In April 2026, at the CHI Conference in Barcelona, Abir Benzaamia and Oana Goga of École Polytechnique IP Paris and Inria presented the first empirical user-perception study of Google's Privacy Sandbox — the suite of Chrome APIs that was supposed to replace third-party cookies. The study, "Privacy Settings and Ad Perception: The Shift from Third-Party Cookies to the Privacy Sandbox" (DOI: 10.1145/3772318.3790444), had been submitted in February 2026. By then, the Privacy Sandbox had already been abandoned.
Google had announced in October 2025 that it was deprecating most Privacy Sandbox APIs — Topics, Protected Audience, Attribution Reporting, Shared Storage, and the Private Aggregation API — citing "low levels of adoption" after years of development. The APIs Chrome was built to replace cookies had outlived the replacement.
Benzaamia and Goga, running IRB-authorised study nº 2025-48 with 449 participants generating 1,050 ad-level responses, had conducted a between-subjects experiment comparing three configurations: the existing third-party cookie ecosystem (Status Quo), the Privacy Sandbox APIs alone, and a pure cookieless contextual approach. The findings were precise. Privacy Sandbox ads produced relevance ratings of 2.14 ± 1.21 versus 2.37 ± 1.32 for the cookie Status Quo — a statistically significant gap of −0.23. Purchase intent followed the same pattern: 2.24 ± 1.26 for Privacy Sandbox versus 2.46 ± 1.39 for Status Quo, a drop of −0.22. On privacy perception — whether users felt their data was being handled appropriately — there was no statistically significant difference between Privacy Sandbox and third-party cookies. The authors wrote it plainly: the Privacy Sandbox "is not yet a perfect replacement for third-party cookies."
It was a conclusion that arrived six months after Google had already conceded the same thing.
The Privacy Sandbox began as a technical proposal and became a policy instrument. Google's stated goal was to provide the advertising ecosystem with alternative targeting mechanisms that didn't require tracking individual users across the web — eliminating third-party cookies and replacing them with browser-native APIs that preserved some degree of relevance without the granular cross-site profile building that regulators had begun to target.
The core APIs were: Topics, which surfaced broad interest categories derived from a user's local browser history without transmitting that history to any server; Protected Audience (née FLEDGE), which ran ad auctions in the browser rather than on remote servers, keeping user data local; and the Attribution Reporting API, which allowed measurement of ad conversions without exposing individual-level data to either advertiser or platform.
Industry response was mixed from the start. IAB Tech Lab's internal fit-gap analysis, conducted in October 2024 among 65 senior industry leaders, found that Protected Audience "fell well short of what is needed" for common use cases and could not support multi-touch attribution models that most major advertisers considered standard practice. The W3C's Improving Web Advertising Business Group flagged similar concerns. The APIs were being built in a direction the industry had not asked for, toward a destination the industry had not chosen.
By early 2025, it was clear that adoption was minimal. Google quietly shelved the standalone user consent prompt for third-party cookies in April 2025, effectively admitting the ecosystem was not ready to move. Then came the October announcement: most of Privacy Sandbox was being retired.
The Benzaamia-Goga study is significant not because it reveals that Privacy Sandbox performed worse than third-party cookies — that much was architecturally obvious from the beginning — but because it measures what users actually perceived. The critical finding is the privacy perception result: there was no statistically significant difference in how violated users felt their privacy was between the Privacy Sandbox condition and the Status Quo cookie condition. Users did not feel more protected.
This is the specific failure the study captures. The entire policy rationale for Privacy Sandbox rested on the premise that users would trade some targeting relevance for genuine privacy protection — that the replacement would feel meaningfully different in a way that justified the disruption. The study found no such feeling existed. Users got less relevance and no privacy benefit. The exchange rate was entirely unfavorable.
"Privacy Sandbox, as implemented in Chrome, is not yet a perfect replacement for third-party cookies."
— Benzaamia & Goga, CHI 2026
Google's own October 2025 blog post, written by VP of Privacy Sandbox Anthony Chavez, framed the retirement decision around "evaluating ecosystem feedback about their expected value and in light of their low levels of adoption." This framing — framing the failure as a failure of adoption rather than a failure of the technology — is worth noting. The ecosystem didn't fail to adopt Privacy Sandbox. The ecosystem examined it, found it insufficient for actual targeting needs, and declined. The adoption problem was endogenous to the product.
Third-party cookies are still deprecated in Chrome — the browser still prompts users to block them, and major advertisers have spent three years building contingency plans. But Privacy Sandbox, the declared successor, is gone. The advertising ecosystem exists in a specific kind of liminal state: post-cookie but pre-replacement, with neither the granular targeting that made modern programmatic advertising efficient nor the privacy protection that regulators demanded.
Publishers have adjusted. The IAB's 2024 Global Publisher Revenue Survey found that nearly 60% of premium publishers had restructured their first-party data strategies in anticipation of Privacy Sandbox, building registration-based identification systems and contextual targeting capabilities. These investments were made on the assumption that Privacy Sandbox would arrive as a bridge technology — a transitional mechanism that preserved enough targeting to maintain CPMs while the ecosystem migrated toward a more privacy-compliant model. The bridge was built. Then the destination was abandoned.
Advertisers, for their part, accelerated first-party data strategies and contextual targeting adoption. The trade press called this a privacy-first future. It was more accurately a return to pre-cookie targeting methodology — broad demographic segments, contextual placement, publisher-direct relationships — with a higher price tag and lower precision.
The Benzaamia-Goga study found that a purely contextual, cookieless approach (the Cookieless condition in their design) actually performed worse on relevance (1.99 ± 1.20) than Privacy Sandbox did (2.14 ± 1.21). Privacy Sandbox, had it worked as designed, would have been incrementally better than pure contextual — not a bridge to nowhere, but a bridge to a slightly better nowhere. The bridge was still worth crossing. Google closed it anyway.
What the study doesn't address — because it was outside its scope — is the measurement infrastructure gap that Privacy Sandbox's retirement creates. The Attribution Reporting API was the only proposed mechanism for server-side ad measurement that didn't require individual-level cross-site data. Its retirement means advertisers who want to measure incrementality — whether an ad actually caused a conversion rather than simply preceding one — have fewer tools than they did in 2020.
The major platforms have responded by building proprietary measurement environments: Meta's Aggregated Measurement, Google's Ads Data Hub, TikTok's Event Manager. These operate on logged-in user data within each platform's ecosystem, which is more privacy-compliant than cross-site third-party cookies but also more limited. An advertiser can measure whether a Meta ad caused a conversion among Meta users. They cannot measure whether a Meta impression combined with a programmatic display impression on the same user caused a different outcome. The cross-channel attribution problem — understanding how different touchpoints interact — has gotten harder, not easier.
Incrementality testing, which directly measures causal rather than correlational ad impact, has become the primary tool for advertisers who need to understand actual ROI rather than attributed credit. Studies by Nielsen, AnalyticsIQ, and internal platform experiments consistently show that 30-50% of conversions attributed to a given channel would have occurred without any advertising. The incrementality gap is real, persistent, and growing as measurement visibility decreases.
The Privacy Sandbox would not have solved this problem. Nothing would have. But it was the only proposed industry-wide infrastructure project aimed at the measurement gap. Its retirement leaves the problem in the hands of individual platforms operating proprietary systems — with no independent verification and no cross-platform comparability.
What Benzaamia and Goga documented in April 2026 was not a technology failing to find its market. It was a policy instrument that was never evaluated on its own terms by the people it was meant to serve. Privacy Sandbox was designed through a process dominated by regulatory objectives — reducing cross-site tracking, providing user-visible privacy controls, enabling compliance with GDPR and ePrivacy requirements — with advertising industry input solicited but not determinative. The result was an architecture that satisfied regulators and troubled advertisers, a technology that traded targeting precision for local processing in a browser, and a proposition that users never signed up for because they were never asked.
The study's final observation is the most liminal of all: the Privacy Sandbox was supposed to occupy the space between the cookie era and whatever comes next. It was the bridge technology. When it was retired, the bridge was not replaced. The advertising industry, regulators, publishers, and users remain on opposite banks of a river that has no crossing.
Google's position — that the ecosystem failed to adopt the tools it was given — requires ignoring why adoption was low. The tools didn't work for the job. The job remains undone.