And so, the time has finally come. As of January 4, 2024, Chrome is disabling third-party cookies for 1% of its users. This will, then, gradually roll out to 100% of Chrome users from the third quarter of 2024.
Google first announced the deprecation plan in a January 2020 blogpost with an original timeline of “within two years.” The deadline has since been repeatedly delayed due to pushback from the advertising industry.
For almost thirty years, third-party cookies have fulfilled a key role in how advertising platforms function, as it has enabled advertisers to track ad engagement, build audiences, and target users based on their behavior. However, third-party cookies have also become synonymous with data privacy issues as they allow websites to track users' online activity without their explicit consent, and they can be used to build detailed profiles of users' interests and behaviors.
To understand how we got here, and what is likely to happen next, it helps to start by looking at the history of cookies, their (mis)use, and how it ultimately culminated with the deprecation of third-party cookies in Chrome in 2024.
What are cookies?
Developed in 1994 by Netscape programmer Lou Montulli, cookies addressed a key shortcoming with the web at the time: it lacked memory. Many things that we take for granted today, such as being automatically logged into a website when you revisit it, or how an ecommerce store can save a shopping cart you’ve assembled, utilize cookies for this purpose.
Montulli's invention functioned like a unique digital wristband for each website visited, allowing sites to recognize individual users and offer personalized experiences, such as maintaining that shopping cart or saving your credentials. Seeing the potential in this new invention, cookies were integrated into the Netscape browser in 1995, and the browser was quick to gain a dominant 90% market share shortly after being released.
Cookie adoption
While initially intended to store user preferences and facilitate easier logins, cookies were quickly adopted as a valuable tool for advertising platforms. Pioneers like Doubleclick (later acquired by Google) figured out that, if it placed ads on different websites, cookies could be used to track how many times and on which website a particular browser loaded an ad. Consequently, this allowed advertisers to learn which websites a particular browser had visited, and helped them to target users based on their behavior.
Upon realizing how his invention was being used for ad targeting and tracking, Montulli faced a moral dilemma. He learned that cookies dramatically increased website revenues, as advertisers were willing to pay a lot more for ads when they are able to do precise targeting, which in turn paves the way for a thriving, open internet. However, he also realized that cookies had the potential to seriously compromise user privacy.
Seeking a compromise between the economic advantages of improved ad targeting and the need for user privacy, Netscape introduced features to notify users about cookie usage and started providing options to delete cookies. Just a few months after Netscape had been out, the tech-giant Microsoft released its browser, Internet Explorer, which also supported cookies. With that move, cookies became the foundation for advertising on the internet for the coming three decades.
The beginning of the end of third-party cookies
Ever since Lou Montulli’s invention of the cookie, concerns around user privacy and how the data is being used by tech companies has only grown. During the 2010s, public demand for products that protected personal data led to a surge of ad blocking software and entirely new browsers like Brave (which blocks third-party cookies by default). Even though Brave still has not captured a large portion of the browser market, it triggered more popular browsers to follow suit.
Of the larger browsers, Apple's Safari was quick to implement intelligent tracking prevention (ITP) by default. Whilst ITP does not entirely block third-party cookies, it restricts their storage to 7 days. It also restricts the frequency at which websites can access and update third-party cookies, as well as randomizing the identifiers used in cookies. This makes it more difficult to track users across various websites.
While privacy groups embraced this step by Apple, trade groups within the advertising sector expressed concerns that these changes would further consolidate the advertising industry under the dominance of the tech giants Google and Facebook. These two giants, already commanding a majority of digital ad spending, benefit primarily from first-party data (as opposed to third-party data gathered via cookies). As a result, they would be less impacted by restrictions on third-party cookies compared to others in the space — potentially further increasing their market advantage.
At the same time, the General Data Protection Regulation (GDPR) regulation was developed and implemented across the European Union. The goal of GDPR is to give individuals control over their personal data, simplify data protection regulations, and enhance data protection across the EU.
The US state of California would soon follow with its own regulations: the California Consumer Privacy Act (CCPA).
Third-party cookies in Google Chrome
For the advertising industry, the introduction of ITP in Apple’s Safari browser can be seen as the beginning of the end for third-party cookies. Safari commands about 20% of market share amongst browsers. While this is a sizable chunk of internet users, it still doesn't compare to the 60% market share of Google Chrome, though.
While the advertising industry may have held out hope that their beloved third-party cookies would live on in Chrome, those hopes were dashed with Google's January 2020 announcement. This prompted a significant pushback from the advertising industry, echoing Montulli’s 30-year-old concerns that this would seriously harm publisher revenues and threaten the open internet.
Since the announcement, Google has tried to appease advertisers by introducing new experimental ways of targeting and measurement. In 2019, Google announced its Privacy Sandbox as, “a secure environment for personalization that also protects user privacy.” The aim was to create a new set of standards and tools for ad targeting and measurement and get feedback from the advertising industry.
In 2021, Google released its first major initiative aimed to replace third-party cookies, called Federated Learning of Cohorts (FLoC). FLoC was based on grouping individuals to allow targeting cohorts of people with similar characteristics as opposed to individuals.
When released, Google claimed that FLoC was “95% as effective” as cookie-based ads when tested in simulations, which the advertising industry reacted to with significant skepticism. Low advertiser adoption rates contributed to Google halting testing of FLoC just a few months after it was introduced.
As a new alternative, Google introduced the Topics API in 2022. Instead of grouping individuals based on interest like FLoC, the Topics API infers recognizable, interest-based categories based on recent browsing history to help sites serve relevant ads. The Topics API was rolled out widely in Chrome in 2023, even though the reception from the advertising industry so far has been mixed.
What does the future look like without third-party cookies?
As third-party cookies continue to be phased out, it's becoming increasingly evident that the future of digital advertising will be significantly different from the one we've grown accustomed to. The once-ubiquitous cookies, while undeniably useful for facilitating seamless website experiences, have also been the cornerstone of a vast and complex advertising ecosystem that has raised concerns about user privacy and the concentration of power among a few tech giants.
The resistance of the advertising ecosystem to the phase out of third-party cookies is a testament to just how much the industry relies upon this critical piece of technology.
Advertisers continue to have concerns over solutions proposed by established and powerful players like Google, who will wield even more power in an internet without third-party cookies. Meanwhile, other ad tech companies have responded to the demise of third-party cookies by proposing new alternatives such as the Unified ID (initiative started by The Trade Desk, later handed to Prebid), RampID (initiative led by LiveRamp), SharedID (also operated by Prebid), and many others.
Similar to third-party cookies, many of these solutions would be based on a voluntary opt-in from users that allow certain information to be used by advertisers. It is very likely that, once ad platforms have started testing the different potential identifiers, the market will gradually consolidate towards using one standard.
Such a standard will likely be necessary to create the cross-platform spanning audiences and insights that third-party cookies allow(ed) advertisers to do. Which solution will be adopted, and how well it’s able to balance protecting consumer privacy with the ability for advertisers to serve relevant ads is yet to be seen. Until then, advertisers will need to balance the tools available to them right now.
