🤖 AI Summary
This study addresses the critical challenge of preserving user privacy while maintaining the usability of web services such as advertising. It presents the first large-scale, longitudinal empirical analysis of the Privacy Sandbox initiative and its associated Web APIs, leveraging seven years of historical HTTP Archive crawl data alongside Chrome’s public telemetry to track adoption across the CrUX Top 100K websites. The findings reveal persistently low and highly concentrated API adoption among a small set of actors, fragmented deployment patterns, and significant divergence in privacy policy implementation across browsers. Notably, Chrome’s privacy protections remain heavily contingent on user-initiated opt-ins. These results illuminate the underlying incentives and risks shaping stakeholder behavior and offer actionable insights for the design of future privacy-enhancing technologies.
📝 Abstract
While several web actors have been trying to reduce web tracking for years, it remains unclear how to achieve both desirable levels of utility and privacy. In 2019, Google launched the Privacy Sandbox initiative to balance that trade-off and find privacy alternatives to common use cases such as advertising. Yet, in late 2025, Google canceled the project and deprecated most of the newly introduced APIs. Despite its end, the Privacy Sandbox represents a unique opportunity to learn about how the ecosystem reacted to the proposed changes and make observations about why and how it failed. In this paper, we present a longitudinal measurement and analysis study of the Privacy Sandbox APIs to characterize their adoption and deprecation over the past seven years by different web actors. Leveraging historical HTTP Archive crawls and public Chrome telemetry data, we offer the largest study of its kind into the prevalence of each Privacy Sandbox feature, during their entire respective lifetime (5+ years for some), on popular websites (CrUX top 100k), and as experienced by Chrome users during their browsing journey. Our results showcase an adoption that remained limited and uneven across the years; only few web actors implemented very specific APIs, and in disparate manners. We motivate our interpretation of these results by considering the incentives (interest, resources, timeline, etc.) and risks (potential trade-offs, privacy violations, and legal exposure, etc.) for these actors. Finally, our analysis also yields actionable recommendations for the next generation of web privacy proposals. More broadly, the Privacy Sandbox illustrates the limitations and disparities across browsers of ``fix it in the browser'' remedies: today, tracking and third-party cookies limitations in Chrome still remain largely opt-in, while they have been enabled by default on other browsers like Brave, Firefox, or Safari.