Google’s Privacy Sandbox is officially no longer. The idea was doomed from the start

Google has announced the end of its Privacy Sandbox initiative that was supposed to make online tracking for targeted advertising “more private.” In a blog post on October 17, 2025, the company confirmed that most of the Privacy Sandbox APIs which were meant to replace third-party cookies and protect users from cross-site tracking (read: online surveillance) are being retired.

The fall of this six-year experiment was anything but unpredictable. In fact, the more Google talked about it, and the more it tried to position the Sandbox as a privacy-friendly alternative to traditional tracking, the clearer it became that the idea simply wouldn’t work.

The first worrying sign came in July 2024 when Google said that it would hold on to third-party cookies for a while
longer. Even then, Google insisted the Sandbox was not dead yet and that “performance using Privacy Sandbox APIs will improve over time as industry adoption increases.” But the writing was already on the wall.

As the months went by, what was left of the optimism had faded. By April 2025, Google officially confirmed what many had already expected: it would not be phasing out third-party cookies after all. Just half a year later, the company itself declared Privacy Sandbox dead, citing low adoption rates as one of the main reasons for its failure.

And indeed, that low adoption wasn’t surprising. While privacy advocates, including us at AdGuard, had long warned that key parts of the Sandbox like the Topics API didn’t really protect privacy — instead centralizing data collection and giving Google even more power — advertisers weren’t happy either. They feared that if cookies disappeared, Google’s dominant position in the ad ecosystem would give it an even bigger advantage.

In simple terms, many in the industry thought that killing cookies would mainly help Google. Without third-party cookies, Google’s own access to user data across its massive ecosystem (Search, YouTube, Android, Chrome, etc.) would still let it target ads effectively while smaller ad companies would lose the little visibility they still had into user behavior. It was a deal that only Google could win.

Last year, Criteo shared numbers that backed up these fears. Based on their own analysis, if third-party cookies had been deprecated and the Privacy Sandbox had taken their place, publishers’ revenues would have dropped by an average of 60% compared to the modest 5% decrease Google once predicted.

What’s left, what’s gone, and what could have been

We’ve already written about Privacy Sandbox before, and as we explained then, it was not one technology, but rather a collection of different technologies, each of which should be considered on its own.

While most Privacy Sandbox technologies will cease to exist, some technologies will continue to — and for the better. Among the few survivors are:

• CHIPS (Cookies Having Independent Partitioned State) — a mechanism that lets developers store third-party cookies separately for each website instead of sharing the same cookie across many sites. This prevents third parties from using cookies to follow users around the web while still allowing useful embedded features like login widgets or media players to work normally.

• FedCM (Federated Credential Management) — a new way to log into websites using existing accounts (like Google or Facebook) without exposing as much personal data to the identity provider.

These two technologies are genuinely useful steps forward, and it’s good to see they’ll be maintained.

What’s gone

Google says that after reviewing “ecosystem feedback” and considering “low levels of adoption,” it has decided to retire the following components of Privacy Sandbox both in Chrome and on Android:

• Attribution Reporting API
• IP Protection
• On-Device Personalization
• Private Aggregation (including Shared Storage)
• Protected Audience
• Protected App Signals
• Related Website Sets (including requestStorageAccessFor and Related Website Partition)
• SelectURL
• SDK Runtime
• Topics API

We won’t mourn the deprecation of Attribution Reporting, Protected Audience, and Topics. These were complicated, opaque, and in practice didn’t provide meaningful privacy improvements. The Topics API, in particular, promised to preserve privacy by storing users' interests locally and sharing only broad categories, like "sports" or "music," with advertisers. While it aimed to prevent fingerprinting by using randomized topic selection and limiting how often data could be updated, it ultimately failed to protect users. The issue is that large companies, especially those with multiple apps or services, could still correlate topics across their platforms to build highly detailed profiles of users. Despite the local storage and randomized features, it did little to stop the growing monopoly of Google and others in the ad tech space, and allowed for more subtle tracking mechanisms.

What’s truly disappointing, though, is that IP Protection won’t be continued. That one actually had the potential to make a real difference by masking users' IP addresses, something that could have genuinely reduced tracking and fingerprinting online.

Why it’s happening

In the end, Chrome is still the only major browser that keeps third-party cookies alive, long after everyone else has dropped them. And there are clear reasons for that. It’s not about chance or indecision: it’s a mix of internal problems and outside pressure that left Google with no good way forward.

Inside the company, switching its entire advertising business to new technologies turned out to be much harder than expected. Rebuilding such a huge system without breaking how ads work or without cutting into profits turned out likely to be simply too risky. Keeping everything running smoothly across billions of devices, ad networks, and partners is already complex enough, and introducing untested systems on top of that was probably a step too far.

On the outside, Google is under constant antitrust pressure. Every change it makes in how ads are delivered or data is handled is watched closely by regulators. In this situation, any move that could look like giving itself even more control over online advertising might backfire badly. So Google is stuck, caught between the need to show progress on privacy and the fear of being accused of tightening its grip on the market.

And as usual, users end up losing. Some of the few features that could have actually improved online privacy are gone, while third-party cookies — an outdated and broken system everyone wanted to move past — are still here. The promise of a more private web has been delayed once again, just to keep business as usual running.