Google officially announced it will scrap its long-delayed plan to deprecate third-party cookies on Chrome. Third-party cookies are here to stay despite years of promises to the contrary.
This is big news: third-party cookies are a crucial part of the ad tech ecosystem and a pressing privacy issue. Here is all you need to know about the decision and its implications for online privacy.
- What are third-party cookies?
- What is wrong with third-party cookies?
- Why is Google so important for cookies?
- Why didn’t Google deprecate cookies?
- What will Google do?
- What does this mean for privacy?
- What is in store for ad tech?
- Final Thoughts
What are third-party cookies?
As you probably know, cookies are small files that browsers exchange with servers. They are used for all sorts of purposes: showing targeted advertising, authenticating users, remembering UI preferences or the items in your shopping cart, and so on.
First-party cookies can only be read by the domain that placed them in your browser while third-party cookies can be read by other domains. This makes third-party cookies very useful for targeted advertising because an advertiser can learn about your interests based on your browsing habits and display an ad that you are likely to be interested in.
What is wrong with third-party cookies?
There is a serious and obvious downside to third-party cookies: websites can learn a lot about you from your browsing behavior - including intimate information that could compromise you, expose you to exploitative advertising, and get you in trouble in a number of other ways.
To make things worse, targeted advertising is powered by the exchange of information between many actors. It is not about an individual website learning information about you: your personal information is disclosed to an enormous number of advertisers bidding for each ad placement (including the hundred advertisers that lose each bid!), and passed on to data brokers with questionable data governance.
Long story short, the real time bidding environment behind targeted advertising is nothing short of a dumpster fire, as the ICCL explained in detail.
And yet, third-party cookies have long been a staple for ad tech despite the privacy issues. But the winds are changing: the public is increasingly concerned about data privacy and many legislations around the world passed stringent privacy legislations in the wake of the GDPR. The climate is not as favorable to the widespread use of third-party cookies as it was in the early, wildly unregulated days of Web 2.0 and the industry is reluctantly adapting to these changes by leaning towards first-party data.
Why is Google so important for cookies?
Google Chrome is the only major browser to accept third-party cookies by default and accounts for a whopping 65% of the browser market worldwide. Google is effectively keeping third-party cookies on life support in a browser market that has long moved on.
Google’s motives are obvious: the company is an ad tech monopolist (which is why, incidentally, the US DOJ is attempting to break up its ad tech stack). The company owns many of the key services that power the ad tech environment, including Google 360, AdExchange, DoubleClick, and Google Analytics.
That’s not what a healthy market looks like (source: US DOJ).
For a long time Google’s lucrative ad tech environment was largely powered by the invasive user tracking allowed by third-party cookies. But even Google eventually acknowledged that tracking users across websites was not sustainable in the long run. So, the company started experimenting with ways to move past third-party cookies without destroying its own ad tech empire.
Google’s plan for replacing cookies revolved around several key points. The company started working on new standards and ideas for facilitating (supposedly) privacy-friendly targeted advertising. Collectively, these proposals were dubbed the Privacy Sandbox. Google would not only develop these standards, but also nudge stakeholders towards embracing them by deprecating third-party cookies as well as Universal Analytics- the older version of Google Analytics built on third-party cookies.
Things didn’t go as planned. The company first announced the deprecation of cookies in 2020 with 2022 as the deadline and later pushed the deadline to 2023, 2024, 2025, and never. Cookie deprecation basically became something of a joke in the tech community.
Google will surely deliver.
Why didn’t Google deprecate cookies?
Google never got around to kill third-party cookies because it failed to replace them. A first proposal called FLoC (Federated Learning of Cohorts) was scrapped after facing backlash from privacy advocates, regulators, and some stakeholders. Google tried again with a proposal called Topics and it met the same fate as FLoC.
We have another blog on Topics so we won’t bore you with the details here. Long story short, Topics analyzes the user’s browsing history to figure out their interests and broadcasts them to advertisers. Much like under FLoC, this analysis is carried out by the Chrome browser directly and does not involve Google’s servers.
Not everyone was happy about that. The developers of other browsers (with the notable exception of Microsoft) wouldn’t touch Topics with a ten foot pole. They pointed out that browsers are user agents: they are supposed to work for the benefit of the user, not the developers.
Topics suffered from other problems too. Privacy advocates claim that Google used deceiving language to sugar-coat Topics as a “privacy feature” in order to collect consent from Chrome users. The Mozilla Foundation examined Topics in depth and highlighted its vulnerability to re-identification attacks. Last but not least, the UK privacy watchdog and antitrust authority both took issue with Topics.
What will Google do?
Google hasn’t scrapped the Privacy Sandbox entirely but isn’t looking to get rid of third-party cookies anytime soon. So, replacing them remains a long-term goal at best.
The company has been vague over its next moves. Its blog mentions that they are working on “a new experience in Chrome that lets people make an informed choice that applies across their web browsing”, which sounds like tighter restrictions over third-party cookies will be implemented.
It is hard to see how this “new experience” could represent a meaningful change for privacy. Again, Chrome is the only major browser that accepts cookies by default. Safari, Firefox, and even Microsoft Edge are shipped with privacy-friendly cookie settings. Only Chrome is that invasive by default.
But hey, the user will be "able to adjust that choice at any time”. As if enjoying some degree of control over your personal data was a gracious concession from the company rather than a legal requirement in the EU and many countries around the world.
What does this mean for privacy?
On the one hand, third-party cookies are still around and that sucks. On the other hand, we are happy to see that the proposal to turn a browser into a tracking machine was met with the backlash it deserved. This backlash may actually force Google to come up with a good proposal that strikes a better balance between privacy and advertising necessities.
But is such a balance even possible?
The public has shown time and time again that it doesn’t like tracking. When Apple implemented user controls over third-party tracking in 2020, a whopping 96% of US users opted out of tracking- a number that exceeded advertisers’ worst fears. Would the public respond any better if companies promised to track users a little less, like Google did with Topics?
This is not a theoretical question. Each year privacy laws around the world increasingly reinforce the principle of user control over their personal data and often require consent for tracking users. This is why commercial surveillance is largely built on user blackmail and deception.
We see these two strategies all the time: Google chose deception for Topics while Meta opted for [take-it-or-leave-it extortion] for Facebook and Instagram. It is not just the big fish, either: many online news outlets present readers with cookie walls and countless apps refuse to work unless you give them permission to access data on your device which they don’t really need except for monetization.
But these practices are facing increasing scrutiny from regulators and relentless challenges from privacy advocates. These advocates have some legal ammunition on their side as the GDPR sets a high standard for valid consent- as do legislations inspired by the Regulation. Deceiving or blackmailing users is not only shitty but also increasingly risky in the current regulatory landscape.
What is in store for ad tech?
This is a time of uncertainty. Regulatory developments will deeply impact the ad tech environment in the next future but it is hard to say how just yet. Regulators may legitimize invasive practices that currently sit in a legal gray area or deliver the final blow to commercial surveillance- at least in the key European market.
Meta’s long-running pay-or-ok saga is commercial surveillance’s last stand in Europe. We already have a blog about pay-or-ok so here is the takeaway: the Court of Justice needs to clarify to what extent and under which conditions companies can ask users to pay with their data. The answer to these questions will have immense implications for ad tech as a whole and may very well end up killing cookie walls and other forced consent practices.
The European will play a key role as well: the long awaited ePrivacy Regulation is in the works and should eventually replace the ePrivacy Directive that currently governs cookies in the EU. The final draft may stick to the strict approach of the Directive and enforce strict consent, or carve some room for (allegedly) privacy-preserving approaches to advertising. The Regulation may also take a page from the CCPA and strictly enforce Global Privacy Controls or other do-not-track signals from browsers.
Last but not least, there is ADPPA- the US’ latest bipartisan attempt at a federal privacy law. ADPPA would have an enormous impact on the ad tech environment as a whole because the Google/Meta duopoly is subject to US legislation. The current draft is unclear when it comes to advertising, to put it mildly. Hopefully, new drafts will be formulated more clearly and give us a glimpse of what lies in store should ADPPA become law.
Final Thoughts
With all these regulatory developments in the work, we may see a privacy-friendly Internet soon enough. But why wait?
We believe in an independent internet that is friendly towards its visitors. That's why we built Simple Analytics to provide you with all the traffic insights while preserving user privacy.
No cookie banner. 100% GDPR-compliant and easy to use. Feel free to give it a spin.