The End of The Third-Party Cookie | All You Need To Know

Blog
Vibeke Specht
2024 is a decisive year for digital marketers, even though Google has been forced to delay the third-party cookie deprecation in Chrome. But what does this mean, technically and strategically? And did you buy yourself some more time, or are you still overdue?
Table of Contents
ON-DEMAND WEBINAR: Will the 3rd party cookie ever die?

It’s been a long time coming.

Google’s decision to phase out the third-party cookie in Chrome was initially announced in 2020, only to be postponed several times. Then, in May 2023, Google declared that they had reached a point of no return and would begin the process in January 2024.

First, the support for third-party cookies in Chrome would be turned off for 1% of its users worldwide (approximately 30 million people). And by the end of 2024, 100% of its users would be affected. The deprecation process began as planned.  

But, at the end of April 2024, the Competition and Markets Authority (CMA) in the United Kingdom asked Google to hit the brakes. Because replacing a standard technology like the third-party cookie in a browser with a 64% global market share is bound to affect a lot of people.

(NB: As of July 22nd, 2024, Google has announced that they won’t deprecate third-party cookies. Instead, Google says they will introduce a new experience in Chrome that lets people make an informed choice that applies across the users’ web browsing, and the user would be able to adjust that choice at any time. 
Currently, Google are discussing this new path with regulators, and will engage with the industry as they roll this out. For now, Google states that it remains important for you as a developer to have privacy-preserving alternatives.)

So, what does all this mean for you as a digital marketer? Did you buy yourself some more time, or are you still overdue?

Let’s break things down.

What is a cookie?

In the early 1990s, when the World Wide Web was new, and people weren’t sure if it would be “a fad,” there was a popular web browser called Netscape.

Surfing the web back then was a bit primitive. Browsers could not remember if you, for example, had put something in your shopping cart. So it was quite an “unmemorable” experience, one might say (pun intended).

So, a young engineer at Netscape, Lou Montulli, developed the cookie, or what we today call the “session cookie,” to address this lack-of-memory issue.

And Netscape shared its invention with other browsers. 

The people at Netscape were internet pioneers. They cared for the success of the World Wide Web and for privacy, and were keen on not creating a solution with “too good of a memory.” Because they feared the implications for the web as a marketplace and community if browsers implemented technologies that could track people in a surveillance-like manner across sites. They believed that the session cookie was the least harmful solution.

But then the cookie was “hacked”.

What is a third-party cookie?

Two years after the Netscape cookie was introduced, a more invasive cookie came into force—the third-party cookie.

This cookie made it possible to track visitors’ activities from one site to another. It was a feature which the “advertisers” (or their stakeholders) desired, because it offered a new way of reaching potential clients and customers.

The new technology made it possible to target a specific person with ads for products they had shown interest in along their browsing journey—a.k.a. remarketing.

Montulli said he was caught off guard. And realized that he, and Netscape, now had three choices:

  1. Do nothing.
  2. Block third-party cookies on Netscape.
  3. A compromise where each Netscape user would get the option to control which cookies were allowed to tag along on their device.

 

The choice fell on no. 3.

As much as they feared the implications, they also wanted the web to take off. And they recognized that it needed a financially sustainable business model to do so. Micropayments weren’t a thing back then.

Regulating the third-party cookie

The discourse about the third-party cookie has thus been with us almost since the birth of the HTTP protocol. Lou Montulli has expressed that there will never be an absolute technical solution to safeguard website visitors’ integrity forever; for every restriction, ad blocker, etc., there would be a counter solution—a workaround. He therefore stressed the need for regulations and thought lawmakers had to keep pace and regulate the web accordingly.

With the ePrivacy directive in 2002, the GDPR in 2018, and subsequent privacy regulations in other parts of the world and on the state level in the US, we have, in some ways, gone full circle. These are privacy laws that view cookies containing identifiers as personal data, and require consent before a user is tracked or data about that user is collected.

Today, consumers and their legislators are requesting a sustainable business model for the web that respects users’ right to privacy and delivers more safe, transparent, and trustworthy experiences.

The third party cookie is not illegal

Please note, that there are no legal requirements to deprecate the third party cookie. The third party cookie is not “illegal”, but using it to collect personal data about users without consent is. And the widespread use of cookies has enabled personal data to be shared in an uncontrolled manner. Data which can be, and are being, used by cybercriminals to impersonate users, gather financial data, steal passwords, etc.

We also see a growing movement amongst advertisers who requests more transparency and clarity about how their ad dollars are spent—rightfully so, seeing how ad fraud might be one of the biggest threats to the advertising industry.

So, we’ve kind of reached a point where the largest ad-tech stakeholder—Google—has decided to promote a supposedly more privacy-friendly browsing experience by deprecating the third-party cookie.

However, Chrome is not deprecating the third-party cookie in the same manner as, for example, Safari and Firefox.

But before we clarify what this means, let’s first address why first-party cookies are not going anywhere and why you will still need to collect consent in a post-third-party cookie world.

A third-party cookie is not a first-party cookie

First-party cookies are often enabled, come from, or are placed on a visitor’s browser through a JavaScript code that you, as a website owner, have inserted on your site. But what makes them first-party—and not third-party—is that they are set by the domain of the website being visited. This is the core difference between them and third-party cookies which are set by domains other than the one being visited. 

First-party cookies are often associated with short lived session cookies and essential cookies for website functionality, but first-party cookies can also be cookies used for tracking and analytics purposes. It is a common misconception to equate first-party cookies with mere short lived essential cookies.

Third-party cookies, on the other hand, are often used for cross-site tracking, allowing third-party services to track users across multiple websites for targeted advertising and analytics. This cross-site tracking capability, in combination with being set from another domain, is the critical difference that distinguishes a third-party cookie from a first-party cookie.

So, while remembering how they actually differ one must also keep in mind that they can be used for the same things:

  • Both first-party and third-party cookies can be used for functionality purposes on a website, such as remembering user preferences or maintaining session information.
  • Both first-party and third-party cookies can also be session cookies, which are deleted when a user closes their browser.

 

For example, when you enable a service like Google Analytics, Hojtar or Facebook on your website by placing a small script into the HTML code of your site. These scripts can then place cookies on your visitor’s web browser. How many cookies a certain script places, and each of their purpose, depends on who the service provider or vendor is. For example, cookies placed by Hubspot do their “thing,” as do cookies set by Meta/Facebook, etc.

These cookies can be defined as first-party or third-party, but regardless of this distinction you must still obtain consent from each visitor before the scripts are allowed to place cookies on the users’ browsers, unless the cookies are strictly essential for the website’s core functionality. 

Also note that third-party cookies can come into play through indirect measures. They can get access to your visitors’ browsers through external services embedded on your site, such as:

  • An embedded YouTube video,
  • A social media widget,
  • Google Maps,
  • An ad widget from an ad display network.

 

These external elements can place cookies on your visitor’s browser for their own purposes, such as tracking across multiple sites for targeted advertising, which you might not have been aware of when you decided to include such services.

This is why a proper Consent Management Platform (CMP) is handy. It automatically separates third-party cookies from first-party cookies and classifies them according to their lifespan and purpose. This gives you a map of what services you have activated, knowingly or not, on your website so you can consider which you like to keep and which you need to adjust or delete.

Please note, that when placing a service on a website, like, for example, the Facebook pixel, it is essential that you calibrate that service so it does not set cookies that you do not want it to—regardless of whether they can be defined as first-party or third-party.

Ok, so with this clarified. Let’s get back to the deprecation of the third-party cookie and what is intended to “take its place.”

What will replace the third-party cookie in Chrome?

As mentioned, Firefox had restricted the third-party cookie by default in 2019 through their Enhanced Tracking Protection (ETP) program.

Apple’s Safari followed in 2020 through its Intelligent Tracking Prevention (ITP) feature. These features do not outright disable the possibility of retargeting but make it very challenging to show targeted ads for individuals based on their browsing history. And in addition to that, they include other privacy-enhancing features. (More on this further down this blog post.)

Other smaller browsers have done something similar.

Google has not wanted Chrome to follow suit in the same way, probably because Google is a major ad-tech stakeholder and has, therefore, been invested in finding a new web standard that does not “kill off” this revenue stream. So they have, one could say, tried to find a way to both have the cookie and eat it through a cross-industry collaboration called the Privacy Sandbox (PS).

The Privacy Sandbox has been (and still is) an iterative process where different APIs have been developed and deployed for testing. This process seemed to have reached a breakthrough in mid-2023 when the Privacy Sandbox initiative announced that they would release six new (cookie-replacing) APIs for Chrome version 115.

These were/are:

  1. Topics API
  2. Protected Audience
  3. Attribution Reporting
  4. Private Aggregation
  5. Shared Storage 
  6. Fenced Frames

These APIs are not necessarily “eternal,” and more will probably come. You can go to the Privacy Sandbox Website to track the progress. That site also gives you a comprehensive view of how Google is working to make Chrome more privacy-friendly while enabling non-invasive targeted advertising.

And then of course, the UK’s CMA, forced Google to halt it’s Privacy Sandbox-implementation process, due to a long line of concerns from both a privacy and an antitrust perspective. This was, however, not a surprise attack; Google has been in close dialogue with and under scrutiny from the CMA since the process began, which is also in part why their third-party cookie deprecation in Chrome process has been delayed previously.

In the following rundown you will get a sense of what these Privacy Sandbox APIs are trying to do or solve, as well as some of the specific concerns the MCA has regarding each of them. If you want to read the full, 99-pages, report from the CMA, you can find it here.

Also note that the full report from the CMA addresses an additional 9 tools/features/APIs, one of which is IP protection. If you have the time it is quite an interesting read.

Topics API

This API enables the browser to show people ads based on what people like or are interested in—based on what “topics” they care about – without tracking them. A topic can, for example, be fitness, travel and transportation, or books and literature. Currently, there are supposed to be about 469 topics “curated by humans.” #taxonomy

For the Topics API to work, it has to have been activated on a website. If you are a website owner who writes about and sells books, then a visitor who frequently visits your site can be categorized into the “books and literature” topic.

The CMA has around 7 pages of concerns regarding the Topics API.

Here are 3 of the concerned items:

  1. The Topics API user consent interface needs to be more clear, so the visitor or users understands how their data is intended to be used.
  2. Google needs to implement ways to monitor potential abuse of the Topics API.
  3. Adequate governance of the #taxonomy, so it is transparent for other market participants how decisions are made and why.

Protected Audience API

Note that the Topics API, as described above, categorizes users into broad topic areas. Also, note that it is website-basedProtected Audience API, on the other hand, is about specific interest groups. And it is a browser-based membership.

If a user visits a site that wants to advertise its products, an “interest group owner” can ask the user’s Chrome browser to add a membership for that interest group.

This API is illustrative because, traditionally, ad platforms have learned about user interests by tracking their behavior across sites. This API wants the user’s browser to hold the information about what the person is interested in—instead of the advertiser or ad tech platforms.

The CMA has 12 pages of concerns regarding the Topics API.

Here are 3 of the concerned items:

  1. Google has to improve the user experience in Chrome so that when website owners and their advertising partners handle user data, the users are clearly informed. This is particularly important when they allow other companies to create interest groups or when they mix data from different sources.
  2. Fix problems with how Google Ad Manager* handles privacy-assured advertising; make sure it does not unfairly limit competition in digital advertising between Google and other companies in a way that could make Google even stronger. Specifically …
  3. … address worries about using an ad server from a different company (not Google Ad Manager) to manage the main privacy-assured auction while Google Ad Manager joins in as a buyer in this auction. Also, make sure that publishers can see and understand the auction details just as well as Google Ad Manager can.
 
*Google Ad Manager is a platform that helps publishers streamline their ad operations and manager their advertising sales. It’s basically Google’s supply side platform.

Attribution reporting API

This one helps the advertisers understand which ads work the best—without giving away who looked at the ad and who converted.

The CMA has approximately 8 pages of concerns regarding the Attribution reporting API.

Here are 3 of the items:

  1. Google need to give more information about the their planned measure to make hidden tracking harder to do.
  2. Google need to create a strong system for oversight and monitoring to ensure that the Attribution reporting API only uses the smallest amount of data needed for its function. As well as ensuring that if there are any misuses of the API, Google takes the right actions in response.
  3. Work on making different systems for tracking ad performance more compatible or standardized. The lack of consistency could lead to higher costs and more complications for businesses trying to analyze the effectiveness of their online ads.

Private aggregation API

This one is no longer featured on the Privacy Sandbox Timeline because the trials for it has ended, and it is fully (99%) available.

Private Aggregation API is like Attribution Reporting API but in an aggregated way—a reporting based on the data from the Topics API and Shared Storage (see below).

Shared storage API

Shared Storage allows advertisers to show the most relevant ads to visitors without accessing any personal information about the visitor.

So, under the Privacy Sandbox initiative, it lets the website remember information about what a visitor does on different sites, but in a way that keeps the visitor’s browsing activities private. 

The data is said to be processed in a secure place that keeps the visitor’s information hidden from the advertisers. 

Google claim that the Shared Storage supports functionalities like rotating ads and testing different website features, all while protecting user privacy.

The CMA has approximately 1 page of concerns regarding the Shared storage API.

Here are 3 of the items:

  1. Google needs to offer more details about how decisions are made and ensure that these processes are sufficient.
  2. Google needs to review and improve the user interface.
  3. Google needs work with customers to test and slowly adjust the settings that control how much individual data is protected while still getting useful information from it over time.

Fenced frames API

Fenced Frames API allows websites to display ads without that display window being able to track or collect information about the visitor looking at the ad or tracking the visitor across the web. Think “a privacy-safe iFrame.”

The CMA has almost 2 pages of concerns regarding the Fenced Frames API.

Here are 2 of the items:

  1. Google needs to provide further assurance on how it will mitigate cross-site tracking risks within Fenced Frames.
  2. Google can not enforce its requirements until major ad formats are supported.

How the third party cookie deprecation in Chrome impacts different stakeholders

The third-party cookie deprecation in Chrome, is a dynamic process with many moving parts.

And its story has several sides, depending on where you stand. I.e., depending on if you are a Consumer, Marketer, Publisher, or Adtech Vendor.

The consumer & the third party cookie deprecation

For a consumer or private person surfing the web through Chrome, it will mean specific prompts popping up asking for preferences and consent. One is the Tracking Prevention, which, from the URL bar, informs you that you are browsing with more privacy, which you can then say ok to or change. Tracking Prevention was launched in January 2024.

The digital marketer & the third party cookie deprecation

For you as a digital marketer, it is not so much that Chrome is deprecating the third-party cookie as what they are replacing this technology with—see the section above about the new APIs. But the most essential part of the latter is understanding the Google products you have or want to keep using:

So, hone in on how Google’s web analytics and advertising products fit into this new “privacy-friendly” browser ecosystem. Do so by becoming friends with GA4 and staying on top of Consent Mode v2. This is a good starting point, at least if you want to continue understanding the accuracy of your web analytics, the efficiency of your ads, and how to optimize the latter when we move into this new Chrome experience.

In parallel, it is also wise to get comfortable with the concept of first-party data and how to set up your durable first-party data strategy. Looking for ways to diversify your ad strategy by, for example, exploring new independent options for contextual advertising, like this one from Kobler, is also advisable.

Chrome is, after all, not the only soon(-ish) to be third-party-cookie-less browser on the market, and the reason for this is not only more enforcement and additional regulations but steadily increased consumer awareness around privacy and a positive correlation between digital trust and brand value. 

For a deeper understanding of what the deprecation of the third-party cookie means for you as a digital marketer, see a bit further down in this blog post.

The publisher & the third-party cookie deprecation

The web lowered the barriers to entry for anyone who wanted to create and distribute content. It became a network based on convenience, immediacy, and broadly available information online. And it has been revolutionizing.

However, this transformation presented a particular challenge for traditional publishers within journalism. As the web evolved—especially during its Web 2.0 phase—it began to undermine their advertisement-driven revenue models, compelling them to adapt not merely to survive online but to find relevance in an ad ecosystem increasingly dominated by walled gardens like Google and Meta.

The real problem wasn’t the challenge to old publishing models. What made the situation problematic was the nature of the ad revenue model underpinning the change and growth of the World Wide Web. Since it was fueled by unconsented personal data made available with third-party cookies. The tracking technology enabled the rise of big ad-tech companies that offered hyper-targeted ads based on detailed user profiles—within and outside the walled gardens.

Anyway.

A technology that has changed and rattled the publishing industry to its core is about to hit the history books, it seems. What does this mean for publishers today?

Publishers have rolled with the punches during the last two decades and diversified their revenue streams—introducing subscription paywalls, investing in sponsored content, and other strategies. These adaptations have not only helped them survive but also highlighted the importance of taking ownership of their own domains and leveraging consented first-party data.

As third-party cookies become obsolete, the strategic value of consented first-party data can not be undervalued. And that goes for all web enterprises seeking a trust-based relationship with their market, not just for publishers with a capital P.

Meanwhile, publishers and advertisers alike are beginning to scrutinize the current ad-tech paradigm, which is plagued by issues like bot traffic, “made for advertising-sites”, poor placement reporting, lack of transparency, and often a misguided focus on impression counts over genuine user engagement and conversions.

So it’s fair to say that the demand for a more trustworthy and transparent web is driven by increased awareness regarding compliance, as well as browser restrictions, and the need for better advertising ROI.

While publishers are well-positioned to leverage their first-party data, there is also a burgeoning opportunity to forge new partnerships. These collaborations, which could be ad-tech platform-ish, could for example offer advertisers more transparent and quality focused solutions that meet the brands safety concerns companies have.

The AdTech vendors & the third-party cookie deprecation

At the heart of the cookie issue is advertising.

Ad-tech vendors are thus the stakeholders most acutely or directly affected by the deprecation of the third-party cookie and other tracking-limiting and privacy-enhancing features browsers impose.

Why?

Because third-party cookies are how ad-tech vendors can offer behavioral advertising solutions (to publishers and advertisers) based on information like where a visitor is located and what he or she is browsing and buying online.

The third-party cookie, therefore, also enables the technology that automates the instant sale and placement of ads, a.k.a. real-time bidding, by providing necessary data for these processes.

To summarize, the features and services that ad-tech vendors, specifically, and digital advertising, in general, can thank the third-party cookie for range from identification, frequency capping, measuring performance and attribution, audience activation, and cookie-syncing or matching between, for example, demand-side platforms and supply-side platforms.

Naturally, the ad tech industry stands to lose from the demise of the third-party cookie. Especially the vendors that operate outside the walled gardens. Because walled gardens—like Google’s Play Store, Google’s own ad-tech ecosystem, Google’s Youtube, Meta’s Facebook, Apple App Store, and other such closed platforms or ecosystems—have access to vast amounts of first-party data they can capitalize on in an third-party-cookie-less era.

To adapt, ad-tech vendors are seen to move in different directions.

On the one hand, some ad-tech companies are leveraging the value of first-party data by providing first-party data tools and services to businesses.

We also see how they diversify into Data Clean Rooms (DCRs). In this environment, first-party data from different sources can be aggregated and analyzed without, allegedly, exposing sensitive details or violating privacy regulations.

On the other hand, ad-tech vendors within the ad-tech ecosystem are developing alternative identifiers to take the third-party cookies place, but allegedly in a more privacy-friendly way. For example, Unified ID 2.0 and ID5.

What are cookieless identifiers?

If the third-party cookie “is no more,” then we need an alternative solution that can replace it. This is pretty much what the independent ad-tech industry, meaning the ad-tech industry outside of the walled gardens, has said.

What should an alternative ID solution to the third-party cookie look like, then?

Ideally, it should provide consumers with better control, work across channels, be transparent, and perhaps better explain its value to consumers than its predecessor.

All this is super hard to do, so there is not one solution on the market that every stakeholder has embraced. Instead, there are a couple of different universal IDs and so called ID & device graphs.

The above-mentioned Unified ID 2.0 and ID5 are two universal ID examples. In different ways, they enable ad-tech companies to identify users across different devices and websites. But unlike the third-party cookie, these IDs are created by using something called probabilistic data, deterministic data, or both.

And what is that then

Probabilistic data include IP address, browser type and model, and user-agent string.

While deterministic data can be email addresses or phone numbers.

If you’re going, “isn’t probabilistic data like fingerprinting”, then you’re right. Like fingerprinting, this data gathers information about a user’s device, such as IP address, browser type, and other system information. But unlike “actual” fingerprinting, the point here is to do it with user consent and with trust-building transparency and user control.

What about ID & Device graphs, then?

If Universal IDs are like a passport numbers that identifies users across websites and platforms, then ID and device graphs are like a map showing all the places each user visits. “Places” like phone, laptop, tablet.

These ID and device graphs can use universal IDs to better do their thing,  but a universal ID can work independently without the need for a detailed mapping from and ID graph.

None of them are, however, lawful to use without valid consent.

The third-party cookie deprecation & other web browsers

Chrome phasing out the third-party cookie has become synonymous with the end of the third-party cookie. As mentioned, this is because Chrome has the largest global market share, with more than 60%. And as also mentioned, the cookie deprecation did not begin with Chrome.

Apple and Mozilla announced in 2017 that their Safari and Firefox browsers, respectively, would say goodbye to third-party cookies. Apple now blocks first- and third-party cookies on Safari by default. Mozilla blocks third-party cookies by default and gives users control over the level of protection they prefer, with options to enable strict blocking or customized settings. 

Also keep in mind the app echo system. For example, in 2022, Apple required third-party apps running on their devices to obtain opt-in consent before they were allowed to track user activity on other companies’ apps and websites by launching a privacy feature in iOS 14.5 called App Tracking Transparency Framework (ATT). This had huge monetary consequences for Meta and Snap.

Safari's Intelligent Tracking Protection

Apple’s web browser Safari introduced Intelligent Tracking Prevention (ITP) in June 2017. This means that ITP became a feature of Safari’s WebKit browser engine. The ITP was designed to limit cross-site tracking by restricting the use of cookies and (as of lately) limiting all browser storage.

The impact of ITP extended across the market, particularly because Apple mandates that all web browsers on iOS use WebKit as their underlying browser engine. This requirement means that ITP’s tracking limitations affect not only Safari but also other browsers running on iOS devices, including Chrome for iOS, Firefox for iOS, Microsoft Edge for iOS, and Opera for iOS.**

What does this mean?

Broadly, ITP has had three implications:

  1. Third-party cookies are entirely blocked.
  2. First-party cookie restrictions: If a user does not interact with a website for seven (7) days, Safari erases first-party cookies set from the client side (the browser) and other browser storage items—regardless of whether the user has consented.
  3. Certain first-party cookies are exempted from the 7-day rule: Cookies set from the server side are good to go if they are not part of the so-called CNAME cloaking, which is a technique used to disguise third-party cookies as first-party to avoid detection by tracking protections like the ITP.
 

How does Safari's ITP affect digital marketers?

As with the third-party cookie deprecation in Chrome, what Safari is doing in Chrome affects you as a digital marketer in broadly three (3) ways:

  1. Your ability to track users’ activities across sites is very restricted, making it challenging to work with retargeting and personalized content strategies. 
  2. Since first-party cookie storage and other site data are erased if a user does not interact with the site for seven days, it skews how your returning visitors are counted, potentially underestimating repeat engagement and deflating your returning cohort—meaning that it might look like fewer users are coming back to your site than there actually are.
  3. Attributing conversions or engagement to specific marketing efforts becomes difficult.

 

So in one sentence: It makes it harder for you to trust the numbers you are used to study.

Firefox Enhanced Tracking Protection

Firefox’s version of ITP is called Enhanced Tracking Protection (ETP) and was rolled out in 2019. Firefox, by the way, belongs to Mozilla, which is an open-source project that sprung from Netscape. Firefox has a smaller market share than Safari but is still one of the more prominent browsers on the market.

What does the ETP mean?

Broadly, the ETP has, similar to Safari’s ITP, three implications:

  1. ETP restricts known third-party tracking cookies straight out of the box, using a regularly updated list of trackers.
  2. ETP also blocks fingerprinting and other hidden tracking methods, including “crypto miners,” which can use your device’s power without your permission.
  3. And with ETP’s Total Cookie Protection Firefox  ensures that first-party cookies are not misused for cross-site tracking.

How does Firefox ETP affect digital marketers?

For digital marketers, Firefox’s ETP shakes up the scene in two key ways:

  1. Retargeting gets rougher: Like with Safari’s ITP, tracking users across different websites becomes harder. If your marketing relies heavily on retargeting ads based on users’ browsing history, ETP’s blocking of third-party cookies will throw a wrench in your plans.
  2. Your analytics might miss some marks: Although first-party analytics generally fare better with Firefox than with Safari’s ITP, the blocking of third-party trackers means some data points and user behaviors might not be captured as comprehensively as before.

Being Brave & Living on the Edge

Several other browsers on the market have also taken steps towards blocking third-party cookies and/or implement other privacy-enhancing measurements.

Two worth mentioning are Brave and Microsoft Edge.

Brave Web Browser

Brave has been a privacy-focused browser from the get-go, blocking third-party cookies by default. It also incorporates additional features like HTTPS Everywhere. It also allows the user to customize its privacy settings more granularly.

Microsoft Edge Web Browser

Microsoft Edge is based on Chromium, meaning it runs on the same engine as Chrome. It, therefore, has privacy features similar to those in Chrome. But it has not (yet) blocked third-party cookies by default. Instead, it offers users an option called “Strict” if he or she wants to block third-party cookies.

In conclusion, the industry lacks a common standard for how the web is made privacy-friendly even though (almost) every web browser agrees that the third-party cookie is a thing of the past.

The lack of an industry standard for web browsers

Browsers are offering a more privacy-safe experience. As we have learned, how they do it differs, meaning there is no industry standard for how the third-party cookie is blocked or phased out and how other tracking technologies are handled.

Google has, however, strived to get broad industry acceptance for the solutions from the Privacy Sandbox Initiative. To succeed with that, they have needed other browsers and the World Wide Web-consortium (W3C) to approve—which has not happened.

Hence, when Google announced that they would go ahead with their process to phase out the third-party cookie and enforce the new APIs, they did so, knowing there would not be an industry-accept for it.

Albeit this may not have come as a surprise, it still highlights how uneven the digital landscape that lies before digital marketers and advertisers will be. It’s a coarse situation, making advertising and analytics complex, where one needs to consider how different browser restrictions affect analytics and retargeting for a certain part of one’s traffic and hence analytics, while also keeping track of what Chrome’s more permissive solution means.

So, how, then, should a digital marketer navigate this new landscape deprived of the third-party cookie?

Best practices for the post-third-party cookie web

Whether you see yourself as a digital marketing professional or if you represent a company and a website publisher, third-party cookie deprecation is an opportunity to take a step back to figure out what a sustainable marketing model would look like for you or your clients. 

And keep in mind that there isn’t a one-size-fits-all template when navigating and setting up a post-cookie strategy. But an excellent place to begin is on your website by doing a data and tracking-inventory and ensuring you collect legal consent.

1. Get a solid Consent Management Platform

By understanding how much data you currently collect and hold and where it came from, you can map out how much of that data you act on and how much is collecting dust and taking up unnecessary server space.

Begin by installing a Consent Management Platform (CMP), like, for example, Cookie Information, on your website. A solid CMP can scan your domains and point out data transfer risks, links to each vendor’s privacy policy, and more. This gives you a list of services placing trackers on your site.

Do you see services you didn’t know you had?

Do you need all of them?

With a Consent Management Platform at the heart of your digital marketing, you also ensure a consent-based approach when you set your post-third-party cookie strategy—enabling compliance with the GDPR, the ePrivacy directive, and other privacy laws worldwide.

2. Make sure you have legal grounds for collecting data

With a CMP in place, you also have a system for managing consent from your users/visitors, which is why a CMP is at the heart of a privacy-friendly marketing strategy—especially in a post-third-party-cookie world. Also, ensure that the CMP has built-in integration with Google Consent Mode v2—if you want to use Google Ads and Analytics.

The Consent Mode v2 APIs communicate with GA4, Google Ads, and a range of Google’s other ad-tech products—making it a vital gear in Chrome’s post-third-party clockwork. Google has also made Consent Mode v2 mandatory and thus more unavoidable than their third-party cookie deprecation. At least if you want to get the most out of your Google Ads-operations.

3. Understand your third- and first-party cookie situation

When mapping your cookie situation as described in point no 1, leverage this information to analyze what role these cookies have in your current advertising strategy.

How much of your marketing budget and impressions are tied to behavioral profiling?

Depending on what you see, keep the following in mind:

  1. Google’s display network is vast; keep track of how the new retargeting system, based on the Privacy Sandbox initiative, will pan out in Chrome and evaluate its efficiency. Other Walled gardens like Meta’s Facebook are still alive, albeit pressure from enforcement authorities is getting stronger.
  2. Diversify with contextual advertising solutions, which is a growing market.

4. Rethink your KPIs

The widespread use of ad blockers, privacy-enhancing browser settings, and consumers acting on their distrust have made it increasingly challenging to trust web analytics data and whether what we, as digital marketers, are measuring is relevant.

With that in mind, the post-third-party cookie landscape can be viewed as an opportunity to become more quality-focused and less vanity-focused, to put things crudely.

  1. Prioritize engagement and conversion metrics: With the effectiveness of retargeting ads impacted by privacy measures across browsers and platforms—focus on KPIs (Key Performance Indicators) that reflect direct engagement and conversion on your site, such as session length, conversion rate, and specific action completions.
  2. Consider a privacy-focused web analytics tool: With GA4, Google has made significant changes to how data is collected and processed, and it primarily uses first-party cookies to track user interactions. So, it naturally fits into Chrome’s third-party cookie deprecation plan and with regulations. 


But depending on your needs, consider moving to an analytics tool with a higher privacy-compliance profile and data ownership, like Piwik PRO, which also offers a robust customer data platform to handle your first-party data strategy.

5. Set up a first-party data strategy

Begin by auditing the first-party data you have. Is the quality good?

How are you leveraging it today? Could you increase the quality of it?

Do not just think about growing your existing first-party audience but also how to deepen the relationships.

And do not collect data about people you do not need or can motivate. The GDPR has a strict purpose limitation rule, and you do not need more information just for the sake of it.

With that said, be creative with it and use it for emails, newsletters, surveys, promotions, digital events, loyalty and reward programs, building communities, and so on—the sky’s the limit.

6. Is server-side an option for you?

A server-side setup is less susceptible to browser-based restrictions, like blocking third-party cookies; it also gives you better control over the data collection process. So, this is becoming a natural step for many website owners and marketers. Albeit it may not fit every marketing department’s budget.

Do note, that there are different ways of “going server side”. The most common one is called the hybrid-server side solution, which is what we are referring to here. Read more about server-side consent here. 

Most platforms and services offer APIs to set up measurement and tracking from your servers, or a server, instead of the client side (meaning the visitor’s browser), including GA4 and Piwik Pro, Meta, etc.

If you choose to run things server-side, it is crucial that you adjust your Consent Management Solution (CMP) so it blocks scripts set from the server, based on user consent.

Luckily, this can be easy—if you run with a tag manager setup and a CMP with Google Consent Mode v2. For example, if you use Google Tag Manager with Consent Mode v2, the consent signals can be accurately managed and sent from there; the same goes for PiwikPro’s Tag Manager.

This demo show how it can be done.

Marrying a (hybrid) server-side setup with a consent centered digital marketing strategy will give you reduced reliance on browser-based “limitations” and better control over your data collection process—which are good foundations for building a more trustworthy relationship with your leads, customers, and markets.

At least if you do the server-side set-up for all the right, compliant, reasons.

Get Post 3P🍪 Prepared Today
Get your engine for consented data, and set up your digital marketing for some serious future-proofed success.
Try it for free!

Can Chrome's third-party cookie deprecation be stopped?

The Competition and Markets Authority (CMA) in The United Kingdom, has decided to oversee Google’s move to phase out third-party cookies in Chrome—and implement the Privacy Sandbox APIs.

Why?

They are concerned about Google and Chrome’s market dominance and want to ensure that the oncoming changes do not give Google and the Chrome browser an unfair competitive edge.

CMA only has jurisdiction in the UK, but what they enforce Google to comply with will impact all markets. Google has also agreed to work under the CMA’s scrutiny, promising transparency and fairness.

So what have they said?

At the beginning of February 2024, CMA stated that Google “must not design, develop or use the Privacy Sandbox proposals in ways that reinforce the existing market position of its advertising products and services, including Google Ad Manage,” and that it should be clearer on its plan for the long-term governance of its Privacy Sandbox.

To this, Google has answered: 

“We continue to move forward with our plans to phase out third-party cookies in H2 2024, subject to addressing any remaining competition concerns from the UK CMA. We are confident the industry can make the transition in 2024 based on all the tremendous progress we’ve seen from leading companies.”

And then at the end of April 2024, the CMA pulled the brakes by giving Google homework on their Privacy Sandbox API’s. They were not cutting it from an antitrust and privacy standpoint.

This means that Google had to postpone the third-party cookie deprecation until 2025.

Regardless of how the Chrome-saga will continue, the third-party cookie is living on borrowed time.

Existing, and continuously evolving, privacy restrictions in other browsers, as well as in Chrome,will continue to affect your analytics numbers, your ability to retarget. Things will not get easier from a privacy standpoint. 

Luckily there is a lot to gain from a privacy centered approach. So don’t wait to future proof your digital marketing approach.

GET PREPARED NOW