Google Privacy Sandbox: Topics API Deprecation and Chrome 144 150 Milestones

Google’s plan to replace third‑party cookies with a new set of “Privacy Sandbox” web APIs has quietly entered reverse: Chrome will continue to support third‑party cookies in normal browsing, and Google engineers have begun formally deprecating at least some of the Privacy Sandbox Ads APIs — most notably the Topics API — with deprecation milestones aimed at Chrome 144 and full removal slated for Chrome 150, while related cleanup for other Privacy Sandbox pieces is already visible in Chromium’s developer traffic.

Background​

The Privacy Sandbox started as a 2019 effort to rebuild ad targeting and measurement around browser‑side, privacy‑preserving primitives instead of cross‑site identifiers. Over the last half‑decade Google proposed and iterated a suite of APIs — Topics, Protected Audience (FLEDGE), Attribution Reporting, Shared Storage, Private Aggregation and others — intended to let publishers and adtech measure and target ads without exposing raw browsing histories to third parties. The program became a focal point for technical debate, commercial concern and regulatory scrutiny. In April 2025 Google publicly changed course on its rollout plan: instead of enforcing a phase‑out of third‑party cookies or compelling a single migration path, the company opted to leave cookie choice in users’ hands (via Chrome’s existing Privacy & Security settings) and focus on smaller, user‑facing protections such as enhanced Incognito safeguards. That decision effectively sidelined the aggressive timetable many in the industry had planned for. Reuters and multiple industry outlets documented and analysed the April decision at the time.

---

What changed this week: deprecation activity in Chromium​

On November 7–8, 2025 the Chromium project’s developer channels recorded formal “intent to deprecate and remove” activity for Privacy Sandbox functionality. The clearest public record is the Blink‑dev thread titled “Intent to Deprecate and Remove: Topics API,” which explicitly states a planned deprecation in M144 (Chrome 144) and removal in M150 (Chrome 150), and cites current usage figures for Topics. The thread also explains Google’s rationale: with Chrome keeping third‑party cookies available via user choice, interest‑based ads will continue to be feasible through cookies and adoption of Topics is expected to decline; other browser engines have not signalled broad support for the API. Separately, Chromium mailing‑list activity and related “intent” posts show removal work on parts of the Protected Audience (formerly FLEDGE) implementation — in some cases earlier, lower‑impact elements were already flagged for removal — because usage numbers were negligible and the implementation added code complexity. These threads and the Chromium feature dashboard entries serve as definitive, engineering‑level confirmation that Google and the Chromium maintainers are shifting from building Privacy Sandbox primitives to removing or slimming them. Taken together these signals confirm two interlinked shifts:

• Google will keep the existing cookie model available for regular browsing, leaving cookie control to users rather than enforcing a new default; and
• Chrome’s codebase is now pruning Privacy Sandbox APIs that have low adoption or narrowed utility in a world where third‑party cookies remain an available option.

---

What the main APIs are — and what losing them means​

Before assessing impact, here’s a concise, developer‑level primer on the key Privacy Sandbox Ads APIs so readers can understand what deprecation actually removes.

• Topics API — a browser‑side classifier that surfaces a small set of high‑level interest “topics” (one per epoch) for on‑device use by ad platforms. It was designed to permit interest‑based advertising without sharing site‑level browsing histories. Deprecation here removes that standardized topics signal from Chrome.
• Protected Audience / FLEDGE — an on‑device bidding and auction API intended to enable remarketing and audience‑specific ad selection without cross‑site identifiers. Variants of the API implemented different mechanisms (e.g., web bundles or header‑based signals). Some low‑usage subcomponents have already been scheduled for removal.
• Attribution Reporting — a privacy‑preserving mechanism to connect ad interactions (clicks/views) with conversions; it supports both event‑level reports (with noise and delay) and aggregated reports. It is central to campaign measurement under the Sandbox model.
• Private Aggregation & Shared Storage — building blocks for returning aggregated, noisy metrics and for storing limited, partitioned data that cannot be used for cross‑site tracking.

Removing these APIs (or curtailing their visibility/attack surface) changes the technical landscape for advertising — it removes standardized, browser‑level privacy primitives that adtech and publishers had started to test and, in some cases, implement.

---

Verification: what can be proven and what remains uncertain​

• Confirmed: Google publicly aborted the planned cookie phase‑out and decided not to ship a new standalone cookie prompt; that change was announced in April 2025 and widely reported.
• Confirmed: Chromium/Blink developer threads show an intent to deprecate and remove the Topics API with concrete milestone targets (deprecate in M144, remove in M150) and provide usage figures referenced in the thread. This is an authoritative engineering signal.
• Confirmed: Chromium threads also document clean‑up and deprecation activity for components of Protected Audience/FLEDGE (for example, the subresource web‑bundle variant of directFromSellerSignals) where usage is extremely low; this work is already reflected in intent threads and Chromestatus entries.
• Less certain / Not yet independently verified: public reporting that every major Privacy Sandbox API (Topics, Attribution Reporting, Protected Audience, Shared Storage, Private Aggregation, etc. will be deprecated on the same schedule. The WindowsReport piece supplied as the briefing lists a set of APIs the company "announced plans to retire," and the Topics/Protected Audience threads corroborate part of that claim. However, not every API named in that aggregate list has an easily discoverable, dedicated developer intent thread that explicitly repeats the same M144→M150 milestone language. Where a public engineering thread cannot be located for a particular API, treat the claim as plausible but unverified until an explicit Blink/Chromium intent entry or the Chrome Platform Status is updated. The Chromium project’s own feature pages and Blink mailing lists remain the canonical source for exact timelines and should be checked for each API.

Because Chromium's dev channels and the Chrome Platform Status are the authoritative technical record, the single best checks are:

• Blink‑dev intent threads (where they exist) and
• the Chrome Platform Status / Chrome release notes and developer docs for milestone references.

---

Why Google is doing this — engineering, market, and regulatory reasons​

Several credible drivers converge on this outcome:

• Ecosystem uptake was thin. The Topics thread itself points to a modest adoption footprint (the thread cites ~13% of page loads for Topics) and notes that other browser engines did not signal an intent to implement the API — leaving Topics useful to Chrome‑centric adtech only and reducing cross‑browser standardization incentives. On a web where other engines continue to permit cookies, advertisers can still do interest‑based ads without switching to newer APIs.
• Commercial resistance and cost to publishers/advertisers. Transitioning massive ad measurement and targeting stacks from cookies to a novel set of browser APIs is expensive, risky during revenue cycles (holidays), and requires cross‑industry coordination. Advertisers and publishers repeatedly told Google they needed more time or alternate solutions. Industry coverage from April 2025 documented this dynamic when Google paused aggressive cookie removal.
• Regulatory pressure and antitrust context. Privacy Sandbox attracted close scrutiny from competition authorities; regulators worried that Google could use browser‑level primitives to entrench adtech advantages or disadvantage rivals. These legal clouds made a unilateral, rapid shift harder to justify. Reuters and other outlets flagged the regulatory backdrop at the April announcement.
• Engineering and maintenance costs. Some Privacy Sandbox features were complex to implement and test; if an API is used by only a tiny fraction of the web, removing it reduces code surface, attack vectors and maintenance burden. Chromium’s decisions to prune low‑usage code follow normal engineering hygiene.

---

What this means for advertisers, publishers and developers​

This is neither a simple rollback nor an all‑clear for the adtech industry — it’s a re‑set with real operational consequences.
Immediate impacts:

• Short‑term stability for cookie‑based targeting and measurement: platforms that rely on third‑party cookies will continue to function in standard Chrome profiles, reducing the immediate need for wholesale migration. This was a deliberate outcome of Google’s April policy shift.
• Uncertainty for roadmaps: publishers and DSPs that invested in Privacy Sandbox tests must now decide whether to continue experimentation, maintain dual code paths, or shelve work that was intended to replace cookie workflows. Expect fragmentation: some publishers will move forward with server‑side or first‑party alternatives, while others stick with cookies. Practical developer and testing guidance from Windows/enterprise communities highlights the complexity of keeping both cookie and cookie‑less compatibility.

Medium‑term consequences to plan for:

• Measurement complexity — Without a single, browser‑delivered measurement standard, measurement solutions will fragment: server‑side tagging, first‑party measurement, and vendor ID systems may gain traction. Advertisers must run side‑by‑side comparatives.
• Operational cost — Maintaining parallel stacks (cookie‑based and Privacy‑Sandbox capable) increases cost and testing requirements across publishers and adtech vendors. Windows‑focused developer notes and enterprise guidance enumerate common debugging headaches and test requirements in such mixed modes.
• Market consolidation risk — If Google continues to operate key measurement or identity services outside standard browser APIs (for example, via Ads Data Hub or other first‑party pathways), publishers could become more dependent on Google’s infrastructure for measurement — a central concern regulators raised around Privacy Sandbox. Independent, interoperable alternatives will be harder to create without cross‑browser standards.

Actionable short checklist for teams (ranked):

• Inventory current reliance on third‑party cookies, Topics, FLEDGE and Attribution Reporting.
• Run parallel measurement tests where feasible (cookies + Private Aggregation / Attribution Reporting) to gather comparative metrics.
• Harden first‑party measurement pipelines and server‑side tagging to reduce dependence on any single browser API.
• Track Chromium Blink dev threads and Chrome Platform Status closely for formal timelines (M144 / M150 are milestone numbers in the Chromium release cadence and correspond to calendar release plans).

---

Privacy, user choice and the net effect on protections​

The headline for privacy advocates is straightforward: this change keeps third‑party cookies technically available in the browser for typical browsing sessions. That means the long‑standing, cross‑site cookie graph remains possible for organizations that choose to use it until users explicitly block cookies.
However, two nuances matter:

• Chrome’s Incognito mode will continue to block third‑party cookies by default and Google has indicated ongoing work on privacy features for private browsing sessions (for example, IP Protection in Incognito). That preserves a stronger privacy posture in that specific mode.
• The absence of a single, dominant browser‑level privacy API does not stop publishers, platforms or browser vendors from deploying other privacy features (e.g., stricter tracking prevention, Global Privacy Control support, or server‑side measurement with robust consent governance). Many publishers and adtech firms are already investing in these alternatives.

For users, the practical lesson is unchanged: browser privacy settings and informed choices matter. When Google says cookie control will be left to users, that places the burden of privacy protection back on user configuration and on platform features that make the choices easy and visible. Community guidance for Windows users and enterprise administrators underscores the importance of per‑site settings, tracking prevention levels, and the fragility of cookie‑based opt‑outs.

---

Risks and unanswered questions​

• Timing and coordination: M144 and M150 are release‑milestone numbers, not calendar dates. Exact release timing will depend on Chromium’s schedule and any downstream ingestion by browser vendors (Edge, Brave, etc.. Enterprises should not assume immediate removal without monitoring official Chrome release notes.
• Partial removals vs. stubs: Chromium maintainers sometimes ship “stubs” or backward‑compatible shims to preserve site behavior while removing functionality. The Topics thread explicitly describes mitigations to reduce page breakage, but web developers should still feature‑detect and avoid assuming any API will be present in all browser variants.
• Regulatory reaction: Removing standardized privacy APIs while leaving cookies available might draw renewed regulatory attention, especially where Privacy Sandbox had been presented as a remedy for competition or privacy concerns. Those legal dynamics remain fluid and could change engineering timelines.
• Ecosystem fragmentation: Without cross‑browser adoption, the web risks splintering into bespoke measurement approaches — server‑side aggregation, proprietary identity graphs, and per‑vendor SDKs. That fragmentation increases technical debt for publishers and reduces transparency for users.

---

Bottom line: where this leaves the web​

Google’s engineering move to deprecate at least the Topics API (and to prune low‑usage Protected Audience code) reflects a pragmatic retrenchment: the Privacy Sandbox experiment succeeded in producing a set of technical proposals and pilots, but the commercial, cross‑browser and regulatory conditions needed for a hard migration never fully materialized.
The immediate outcome is stability for existing cookie‑based workflows — which helps advertisers and publishers in the short term — and more complexity for those who hoped the browser would provide a single, privacy‑first replacement. For developers and enterprise teams, the practical imperative is to diversify measurement and targeting strategies, harden first‑party data capabilities, and monitor Chromium’s developer channels and Chrome release notes for the precise deprecation timelines and migration guidance.

---

Practical next steps (concise checklist)​

• Audit cookie and Privacy Sandbox API usage on your sites and ad stacks now.
• Implement feature detection and graceful fallbacks for Topics, Attribution Reporting and Protected Audience (where used).
• Invest in first‑party measurement, server‑side tagging and clean room approaches to reduce reliance on any single browser feature.
• Track Blink‑dev threads and Chrome Platform Status for exact M‑release dates and flags.
• Communicate transparently with advertisers and publishers about expected measurement divergences during the transition.

---

Google’s November deprecation signals do more than change code flags: they change the incentives shaping ads, measurement and privacy engineering across the web. The industry will now be judged on whether it can deliver privacy protections and robust measurement without a single browser‑level, cross‑vendor standard — a tougher, more distributed challenge that puts the onus on publishers, platforms and regulators to coordinate the next phase.

---

Source: Windows Report Google Is Scrapping Privacy Sandbox APIs as Chrome Keeps Third-Party Cookies After All