Editor’s note: As of July 22, 2024, Google announced a significant shift in its approach to third-party cookies. Instead of deprecating them entirely, Google plans to introduce a new Chrome experience that allows users to make informed, customizable choices across their web browsing. Users will retain the ability to adjust these choices at any time.
Google first announced its plan to phase out third-party cookies in Chrome back in 2020. However, the timeline faced multiple delays. Then, in May 2023, Google stated they had reached the point of no return, planning to begin the process in January 2024.
The initial step involved disabling support for third-party cookies for 1% of Chrome users worldwide (approximately 30 million people). By the end of 2024, the phase-out would impact 100% of users. As planned, the deprecation process began.
But in April 2024, the United Kingdom’s Competition and Markets Authority (CMA) stepped in and requested Google to pause the rollout. Replacing a standard technology like third-party cookies in a browser with a 64% global market share inevitably affects millions of people.
So, what does this mean for you as a digital marketer? Have you gained more time, or are you still playing catch-up?
But before we get into that: a quick history lesson.
Prefer to listen instead?
Catch our on-demand webinar featuring Cory Underwood, one of the world’s leading experts in data, analytics, and security. Discover actionable strategies to navigate the future of third-party cookies and adapt your digital marketing for success.
The invention of the cookie
In the early 1990s, when the World Wide Web was new and some dismissed it as a potential “fad,” a popular web browser called Netscape emerged.
To solve this, a young Netscape engineer named Lou Montulli invented the cookie—what we now know as the “session cookie.” This innovation addressed the browser’s inability to retain memory during a session.
The rise of third-party cookies
Two years after Netscape introduced the cookie, a more invasive version emerged—the third-party cookie.
This cookie enabled advertisers to track users’ activities across multiple websites. Advertisers and their stakeholders embraced this innovation because it allowed them to reach potential clients and customers in a more targeted way.
Lou Montulli, the creator of the original cookie, was caught off guard by this development. He and Netscape faced three choices:
- Do nothing.
- Block third-party cookies in Netscape.
- Implement a compromise where users could control which cookies were allowed on their devices.
Third-party cookies and calls for privacy protection
Lou Montulli, the inventor of the cookie, emphasized that no absolute technical solution can safeguard website visitors’ privacy forever. For every restriction or ad blocker, he warned, there would always be a workaround.
Third-party cookies are legal (but controversial)
At the same time, there is a growing movement among advertisers demanding more transparency and accountability in how their ad dollars are spent. This is understandable, considering ad fraud is now one of the biggest threats facing the advertising industry.
The difference between first- and third-party cookies
First-party cookies are placed on a visitor’s browser through JavaScript code that you, as a website owner, insert into your site. What makes them first-party—and not third-party—is that they are set by the domain of the website being visited. In contrast, third-party cookies are set by domains other than the one being visited.
First-party cookies
Third-party cookies
- Embedded YouTube videos
- Social media widgets
- Google Maps
- Ad widgets from ad networks
These elements may place cookies on visitors’ browsers for their own purposes, like cross-site tracking for targeted advertising, often without your full awareness.
Similarities between first- and third-party cookies
- Website functionality: Both types can remember user preferences or maintain session information.
- Session cookies: Both can be temporary and deleted when the user closes their browser.
What have other browsers done about third-party cookies?
It’s also important to consider the impact on app ecosystems. For example, in 2022, Apple introduced the App Tracking Transparency (ATT) Framework in iOS 14.5. This privacy feature requires third-party apps to obtain opt-in consent before tracking user activity across other apps and websites. The ATT Framework significantly impacted companies like Meta and Snap, leading to substantial monetary losses.
Safari's Intelligent Tracking Prevention
Apple’s Safari browser introduced Intelligent Tracking Prevention (ITP) in June 2017 as part of its WebKit browser engine. ITP was designed to limit cross-site tracking by restricting the use of cookies and, more recently, limiting all browser storage.
- Third-party cookies are entirely blocked.
- First-party cookie restrictions: If a user does not interact with a website for seven days, Safari erases first-party cookies set client-side (via the browser) and other browser storage items—regardless of user consent.
- Server-side cookie exceptions: First-party cookies set server-side are exempt from the seven-day rule unless they involve CNAME cloaking, a technique used to disguise third-party cookies as first-party cookies to evade tracking protections like ITP.
*Since the spring of 2024, Apple can no longer require iOS users to use Safari or browsers built on WebKit, opening the market to browsers with different engines.
How does Safari's ITP affect digital marketers?
- Tracking and retargeting limitations: Cross-site tracking is severely restricted, making retargeting and personalized content strategies much harder to implement.
- Misrepresentation of returning visitors: Since first-party cookies and site data are erased after seven days without user interaction, returning visitor counts may appear artificially low, leading to an underestimation of user engagement.
- Attribution difficulties: Accurately attributing conversions or engagement to specific marketing efforts becomes increasingly difficult.
Firefox’s Enhanced Tracking Protection
Firefox’s version of Intelligent Tracking Prevention (ITP) is called Enhanced Tracking Protection (ETP), introduced in 2019. Firefox, developed by Mozilla—an open-source project that originated from Netscape—has a smaller market share than Safari but remains one of the more prominent browsers available.
- Blocks known third-party tracking cookies: ETP uses a regularly updated list of trackers to restrict third-party cookies right out of the box.
- Prevents fingerprinting and hidden tracking methods: ETP blocks fingerprinting techniques and hidden trackers, including crypto miners that exploit device resources without user consent.
- Enforces Total Cookie Protection: This feature ensures first-party cookies cannot be misused for cross-site tracking.
How Does Firefox’s ETP Affect Digital Marketers?
- It makes retargeting more challenging: Like Safari’s ITP, ETP restricts cross-site tracking, making retargeting ads based on users’ browsing history much harder to execute.
- It may impact the accuracy of your analytics: While first-party analytics generally perform better with Firefox than with Safari’s ITP, ETP’s blocking of third-party trackers may result in incomplete data, potentially missing some user behaviors and interactions.
Brave browser
Microsoft Edge
Why Chrome took a different path
The Privacy Sandbox
The Privacy Sandbox is an iterative initiative where various APIs are developed and tested. In mid-2023, the Privacy Sandbox announced a major milestone: the release of six new APIs in Chrome version 115. These APIs aim to replace third-party cookies:
- Topics API
- Protected Audience
- Attribution Reporting
- Private Aggregation
- Shared Storage
- Fenced Frames
These APIs are not necessarily permanent, and more may be developed in the future. You can track progress on the Privacy Sandbox website.
Regulatory challenges and CMA interventions
The CMA’s main concern is Google and Chrome’s market dominance. They aim to ensure that the changes do not give Google or the Chrome browser an unfair competitive advantage. Although the CMA only has jurisdiction in the UK, its enforcement decisions will have global implications. Google has agreed to operate under the CMA’s scrutiny, committing to transparency and fairness.
What Has the CMA Said?
In February 2024, the CMA stated that Google “must not design, develop, or use the Privacy Sandbox proposals in ways that reinforce the existing market position of its advertising products and services, including Google Ad Manager.” They also demanded clearer plans for the long-term governance of the Privacy Sandbox.
In response, Google stated: “We continue to move forward with our plans to phase out third-party cookies in H2 2024, subject to addressing any remaining competition concerns from the UK CMA. We are confident the industry can make the transition in 2024 based on all the tremendous progress we’ve seen from leading companies.”
The lack of an industry standard for web browsers
The future of cookies in Chrome
In the following section, we’ll explore the Privacy Sandbox APIs aim to achieve and address the CMA’s specific concerns regarding each one. If you’re interested, the CMA’s full 99-page report is available here.
Fenced Frames API
The Fenced Frames API provides a privacy-safe way to display ads, functioning like a secure iFrame. It prevents the ad display from tracking or collecting visitor data across the web.
- Google must mitigate cross-site tracking risks within Fenced Frames.
- Google cannot enforce requirements until major ad formats are fully supported.
Protected Audience API
Traditionally, ad platforms determined user interests by tracking behavior across websites. This API shifts that responsibility to the user’s browser, ensuring that interest data stays with the user rather than being shared with advertisers or ad-tech platforms.
- Improving Chrome’s user experience to make data handling by website owners and advertisers more transparent.
- Addressing privacy and competition issues with Google Ad Manager to prevent it from unfairly limiting competition.
- Ensuring publishers can access and understand auction details as thoroughly as Google Ad Manager.
Attribution Reporting API
This API helps advertisers measure the effectiveness of ads without revealing who viewed the ad or who converted.
- Google must provide more details about its measures to prevent hidden tracking.
- Google needs to establish oversight systems to ensure the API uses minimal data and responds effectively to misuse.
- Google should work to standardize tracking systems for ad performance to reduce costs and complications for businesses.
Private Aggregation API
The Private Aggregation API, now fully available, aggregates data for reporting purposes. It combines data from the Topics API and Shared Storage API to provide insights without revealing individual user data.
Shared Storage API
The Shared Storage API allows advertisers to display relevant ads without accessing personal visitor information. It enables websites to retain some visitor activity data across sites in a privacy-preserving way.
- Google must clarify decision-making processes and improve transparency.
The user interface needs refinement. - Collaboration with customers is necessary to adjust settings and balance data protection with functionality.
Topics API
The Topics API allows browsers to show people ads based on their interests—without tracking them. These interests, or “topics,” might include categories like fitness, travel, or books. Currently, there are about 469 topics curated by humans.
- The user consent interface needs to be clearer so visitors understand how their data will be used.
- Google must implement safeguards to monitor and prevent abuse of the Topics API.
- Decisions about the taxonomy of topics must be transparent and include input from market participants.
What will replace third-party cookies?
Universal IDs
Universal IDs, like Unified ID 2.0 and ID5, are examples of solutions that help ad-tech companies identify users across devices and websites. Unlike third-party cookies, universal IDs are created using probabilistic data, deterministic data, or a combination of both.
- Probabilistic data includes information like IP addresses, browser types, models, and user-agent strings.
- Deterministic data involves directly identifiable details, such as email addresses or phone numbers.
ID & device graphs
How Chrome's third-party cookie deprecation impacts stakeholders
Consumers and the third-party cookie deprecation
For consumers browsing the web through Chrome, this shift brings specific prompts asking for preferences and consent. One feature, Tracking Prevention, launched in January 2024, notifies users via the URL bar that they are browsing with enhanced privacy. Users can either accept these settings or modify them.
Marketers and the third-party cookie deprecation
- Familiarize yourself with GA4 and Consent Mode v2 to maintain accurate web analytics and ad efficiency.
- Build a durable first-party data strategy to align with privacy-friendly trends.
- Explore alternatives like contextual advertising platforms.
Marketers must also note that Chrome isn’t the only browser phasing out third-party cookies. Rising consumer awareness about privacy and the link between digital trust and brand value are influencing these changes.
For a deeper dive, check out our FAQ on third-party cookie deprecation.
Publishers and the third-party cookie deprecation
The decline of third-party cookies marks a pivotal moment for publishers. Their strategic advantage lies in leveraging consented first-party data—a resource crucial not only for publishers but for any web enterprise aiming to build trust with its audience.
- Bot traffic and fraudulent activities.
- “Made for advertising” sites that prioritize revenue over user experience.
- Poor placement reporting and a lack of transparency.
- A misguided emphasis on impression counts instead of genuine engagement and conversions.
Ad-tech vendors and the third-party cookie deprecation
Ad-tech vendors are perhaps the most directly affected stakeholders. The reason being that third-party cookies have long enabled:
- Behavioral advertising.
- Real-time bidding processes.
- Audience targeting, frequency capping, and performance measurement.
- Developing first-party data tools to help businesses capitalize on their own data.
- Leveraging Data Clean Rooms (DCRs) to analyze aggregated first-party data without violating privacy regulations.
- Creating alternative identifiers such as Unified ID 2.0 and ID5, which aim to replace third-party cookies with more privacy-focused solutions.
Six strategies for thriving without third-party cookies
Keep in mind that there is no one-size-fits-all template for building a post-cookie strategy. However, a great starting point is to audit your website by conducting a data and tracking inventory and ensuring that you collect legal user consent.
1. Implement a Consent Management Platform
Start by installing a Consent Management Platform (CMP), such as Cookie Information, on your website. A good CMP can:
- Scan your domains to identify data transfer risks.
- Provide links to vendor privacy policies.
- Generate a list of services placing trackers on your site.
- Are there services you didn’t know were active?
- Do you really need all of them?
With a CMP at the core of your strategy, you ensure a consent-based approach to digital marketing while staying compliant with GDPR, the ePrivacy Directive, and other global privacy laws.
2. Ensure you have legal grounds for collecting data
A CMP helps you manage user consent effectively, making it a critical part of any privacy-friendly marketing strategy. Additionally, make sure your CMP integrates with Google Consent Mode v2 if you rely on Google Ads or Analytics.
Consent Mode v2 enables APIs that communicate with tools like GA4, Google Ads, and other Google ad-tech products, making it essential for Chrome’s post-third-party cookie environment. Google has made Consent Mode v2 mandatory for optimal use of its ad products, further emphasizing its importance.
3. Understand your third- and first-party cookie use
- How much of your budget and impressions rely on behavioral profiling?
- Are you prepared to adapt to changes in Chrome’s Privacy Sandbox and evaluate the new retargeting systems?
- Consider diversifying into contextual advertising, a growing market segment, and keep an eye on other platforms like Meta’s Facebook, which, while under scrutiny, remains influential.
4. Rethink your KPIs
With privacy-enhancing measures and ad blockers reducing tracking accuracy, the post-cookie era provides an opportunity to focus on quality metrics rather than vanity metrics:
- Prioritize engagement and conversions: Metrics like session length, conversion rate, and specific action completions offer a clearer picture of performance.
- Consider privacy-focused analytics tools: Platforms like Piwik PRO offer stronger data ownership and compliance features, along with a robust customer data platform for first-party strategies.
5. Build a first-party data strategy
- Is the quality high?
- Are you leveraging it effectively?
Focus on growing your audience and deepening relationships through creative uses like emails, newsletters, promotions, surveys, loyalty programs, and digital events. Collect only the data you genuinely need and can justify under GDPR’s purpose limitation rules.
6. Consider a server-side setup
Server-side setups provide better control over data collection and are less susceptible to browser-based restrictions like third-party cookie blocking. However, this solution may not fit every budget.
- Adjust your CMP to block scripts set server-side based on user consent.
- Use tools like Google Tag Manager with Consent Mode v2 or Piwik PRO’s Tag Manager to manage and transmit consent signals effectively.
Are you ready for a world without third-party cookies?
The future of data collection starts with user trust. Building that trust requires the right tools to collect valid consent and manage your data responsibly.
With a 14-day free trial of Cookie Information, you’ll see how easy it is to streamline your consent management and stay compliant with global privacy laws. Start today and future-proof your data strategy!