The GAID is Dying: What Does Google’s 2022 Privacy Sandbox Update Mean For Mobile Marketers?

Google's new Privacy Sandbox updates prove that the powerhouse is just as serious about user privacy as Apple is. How do the changes affect mobile marketers? Read this important piece.

Let’s start with a quick recap, shall we?

In February 2022, Google announced new updates to its 2019 “Privacy Sandbox”, an initiative that has three main goals: 

  1. Building new technology that keeps user information private.
  2. Enabling publishers and developers to keep online content free.
  3. Developing new internet privacy standards in collaboration with the industry.

The initiative has been focused mostly on the web (some has reached the upcoming deprecation of third-party cookies on Chrome), but these new updates give a first peek into how Google wants to achieve the above three goals in the mobile Android ecosystem. 

The in-depth details of some of these technologies are extremely technical, and in my view, it’s not a good use of your time to learn about all the nuts and bolts. You don’t need to know how an i5 Intel processor works to understand what a computer is and what it means. 

Instead, this note will give you a quick overview of how all of this affects (or will affect) you as a marketer, so you can have intelligent conversations on the topic within your companies and teams, and be the most strategic marketer you can be. Which will lead you to the best career path possible.

A top-level understanding of Google’s privacy moves

Google is in a different position to Apple. Apple’s advertising business is relatively new, and is solely a search-engine-based advertising solution that’s less sensitive to user-level targeting. 

Google on the other hand, makes almost $210B per year in advertising revenues on the web and mobile. 

When Apple introduced its new privacy guidelines that inhibited the ability of mobile user acquisition teams to advertise efficiently and profitably on ad networks, it didn’t hurt its own revenues directly. Its own ad network, Search Ads, actually benefited.

The result of which was the movement of advertising budgets from the iOS ecosystem to Android. 

If Google had done the same thing, without ensuring that advertisers could continue to spend on its ad networks, it would have significantly hurt its own revenues. 

What do advertisers need if they’re to advertise efficiently? Mainly just two things: 

  1. The ability to measure ad spend and attribute revenues to it, and run return-on-ad-spend (ROAS) calculations. 
  2. The ability to find and target quality audiences.

So Google is unwilling to move forward with privacy guidelines until they feel comfortable that mobile advertisers are able to accomplish these two things.

What was announced?

Google announced the expansion of the Privacy Sandbox initiative and introduced its Android version. There are three main proposals under that version: 

  1. Show relevant content and ads
  2. Measure Digital Ads
  3. Limit Covert Tracking

So it is very easy to understand – allow advertisers to continue finding great users for their apps and games, measure the effectiveness of ads but limit covert tracking. 

How is Google planning to do this? There are four different components to it. 

Show relevant content and ads

  1. Topics – Topic will be a way to target users based on how they engage with apps on their devices. In a nutshell, imagine this. 

A user downloads apps & games. Based on the type of apps & games and how they engage with them, the user would be associated with an interest-based topical group. That information would be stored only on the user’s device. 

This will allow advertisers to target certain groups without user-level information being shared with third parties (ad networks, SDKs). 

  1. FLEDGE – This cool acronym stands for advertisers adding users to a custom audience based on how they interact with their apps and games, and then targeting that custom group on other properties (other apps that show ads). 

This will allow functionalities such as retargeting. 

Again, the information of which custom audience a user belongs to is stored locally on that user device and is never shared with other parties. 

Measure Digital Ads 

  1. Attribution Reporting – A set of privacy-first APIs that would allow advertisers to understand the value of their UA campaigns in a more evolved way than SKAdNetwork. 

The reporting would include event-specific attribution (showing that a specific click resulted in a valuable action, be it an in-app purchase, or any other downstream event you define). 

It will also include aggregated reports that, at a campaign level, show you the total value a campaign has driven.

These APIs would include several mechanisms that stop advertisers from understanding which user performed which action or came into the app/game from which ad. However, these APIs would still provide some comfort that the campaign they’re running is profitable and cross a sufficient ROAS threshold. 

Limit Covert Tracking

  1. SDK Runtime – This is perhaps the most effective proposal with the potential to end fingerprinting as we know it. 

What you need to know about it is that up until now, SDKs from various ad networks or attribution partners (MMPs) were included in the code of each app/game and had the same permissions that the host app/game had. They ran in the same environment as the app itself which means they had access to various device-level parameters, and were able to access these to perform fingerprinting (reading a lot of device-level parameters like the OS, the IP address, various hardware pieces versions, battery levels, and more). 

With SDK Runtime, there will be a decoupling of apps/games and the SDKs they use. An SDK would run in a different, more protected environment and won’t have the same permissions as the host app/game. The SDK providers would need to pass their SDKs through an SDK review process, and to the store. And at the moment of download, a user would actually download the app/game together with the SDKs they are using separately. 

For example, an attribution SDK would run in a secure environment where the host app/game can define which permissions it has (or Google themselves as a part of the review process) and they won’t have the technical ability to read the device parameters they need for fingerprinting. 

What does it mean for mobile marketers, especially UA teams? 

Now that we understand the four components of Privacy Sandbox for Android, what does it mean for you as a marketer?

Firstly, Android is going to take time. The process that Google has outlined with these new guidelines and frameworks is such that it will change over time based on industry feedback before it is finalized. Moreover, they will provide two more years before they start to enforce it (and kill the GAID for example). 

Secondly, the Topics and FLEDGE frameworks far from prove that they can actually result in serving ads to high-quality audiences. We have no transparency into how these topics may be constructed, or how valuable they will be for you. 

A very likely scenario would be that users would need to opt-in (or at least will have the ability to opt out) to get more relevant ads in order to be included in Topics and FLEDGE groups (we all know how low opt-in numbers are based on iOS 14.5+ data.) 

I don’t believe that we have enough understanding right now to believe that targeting would be based on non-contextual signals (the source app that presents the ad mostly) any time soon. 

Thirdly, Attribution Reporting would probably be better than the current version of SKAdNetwork. However I can’t see how they’ll easily overcome the SKAN challenges that are now making it, de-facto, an insufficient solution to understand advertising spend efficiency. 

These three components would need a lot of work over the next two years to ensure that they can be relied on in full for Android user acquisition efforts.

The real nugget to take note of – SDK Runtime, the fingerprinting killer 

SDK Runtime, the fourth component of the Privacy Sandbox, does however seem to be the “fingerprinting killer”. When Google implements it and deprecates the GAID at the same time, it will be very hard, not to say almost impossible, to perform deterministic or probabilistic attribution (through fingerprinting) on Android. 

This proposal can’t really escape the eyes of Apple who still haven’t acted aggressively on enforcing the ban on fingerprinting. It didn’t do so because there isn’t an easy way for Apple to actually enforce it. It can ban SDKs (such as certain ad networks or MMPs) and reject apps that include it, but that would throw the industry into mayhem. 

Because of how SDKs operate, Apple couldn’t prevent the accessing and reading of device-level parameters without significantly handicapping the host app/game functionality. 

With Apple’s own SDK Runtime implementation, they can block these specific SDKs from performing fingerprinting in a pretty elegant way. 

Takeaways, thoughts and talking points for your team

Now that we’ve got through this update, here are the takeaways and talking points to discuss with your broader mobile marketing or user acquisition team:

  • Google is following suit deprecating the GAID, and preventing fingerprinting in about two years. 
    • Start having conversations and anticipate the long-term impact of that. 
  • The Topics and FLEDGE proposals might not deliver on their promise, especially not when they’re out.
    • Start taking the necessary decisions to ensure you are developing the right methodologies and techniques to target your Android ad spend based on contextual signals, and you can reduce the negative impact of any such storm. 
  • The Attribution Reporting solution resembles SKAdNetwork and might also resemble it in performance and completeness of information. 
    • If the attribution API works only partially, you need to have the technology, methodologies and techniques to understand the value your user acquisition campaigns are driving even without it. This means ensuring your team has the ability to use media mix models and incrementality testing and measurement, and blended ROAS measurement on aggregated data. 
  • If SDK Runtime gets adopted and if Apple follows suit and “gets inspired” by this proposal, most of what you currently do that relies on fingerprinting for targeting, optimization and measurement purposes will break. 
    • Start discussing now how reliant you are on fingerprinting for these activities and what would happen if it stopped. Discuss the long-term solutions for this (outlined in the above point). 

Google has revealed a pretty massive update in the new, privacy-first world for mobile marketing. By being a proactive mobile marketer that owns and starts these early conversations in your company, you can be the top source of knowledge that can guide your team and your career through.

Join 10,000 other mobile marketers and stay on top of your craft with the mobile growth newsletter