a few ways.

If ad tech companies don't respect consumers who opt-out of tracking, they could simply re-engineer their cookies to work in first-party environments. Even Facebook created a first-party cross-site tracker last year to allow tracking in places like Safari. Then consumers can't block cookies and Chrome won't be able to offer an opt out.

"Google is setting itself up to deal with the same cat-and-mouse game Safari played," Jounce's Kane said.

Plus, if Google's cookies with tracking capabilities get designated as first-party cookies, "anti-trust swords will be rattled," noted ad tech vet and former AppNexus head Brian O'Kelley.

For example, Google Analytics is now considered a first-party cookie.

"Overall, it seems less of a win for consumers and the open internet and more of a win for Google's own walled garden," said Ana Milicevic, principal and co-founder of Sparrow Advisers.

Question 5: Although Google preserved cookies, are they still on the outs?

Google's preservation of third-party cookies means ad tech companies aren't faced with anything as disruptive as Safari ITP or GDPR. Criteo issued guidance expecting a neutral to low single-digit negative affect on its business.

The Trade Desk CEO Jeff Green told investors Thursday that Google did not make significant changes because it's in the ads business itself, unlike Apple. "They did a good job and tried to thread the needle between privacy and relevancy," Green said.

Although Google saved third-party cookies - which are still necessary to serve relevant ads - ad tech is trying to find alternate IDs in the event that cookies are blocked more regularly. They're looking for something more persistent, that can be matched against a cookie to serve an ad when needed.

"Companies that haven't been thinking about investing in an identity-based solution will be caught flat-footed," said Eric Franchi, partner at MathCapital.