Google's Privacy Sandbox more like a privacy mirage, campaigners claim
Chocolate Factory accused of misleading Chrome browser users
Updated Privacy campaigner noyb has filed a GDPR complaint regarding Google's Privacy Sandbox, alleging that turning on a "Privacy Feature" in the Chrome browser resulted in unwanted tracking by the US megacorp.
The Privacy Sandbox API was introduced in 2023 as part of Google's grand plan to eliminate third-party tracking cookies. Rather than relying on those cookies, website developers can call the API to display ads matched to a user's interests.
In the announcement, Google's VP of the Privacy Sandbox initiative called it "a significant step on the path towards a fundamentally more private web."
However, according to noyb, the problem is that although Privacy Sandbox is advertised as an improvement over third-party tracking, that tracking doesn't go away. Instead, it is done within the browser by Google itself.
To comply with the rules, Google needs informed consent from users, which is where issues start.
Noyb wrote today: "Google's internal browser tracking was introduced to users via a pop-up that said 'turn on ad privacy feature' after opening the Chrome browser. In the European Union, users are given the choice to either 'Turn it on' or to say 'No thanks,' so to refuse consent."
Users would be forgiven for thinking that 'turn on ad privacy feature' would protect them from tracking. However, what it actually does is turn on first-party tracking.
- Meta will use your social media posts to train its AI. Europe gets an opt out
- Meta faces multiple complaints in Europe over plans to train AI on user data
- Microsoft accused of tracking kids with education software
- OpenAI slapped with GDPR complaint: How do you correct your work?
Max Schrems, honorary chairman of noyb, claimed: "Google has simply lied to its users. People thought they were agreeing to a privacy feature, but were tricked into accepting Google's first-party ad tracking.
"Consent has to be informed, transparent, and fair to be legal. Google has done the exact opposite."
Noyb noted that Google had argued "choosing to click on 'Turn it on' would indeed be considered consent to tracking under Article 6(1)(a) of the GDPR."
The Register asked Google to comment on noyb's complaint filed with the Austrian data protection authority and will update this article should we receive a response.
Google's Privacy Sandbox initiative is not going smoothly. In April, the UK's Competition and Markets Authority expressed concerns about privacy and competition, and Google decided to push back the deprecation of third-party cookies in Chrome to early 2025. ®
Updated to add
Google has defended its stance, in a statement after this article was published.
"This complaint fails to recognize the significant privacy protections we’ve built into the Privacy Sandbox APIs, including the Topics API, and the meaningful privacy improvement they provide over today’s technologies, including third-party cookies," a spokesperson told us.
"Privacy Sandbox is designed to improve user privacy and provide the industry with privacy-preserving alternatives to cross-site tracking. We’ve been closely engaging with privacy and competition regulators globally, and will continue to do that to reach a balanced outcome that works for users and the entire ecosystem."