Privacy Sandbox testing FAQs

Answers to frequently asked questions related to Privacy Sandbox testing.

What are the key coordination areas between DSPs and SSPs for the Protected Audience API?

Below are the key aspects that require alignment:

  • Creative audit: Does the SSP have a creative pre-registration endpoint for scanning, and will DSP support that workflow? If not, discuss with the SSP what they require from the DSP to implement creative audit for publisher controls.
  • DSP's renderURL methodology. Some SSPs may require the renderURL to include metadata such as seatID to support scoring and billing. How the DSP structures renderURL has implications for critical SSP use cases.
  • ORTB
    • ORTB 2.X bid request: How the SSP will signal PA-eligible auction to the DSP.
    • ORTB 2.X bid response: How the DSP will respond to the SSP for PA auction.
  • PA on-device bidding data: SSP to DSP
    • auctionSignals: Data the SSP includes in the auctionConfig that is made available to all DSP bidding functions.
  • PA on-device scoring data: DSP to SSP
    • Bid: How to handle multi-currencies. Each SSP may have different requirements.
    • Ad object (returned from generateBid()): The SSP may use this for scoring and publisher controls. DSPs and SSPs need to align on what data is included and on a data structure.
  • PA win reporting: SSP to DSP
    • What SSP's reportResult() will make available to the DSP's reportWin().
  • Post-auction reporting: DSP to SSP. Context: The DSP must capture and delegate post-auction reports to the SSP. If the SSP needs clicks, views, viewability metrics, the DSP must enable them to receive these events.
    • What reports the SSP will need.
    • The methodology for measuring that event (such as, viewability definition).
    • DSP implementation of the reportEvent() call to support the SSP requirements.
    • SSP implementation of the registerAdBeacon() lining up the event naming with what the DSP will trigger in the creative.

Is the Attribution Reporting API ready and available for testing?

The Attribution Reporting API will be generally available and ramp-up is already in progress. With that, Attribution Reporting will soon be available for use on 100% of traffic. Note that Attribution Reporting can be used with all ads, not just those served by Protected Audience.

Are there geographic requirements for testing?

There are no geographic requirements. It's up to each tester to determine geographic considerations as part of their test.

How does the CMA guidance align with Chrome-facilitated testing?

Chrome facilitated testing modes are aligned with the CMA's guidance for quantitative testing of Privacy Sandbox. In the CMA's guidance the treatment group relies on Privacy Sandbox technologies without third-party cookies. Control group 1 uses third-party cookies and not Privacy Sandbox, and Control group 2 uses neither Privacy Sandbox nor third-party cookies. With general availability, the Privacy Sandbox technologies will be available on all Chrome traffic, and the ad tech can choose to use Privacy Sandbox technologies in certain population groups and not in others. Additionally, ad techs can leverage the Mode A Chrome-facilitated testing traffic to coordinate these population groups across multiple parties.

Starting in from January 4th, 2024, Chrome will deprecate third-party cookies on 1% of traffic and this is referred to as the Mode B Chrome-facilitated testing traffic in Chrome developer documentation. In a small fraction of Mode B Chrome-facilitated testing traffic, Privacy Sandbox technologies will also not be available in addition to third-party cookies being deprecated. Using a combination of all of the above Chrome-facilitated testing modes, ad techs will be able to align their test setups to the testing guidance published by the CMA. Refer to Chrome-facilitated testing, which defines Mode A and Mode B and CMA Guidance defines Control 1, Control 2, Treatment groups (in point number 11).

Is there a contact at the CMA we could connect with to better understand what is required for the submitted final report?

You can email the CMA case team at and read more about their testing proposal guidance. For additional reference, the CMA lists all their contacts at the bottom of their Privacy Sandbox page.

Can you clarify the quantitative testing success metrics?

Companies testing the APIs can define and share as many additional KPIs as they want. The minimum test results that need to be shared are listed in the CMA Guidance.

Is there a volume threshold for testing, for example, control group ratios versus modes ratios? Do you have additional guidance on valuable KPIs to test beyond the CMA's testing guidance?

Testers can establish volume / scale requirements. We recommend you determine scale based on your business model and objectives. Your testing approach should take into account relevant metrics and Mode A and Mode B of Chrome-facilitated testing.

What types of publisher inventory integrations are supported by Protected Audience and TOPICS testing?

Privacy Sandbox doesn't place restrictions on the specific integration mechanisms. To drive the most insight, Protected Audience end-to-end testing should be coordinated with other Privacy Sandbox-integrated parties with the aim to result in billable impressions.

We understand that other companies' integration decisions could impact the types of inventory where Protected Audience and Topics can be tested. Privacy Sandbox recommends coordinating with testing partners on objectives.

How will Google facilitate connecting testing DSPs and SSPs?

Companies testing are publicly listed on GitHub with contact information for coordination. Privacy Sandbox also encourages testers to reach out directly through existing relationships to coordinate testing.