‘Pretty hacky’: Decoding publishers’ concerns over Google’s Privacy Sandbox’s Protected Audiences API

They feel left out of the conversation, especially when it comes to Google’s alternative: the Privacy Sandbox. And they’re really honing in on the Protected Audiences API, which is crucial for retargeting without those cookies. Their gripe? The Protected Audiences API is lacking in transparency and reporting. 

“The testing tools are really not great,” said Justin Wohl, chief revenue officer at Salon, Snopes and TV Tropes. “You can try a bunch of browser commands and try to get the privacy auction or protected audience auction to begin, and hope you see the interest group that that user registers for in the browser, but it still feels pretty janky it still feels pretty hacky.”

Even those who haven’t delved deep into the sandbox have reservations about this API. They all share the same concerns — less insight, minimal reporting and a mishmash of data sources and business logic. As one digital director at a European publisher put it bluntly: “We don’t see that as a good thing.”

Usually, it’s easy to understand publisher concerns like this that highlight their uneven relationship with Google. But this time, it’s complicated. There are no easy fixes to their concerns because the functionality of the Protected Audiences API relies on zero sharing of audience data between publishers and SSP or DSP and SSP.

For a deep dive into the specifics of why and how this unfolds, you can find all the details here. However, for those short on time, this ultimately means that publishers will be clueless about which interest groups are bought by advertisers on their page. All the information the DSP relies on for its bid is funneled to the browser, where an auction takes place in a secure environment. Only that browser has visibility into the proceedings.

To work around this, publishers must strike deals with ad tech vendors, especially those they work with to sell ads. Although these deals can’t unveil which interest groups have triumphed in the auction, they can at least gain insights by aggregating the groups involved in those browser-based auctions. The SSPs know which DSPs are winning because they see the bids and get the win/loss reports from Google Ads Manager ad server. The DSPs, in turn, have insight into which interest groups are winning.

For publishers, this represents the best-case scenario given how the sandbox works. Anything that could potentially identify a user cannot leave it, including details about the interest groups they belong to. From this perspective, one could argue that publishers haven’t been overlooked at all; they’re simply entangled in Google’s unique attempt to protect individuals’ privacy. But, of course, that’s not how they perceive it.

“From what we’re seeing the publisher’s role is currently not contemplated in the Privacy Sandbox solutions,” said Amanda Martin, svp of monetization and business strategy at Mediavine. “With limited to no reporting for the publisher, we have to partner with others to understand if revenue is flowing. While some revenue reporting is in the works from [Google], it’s not everything we would expect to receive.”

So far, this issue hasn’t been a major blocker to publishers like this one testing the Sandbox. SSPs have been accommodating so far, agreeing to partner on tests for the one percent of Chrome traffic that no longer has a third-party cookie attached to it. The problem is that no amount of cooperation from ad tech vendors is going to be good enough for some publishers. 

Not when they’re not able to share much data in the first place.

“The Privacy Sandbox needs to build proper sell-side reporting in order for the solution to be more viable [for us] because we can’t rely on another party’s metrics in order to learn and in the long-term enable a solution,” said Martin. “It creates a lack of confidence, without these reporting signals this isn’t a solution that currently meets industry standards.”

Some of these frustrations are mired in technical issues, such as the lack of a standard method for communicating crucial information between DSPs and SSPs for data reporting. Others are structural, including the restrictions on what information can be shared between SSPs and DSPs in order to protect user privacy within the sandbox.

“The publisher layer [of Privacy Sandbox testing] is kind of just like seeing little bits and pieces of it that are exposed and it’s not the same as the testing that has been available to DSP-type buyers,” said Wohl. 

It’s hard not to feel sorry for publishers caught in this predicament. 

While the sandbox’s stated objective is to protect privacy, and there may not be an established precedent for what publishers want, it’s difficult to argue against the notion that a more effective approach to addressing their concerns could have been explored. 

This concern is particularly pronounced among those who question whether Google could have safeguarded privacy without undermining open web advertising to the extent that marketers are now eyeing Google’s ad ecosystem as their top choice.

“We’ve been testing Google Ad Manager multi-SSP PAAPI auctions, and we’re finding the reporting capabilities frustrating, yet this is not just a publisher concern; its limits in reporting, in general, are a concern for all stakeholders based on open tickets,” said Patrick McCann, svp of research at Raptive. “In its current state, it is affecting the rate at which we can scale up while we wait for Google to work out this kink. Neither the top-level seller, GAM, nor the on-page PAAPI process exposes information to the publisher on which SSP wins an auction.”

As a result, Raptive has created its own PAAPI component seller to facilitate reconciliation in the absence of an alternative solution.

“There will not be a one-size-fits-all solution; it will be important to test and retest as some solutions or vendors have promised a lot,” said McCann

Unfortunately, the harsh truth is that things aren’t going to shift anytime soon. Publishers know this deep down, and so are “going to suck it up and see,” as one ad tech exec described it to Digiday. By doing so, they hope, rather than expect, to see changes that go some way to allaying their concerns. Until then, they’re stuck with a Sandbox they’ve had no real involvement in developing — not even through Google’s discussions on its development with the Word Wide Web Consortium. 

“My advice would be that publishers speak to their sell-side partners to enable reporting for them: they work for the publisher and this does not need to come from the buy-side,” said Adform’s chief technology officer Jochen Schlosser.

Taking this step might provide publishers with at least a clearer sense of what they can and can’t do with the Protected Audiences API. Clearly, there’s a lot of confusion here. This includes the misconception that the effectiveness of interest groups hinges on which side of the auction a company resides.

As Schlosser explained: “The buy side does not get much more. Basically performance ads work by providing a buyer more controls, but do not for branding. Reporting is weak in the Sandbox, but to the best of our knowledge it is not good for advertisers and bad for publishers.”