Apologies to the gentleman sitting beside me minding his own business and quietly reading a book in the departure lounge last week near gate B15 at Nice Côte d’Azur Airport.
I may have startled him when I suddenly exclaimed, “Well, would you look at that!”
This is what I was reacting to: While waiting for my flight home from Cannes, I was browsing the internet on my laptop, as one does, when a Chrome Privacy Sandbox consent modal popped up on my screen:
Most normal people wouldn’t get excited about seeing a consent modal in the wild, but I’m no longer a normal person. My brain is broken after more than four years of writing about third-party cookie deprecation.
These prompts first started appearing for people in Q3 2023 when the Privacy Sandbox APIs were made generally available to the majority of Chrome users.
The thing is, I don’t recall ever seeing one at the time. Yet, I must have opted in at some point, because when I checked the ad privacy section of my Chrome settings, all three Sandbox features were already turned on: ad topics, site-suggested ads and ad measurement.
The reason I was shown the pop-up again is likely because I was in Europe, which has its own stringent consent requirements under GDPR.
I can’t explain why I only saw the pop-up on my final day of an eight-day trip during which I used the Chrome browser umpteen times, but that’s not the first question that came to my mind.
What I immediately wondered was: What would a regular person think when presented with this consent screen?
To give Google its due, the language used to describe the privacy features is relatively concise and not overly jargony.
For example, “Your ad topics are based on your recent browsing history, a list of sites you’ve visited using Chrome on this device,” is pretty easy to grok. And “Chrome auto-deletes topics that are older than 4 weeks” is self-explanatory.
People can click dropdowns for more information, and there are two buttons at the bottom of the consent screen, one that says, “No thanks,” and another that says, “Turn it on.”
But some parties consider the supposed simplicity of this choice to be a dark pattern in and of itself.
Just a few weeks ago, NOYB, the advocacy nonprofit led by well-known privacy activist Max Schrems, filed a complaint with Austria’s data protection authority. The complaint alleges that the Privacy Sandbox consent pop-up is problematic under GDPR because although it’s “presented as a privacy feature … when users enable it, they are unknowingly consenting to online tracking.”
Under GDPR, consent must be “specific, informed and unambiguous.”
I’ll say it: The Privacy Sandbox consent screens don’t bother me. Putting aside all of the Sturm und Drang about whether the APIs are viable (or ever will be), the UX of these pop-ups and the explanations are less confusing than they could be.
My concern is something a little different. Yes, people need to know what they’re opting into, but beyond that, do people even realize when they’ve opted in?
I’m an ad tech journalist who by this point can’t even look at a Thin Mint without thinking about the Privacy Sandbox, and yet I somehow managed to opt in without even realizing it.
🙏 Thanks for reading! And here’s some live footage of Google trying to deprecate third-party cookies in Chrome. As always, feel free to drop me a line at [email protected] with any comments or feedback.
✉️ If you’d like to get these nerdy little missives direct to your inbox, click here to subscribe to the Data Privacy Round-Up.