Google Chrome finally started removing third-party cookies

After years of postponements and delays, Google has finally unveiled and started implementing the roadmap for transitioning the Chrome browser to new privacy-focused APIs. In the Chromium blog article, director of Chrome Engineering Justin Schuh encourages advertising companies, publishers and other browsers to solve the challenges collectively. He explains that “users are demanding greater privacy – including transparency, choice, and control over how their data is used – and it’s clear the web ecosystem needs to evolve to meet these increasing demands”. The process started on January 4 and will be completed by the end of 2024. There will be several subsequent phases, and companies will have the opportunity to select, test, and implement alternative technologies.

According to Google’s roadmap, third-party cookies will be blocked for 1% of Chrome users starting in the first quarter of 2024. During this period, new APIs will be tested on real traffic. Then, starting from the third quarter of 2024, the ban on third-party cookies will be gradually extended to all other Chrome users. Thus, Google intends to completely abandon the technology that allows tracking users across different sites by 2024. This is part of a global privacy initiative aimed at strengthening data privacy on the Internet.

Instead of cookies, Google provides the technology called Privacy Sandbox aimed to strengthen users’ privacy while using the browser and make users’ data more secure.

Five Questions On 3rd-Party Cookies and Their Forthcoming Demise

What Is The Role Of Third-Party Cookies?

A cookie is a piece of information sent from the web-server to the web browser that saves the user’s data and then sends it back with each request made to the server when the user visits the website. While sending a request, the browser checks if the properties, domain, path, and secure match the website’s data that was requested initially. If the information lines up, the browser sends the relevant cookies together with the request.

The first-party and third-party cookies are both data files that the web browser saves to the user’s computer. First-party cookies store login details, website configuration, and information about added products to the shopping cart. Through third-party cookies, advertising companies and social networks can carry out behavioral targeting, ad tracking, and measurement for deep analytics. The core difference between the first-party and third-party cookies lies in the domain that creates the cookies and saves them primarily. The website that user visits directly creates and stores first-party cookies. Other sites of the publishers’ partners and advertising services set up and gather third-party cookies to use them for remarketing purposes.

Third-party cookies have been the base for programmatic advertising intended for ad serving and cross-site tracking since 1994. Here are the main functions of 3P cookies:

• personalized ad targeting;
• cross-site retargeting;
• social buttons posting;
• third-party services placing (such as chatbot);
• impressions measuring to user actions;
• detailed analysis.

Third-party cookies play an important role in the digital advertising ecosystem. The cookies technology enables publishers and ad buyers to show relevant advertising to specific users and get impressions that have been valuable assets in programmatic. Google Chrome is going to eliminate third-party cookies leaving the whole digital marketing in the dark about future substitution mechanisms. Though the web giant claimed it has some workarounds.

Why Did Google Chrome Decide to Get Rid of Third-Party Cookies?

Transparency and data protection have become acute problem on the web. Google announced its Privacy Sandbox with a clear intention to strengthen privacy on the web. The aim is to make browser’s usage more secure for users who in turn demand greater possibilities to control usage of their personal data. Industry observers have also suggested that Google protects its own business as the world’s largest online advertising company, representing 65.3% of the global browser market, according to Statcounter.

Though Google is not the first browser that initiated the anti-tracking approach through cookies blocking. Safari and Firefox have already reduced cross-site tracking by limiting cookies and website data analysis. Apple Safari initiated Intelligent Tracking Prevention (ITP), released in 2017, as a solution to protect user privacy by restricting their data tracking across the web. Mozilla Firefox did the same by launching Enhanced Tracking Protection (ETP).

With Apple’s initiative, the primary challenge has become a short lifetime of cookies that breaches web analytics. Originally user-tracking cookies can last up to 2 years from the date of the first user’s visit. Such a mechanism as ITP is aimed to break user tracking by reducing the lifetime of cookies. Any cookie set by the browser will be deleted after 7 days in ITP 2.1. Cookie set by the browser, if the user came from the cross-domain link, will be deleted after 1 day in ITP 2.2. According to the latest ITP update 2.3, any local storage set when the user comes from a cross-domain link is wiped after 7 days of inactivity. This affects publishers, marketers, and ad tech vendors who rely on third-party cookies to target a niche audience.

Google said they want to institute a mechanism to control who is in charge of an advertisement and who collects the information and for which purposes. Though, in contrast to Mozilla’s Firefox and Apple’s Safari that have already started blocking third-party cookies, Google Chrome will implement it in phases.

What Impact Does Chrome’s Initiative Have On Programmatic Parties?

As a result of Apple’s efforts to improve the Intelligent Tracking Prevention function in Safari by applying anti-tracking updates, ad tech companies have shown decreased prices. Publishers have also reported rapid drops in programmatic ad revenue.

Google itself made research that publishers’ digital ad revenue can be reduced by 52% on impressions without cookies. The Wall Street Journal cited another survey and said: “publishers only get about 4% more revenue for an ad impression that has a cookie enabled than for one that doesn’t”. Another study reveals that third-party data remains a necessity for many marketers. IAB Tech Lab together with Winterberry Group wrote that American companies were ready to spend nearly $19.2 billion on the purchasing of audience data and on solutions to examine this data. In 2021, eMarketer represented statistics of worldwide digital ad spending (graphic is below), and now everything can change.

The changes will likely have an impact on Google’s business buying ads affecting Google’s partners such as the publishers who use Google Ad Manager. Justin Schuh claimed that blocking third-party cookies by default can have significant implications that Google wants to prevent during the two-year cut-off date.

What Does Google Propose Instead of Third-Party Cookies?

In August the company represented the idea of new standards aimed to enhance users’ data privacy. “We are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete”, mentioned Justin Schuh in the Chromium blog.

Privacy SandBox is an open environment where Google Chrome is supposed to store the user-generated data and let ad tech vendors make an API call to this sandbox to receive personalization and measurement but the information should be without user-level reports. By the end of this year, Google plans to launch a testing version for personalized advertising without third-party cookies. As an option, Google Chrome intends to provide a list of users grouped under certain attributes such as browsing habits to provide generic data.

In May 2019, Google announced the first initiative on its way to ensure privacy across the web. The browser implemented a new secure-by-default model for cookies to make the browser faster and more protected. It’s about SameSite Cookies settings that require website owners to state label the third-party cookies that can be used on other sites. Cookies that do not include the “SameSite=None” and “Secure” labels won’t be available by third parties in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections. From February, cookies will be “SameSite=Lax” by default which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie. The “SameSite=Strict” designation limits cross-site sharing between various domains that are owned by the same publisher.

Publishers should go to HTTPS secure pages, in case they haven’t done so already, and they can start testing their websites by going to chrome://flags and enabling #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure to check if anything breaks down.

Is it challenging period for transition to Privacy Sandbox?

Although Google has given an obvious signal about the prospects of third-party cookies technology and has already begun its implementation, market players were not ready for this. Thus, according to a study conducted by Adobe among 2,667 companies from 8 countries (USA, Australia, UK, France, Japan, Germany, India, and New Zealand), around 75% still rely on third-party cookies and are not ready to replace it, 45% spend more than half of their marketing budgets on companies based on third-party cookies, and 65% even plan to increase their spending on marketing based on third-party cookies, even even though cookies will become unavailable at the end of the year already to all users.

Another problem with the transition to alternative technologies is the reaction of government agencies regulating the market. Thus, the UK’s Competition and Markets Authority (CMA) has several concerns regarding Privacy Sandbox.

“We are particularly keen to ensure that Google does not use this technology to gain an anti-competitive advantage for its advertising services,” the Competition and Markets Authority (CMA) claimed in its report published on December 31, 2024. Currently, Google Ad Manager powers over 90% of display advertising in the UK.

Google agreed to make specific commitments to ensure its advertising technology doesn’t crowd out its competitors. Until all of these obligations are met, Privacy Sandbox cannot fully operate in the United Kingdom.

IAB Tech Lab also made some public comments about Google’s alternative technology. According to their report, many use cases, including audience building, video advertising, frequency, and many types of reporting, are either not supported at all by this technology or have become untenable. In short, their conclusion is: “Privacy Sandbox does not work.”

Therefore, the transition to new alternative technologies will not be easy; it will affect the entire industry, and it will likely take quite a long time before the parties involved can achieve the same performance as third-party cookies.