Privacy Sandbox for Android Is Deprecated: What Actually Happened and What It Means for Your Stack
Google deprecated Privacy Sandbox for Android on October 17, 2025. The GAID is still here. This is what happened, why, and what you should do now.
Google deprecated Privacy Sandbox for Android on October 17, 2025, ending development of the Topics API, Protected Audience, Attribution Reporting API, Protected App Signals, and SDK Runtime for Android. The Google Advertising ID (GAID) is still active, with no scheduled deprecation. Operators do not need to change their core stack. Preparation work on server-side measurement and contextual signal infrastructure carries forward and still has value.
October 17, 2025: the deprecation and what it ended
Google deprecated Privacy Sandbox on Android on October 17, 2025. Google VP of Privacy Sandbox Anthony Chavez confirmed the decision in an official blog post on privacysandbox.google.com. The deprecation is documented on Google's developer site at developers.google.com/admob/android/privacy/sandbox.
What ended: the full suite of Android Privacy Sandbox APIs. Topics API, Protected Audience API (formerly FLEDGE for Android), Attribution Reporting API for Android, Protected App Signals, and the SDK Runtime are all discontinued. Google Mobile Ads SDK version 22.4.0 was the last version to include these APIs. Later SDK versions do not carry them.
The GAID is not deprecated. Google's own language commits to maintaining the Android Advertising ID's primary use cases without material changes. There is no scheduled GAID deprecation. With the deprecation of Privacy Sandbox, the original multi-year plan to replace the GAID no longer exists. The replacement is gone. The original identifier remains.
This is the part that is confusing operators right now. The 2022 Privacy Sandbox announcement said the GAID would eventually be replaced by privacy-preserving alternatives. Eric Seufert's widely-read Mobile Dev Memo post at the time was headlined "RIP GAID." That prediction was wrong, not because Privacy Sandbox succeeded, but because it did not. The GAID is here because the thing that was supposed to replace it was discontinued.
If you found this article after reading a guide that says "prepare for Privacy Sandbox for Android," that guide is obsolete. Most content ranking for Privacy Sandbox-related queries was written before October 2025. The SERP has not caught up to what actually happened. This article is the post-deprecation synthesis that does not yet exist elsewhere.
What Privacy Sandbox for Android was
This recap is intentionally brief. If you tracked Privacy Sandbox from the 2022 announcement, you know this. If you need the overview, here it is.
Google announced Privacy Sandbox for Android in February 2022, roughly nine months after Apple launched ATT on iOS. The stated goal was to create privacy-preserving alternatives to the GAID that did not require an opt-in prompt like ATT.
The core APIs:
Topics API. Classified device app usage into roughly 350 coarse interest categories and shared those categories with advertisers for interest-based targeting, without exposing the underlying app list or user identity.
Protected Audience API (FLEDGE for Android). Enabled on-device remarketing by running advertiser targeting logic and bid evaluation entirely on the device, without sending user data to ad servers.
Attribution Reporting API. Provided aggregated, privacy-preserving conversion measurement. Noised aggregate reports rather than individual conversion events, similar in concept to iOS's SKAdNetwork.
SDK Runtime. A sandboxed execution environment for ad SDKs that would have restricted what data those SDKs could collect from host apps.
Protected App Signals. Allowed apps to pass verified first-party signals into Protected Audience auctions without exposing the underlying data to ad buyers.
The framing from 2022 onward: Privacy Sandbox for Android was described as a multi-year effort running in parallel with the GAID before eventually replacing it. That two-to-three year preparation window is what ended on October 17, 2025.
Why Google deprecated it
Three documented reasons. Do not treat this section as speculation. All three are sourced from published testing results and official statements.
Performance shortfalls. Criteo published testing results showing that under Privacy Sandbox conditions, publishers would lose roughly 60% of their revenue from Chrome compared to third-party cookie environments. Google's stated goal for Privacy Sandbox was to limit revenue impact to 5%. The gap between 5% and 60% is not a configuration problem. It reflects a fundamental limitation of coarse-grained topics-based targeting relative to user-level signal. The same structural limitation applied to the Android framework.
Low adoption. Google VP Anthony Chavez cited low adoption of the APIs directly in his deprecation statement. Ad networks, DSPs, and attribution vendors had largely not integrated the APIs. The developer experience was difficult. And there was no pressing incentive to integrate while the GAID remained available. Why build an attribution pipeline on a new API when the existing one still works?
Market concentration. Criteo's testing showed Google Ad Manager's share of ad spend increasing from 23% to 83% in test environments under Privacy Sandbox auction conditions. The CMA (UK Competition and Markets Authority) was monitoring Privacy Sandbox development precisely because of these concerns. A framework where Google's own ad stack had structural first-mover advantages over third-party demand was not going to pass CMA review without material changes. Once it became clear the performance gap was too wide to close without redesigning the architecture, discontinuing the initiative was a lower-cost path than a full rebuild under regulatory scrutiny.
One important distinction: the web-side Privacy Sandbox, meaning the Chrome third-party cookie deprecation initiative, is a separate story. Third-party cookie deprecation for Chrome was reversed in 2024. The Attribution Reporting API and Topics API for Chrome are also being discontinued. CHIPS and FedCM continue on the web. Do not conflate the Chrome initiative with the Android initiative. They shared branding but were operationally separate programs with separate timelines and separate outcomes.
Is the GAID going away?
No, not currently.
Google has committed to maintaining the Google Advertising ID without material changes to its primary use cases. There is no scheduled deprecation date. The original "at least two years" commitment from 2022 has been extended further with the deprecation of the replacement initiative. The GAID-replacement timeline no longer exists because the replacement no longer exists.
What the GAID still does: user-level cross-app targeting for users who have not opted out, frequency capping across apps, attribution of install and in-app events to campaigns, and personalized advertising based on app-level behavior.
What the GAID cannot do: function for users who have opted out via Android's "Opt out of Ads Personalization" setting. This has always been the case. The opt-out rate on Android has historically been much lower than iOS's ATT opt-in rate. Aggregate data from AppsFlyer and Adjust puts Android opt-out rates at roughly 10-25%, compared to effective signal loss of 35-45% on iOS post-ATT.
The practical implication: your Android targeting and attribution stack based on GAID still works exactly as it did before Privacy Sandbox was announced. Nothing about GAID availability changed as a result of the October 2025 deprecation. The uncertainty that has hung over Android monetization since 2022 (when will the GAID disappear, when do we switch to topics-based targeting, how do we prepare for attribution changes) has resolved. The answer is: not now, and not on the timeline anyone was planning for.
What to watch: Google has not ruled out a future privacy framework for Android. The GAID maintenance commitment is real but not permanent. If a new framework is proposed, it will go through a more extensive industry consultation process, and the experience with Privacy Sandbox makes it likely that Google will move more cautiously on timeline and performance validation before committing to another GAID replacement.
What this means for your monetization stack today
Short answer: nothing changes immediately. Your existing setup is fine.
The signal environment on Android is now clearer than it has been since 2022. Treat that clarity as good news and do not overcorrect.
AdMob and Google Mobile Ads SDK. Remove any Privacy Sandbox-specific permissions or configuration added during preparation. SDK version 22.4.0 was the last to include the Privacy Sandbox APIs. Later versions do not include them. You do not need to request android.permission.ACCESS_ADSERVICES_TOPICS or android.permission.ACCESS_ADSERVICES_CUSTOM_AUDIENCES in your manifest. If those are present, they are harmless but unnecessary and can be cleaned up in your next release.
Mediation stack. No changes required. Demand partners were not yet relying on Privacy Sandbox APIs for their buying decisions. Your waterfall vs in-app bidding configuration remains valid. Your mediation platform configuration (whether MAX, LevelPlay, or AdMob mediation) is unaffected by the deprecation.
Attribution. Your existing attribution setup on AppsFlyer, Adjust, Kochava, or Singular continues to function on GAID. The Attribution Reporting API integration that some measurement vendors were testing is discontinued. If your measurement vendor had a "Privacy Sandbox beta" configuration enabled, check whether they have issued guidance to turn it off.
SDK Runtime. If any of your SDK partners had begun prototyping SDK Runtime implementations, those efforts are discontinued. No action required on your end.
The one practical audit worth doing: check your AndroidManifest.xml for any Privacy Sandbox-related permissions added during preparation and remove them. They will not break anything, but clean manifests are good hygiene. While you are there, check your SDK and adapter versions to confirm you are not running anything that has a known compatibility issue post-deprecation. You can also review your AdMob configuration to confirm nothing was staged for Privacy Sandbox that should be rolled back.
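The manifest audit described above can be scripted. The following is an added example, not code from Google or from this article's author: it matches on the android.permission.ACCESS_ADSERVICES_ prefix so it catches the permissions named above whatever their exact suffix, and it treats entries marked tools:node="remove" as removals rather than declarations. The function name audit_manifest and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"

# Prefix shared by the Privacy Sandbox (AdServices) permissions named in the article.
ADSERVICES_PREFIX = "android.permission.ACCESS_ADSERVICES_"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample manifest (not from a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          xmlns:tools="http://schemas.android.com/tools"
          package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <!-- GAID permission: unrelated to Privacy Sandbox, must not be flagged -->
    <uses-permission android:name="com.google.android.gms.permission.AD_ID" />
    <uses-permission android:name="android.permission.ACCESS_ADSERVICES_TOPICS" />
    <uses-permission
        android:name="android.permission.ACCESS_ADSERVICES_CUSTOM_AUDIENCES"
        tools:node="remove" />
    <application android:label="Example" />
</manifest>
"""


def audit_manifest(manifest_xml: str) -> dict:
    """Return the AdServices permissions found in a manifest.

    'declared'           permissions the manifest still requests
    'stripped_by_merger' permissions the manifest tells the merger to remove
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")

    declared, stripped = [], []
    for tag in PERMISSION_TAGS:
        # Permission elements are direct children of <manifest>.
        for element in root.findall(tag):
            name = element.get(f"{{{ANDROID_NS}}}name", "")
            if not name.startswith(ADSERVICES_PREFIX):
                continue
            if element.get(f"{{{TOOLS_NS}}}node") == "remove":
                stripped.append(name)
            else:
                declared.append(name)

    return {
        "declared": sorted(declared),
        "stripped_by_merger": sorted(stripped),
    }


if __name__ == "__main__":
    findings = audit_manifest(SAMPLE_MANIFEST)
    for name in findings["declared"]:
        print(f"REMOVE      {name}")
    for name in findings["stripped_by_merger"]:
        print(f"ALREADY OFF {name}")
```

Run it against the merged manifest from your build output as well as the source file, since a dependency can contribute a permission that your own AndroidManifest.xml never lists.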
What to keep from the preparation work
This section is for the operator who spent real time and money preparing for Privacy Sandbox. Not everything was wasted.
What carries forward:
Server-side measurement infrastructure. If your preparation pushed you to build or improve a server-side event pipeline, that investment pays off regardless of Privacy Sandbox. Server-to-server attribution is more durable than SDK-based attribution because it is less vulnerable to any future privacy changes from Google, from OS-level restrictions, or from regulatory requirements. Keep it.
Contextual signal investment. Any work you did to generate and pass contextual signals (content category, app vertical, session depth, time-of-day patterns) into your ad requests is durable. Contextual targeting is the fallback when user-level signal is unavailable, and that condition is not going away on iOS (ATT opt-out), on Android for opted-out users, or in any future privacy framework. A cleaner contextual signal layer makes your inventory more valuable regardless of what Google does next. This connects to the broader argument for building a durable mobile monetization setup.
First-party data architecture. If Privacy Sandbox preparation pushed you to build a user consent flow, a first-party data collection layer, or a CRM connection to your ad serving, that infrastructure has long-term value. Consent-based first-party signals are the most durable signal type across all privacy frameworks.
Measurement vendor due diligence. If the preparation period forced you to evaluate your measurement vendor's privacy readiness, you now have a better understanding of their attribution methodology than you did in 2022. That knowledge does not expire.
What was genuinely wasted:
SDK Runtime integration prototyping. Any engineering time spent on SDK Runtime readiness is not recoverable. Topics API testing and topic taxonomy work is no longer applicable. Vendor evaluation cycles for Privacy Sandbox-specific products represent sunk cost.
The overall framing: the preparation period was not entirely wasted. It accelerated investment in server-side measurement and contextual infrastructure that has lasting value. The specific Privacy Sandbox API work is over. The adjacent infrastructure work carries forward.
The post-deprecation signal architecture for Android
The dominant Android signal stack as of late 2025:
GAID. Active for users who have not opted out. Used for cross-app targeting, frequency capping, and attribution. Still the primary identifier for programmatic demand on Android.
Contextual signals. App category, placement context, session depth, device type, time-of-day, geo. Always available regardless of user opt-out status. Increasingly used by DSPs as the first-pass signal layer.
IP-based signals. Still used for geo-targeting and frequency capping at the device level. Not a user identifier, but a useful supplementary layer.
First-party behavioral signals. In-app events, session frequency, purchase history, passed server-side by publishers who have built that infrastructure.
Consent-based identity signals. Email hash, phone hash, or other consented identifiers passed via secure signals to demand partners who support them, including Google's Encrypted Signals for Publishers and LiveRamp's RampID on mobile.
How this compares to iOS: iOS requires ATT opt-in for IDFA access. Effective opt-in rate is roughly 45-50% per aggregate AppsFlyer and Adjust data. Supplemented by SKAdNetwork 4 (install-level attribution only, aggregated, with 15-30 day delays) and Apple's Private Click Measurement for web-to-app. Signal loss is materially higher than Android. See SKAdNetwork 4.0 Conversion Value Setup for the iOS attribution picture in depth.
Android by comparison: GAID available without an opt-in prompt for the majority of users. Opt-out rate historically 10-25%. The signal environment is substantively richer than iOS for most use cases.
What changed on Android since 2022 despite the Privacy Sandbox deprecation: Google added Data Safety section requirements in the Play Store, requiring publishers and networks to declare data collection practices. The opt-out mechanism is more prominent in Android Settings than it was in 2022, so opt-out rates may increase gradually over time even without a formal deprecation. Several large markets, including the EU and India under the DPDP Act, have regulatory requirements that affect how GAID can be used for targeting. These are live compliance workstreams that are separate from Privacy Sandbox and are not resolved by the deprecation.
The key operator implication: Android is the better-signal platform right now and will remain so unless a new framework changes it. Operators who were assuming Android signal would converge downward toward iOS signal levels should reset that assumption.
What might come next
Google did not say they are done with Android privacy. They said they are discontinuing specific APIs due to low adoption and performance shortfalls. Those are different statements.
What is documented: VP Anthony Chavez's deprecation statement focuses ongoing Google Privacy Sandbox work on CHIPS and FedCM for web, interoperable attribution standards through the W3C, and Private State Tokens for fraud prevention. For Android specifically, the statement does not describe a replacement framework.
What is in active industry workstreams but not close to deployment: the W3C Private Advertising Technology Community Group (PATCG) is developing interoperable attribution standards that could inform a future approach. The IAB Tech Lab has published guidance on privacy-preserving signals. These workstreams are real but have not produced anything that replaces GAID-level functionality at scale.
What is possible but not announced: a future attempt at a GAID replacement that is architecturally different from Privacy Sandbox. The CMA concerns and the Criteo data point to a specific problem: any framework that routes through Google's own ad infrastructure at the auction level faces the same market concentration critique. A viable future framework would need to be genuinely interoperable with no structural advantage for Google's own demand. Whether that is technically and commercially feasible is an open question with no current answer.
The operator's planning horizon: treat the GAID as stable for at least the next two to three years. Monitor the W3C PATCG output and Google's official Android advertising announcements. If a new framework is proposed, it will be announced well in advance. Google's original Privacy Sandbox announcement gave more than two years of lead time. That cadence will apply to anything that follows.
What not to do: do not immediately rebuild your stack around contextual-only targeting in anticipation of a GAID replacement that has not been announced. That would be an overcorrection. The GAID is here and working.
Android vs iOS: how these privacy timelines differ
iOS went hard and fast. Apple launched ATT in April 2021 with a binary opt-in prompt and a policy mandate: all apps collecting device identifiers for advertising required explicit opt-in. No multi-year preparation window, no industry consultation on technical architecture, no performance validation against existing revenue baselines before launch. ATT achieved over 95% rollout within one iOS release cycle. Publishers saw IDFA-based revenue drop 20-40% in the months following rollout, with recovery over 18-24 months as DSPs adapted their models to SKAN-based signals.
Android went slow and stopped. Privacy Sandbox for Android was announced in February 2022 with an explicit multi-year timeline and a commitment not to deprecate the GAID until the replacement APIs had achieved real-world performance parity. That measured approach left the initiative in a long preparation period that allowed advertiser resistance to accumulate. When performance testing showed the gap was too wide to close quickly, the initiative was easier to discontinue precisely because no hard deadline had been set.
The regulatory context differs too. ATT was an Apple business decision executed unilaterally. Privacy Sandbox for Android was developed under active CMA oversight, with the CMA holding formal power to object if the outcome distorted competition. That constraint created a higher bar for performance validation and contributed structurally to the decision to discontinue.
The signal loss comparison as of today:
iOS: IDFA opt-in required. Effective opt-in rate 45-50%. SKAN 4 available for install attribution (aggregated, delayed, limited by crowd anonymity thresholds). Signal environment materially degraded versus pre-ATT baseline.
Android: GAID available without an opt-in prompt. Opt-out rate 10-25%. No SKAdNetwork equivalent needed because GAID-based attribution still functions for the majority of users, who have not opted out. Signal environment substantially richer than iOS.
The SKAdNetwork 4.0 article covers the iOS measurement architecture in detail. The practical operator takeaway for cross-platform stacks: iOS optimization is a SKAN and ATT problem. Android optimization is a GAID and mediation problem. They are not converging. Expect materially different monetization architectures on each platform for the foreseeable future.
The vendor pivot
Several ad tech vendors invested heavily in Privacy Sandbox readiness. What happens to that investment now?
Attribution vendors (AppsFlyer, Adjust, Kochava, Singular). These vendors built Privacy Sandbox API integrations and beta programs. With the deprecation, their Android attribution product reverts to GAID-based measurement, which they already support. The reinvestment direction is server-side measurement improvements and first-party data infrastructure that is durable across future privacy changes. Expect continued investment in cookieless and identifier-less measurement as a defensive architecture, regardless of whether a new Android framework is announced.
Ad networks that invested in Protected Audience and Topics API buying. DSPs and networks building bidding infrastructure for Topics-based targeting have no live product to show for that work. The pivot is to contextual signal-based buying, which is the next-best option when GAID is unavailable (opted-out users) or when a future framework restricts it. Networks with strong contextual buying capabilities (brand safety, content vertical, session quality signals) are in a better position than those that were building solely around Topics classification.
SDK vendors preparing for SDK Runtime. Any SDK vendor that was rebuilding for the sandboxed SDK Runtime architecture has stopped that work. The maintenance direction is the current SDK architecture combined with server-side ad serving investment for the long term. Several large mediation platforms were already moving in that direction. That trend continues regardless of SDK Runtime.
The consolidation effect. Privacy Sandbox preparation required significant engineering investment. Vendors with the resources to run extensive testing programs (the large networks, the well-funded measurement companies) absorbed that cost more easily than smaller ones. Now that the preparation period is over, the resources smaller vendors spent on Privacy Sandbox readiness represent real cost with no return. Expect consolidation pressure on mid-tier SDK and measurement vendors over the next 18-24 months.
If your measurement vendor or ad network still has a Privacy Sandbox sunset plan they are pushing, that conversation needs a reset. Most of what they were preparing for is no longer relevant.
Frequently Asked Questions
Is Privacy Sandbox for Android still happening?
No. Google deprecated Privacy Sandbox on Android on October 17, 2025. Development of the Topics API, Protected Audience API, Attribution Reporting API, Protected App Signals, and SDK Runtime for Android has ended. The deprecation is confirmed on Google's official developer documentation. The initiative is not being paused or delayed. It is discontinued.
When did Google deprecate Privacy Sandbox for Android?
October 17, 2025. Google VP Anthony Chavez confirmed the decision in an official Privacy Sandbox blog post, citing low adoption of the APIs and the need to refocus on technologies with broader industry uptake. Google Mobile Ads SDK version 22.4.0 was the last version to include the Privacy Sandbox APIs.
Is GAID going away?
No, not currently. Google has committed to maintaining the Google Advertising ID (GAID) without material changes to its primary use cases. There is no scheduled deprecation date for the GAID. With Privacy Sandbox for Android deprecated, the original GAID-replacement timeline is no longer active. Operators can treat the GAID as the stable Android identifier for at least the next two to three years, subject to monitoring future Google announcements.
What should I do with the Privacy Sandbox prep work I already did?
Keep the parts that are durable, drop the parts that were Privacy Sandbox-specific. Server-side measurement infrastructure, contextual signal pipelines, first-party data collection, and consent flows all carry forward and remain valuable. SDK Runtime integration prototyping, Topics API taxonomy work, and Protected Audience API testing are discontinued. If you added Privacy Sandbox-specific Android permissions to your manifest (ACCESS_ADSERVICES_TOPICS, ACCESS_ADSERVICES_CUSTOM_AUDIENCES), they are harmless but unnecessary and can be removed in your next release.
Why did Google deprecate Privacy Sandbox for Android?
Three documented reasons: performance shortfalls in testing (Criteo's published data showed publishers would lose around 60% of Chrome revenue under current Privacy Sandbox conditions, against Google's stated goal of 5% impact), low advertiser and publisher adoption of the APIs (the industry had largely not integrated them), and market concentration concerns (testing showed Google Ad Manager's share of ad spend increasing sharply under Privacy Sandbox auction conditions, which the CMA was monitoring). Google did not attribute the decision to a single cause, but these three factors are documented in published testing results and official statements.
What is replacing Privacy Sandbox for Android?
Nothing is replacing it right now. Google has not announced a successor framework for Android. The GAID remains active and is the primary Android advertising identifier. Google's ongoing focus areas include interoperable attribution standards through the W3C and fraud prevention tools, but neither is a GAID replacement. If a new privacy framework for Android is announced in the future, it will require extensive industry consultation given the experience with Privacy Sandbox. Treat the current signal environment (GAID plus contextual) as stable for the near term.
Closing
Privacy Sandbox for Android is over. The GAID is not. Your stack is probably fine as-is.