In January 2020, when Google first announced its intention to deprecate third-party cookies in Chrome, a five-alarm fire was lit under the ad tech industry’s butt.
(This article briefly broke our site, by the way, because the surge in traffic was so intense.)
A little over four years later, when Google confirmed that it wouldn’t deprecate third-party cookies after all, the reaction was a collective mix of frustration, anger, “Told ya so” and “Are you kidding me?”
When Google doubled down on the status quo in April by even nixing its plans for a new cookie consent mechanism in Chrome, the reaction was a quick flare-up of annoyance that quickly fizzled. The fire was out.
In fact, cookie deprecation became a punchline of sorts.
At AdExchanger’s Programmatic IO event in Las Vegas a few weeks ago, our Executive Editor Sarah Sluis gave a brief speech to kick off Day Two, during which she apologized for even mentioning cookies (“I know everyone is so sick of hearing about cookies, so I promise I’ll be brief”) and then went on to compare the industry’s “long, weird journey” in the Privacy Sandbox to “watching your friend take five years to plan her wedding – and then breaking up with her boyfriend.”
But for all of that, companies haven’t completely abandoned the Chrome Privacy Sandbox, and Garrett Johnson has the receipts to prove it.
Still kicking
In 2023, Johnson, an associate professor of marketing at Boston University’s Questrom School of Business, worked with Sincera to develop site-scanning technology that tracks the real-world adoption of APIs in the Privacy Sandbox across 59,000 websites.
He’s been using the tool to inform academic research on Sandbox adoption in particular and the broader ad industry shift toward privacy-enhancing technologies in general.
Last year, Johnson and his colleagues – PhD student Zhengrong Gu and Shunto Kobayashi, an assistant professor of marketing at BU Questrom – noted anemic adoption of the Privacy Sandbox APIs even before Google reversed course on cookies.
But there were still companies using the APIs then and, apparently, there are still companies using them now.
The number of sites making Topics API calls for user interest groups was just shy of 29% in September 2024 and, as of April 2025, that hasn’t changed much. The share of sites with vendors calling the Topics API is flat at 29.9%.
In other words, the Privacy Sandbox may well be moribund, but it’s not dead yet.
“Yes, there’s uncertainty about its future, but I’d be surprised if Google just walks away from the whole thing,” Johnson told me. “Although, honestly, I wouldn’t be totally surprised by anything at this point.”
You can’t please everyone (or anyone)
It’s also not surprising that the Privacy Sandbox ran into so much trouble along the way over the years.
Johnson says he believes Google originally launched the Privacy Sandbox initiative as a good faith effort to create “a thoughtful replacement” for third-party cookies. But, over time, it became very clear that doing so is incredibly difficult if not impossible.
“Even the most thoughtful replacement solutions would have a hard time meeting every use case and solving every problem,” Johnson said. “A lot of people have very strong opinions about this.”
Understatement of the year!
But there’s a reason folks have been feeling some kind of way about all this. It’s because the results just aren’t there, despite the big engineering investment that many ad tech companies made to test the thing.
Cookies vs. the Sandbox
Just this week, Johnson, Kobayashi and Gu released another paper detailing the results of a field experiment to test the Privacy Sandbox APIs across the 5,000 publishers in Raptive’s network.
The test, which looked at revenue tied to more than 200 million impressions, found that the average price of ads falls 29.1% without cookies (compared to with cookies) and 27.9% when using the Privacy Sandbox.
The amount of lost cookie-related revenue that publishers on average were able to recover when using the Sandbox APIs was just 4.2%.
“It’s not great,” Johnson said.
One explanation for this rather poor recovery rate is that the Protected Audience API (PAAPI) appears to cause major latency problems. If the ads won’t load, there isn’t even an opportunity for publishers to monetize those impressions.
Still, it’s worth noting that the situation is a little less blah in Europe, where Johnson and crew found that publishers were able to recover roughly 22% of lost cookie revenue, which isn’t too shabby.
How so, though? It’s a chicken-and-egg thing.
“There are just a lot more users in Europe without cookies,” Johnson said. “And there’s also presumably more adoption of the Privacy Sandbox.”
Just 19% of US users in the Raptive experiment opted out of cookie tracking, whereas, in Europe, that number is closer to 43%.
“I mean, if you’ve got 43% of Chrome users you can’t target, that’s a large audience, and you’re probably not going to get them to log in everywhere,” Johnson said. “From that perspective, having Protected Audiences could be pretty useful.”
🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback. And you’ll never get my cookies, never!
