On July 23rd, 2024, four years and three delays later, Google announced it Would Not kill the third-party cookie in Chrome that rocked the ad industry. With this, Cookies have managed to get a reprieve from death row, but they still have a life sentence to serve. 

This is because, instead of Google deciding, ‘We’re going to remove cookies on this day,’ the decision is now shifted to the user, giving them control over the timing. Here is what Google’s VP, Anthony Chavez, said

anthony-chevez

Source: Google, A new path for Privacy Sandbox on the web

“No one should take a false sense of security at this news,” said Scott Messer, founder of consultancy Messer Media to ADWEEK. “The only sure way to lose here is by retreating from your diversification plans.” 

Impact on the Industry 

Many advertisers are already on the journey to move away from cookies, and most are already working to run cookie-less campaigns. According to ad industry experts, Google’s decision to keep cookies around will still have an uneven impact across the industry.

Starting with Google, its Privacy Sandbox tools, meant to replace Cookie's ad tracking and measurement functions, were buffeted by government regulators worried that they were anti-competitive and ad tech companies claiming they didn’t work. Google, for now, has silenced these critics, and its next move is too vague to elicit any immediate criticism.

Adtech companies that spent years investing in their cookieless infrastructure—like The Trade Desk, Criteo, and LiveRamp—will see setbacks as immediate demand for their tools declines (given the announcement, all three stocks have seen a dip of over 10%).

While these are short-term “losers,” experts believe the identity solutions these companies have been developing, which require consumer consent, will be valuable over time as consumers demand more control over how their data is used.

Impact on Publishers

Publishers that invested in cookieless solutions have already lost time and might lose more money. This is because those who moved away entirely from relying on third-party cookies to power their ads will see a revenue hit and might have to revert to cookie solutions as marketers refocus spend on cookie-based solutions.

Google's decision to change its mind messes with publishers' strategies and makes it harder for them to run their businesses. But most publishers' “cookipocalypse” preparedness plans are still intact. Eleven publishing execs told Digiday that they would be maintaining or increasing their tests of cookieless targeting alternatives, including Google’s Privacy Sandbox. 

This is because Google’s proposed plan allows Chrome users to choose whether or not third-party cookies are used across their web browsing. Leaving the choice up to the user eliminates many of the certainties that publishers rely on to guide their digital advertising strategies. 

On a related note, as the advertising industry approaches the three-year mark since the introduction of Apple’s App Tracking Transparency (ATT) framework, 50% of app users today have opted into tracking, marking a 10% increase since the rollout. That still leaves half of the iOS users untrackable. 

Google's announcement has left several publishers feeling somewhat betrayed. Although their strategies for testing and implementing third-party cookie alternatives remain unchanged, the four years of effort and stress to prepare for cookie deprecation now seem wasted. As one publisher put it, after a steadfast plan to deprecate third-party cookies and roll out its Privacy Sandbox solution, it was as if Google said we were 'just kidding.'

What Next?

Several uncertainties remain going forward. Google’s proposal has not included a timeline or an indication of how they will offer users the choice of opting in or out of third-party cookies—let alone the frequency of giving them the opportunity to do so.

Google’s proposal changes nothing for publishers, and most must be prepared to face a potential future without third-party cookies. Because any plans for monetizing a third-party cookie-free ad environment cannot be abandoned, most won’t take their foot off the gas pedal. Instead, they’ll increase testing of cookieless alternatives, including the Privacy Sandbox. 

And rightly so. If the consent choice is like Apple’s ATT, there will be a sudden drop-off, and ad buyers will be left in no-man's land. There is a high probability that the number of “third-party cookie addressable users” will taper off in coming years, and media buyers will need to rely on cookieless alternatives. 

Even though this reversal decision has been frustrating, publishers believe their efforts to reduce dependency on third-party cookies have not been in vain. They have been dealing with cookie deprecation from other browsers for years, and their cookieless solutions have helped improve the revenue potential of that inventory. This seems to be the right way to go. 

So far, we have covered the updates around Google's decision to continue supporting cookies. The subsequent sections provide a historical overview of cookies, their types, privacy concerns, industry responses, and the factors influencing Google's shifting stance on this issue.

A Primer on Cookies

What's A Cookie?

Cookies are small pieces of text sent to your browser by a website you visit. While they’ve long suffered a dubious reputation as vehicles for creepy ads following users around the web, they help websites remember information about your visit, making it easier to visit the site again and make the site more useful to you. Alternative technologies, including unique identifiers used to identify an app or device, pixel tags, and local storage, can perform the same function. 

A Brief History Of Cookies

Browser cookies were developed in 1994 out of necessity to allow a browser to peruse pages on a web server while maintaining a continuous session. Lou Montulli of Netscape Communications played a major role in the development of Cookies.

Since web protocols are stateless, there is no inherent connection from one page viewed by a browser to the next, making each view an isolated occurrence. Cookies are the glue that allows programs on a server to track the same user on a single browser over time. 

This is commonly used for logging into an account. You type in a username and password, and the server will validate your identity. It then passes back a snippet of text that contains a unique token. Each request by a browser for a subsequent page is accompanied by any cookies set for that domain.

cookies

Cookies were quickly seized upon as a way to follow a user across multiple sites, thus spooking the privacy-conscious. Fortunately, cookies have significant limits: they can contain no more than a few thousand characters, browsers retain only a few for each Web site, and it's a matter of a few clicks to examine their contents—or delete them. 

Browsers can also be configured to ask before accepting cookies. So long as a user is sufficiently tech-savvy and cares enough to do something about it, cookies are largely harmless. Or at least it was until the cookies evolved into several types, including Supercookies— a more persistent form of tracking cookies stored outside the browser's usual cookie storage and are notoriously difficult to remove. 

Types of Cookies

Cookies have diversified over time to serve various purposes. Here are some important cookie types and the purpose they serve:

Privacy Concerns

Depending on the type, cookies present privacy concerns because they can track your online behavior and collect personal data. Here are the most common concerns surrounding cookie use:

  • Data Collection and Profiling: cookies, particularly third-party and tracking cookies, can collect vast amounts of data on user behavior. These data include browsing history, search queries, and interactions with advertisements. Over time, this information feeds the creation of detailed profiles of individual users without their explicit consent or knowledge.

  • Lack of Transparency: many users are unaware of how much data is being collected about them and how it is used. Websites provide no clear information about their cookie policies or how data is shared with third parties.

  • Behavioral Targeting and Advertising: While targeted advertising can enhance user experience by showing relevant ads, it also means that advertisers can track users across multiple sites. This extensive tracking raises concerns about surveillance and the potential misuse of personal information.

  • Security Risks: Cookies can be exploited for malicious purposes. For instance, session hijacking attacks can occur when an attacker steals a user's session cookie to gain unauthorized access to their account.

  • Consent and Control: Users often feel they have little control over their data and how it is used. Despite the introduction of cookie consent banners, many users do not fully understand the implications of their choices.

Impact on Consumers

For consumers, the convenience of cookies comes with several disadvantages:

  • Loss of Privacy: The primary concern for consumers is the erosion of their privacy. With extensive data collection, users may feel like they are constantly being watched, leading to a loss of anonymity online.

  • Misinformation and Manipulation:  Detailed user profiles can be used to influence behavior in manipulative ways. For example, to identify targets and mobilize them towards the strategic objectives of entities they aren’t aware of, including governments, political campaigns, corporations, and special-interest groups.

  • Data Breaches: When companies collect vast amounts of data, they become attractive targets for cyberattacks. Data breaches can expose sensitive information, leading to identity theft and other forms of fraud.

  • Digital Inequality:  Not all consumers are equally informed about privacy issues. Those with less knowledge or fewer resources may be more vulnerable to exploitation. 

  • Impact on Children and Vulnerable Groups: Children and other vulnerable groups are particularly at risk. The collection of data on children raises ethical concerns, as they may not fully understand the implications of their online activities.

Regulatory responses

In response to these concerns, regulatory bodies worldwide have implemented measures to protect user privacy. The European Union’s 2002 ePrivacy Directive (Cookie Law) was among the early attempts to regulate websites, requiring them to provide security and confidentiality to their users.

Today, the General Data Protection Regulation (GDPR), enforced in May 2018, mandates strict data collection and user consent guidelines across the EU. It requires websites to obtain explicit consent before collecting data and allows users to request deletion.

cookie-settings

Example of a GDPR-compliant cookie consent prompt (Source: Deutsche Bank)

Given the EU’s significant influence, GDPR compliance has extended beyond its borders, inspiring similar regulations across various continents. However, it remains controversial for favoring established companies with large compliance teams over startups, burdening users with annoying popups and extra clicks, and reducing the utility of many services consumers value.

In the U.S., states have their own regulation. For example, The California Consumer Privacy Act (CCPA), signed into law by then-Governor Jerry Brown in June 2018, gives consumers more control over their personal information. It is similar to GDPR in many respects but defines personal data more narrowly.

Here is a more detailed guide to global cookie laws and compliance strategies.

Industry Responses To Privacy Protection

In addition to regulatory measures, the tech industry has taken several steps to address privacy concerns:

  • Browser Initiatives: Apple developed the Intelligent Tracking Prevention (ITP) system that uses machine learning to identify cross-site tracking activity and time-limit first-party cookies in Safari. Mozilla’s Firefox’s Enhanced Tracking Protection (ETP) relies on a cookie blacklist aggregator to disconnect and flag bad actors. Such moves have pressured other industry players, including Google, to reconsider their cookie approach.

  • Privacy-Centric Tools: Companies have developed tools and technologies that prioritize user privacy. These include privacy-focused search engines like Brave, virtual private networks (VPN) services like ExpressVPN and Surfshark, and browser extensions like Ghostery designed to block trackers.

  • Enhanced Transparency: Some companies are improving their transparency practices, providing users with clearer information about data collection and offering more robust privacy controls.

Cookie-less Alternatives

Though the decision is a reprieve from the potentially devastating impact of Privacy Sandbox (Criteo says third-party cookie deprecation could result in an astonishing 60% drop in publisher revenue), the trajectory of movement remains unaltered. 

The chapter on third-party cookies will likely close sometime soon if not today. Marketers must explore alternative approaches to effectively reach and engage their audiences.

Contextual Advertising

One approach to reinvigorate is contextual advertising. By understanding the context in which their ads appear, marketers can promote their content alongside topically compatible content, increasing the likelihood of interested eyeballs on the user’s end.

Social Media Marketing

Platforms like Facebook, Instagram, and LinkedIn provide rich user data and sophisticated targeting tools, allowing marketers to identify interest and push content toward it. Social advertising, in concert with active community management, fosters a strong community around a brand, driving engagement and loyalty. By actively participating in conversations, responding to feedback, and creating content around community interests, publishers can build a loyal base and generate organic growth.

Branding

This type of social marketing requires publishers to develop strong brands. With reduced reliance on cookies, publishers must aim to establish brands that resonate with consumers on an emotional level. This involves consistent messaging, compelling storytelling, and a clear value proposition. 

By building a solid brand identity, companies can ensure they remain top-of-mind for consumers, even in the absence of persistent tracking. A strong brand can drive customer loyalty, word-of-mouth referrals, and repeat visits, ultimately reducing the need for intrusive tracking methods.

First-Party Data Collection

Publishers that use contextual advertising, social advertising, community management, and branding effectively can access greater opportunities by gathering data directly from their customers through methods such as email subscriptions, loyalty programs, and direct interactions. 

This data is not only more accurate but also more respectful of user privacy. By leveraging first-party data, marketers can create more personalized and relevant customer experiences, enhancing satisfaction and retention.

Google's Alternatives to Cookies

In 2020, Google announced plans to phase out support for Chrome cookies within the next two years to enhance user privacy. As part of this effort, they introduced the Privacy Sandbox initiative—a set of APIs designed to allow cross-site tracking and targeting based on anonymized user behavior data.

While Apple and Mozilla’s moves emphasized consumer protection in their privacy-focused browser updates, Google’s goals seemed to be oriented towards maintaining an ad-targeting infrastructure and protecting ad-supported services.

Federated Learning of Cohorts (FLoC)

One of Google’s initial Privacy Sandbox proposals, FLoC, entailed grouping users into cohorts with similar web browsing behaviors. User identities are anonymized, but advertisers could still target cohorts, which sounded similar to the status quo. It did not go over well.

Privacy researchers expressed concern that FLoC might enable more nefarious tracking.  Mozilla, Brave, Microsoft, and DuckDuckGo announced they wanted no part of it, and Google eventually admitted defeat, ending development on FLoC and introducing Topics API.

Topics API

Topics API drop flags indicating recent topical interest in users’ browsers as they surf, which advertisers would then target. Alexandre Gilotte, a data scientist at Criteo, wrote about how a bad actor could attack Topics API to build “some cross-domains unique user identifiers from the API, potentially on a large scale.” 

Google never properly patched the vulnerability, instead requiring advertisers to promise to abuse, and Mozilla and Apple expressed deep concerns, electing to leave Topics API out of their browsers. The EFF acknowledged that Topics API was marginally better than FLoC but insufficient in protecting privacy and instructed users to disable Privacy Sandbox in Chrome.

Client Hints

Client Hints (aka User-Agent Client Hints, or UA-CH), designed to optimize web performance by providing granular device and network information without JavaScript, pose significant privacy concerns as they can enhance fingerprinting, facilitate cross-site tracking, and serve as persistent identifiers. The detailed data these headers provide, such as device models and network conditions, can be exploited to build comprehensive user profiles and infer behaviors. 

It seems that the adoption of Client Hints is high across the web, but several have leveled harsh critiques. On DeviceAtlas’s blog, Ronan Cremin offers a year-in-review of the standard, noting that Client Hints seems to enable deeper tracking while correcting for a rather minor issue of the exposure of “passively available information on web requests,” writing:

“This was exactly our problem with the UA-CH proposal in the first place: it reduced the prevalence of something that nobody was able to demonstrate was a problem (despite multiple requests for evidence) while leaving unsolved the thing that most agree is actually a problem.”

The Brave team also raised the alarm about Client HInts, acknowledging some positive aspects of the standard while claiming that “most of the suggested values shared in Client-Hints are privacy harming, and so we are negative on the proposal in general.”

Privacy Sandbox

Google's Privacy Sandbox is a collection of APIs designed to balance user privacy with sustainable online advertising. It replaces third-party cookies with privacy-focused alternatives, such as the ones discussed. 

Some of the scrutiny leveled at Google on this topic frames Privacy Sandbox as a Trojan horse, built openly and in consultation with other ad platforms and competitors but secretly designed to entrench the dominance of its platform in the ad space. 

Mark MacCarthy at Brookings highlights the efforts of US state attorneys general to block the implementation of the Privacy Sandbox, noting that “law enforcement agents see the Privacy Sandbox as Google’s attempt to disadvantage its ad competitors by drying up their access to detailed information about consumer web behavior.”

Google's Privacy Promises: A Closer Look at the Reality

Considering the significant revenue Google generates from ad support for its services and ad spending through its platforms, it's unsurprising that Google would hesitate to limit advertisers' capabilities. Yet, its attempts to mask user-tracking innovations with consumer-friendly language have consistently failed to appeal to privacy experts.

At Aeon, we’ve been peeking into a slice of this unfolding Cookie story ourselves, covering the API documentation leak that confirmed some of the not-so-secret parts of Google’s inner workings and the undeniable accumulation of evidence that Google is enshittifying, slowly transitioning from groundbreaking problem-solver to industrialized attention farmer.

This latest cookie u-turn is not just a piece with Google’s billowing history of climb-downs. Google has a habit of announcing a high-minded initiative to protect user privacy, developing an alternative to tracking cookies that appear self-interested, failing to impress the web community, rinsing, and repeating. 

The result is a series of privacy-focused press releases with little actual privacy enforcement, as seen with this latest announcement.

Conclusion

Google’s decision to maintain support for third-party cookies is a natural play at maintaining the complex balance between consumer privacy, regulatory pressures, and the interests of the advertising industry, particularly after its repeated attempts to provide an alternative were met with disgust. While this move provides temporary relief for publishers, it underscores the need for other approaches to digital advertising that are decoupled from cookies. By embracing alternatives such as contextual advertising, social media marketing, robust branding, and first-party data strategies, publishers can adapt to a future that better respects consumer privacy.