What exactly happened to Google's Privacy Sandbox, and when?

Google's Privacy Sandbox, the six-year initiative meant to replace third-party cookies with a set of privacy-preserving advertising technologies built into Chrome, was effectively wound down in late 2025, and understanding the sequence matters because it reverses the assumption the entire ad industry had been planning around. On October 17, 2025, Google announced it would retire a large set of the Privacy Sandbox advertising APIs, the technologies that were supposed to enable interest-based advertising, remarketing and conversion measurement without cross-site tracking. The advertising APIs being removed include Topics, which would have let the browser assign users to interest categories; Protected Audience, the remarketing API formerly known as FLEDGE that was meant to deliver retargeted ads without third-party cookies; Attribution Reporting, which would have provided conversion measurement; and supporting infrastructure such as Private Aggregation and Shared Storage. These are being removed through Chrome 150. A smaller set of non-advertising APIs — CHIPS for cookie partitioning, FedCM for federated identity, and Private State Tokens for anti-fraud — continue to operate, because they serve functions beyond ad targeting. Google's stated reasons were low adoption of the advertising APIs and continued regulatory pressure; after years of development, uptake among advertisers and ad-tech vendors had been limited, and the initiative had drawn sustained scrutiny from competition and privacy regulators. The UK Competition and Markets Authority, which had been overseeing Privacy Sandbox closely because of its implications for competition in digital advertising, wound down its related oversight. The significance for advertisers is that the long-promised, Google-provided replacement for cookie-based advertising is not coming in the form everyone prepared for, which forces a rethink of how retargeting and measurement will work. This is not a minor product change; it is the abandonment of an industry-wide transition plan. Track how platforms are responding on the Policy Change Tracker , and review the Google advertising rules in the Google Ads policy guide . The organizing principle is that Google retired the Privacy Sandbox advertising APIs in October 2025, removing them through Chrome 150 and ending the planned cookie replacement.

If Privacy Sandbox is gone, what happened to third-party cookies?

Third-party cookies did not disappear — Google decided not to deprecate them in Chrome — but they have become a less reliable foundation for advertising, and the gap between cookies technically surviving and cookies actually working is the single most important thing for advertisers to understand in 2026. The history is worth recalling. For years Google planned to remove third-party cookies from Chrome and replace them with Privacy Sandbox. Then in 2024 Google announced it would not deprecate third-party cookies after all, instead proposing a user-choice mechanism, and it reaffirmed that direction in 2025 amid antitrust scrutiny. With the Privacy Sandbox advertising APIs now retired, the net result is that third-party cookies remain available in Chrome with no announced removal timeline. However, availability is not the same as reliability. The share of users for whom third-party cookies actually function has been eroding: more users move into enhanced privacy settings, other browsers such as Safari and Firefox already block third-party cookies by default, and the consent requirements that must be satisfied before a cookie can legally be set mean that a growing portion of traffic either blocks or does not consent to tracking. The practical effect is that cookie-based audiences are smaller and patchier than they used to be, retargeting pools shrink, and measurement based on cookies undercounts. For advertisers this produces a deceptively comfortable situation: the cookie-based setup still runs, dashboards still populate, and it is tempting to conclude that nothing changed. But the data underneath is degrading, and — just as importantly — the legal obligations attached to cookies did not loosen simply because Privacy Sandbox ended. Every third-party cookie used for advertising still requires a valid legal basis and, in most jurisdictions, prior consent. The right reading of the situation is that cookies are a declining asset that must be supplemented with consented first-party data, not a stable foundation to keep leaning on. Assess where your tracking depends on cookies and where consent is captured with the Legal Compliance Scan , and review the consent mechanics in the Consent Mode v2 enforcement guide . The organizing principle is that third-party cookies survived but became less reliable, so they are a declining asset still bound by consent law, not a stable base.

What actually breaks for retargeting and conversion measurement in 2026?

The end of Privacy Sandbox combined with declining cookie reliability degrades the two functions advertisers depend on most — audience retargeting and conversion measurement — and the breakage is uneven across campaign types, which is what advertisers need to map before reallocating budget. On the retargeting side, the campaign types most exposed are those that historically depended on cross-site tracking: display remarketing, behavioral targeting and custom intent audiences, along with cookie-dependent inventory across the open web. Display and YouTube are the most cookie-dependent campaign types, so remarketing pools built from website visitors who can be re-identified across sites shrink as fewer users carry usable third-party cookies. The Protected Audience API that was supposed to provide cookieless remarketing is being removed, so there is no Google-provided in-browser replacement arriving to fill the gap. The result is smaller, noisier retargeting audiences and reduced reach for campaigns that lean on them. On the measurement side, conversion attribution that relied on third-party cookies and on the now-retired Attribution Reporting API becomes fragmented: conversions are undercounted when users block or do not consent to tracking, attribution windows capture less of the journey, and measurement looks different across vendors and channels because each is improvising its own approach. This fragmentation has a compounding effect, because optimization algorithms that bid on conversion signals receive degraded data and therefore allocate budget less efficiently. Three consequences follow for planning. First, advertisers should expect cookie-based retargeting performance to drift downward and should not interpret that purely as a creative or bidding problem. Second, measured conversions increasingly understate true conversions, so blended and modeled measurement, holdout testing and first-party signals become necessary to see real performance. Third, because the breakage is concentrated in display, YouTube and open-web remarketing, channels grounded in first-party relationships and contextual relevance hold up better and deserve a larger share. The strategic response is to shift from cross-site re-identification toward consented first-party data, contextual targeting and durable measurement methods. Review the broader Google advertising rules in the Google Ads policy guide , and track measurement developments on the Policy Change Tracker . The organizing principle is that display, YouTube and open-web remarketing degrade most while measurement fragments, so first-party and contextual approaches gain.

Where is the compliance risk if cookies still technically work?

The compliance risk is precisely in the assumption that because third-party cookies survived, nothing changed legally — when in fact the consent obligations attached to cookies are unchanged, and the workarounds advertisers are adopting to compensate for declining cookies each introduce their own privacy duties. Start with the cookies themselves. The retirement of Privacy Sandbox has no effect on data-protection law: in Europe, the ePrivacy rules and GDPR still require prior, informed consent before non-essential cookies are set, and consent must be freely given, specific and demonstrable. In the United States, state privacy laws such as California's CPRA treat cross-context behavioral advertising as a regulated activity, require honoring opt-out requests, and mandate recognition of the Global Privacy Control browser signal. None of that loosened because Google kept cookies; if anything, regulators and browsers are tightening. So an advertiser that keeps running cookie-based retargeting without a robust consent mechanism is carrying the same — or growing — legal exposure it always had, now without the cover of an industry transition narrative. Then consider the workarounds. To replace shrinking cookie audiences, advertisers are leaning on first-party data, server-side tagging, the Conversions API and expanded data-sharing partnerships, and each of these carries obligations. First-party data collected for one purpose cannot be freely repurposed for advertising without an appropriate legal basis and disclosure. Server-side tagging and Conversions API move data collection to the advertiser's infrastructure, which can improve resilience but also concentrates responsibility — the advertiser is now plainly the controller deciding what is shared with the platform, and must have consent and contracts in place. Hashing an email and sending it to a platform for audience matching is still processing of personal data subject to consent and transparency requirements. The compliance risk, in short, migrates rather than disappears: from the third-party cookie to the first-party pipeline. The defensible approach is to treat every audience and measurement integration as a data-processing activity that needs a documented legal basis, a consent state, and a record of what is shared with whom. Assess exposure across cookies and server-side pipelines with the Legal Compliance Scan , and align the consent layer using the Consent Mode v2 enforcement guide . The organizing principle is that consent law applies to surviving cookies and to every workaround, so the compliance risk migrates from the cookie to the first-party data pipeline.

How should advertisers rebuild retargeting and measurement durably?

Advertisers should rebuild retargeting and measurement on a consented first-party data foundation rather than waiting for a browser-level replacement that is no longer coming, and the rebuild is as much a governance exercise as a technical one because each new method carries its own compliance duties. The foundation is first-party data collected with clear consent and a stated purpose that includes advertising. That means capturing customer and prospect data through owned channels — accounts, purchases, newsletter sign-ups, logged-in experiences — with a consent mechanism that records who agreed to what, and building retargeting audiences from that consented base rather than from cross-site cookie tracking. On top of that foundation, four practical layers help. The first is consent infrastructure: implement Google's Consent Mode so that tag behavior and modeling adjust to each user's consent state, and ensure the consent banner genuinely captures freely given consent rather than assuming it. The second is server-side measurement done responsibly: use server-side tagging and the Conversions API to send consented first-party conversion signals to platforms, recognizing that this makes the advertiser the clear decision-maker over what data is shared and therefore requires consent records and data-processing agreements. The third is contextual and modeled approaches: lean on contextual targeting, which does not depend on tracking individuals, and on modeled and blended measurement — conversion modeling, incrementality and holdout testing — to recover the visibility that cookie undercounting erodes. The fourth is signal honoring: build the pipeline to recognize and respect opt-out signals and the Global Privacy Control, so that compliance is enforced by the system rather than left to manual policy. Around all of this sits documentation: maintain a register of every audience source, measurement integration and data-sharing partner, with the legal basis and consent state for each, so the program can withstand both regulatory scrutiny and the ongoing erosion of cookies. The payoff is a retargeting and measurement program that is more durable than the cookie-based setup it replaces and that is compliant by construction. Map the current state and gaps with the Legal Compliance Scan , define terms with the compliance glossary , and track platform changes on the Policy Change Tracker . The organizing principle is consented first-party data plus consent mode, responsible server-side measurement, contextual and modeled methods, signal honoring, and full documentation.

Does Privacy Sandbox ending change anything for US state privacy laws and consent signals?

The end of Privacy Sandbox does not relax US state privacy obligations — it arguably raises their practical importance, because with no privacy-preserving browser replacement arriving, the cross-site tracking that state laws regulate continues to run on cookies and first-party pipelines that must comply directly. The US privacy landscape in 2026 is a growing patchwork of state laws, with California's framework the most developed. Under the CPRA, using personal information for cross-context behavioral advertising — essentially the retargeting advertisers rely on — is a regulated activity that consumers can opt out of, and businesses must provide a clear opt-out mechanism and honor it. A central requirement is recognition of the Global Privacy Control, a browser-level signal that communicates a consumer's opt-out preference automatically; California regulators have treated failure to honor the Global Privacy Control as a violation, and other states with opt-out regimes are following similar logic. Because Privacy Sandbox is gone and cookies persist, the advertiser's obligation to detect and respect these opt-out signals falls squarely on the advertiser's own tagging and audience infrastructure rather than being mediated by a privacy-preserving browser layer. That makes correct implementation of consent and opt-out handling more, not less, important. Several practical duties follow. Advertisers must ensure their tag management and server-side pipelines actually suppress cross-context advertising for users who have opted out or who transmit a Global Privacy Control signal, not merely display an opt-out link. They must extend this discipline across the growing set of state laws, recognizing that thresholds and definitions differ but the direction — opt-out of targeted advertising, recognition of universal signals, transparency about data sharing — is consistent. And because the workarounds for declining cookies route more data through first-party systems, the advertiser as the controller of that data must map where state-regulated personal information flows and ensure opt-outs propagate to downstream platforms and partners. The synthesis is that ending Privacy Sandbox shifts responsibility for honoring privacy choices onto advertiser infrastructure, so building opt-out and Global Privacy Control handling into the retargeting stack is now a core compliance task. Assess opt-out and signal handling with the Legal Compliance Scan , and reference US obligations in the US advertising compliance guide . The organizing principle is that with no browser replacement, honoring CPRA opt-outs and the Global Privacy Control falls on advertiser infrastructure, raising the importance of correct implementation.

Privacy Sandbox Shutdown 2026: Ad Retargeting Compliance

Quick Answer

Google's Privacy Sandbox is effectively over: on October 17, 2025 Google announced it would retire the major Privacy Sandbox advertising APIs — including Topics, Protected Audience (the remarketing API formerly called FLEDGE), Attribution Reporting, Private Aggregation and Shared Storage — with removal landing through Chrome 150, while a few non-advertising APIs such as CHIPS, FedCM and Private State Tokens continue. Google cited low adoption of the advertising APIs and sustained regulatory pressure after six years of development, and the UK Competition and Markets Authority wound down its related oversight. Critically, third-party cookies did not go away: Google had already decided in 2024, and reaffirmed in 2025, not to deprecate them in Chrome, so cookies remain available — but their reliability has declined as more users move into enhanced privacy settings and as browsers and regulators tighten the consent expected before tracking. For advertisers, the practical 2026 reality is that the promised privacy-preserving replacement for cookie-based retargeting and measurement is not arriving from Google, display and YouTube remarketing remain the most cookie-dependent campaign types and are getting noisier, and conversion measurement is fragmenting across vendors and consent states. The compliance trap is assuming that because cookies technically survived, nothing changed legally — but the consent obligations under GDPR and ePrivacy in Europe, and under US state privacy laws such as the CPRA with its opt-out and Global Privacy Control signals, apply to third-party cookies regardless of Privacy Sandbox, and the workarounds advertisers are adopting (first-party data, server-side tagging, Conversions API, expanded data sharing) each carry their own consent and data-governance duties. The durable posture is to build retargeting and measurement on a properly consented first-party data foundation, implement Google's Consent Mode correctly, honor opt-out and Global Privacy Control signals, and document the legal basis for every audience and measurement integration. Review the consent framework in the Consent Mode v2 enforcement guide, check exposure with the Legal Compliance Scan, and track developments on the Policy Change Tracker.

Privacy Sandbox Is Gone: What the 2026 Retargeting and Measurement Reality Means for Advertiser Compliance

What Changed When Privacy Sandbox Shut Down

Google's Privacy Sandbox — the six-year initiative meant to replace third-party cookies with privacy-preserving advertising technologies in Chrome — was effectively wound down in late 2025. On October 17, 2025, Google announced it would retire the major advertising APIs, including Topics, Protected Audience and Attribution Reporting.

This reverses the transition plan the entire ad industry had prepared around. The long-promised, Google-provided replacement for cookie-based retargeting and measurement is not coming. At the same time, third-party cookies — which Google had earlier decided not to deprecate — remain available but have grown less reliable.

"We will not be deprecating third-party cookies... and we are retiring a number of the Privacy Sandbox APIs.
— Google, Privacy Sandbox update"

This guide explains which APIs are gone, why cookies surviving is not the relief it appears, what breaks for retargeting and measurement, and the compliance risk hiding in the workarounds. Review the consent framework in the Consent Mode v2 enforcement guide, check exposure with the Legal Compliance Scan, and track developments on the Policy Change Tracker.

The Wind-Down and Which APIs Are Gone

Google cited low adoption of the advertising APIs and sustained regulatory pressure after six years of development. The UK Competition and Markets Authority, which had overseen Privacy Sandbox closely, wound down its related oversight.

Retired vs. Retained

API	Purpose	Status
Topics	Interest-based categories in the browser	Retired (via Chrome 150)
Protected Audience (FLEDGE)	Cookieless remarketing	Retired
Attribution Reporting	Conversion measurement	Retired
Private Aggregation / Shared Storage	Supporting measurement infrastructure	Retired
CHIPS	Cookie partitioning	Continues
FedCM / Private State Tokens	Federated identity / anti-fraud	Continues

The advertising APIs are gone; a few non-advertising APIs continue because they serve functions beyond targeting. This is not a minor product change — it is the abandonment of an industry-wide transition plan. Track how platforms respond on the Policy Change Tracker.

Cookies Stayed — But Got Less Reliable

Google decided in 2024, and reaffirmed in 2025, not to deprecate third-party cookies, instead proposing a user-choice mechanism. With Privacy Sandbox now retired, cookies remain available in Chrome with no removal timeline — but availability is not reliability.

Why the Cookie Base Is Eroding

Privacy settings: A growing share of Chrome users move into enhanced privacy modes that limit tracking.
Other browsers: Safari and Firefox already block third-party cookies by default.
Consent: A cookie can only be set legally with valid consent, so unconsented traffic is unusable for tracking.

The result is smaller, patchier audiences and cookie-based measurement that undercounts. The trap is a deceptively comfortable situation: the setup still runs and dashboards still populate, so it is tempting to conclude nothing changed — but the data is degrading and the legal obligations on cookies did not loosen. Assess where tracking depends on cookies with the Legal Compliance Scan.

What Breaks for Retargeting and Measurement

The breakage is uneven across campaign types, which advertisers need to map before reallocating budget.

The Two Functions Most Affected

Retargeting: Display remarketing, behavioral targeting and custom intent audiences depend on cross-site tracking. Display and YouTube are the most cookie-dependent — pools shrink and get noisier, with no in-browser replacement arriving.
Measurement: Attribution that relied on cookies and the retired Attribution Reporting API fragments — conversions undercount, windows capture less, and each vendor improvises its own approach.

Fragmented measurement compounds the problem, because bidding algorithms receive degraded conversion signals and allocate budget less efficiently. Expect cookie-based retargeting to drift downward, treat measured conversions as understating true conversions, and shift share toward channels grounded in first-party relationships and contextual relevance. Review the Google Ads policy guide for the broader rules.

The Compliance Risk Hiding in the Workarounds

The compliance risk is the assumption that because cookies survived, nothing changed legally — when the consent obligations are unchanged and the workarounds each introduce their own duties.

Where the Risk Lives

The cookies themselves: GDPR and ePrivacy still require prior, informed consent in Europe; US state laws like the CPRA require honoring opt-outs and the Global Privacy Control. None of that loosened.
First-party data: Data collected for one purpose cannot be repurposed for advertising without a legal basis and disclosure.
Server-side tagging and Conversions API: Moving collection to advertiser infrastructure concentrates controller responsibility — consent and data-processing agreements are required.
Audience matching: Hashing an email and sending it to a platform is still processing of personal data subject to consent and transparency.

The risk migrates rather than disappears: from the third-party cookie to the first-party pipeline. Treat every audience and measurement integration as a data-processing activity needing a documented legal basis and consent state. Assess exposure with the Legal Compliance Scan and align the consent layer with the Consent Mode v2 enforcement guide.

A Privacy-Durable Retargeting Workflow for 2026

Rebuild on a consented first-party data foundation rather than waiting for a browser-level replacement that is no longer coming. The rebuild is as much governance as technology.

Foundation Plus Four Layers

First-party foundation: Capture customer and prospect data through owned channels with a consent mechanism that records who agreed to what; build audiences from that base.
1. Consent infrastructure: Implement Google Consent Mode so tag behavior and modeling adjust to each user's consent state.
2. Responsible server-side measurement: Use server-side tagging and the Conversions API for consented signals, with consent records and data-processing agreements.
3. Contextual and modeled methods: Lean on contextual targeting and on modeled, blended and incrementality measurement to recover lost visibility.
4. Signal honoring: Build the pipeline to recognize and respect opt-out and Global Privacy Control signals automatically.

Around all of this sits documentation: a register of every audience source, measurement integration and data-sharing partner, with the legal basis and consent state for each. Map the current state and gaps with the Legal Compliance Scan and define terms with the compliance glossary.

2026 Retargeting Compliance Checklist

[ ] Cookie dependence mapped across retargeting and measurement
[ ] Valid prior consent captured before any non-essential cookie is set (GDPR/ePrivacy)
[ ] CPRA opt-out and Global Privacy Control signals detected and honored in the tag/server pipeline
[ ] First-party data collected with a stated purpose that includes advertising
[ ] Google Consent Mode implemented so behavior adjusts to consent state
[ ] Server-side tagging / Conversions API backed by consent records and data-processing agreements
[ ] Audience matching (e.g. hashed email) covered by consent and transparency
[ ] Contextual and modeled measurement adopted to offset cookie undercounting
[ ] Register maintained of every audience source, integration and data-sharing partner with legal basis
[ ] No assumption that surviving cookies mean unchanged legal obligations

Check exposure with the Legal Compliance Scan, reference US obligations in the US advertising compliance guide, and track developments on the Policy Change Tracker.

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Keyword Risk Checker first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#Google Ads#Privacy Sandbox#Third-Party Cookies#Retargeting#Measurement#Consent Mode#First-Party Data#Ad Compliance#Compliance Guide 2026#2026 Policy#Advertisers

Share This Report

Tweet Share

Performance Max Brand Safety in 2026: Placement Transparency, Exclusions and Account-Level Controls

Performance Max automates placement across Google's network, but brand safety stays the advertiser's job. Account-level controls and new placement reporting are how you keep ads off unsafe inventory.

Google Performance Max Auto-Generated Asset Disclosure May 2026: AI Creative Labelling, Asset Approval Cap & Advertiser Workflow

Google Performance Max's May 2026 update tightens auto-generated asset disclosure — AI-created variants now carry visible labels, asset approval caps narrow, and advertiser-side review burden lands.

Google Demand Gen Campaign Compliance Guide 2026: Creative Requirements, Audience Signals & Policy Differences from Discovery Ads

Google's Demand Gen campaigns replace Discovery Ads with expanded placements, AI creative tools, and lookalike segments — but compliance requirements differ significantly across YouTube, Discover, and Gmail surfaces.

Privacy Sandbox Is Gone: What the 2026 Retargeting and Measurement Reality Means for Advertiser Compliance