Google’s Privacy Sandbox terms may, ironically, violate privacy law, new research says

But beyond the obvious threat of reduced performance and revenues, the Privacy Sandbox is also raising alarms within the advertising community over its contractual risks.

New research commissioned by the Movement for an Open Web (MOW), a nonprofit interest group that advocates against restrictive digital walled gardens, finds that the Sandbox’s terms of service may be both unfair and illegal.

For one, the research, produced by MOW’s legal counsel, Preiskel & Co, finds that should Privacy Sandbox tech falter, companies using the tools are left to absorb the financial impact – while Google takes on none of the risk.

The Sandbox’s terms of service, Preiskel & Co suggests, differ from traditional service level agreements in the ad industry in this way. Generally speaking, service providers take on some liability for service failures; in the case of Privacy Sandbox, however, the onus falls on customers.

These terms, said Tim Cowen, chair of the antitrust practice at Preiskel & Co, in a statement, ”have been imposed at the whim of a monopolist on a market with little choice but to accept them and they impose significant obligations on the users with no corresponding liability on Google.”

This will raise a red flag for advertising and adtech professionals, especially considering that the Sandbox is not immune to mishaps. Chrome’s Sandbox ad features suffered an hours-long outage on May 22 that impacted a variety of APIs, including Attribution Reporting, Protected Audience, Private Aggregation, Shared Storage and Topics. The temporary disablement of the Sandbox led to significant revenue losses.

As Paul Bannister, the chief strategy officer at adtech firm Raptive, wrote on LinkedIn following the outage, “Having the entire system unavailable for a big chunk of a day could be catastrophic for many publishers and advertisers.”

Google disputes the idea that the Sandbox’s terms of service are meaningully different – or more onerous – than other standards governing the use of APIs on the open web.

“Access to web APIs does not depend on accepting terms of service or otherwise entering into a contract with the maker of the user’s browser. This is critical to a functioning web: when a user navigates to a site, the site should just work, regardless of pre-existing commercial arrangements between browser and site,“ Google policy communications manager Scott Westover told The Drum in a statement on Monday. “Nothing about the Privacy Sandbox requires a change to this model. The Privacy Sandbox APIs are not proprietary to Google. Like third-party cookies today – and hundreds of other open web platform technologies – they are available for browsers to implement and for developers to use, free of any commercial contracts.“

The debut of additional APIs within Privacy Sandbox in the future, Westover clarified, “should not change the underlying commercial relationships in online advertising.“

But the Sandbox’s service level agreement, which MOW suggests unfairly burdens advertisers in the case that Chrome’s ad tools go down, are just one concern spelled out in Preiskel & Co’s research.

The firm also points out that, according to the UK’s Information Commissioner’s Office, Privacy Sandbox outputs personal data on users – which, under the EU’s sweeping General Data Protection Regulation (GDPR), requires the establishment of a data controller agreement. But the terms of service for Google’s Privacy Sandbox make no allowance for such an arrangement, the report indicates.

Should Google found to be noncompliant with GDPR or other privacy legislation, it could face serious legal repercussions.

“Our analysis suggests that the terms of service for Google’s Privacy Sandbox would be found to be unfair and illegal if contested in a court,” said Preiskel & Co’s Cowen. “They seem to ignore the basics of privacy law … Google needs to go back to the drawing board if they want to release [Privacy Sandbox] to the mass market.”

Google, however, claims that it does not disallow data processing agreements.

Just last month, Google was slapped with another allegation concerning the Sandbox’s privacy practices. Nonprofit organization Noyb (None of Your Business), helmed by privacy activist Max Schrems, filed a complaint with the Austrian data protection authority claiming that Privacy Sandbox enables Google to track users within the browser, despite marketing itself as a privacy-safe alternative to cookies. Noyb contends that even this kind of internal tracking necessitates user consent under the law – but alleges that Google often secures ‘consent’ through deceptive methods by presenting the opt-in as an ad privacy feature.

Finally, Preiskel & Co’s report also indicates that Google’s dominant market position forces businesses to accept the Sandbox’s terms without consultation or negotiation. Google can unilaterally change these terms, which, under competition law, may be illegal.

And Privacy Sandbox is only likely to increase Google’s market share in advertising. As cookie deprecation squeezes publishers, Google is poised to lap up the ad revenues. Criteo research estimates that the Sandbox will ultimately bring Google’s market share from 24% to 83%.

Google is already under the microscope for the Sandbox’s potential violations of competition law in the UK. In April, the country’s Competition and Markets Authority (CMA) spelled out 79 concerns it has with Privacy Sandbox – up from 39 previous issues it had flagged in January. In response, Google said it would delay third-party cookie deprecation until 2025.

MOW director James Rosewell said that the organization has flagged its new research with Preiskel & Co to the CMA and expects a response in a forthcoming report from the agency.

On the whole, findings of the new report suggest that Google’s Privacy Sandbox terms of service are “onerous, discriminatory and one sided,” MOW said.

Google, for its part, disagrees. Westover said that Chrome “places the highest priority on the reliability of our platform and all of the critical APIs used by major sites and services across the web, including the Privacy Sandbox technologies.“ Tools within the Sandbox, he said, “will help support monetization across the web and will continue to work with industry stakeholders to ensure the best possible performance and reliability.“

For more, sign up for The Drum’s daily newsletter here.