Author Archives: William Malcolm

The path forward with the Privacy Sandbox

Google’s aim with the Privacy Sandbox is to improve web privacy for people around the world, while also giving publishers, creators and other developers the tools they need to build thriving businesses. This includes building new digital advertising tools, in collaboration with the wider industry, to replace third-party cookies with alternatives that better protect consumer privacy and preserve peoples’ access to free content online.

Since announcing the Privacy Sandbox we have been in open dialogue with the industry, consumer advocates and regulators to gather feedback on this initiative. Over the past year, we have also worked closely with the UK’s Competition and Markets Authority (CMA) and Information Commissioner’s Office (ICO), including on a set of legally-binding commitments to address the CMA’s competition concerns over the Privacy Sandbox which will govern how we will design and implement this initiative. The aim, through this regulatory oversight and supervision, is to provide reassurance that the Privacy Sandbox will protect consumers and support a competitive ad-funded web, and not favor Google.

The commitments address these concerns through three main principles. First, the changes we will make in Chrome in the context of the Privacy Sandbox initiative will apply in the same way to Google’s advertising products as to products from other companies. Second, we will design, develop and implement Privacy Sandbox with regulatory oversight and input from the CMA and the ICO. And third, we will inform the CMA in advance of our intention to remove third-party cookies and agree to wait for their feedback on whether any competition law concerns remain.

Privacy by design and by default have been at the heart of the Privacy Sandbox from the outset, and we are also intent on ensuring that the new tools meet the requirements set out in the recent ICO’s Opinion on Data protection and privacy expectations for online advertising proposals. To that end, we are designing these new tools to avoid cross-site tracking, provide people with better transparency and control, and result in better outcomes for people and businesses on the web. We look forward to further engagement with data protection authorities as we continue to iterate and improve on the proposals.

We’re pleased that today the CMA has accepted these commitments, which now go into immediate effect. The development and implementation criteria that underpin these commitments are summarized below, and can be found in full on the CMA’s website. We will apply the commitments globally because we believe that they provide a roadmap for how to address both privacy and competition concerns in this evolving sector.

Respecting user privacy while maintaining a well functioning ad-funded web

Google’s objectives in developing the Privacy Sandbox proposals are to make the web more private and secure for people, while:

  1. Supporting the ability of publishers to generate revenue from advertising inventory and the ability of advertisers to secure value for money from advertising spend;
  2. Supporting a good user experience when navigating the web, including in relation to digital advertising;
  3. Providing users with substantial transparency and control in relation to their data as they browse the web; and
  4. Not distorting competition between Google’s own advertising products and services and those of other market participants.

We recognize that many publishers and advertisers rely on online advertising to fund their websites and reach new customers. So building tools which aim to improve people’s privacy, while continuing to support advertising, is key to keeping the web open and accessible to everyone and allowing businesses of all sizes to succeed.

Developing the Privacy Sandbox

To achieve the objectives above, Google is committing to designing, developing and implementing the Privacy Sandbox proposals taking into account specific criteria agreed with the CMA:

  1. The impact on privacy outcomes and compliance with privacy laws;
  2. The impact on competition in digital advertising between Google and other market participants, and, in particular, the risk of distortion to competition;
  3. The impact on publishers (including their ability to generate revenue from ad inventory) and advertisers;
  4. The impact on user experience (e.g. relevance of advertising and transparency over the use of personal data); and
  5. The technical feasibility, complexity and cost involved for Google.

Building on many months of open consultation by Google — and the CMA — with the wider industry, Google will be consulting with the CMA and ICO on a regular basis in relation to the design, development and implementation of the Privacy Sandbox (including testing and public announcements). Google will also increase its engagement with industry stakeholders (including publishers, advertisers and ad tech providers) by providing a systematic feedback process to take on board reasonable views and suggestions. This continues our previous engagement with web community members, who are encouraged to participate in the development and testing of the proposed new technologies through public discussion forums like the W3C, developer channels such as GitHub, industry groups and origin trials. We will also establish a dedicated microsite, available from privacysandbox.com, explaining these channels in more detail and offering a new feedback form to submit suggested use cases and API feature requests, by the end of February 2022.

Ensuring compliance

Google will work with the CMA to resolve concerns without delay and consult and update the CMA and the ICO on an ongoing basis. Google has also committed to appoint an independent Monitoring Trustee who will have the access and technical expertise needed to ensure compliance, having consulted with the CMA. The Monitoring Trustee will work directly with the CMA, and will be central in ensuring compliance with the data and non-discrimination commitments offered by Google.

We believe that these commitments will ensure that competition continues to thrive while providing flexibility in designing the Privacy Sandbox APIs in a way that will improve peoples’ privacy online. Helping businesses adapt to a privacy-safe web, through invention and collaboration, can help provide the foundation for long-term economic sustainability and growth.

This process requires close engagement with competition and privacy regulators and new ways of working together. We hope these commitments can contribute to that new framework.

An update on our Privacy Sandbox commitments

For further background on this topic, please see our blog from June.

Since we announced our Privacy Sandbox commitments earlier this year, we have continued to work with the UK’s Competition and Markets Authority (CMA) to address feedback that was raised as part of its public consultation process. We have also continued to update and seek feedback from the market and the UK Information Commissioner's Office (ICO) on our proposals.

We are determined to ensure that the Privacy Sandbox is developed in a way that works for the entire ecosystem and, as part of this process, we have now offered revised commitments, which can be found in full on the CMA’s website.

These revisions underline our commitment to ensuring that the changes we make in Chrome will apply in the same way to Google’s ad tech products as to any third party, and that the Privacy Sandbox APIs will be designed, developed and implemented with regulatory oversight and input from the CMA and the ICO. We also support the objectives set out yesterday in the ICO’s Opinion on Data protection and privacy expectations for online advertising proposals, including the importance of supporting and developing privacy-safe advertising tools that protect people’s privacy and prevent covert tracking.

The revised commitments incorporate a number of changes including:

  1. Monitoring and reporting. We have offered to appoint an independent Monitoring Trustee who will have the access and technical expertise needed to ensure compliance.
  2. Testing and consultation. We have offered the CMA more extensive testing commitments, along with a more transparent process to take market feedback on the Privacy Sandbox proposals.
  3. Further clarity on our use of data. We are underscoring our commitment not to use Google first-party personal data to track users for targeting and measurement of ads shown on non-Google websites. Our commitments would also restrict the use of Chrome browsing history and Analytics data to do this on Google or non-Google websites.

If the CMA accepts these commitments, we will apply them globally.

We continue to appreciate the thoughtful approach and engagement from the CMA and ICO as we develop our Privacy Sandbox proposals. We welcome, and will carefully consider, any comments that people provide during the consultation process.

An update on our Privacy Sandbox commitments

For further background on this topic, please see our blog from June.

Since we announced our Privacy Sandbox commitments earlier this year, we have continued to work with the UK’s Competition and Markets Authority (CMA) to address feedback that was raised as part of its public consultation process. We have also continued to update and seek feedback from the market and the UK Information Commissioner's Office (ICO) on our proposals.

We are determined to ensure that the Privacy Sandbox is developed in a way that works for the entire ecosystem and, as part of this process, we have now offered revised commitments, which can be found in full on the CMA’s website.

These revisions underline our commitment to ensuring that the changes we make in Chrome will apply in the same way to Google’s ad tech products as to any third party, and that the Privacy Sandbox APIs will be designed, developed and implemented with regulatory oversight and input from the CMA and the ICO. We also support the objectives set out yesterday in the ICO’s Opinion on Data protection and privacy expectations for online advertising proposals, including the importance of supporting and developing privacy-safe advertising tools that protect people’s privacy and prevent covert tracking.

The revised commitments incorporate a number of changes including:

  1. Monitoring and reporting. We have offered to appoint an independent Monitoring Trustee who will have the access and technical expertise needed to ensure compliance.
  2. Testing and consultation. We have offered the CMA more extensive testing commitments, along with a more transparent process to take market feedback on the Privacy Sandbox proposals.
  3. Further clarity on our use of data. We are underscoring our commitment not to use Google first-party personal data to track users for targeting and measurement of ads shown on non-Google websites. Our commitments would also restrict the use of Chrome browsing history and Analytics data to do this on Google or non-Google websites.

If the CMA accepts these commitments, we will apply them globally.

We continue to appreciate the thoughtful approach and engagement from the CMA and ICO as we develop our Privacy Sandbox proposals. We welcome, and will carefully consider, any comments that people provide during the consultation process.

Read Article

Our commitments for the Privacy Sandbox

Google proposes a set of commitments for Privacy Sandbox to the U.K.’s competition regulator

Read Article

Our preparations for Europe’s new data protection law

Last year, we outlined Google’s commitment to comply with Europe’s new General Data Protection Regulation (GDPR), across all of the services we provide in the European Union. We’ve been working on our compliance efforts for over eighteen months, and ahead of the new law coming into effect, here’s an update on some of the key steps we've taken.


Improved user transparency

We’re updating our current Privacy Policy to make it easier to understand what information we collect, and why we collect it. We’ve improved the navigation and organization of the policy to make it easier to find what you’re looking for; explained our practices in more detail and with clearer language; and added more detail about the options you have to manage, export, and delete data from our services. The policy now also includes explanatory videos and illustrations, because a visual description can be easier to understand than text alone. And we've made it easier to jump to your privacy settings directly from the policy, helping you make choices about your privacy.
Introduction | Google Privacy Policy

Although we’re taking these steps to make our Privacy Policy easier to understand, it’s important to note that nothing is changing about your current settings or how your information is processed. You’ll continue to have granular control over the data you share with us when you use our services, but with clearer explanations. The updated policy is already available to read and we’ll be emailing all of our users about it individually.


Improved user controls

Every day, nearly 20 million people around the globe visit My Account, our central hub that brings together all the different ways you can review your Google security, privacy and ad settings. As part of our GDPR compliance efforts, we’ve improved both the controls and the clarity of information in My Account so that people are better informed about how and why their data is collected. Within My Account, you can: 


  • Use Activity Controls to choose what activity is saved to your Google Account. We provide simple on/off switches to control Location History, Web and App Activity, YouTube Search History and more, across all devices that are signed in to your account.
  • View or delete data—including search history, location history, browsing history—from our services using My Activity. To make it easier to browse your past online activity, we have given you tools to search by topic, date, and product. You can permanently delete specific activities, entire days or weeks of activity that you don’t want associated with your account.
  • Take a Security Checkup or Privacy Checkup to reassure yourself that your account is secure, and that your privacy settings work for you. We’ve recently added an option that allows you to subscribe to more frequent prompts to take the Privacy Checkup.
  • Manage or mute the ads you see on Google, on websites and in apps using the recently upgraded Ads Settings tool and Mute This Ad control. We have provided more information about how and why certain ads are personalized, and will also be further simplifying the look and feel of these tools in the coming months.
  • Get a clear overview of all the Google products that you use—and the data associated with them—via Google Dashboard. We’ve recently made the Dashboard more mobile-friendly so it's now easy to use across different devices.

Improved data portability

Since its launch in 2011, people around the world have used our Download Your Data tool to export data from products like Google Photos, Drive, Calendar, Google Play Music and Gmail, either to their own computer, or to storage services like OneDrive, Dropbox and Box. We are further improving and expanding this feature, adding more Google services, including more contextual data controls, and creating a new setting that helps people schedule regular downloads.
Download your Data

While we’ve enabled people to download data from our services for many years, the GDPR encourages companies to enable direct service-to-service data transfers where feasible, for example from Google Photos to another photo service. To support that aim, we've recently initiated the Data Transfer Project on GitHub, providing early-stage open source code that will, in time, be of use to any developer wanting to offer seamless transfer of data from one service directly into an alternative (or vice versa).


Parental consent and improved tools for children online

Under the new rules, companies must get consent from parents to process their children’s data in certain circumstances. To obtain that consent and to make sure that parents and children have the tools to manage their online experiences, we’re rolling out Family Link—already available in various countries around the world—throughout the EU.


Through Family Link, parents can create a Google Account for their child and are required to provide consent for certain processing of their child’s data. Family Link also allows parents to set certain digital ground rules on their child’s Android device—like approving or blocking apps, keeping an eye on screen time, or remotely locking their child’s device. We plan to evolve Family Link’s functionality over time, working closely with parents and advocacy groups.


Helping our business customers and partners

The GDPR places new obligations on Google, but also on any business providing services to people in the EU. That includes our partners around the globe: advertisers, publishers, developers and cloud customers. We’ve been working with them to prepare for May 25, consulting with regulators, civil society groups, academics, industry groups and others.


For our advertising partners, we’ve clarified how our advertising policies will change when the GDPR takes effect. We already ask publishers to get consent from their users for the use of our ad tech on their sites and apps under existing legislation, but we’ve now updated that requirement in line with GDPR guidance. We’re also working closely with our publisher partners to provide a range of tools to help them gather user consent, and have built a solution for publishers that want to show non-personalized ads, using only contextual information.


For our Google Cloud customers, we’ve updated our data processing terms for G Suite and Google Cloud Platform and provided detailed information to customers about our approach to data portability, data incident notifications, secure infrastructure and third party audits and certifications, among other features. For more information, see this post on Google Cloud.


Strengthening our privacy compliance program

Over the last decade, Google has built a strong global privacy compliance program, taking advice from regulators around the world. Across the company, we have dedicated teams of engineers and compliance experts who work in full-time privacy roles, ensuring that no Google product launches without a comprehensive privacy review. We’ve now further improved our privacy program, enhancing our product launch review processes, and more comprehensively documenting our processing of data, in line with the accountability requirements of the GDPR.


This is a snapshot of things we’ve done to date to be ready for May 25, 2018. But our commitment to compliance with the GDPR, and the rights it gives people, will continue long beyond this date. As we evolve our products over time, we’ll continue to improve our Privacy Program and the protections we offer to users. Our ambition is to have the highest possible standards of data security and privacy, and to put our users and partners in control.

Getting ready for Europe’s new data protection rules

Next May, Europe’s new General Data Protection Regulation (GDPR) comes into force, replacing the 1995 EU Data Protection Directive. It ushers in a new era, unifying data protection rules across Europe, strengthening the rights of EU citizens and placing new obligations on all organisations that offer goods and services online.

Google is committed to complying with the GDPR across all of the services that we provide in Europe. That includes our most popular consumer products like Search and Gmail, all of our advertising and measurement services like AdWords, AdSense, DoubleClick and Analytics, our Cloud services as previously announced, as well as, of course, any services we launch in the future.

We’ve always worked hard to demonstrate that our services are secure and meet the standards of  applicable data protection rules. We offer transparency to users through clear explanations of how we use personal data and our “Why This Ad” program, while giving people controls to manage their privacy through My Account and My Activity.

But we’re also keenly aware that our customers and partners have significant obligations under these new laws, and so we conduct regular audits, maintain certifications, provide industry-standard contractual protections and share tools and information to help them with their compliance. As we get ready for the GDPR, we’ll continue on that path, and have recently launched a new site for our customers and partners that explains:

In the coming months we will make available updated contractual commitments that meet GDPR requirements for our customers and partners.  And we will continue to evolve our privacy protections and practices to meet the GDPR’s requirements.

Our aim is always to keep data private and safe – and to put our users and partners in control.

Getting ready for Europe’s new data protection rules

Next May, Europe’s new General Data Protection Regulation (GDPR) comes into force, replacing the 1995 EU Data Protection Directive. It ushers in a new era, unifying data protection rules across Europe, strengthening the rights of EU citizens and placing new obligations on all organisations that offer goods and services online.

Google is committed to complying with the GDPR across all of the services that we provide in Europe. That includes our most popular consumer products like Search and Gmail, all of our advertising and measurement services like AdWords, AdSense, DoubleClick and Analytics, our Cloud services as previously announced, as well as, of course, any services we launch in the future.

We’ve always worked hard to demonstrate that our services are secure and meet the standards of  applicable data protection rules. We offer transparency to users through clear explanations of how we use personal data and our “Why This Ad” program, while giving people controls to manage their privacy through My Account and My Activity.

But we’re also keenly aware that our customers and partners have significant obligations under these new laws, and so we conduct regular audits, maintain certifications, provide industry-standard contractual protections and share tools and information to help them with their compliance. As we get ready for the GDPR, we’ll continue on that path, and have recently launched a new site for our customers and partners that explains:

In the coming months we will make available updated contractual commitments that meet GDPR requirements for our customers and partners.  And we will continue to evolve our privacy protections and practices to meet the GDPR’s requirements.

Our aim is always to keep data private and safe – and to put our users and partners in control.