At the start of 2020, Google revealed plans to block third-party cookies in its Chrome browser within two years. However, in July 2022, the tech giant announced a delay in phasing out third-party cookies until 2024, pushing the timeline back by approximately a year.
Starting January 4th, 2024, Chrome has begun restricting third-party cookies by default for 1% of Chrome browsers.
In their first quarter 2024 report, Google and the UK Competition and Markets Authority (CMA) announced that removing third-party cookies from Chrome will be postponed until 2025. The delay is due to diverse feedback from the industry, regulators, and developers and a thorough examination by the CMA.
Given Chrome's massive user base, this change will considerably affect the digital advertising ecosystem. Third-party cookies are vital in targeting and measuring advertisements and combating ad fraud.
Immediately after Google’s announcement, there were speculations about what will replace third-party cookies. This post will briefly open up Google’s vision on the topic. But let’s start with a little recap of what even is a cookie.
What is a cookie?
A cookie is a small text file stored by an Internet browser on a user’s device. Cookies are used, for example, to store user information when moving from one web page to another. First-party cookies are stored directly on the website you’re visiting. In addition, the website may use external services to store its cookies. These are called third-party cookies. Cookies do not contain user’s personal information and, as such, are not used to identify individual users. Some cookies expire at the end of a site session, while others remain on your device longer.
Cookies are used for many different purposes. They allow you to use the website's functions and provide the best possible user experience. For example, when a browser has information about a visitor’s choice of language and device, it is possible to provide them directly with the appropriate language and device-specific page version, thus facilitating the site's use. Cookies also allow, among other things, different tracking tools, as well as personalised content, offers, functionalities, and ads on a per-visitor basis.
Privacy Sandbox
Google’s idea is to replace cookies with browser-based open standards, and the "Privacy Sandbox" project has been launched to find their final forms. The open-source initiative was launched in August 2019. It’s unquestionably said to be Google’s response to the growing pressure to improve privacy, ensure free advertising-funded content, and possibly block other parties’ cookies. According to Google, the goal is to create a secure standard for personalisation while respecting user privacy. Google says that reaching this goal requires new approaches to ensure relevant advertising in the future, too.
The Privacy Sandbox project aims to minimise the information shared between websites and advertisers and store a greater part of the visitor's information on the visitor’s device only. Google’s project envisions targeted advertising and measuring conversions through Application Programming Interfaces (APIs) in a browser environment. Numerous different APIs are planned, each meeting other needs. All stakeholders will use these interfaces.
Google Interface proposals (API)
The situation may change fast; text updated 29.4.2024
Show relevant content and ads:
- The Topics API - would be a new way for browsers to enable interest-based advertising on the web. Topics is based on the user's recent browser activity and site categorisation. Advertisers can then use these categories to target more relevant advertising to visitors. The initial testing of the Topics API began at the end of the first quarter of 2022, and it became generally available in September 2023.
- The Turtledove API - The interface is designed to enable targeted and retargeted advertising without allowing third parties to track users' browsing behaviour across websites. The aim is to allow ad auctions in the browser instead of the server. The Protected Audience API is the first experiment implemented in Chromium within the TURTLEDOVE family of proposals—other TURTLEDOVE proposals and discussions about them: W3C Web Advertising Business Group.
- FLoC API - FLoC was a proposal in the Privacy Sandbox designed to cluster people with similar browsing patterns into large groups, or "cohorts." This "safety in numbers" approach effectively blended any individual into a crowd of people with similar interests. The development of FLoC stopped in 2021.
To fight spam, fraud, and DoS (denial of service):
- Private State Tokens API – With this API, publishers can verify real users without tracking technology, making it Google's alternative to CAPTCHA. The idea behind the Private State Tokens API is that once a visitor has performed actions on a site, based on which the API believes the user to be a natural person, it stores a token in the user's browser. The browser token does not allow tracking individual visitors but only verifies the visitor as a natural person. The token remains in the user's browser, enabling the transfer of information from one website to another. Private State Tokens API testing began in early 2021, and testing has concluded with the API being updated according to new versions and token types.
Measure digital ads:
- Attribution Reporting API - The interface would allow the collection of data related to campaign performance without user tracking. The information would include, e.g., Reach, Views, Ad Impressions, and more in one report. The interface would allow data to be stored in a browser and passed on to the advertiser's systems. Several features have been planned for this interface, which will be generally available from September 2023 onwards. This API is a work in progress and will evolve, dependent on ecosystem feedback and input.
Strengthen cross-site privacy boundaries:
- Related Website Sets - With this API, it would be possible to declare relationships between websites so that browsers could allow limited use of third-party cookies for specific purposes. In practice, RWS would be a collection of domain names reported to Chrome, with one set as primary and the others as members. Related Website Sets would be a solution for cases where sharing a single sign-on identity is necessary across different top-level sites.
- Shared Storage API - To prevent tracking users across websites, browsers partition all storage formats (cookies, localStorage, caches, etc.). However, several legitimate use cases rely on unpartitioned storage.
- CHIPS API - The CHIPS (Cookies Having Independent Partitioned State) API would allow developers to choose "partitioned" storage for cookies for each top-level site. The goal of CHIPS would be to enable cookies to be set by third-party services, but they could only be read in the context of the top-level site where they were initially set.
- Fenced Frames API - A Fenced Frame would be an iframe-like HTML element for the embedded content. It would allow developers to isolate content and functionality by creating a protected environment. With Fenced Frames, advertisers could, for example, display ads safely without gaining access to users' personal information. Additionally, Fenced Frames could help web application developers protect their users from harmful third-party scripts and content.
- Federated Credential Management API - Federated Credentials Management (FedCM) is an interface that makes integrating third-party authentication and credential services into browsers easier. FedCM aims to provide a safer, more privacy-respecting way to manage user authentication information across different services. With this interface, developers could combine authentication information from various service providers in one place, reducing the need for users to remember multiple passwords and promoting privacy and security.
Limit convert tracking:
Browser resources like cookies, which allow users some control, stand in contrast to other browser aspects that facilitate unregulated tracking and identification of users. Conversion tracking methods such as fingerprinting and cache inspection exploit intricate browser details, often unbeknownst to users, making it challenging for individuals to defend themselves. In response to these covert tracking tactics, Chrome proposes several technologies designed to dismantle these hidden channels of information tracking. The current proposals to limit conversion tracking include User-Agent Client Hints, User-Agent Reduction, DNS-over-HTTPS, IP Protection, Privacy Budget, Storage Partitioning, Network State Partitioning, and Bounce Tracking Mitigations.
Testing for all the APIs above, designed to enhance privacy between websites, commenced in 2021-2022 for a partially limited audience. In May 2023, Google announced its intention to make targeting and measurement APIs generally available to all users by July, enabling developers to conduct scaled testing. In September 2023, Google announced that the interfaces are available to everyone.
Speculations and gradual initiation
Google has committed to open collaboration, ensuring the Privacy Sandbox project benefits all stakeholders. They have also welcomed general feedback and suggestions on their Application Programming Interfaces (APIs).
Critics have suggested that Google's motivation might be to increase control over digital advertising. While this may be a point of contention, the move ostensibly represents a strategic and logical approach, capitalising on Google's extensive ecosystem, powerful data collection, and management capabilities to maintain its dominance.
There has been speculation that a shared digital identifier accessible to the industry is the ultimate objective of Google's Privacy Sandbox project. Yet, in March 2021, Google affirmed that they would not construct alternate identifiers to track individuals across the web once third-party cookies are phased out, nor would they use them in their products.
In May 2023, Google revealed that Chrome would start phasing out cookies for 1% of a randomly selected user group in Q1 2024, gradually expanding the deprecation to more users as the year progresses. Based on current information, the final support removal will occur in 2025. Still, it depends on the outcomes of ongoing regulatory reviews and further industry feedback, which may influence the timeline or specific implementation details.
There is a long way to go
Although Chrome browser updates have seen rapid changes (e.g., blocking fingerprinting), Google has announced that projects of this magnitude are complex processes, and experience has shown that ecosystem changes take a long time. Privacy Sandbox proposals have changed significantly over the past year and will likely change further. Even though the proposals have potential, there is still a long road ahead.
