IBM OpenPages GRC Services | GRC Consulting – iTechGRC

Will the Cookie Crumble? Google Chrome Reverses the End of Third-party Cookies (Part 1)

Google Reverses the End of Third-party Cookies

A while ago, there were talks about entirely phasing out third-party cookies in 2024. Google Chrome also restricted third-party cookies for 1% of its browsers. In July, the search engine giant announced that it was reversing its plan to deprecate third-party cookies and would continue developing the Privacy Sandbox APIs to enhance user consent and web privacy.

Web browsers such as Apple’s Safari, Brave Software’s Brave, and Mozilla’s Firefox are already ahead in removing third-party cookies. Leading media houses and publishers also began adapting to the change, which is yet another existential threat for them, with the probability of a drastic revenue decline.

Google’s decision to backtrack on its word seems like bad news for regulators and user privacy vigilantes concerned about prioritizing user privacy and non-consensual tracking. However, it is a welcome move for advertisers, publishers, and marketers. In the rest of this blog, we will explore third-party cookies and the movement to first-party cookies.   

Is cookie deprecation realistic? How will it impact targeted advertising and personalized marketing initiatives? What does it mean for personal data privacy? Let’s find out!  

You can also explore informed and simplified pathways for privacy reporting and risk management with IBM OpenPages Data Privacy Management. Or connect with iTech GRC’s advisory team to understand your enterprise’s data protection and IT governance needs.

What are Third-Party Cookies? 

Cookies, also known as browser cookies or web cookies, are placed on the user’s device through a website to store information that the browser or a third party can access. The information is used by advertising and marketing companies to track users’ online and browsing actions, personalization, and session management. Modern web browsers use different types of cookies to perform specific tasks. They include:  

  1. First-party Cookies: These are also called SameSite cookies and are stored on the website. They allow website owners to gather user data for analysis, track user behaviors, and update user settings. They cannot track user activities on other websites or monitor users when they are not on the website. For example, they store information such as language settings, login credentials, items added to the shopping cart, payment details, likes, etc.   
  2. Third-party Cookies: Third-party cookies are tracking cookies placed by entities other than the website that users visit. They enable third parties to access and collect user data across several websites they visit to gather holistic insights into online behavior. For instance, if a user looks for a product on the browser, third-party cookies track their data to target product-related ads on websites or social media platforms like Facebook, Instagram, etc.   
  3. Strictly Necessary Cookies: Apart from third-party and first-party cookies, there are strictly necessary cookies that are vital for providing a website’s basic functions and allowing users to access features required to sign in, make online purchases, save products or services for later, etc. Strictly necessary cookies do not require user consent. Global data protection regulations, including the EU’s General Data Protection Regulation (GDPR), allow strictly necessary cookies to proceed with data collection and processing without seeking user consent.
  4. Functional Cookies: As the name suggests, functional cookies are essential for improving website performance by adding specific functions. For example, they include selecting user locations or choosing a price or language filter option to personalize content or product searches. These cookies require user consent and are anonymous but do not track user behavior across websites. They can be first-party or third-party cookies.   
  5. Performance Cookies: These cookies regulate and track website performance but do not collect users’ personally identifiable information. However, they track data anonymously, such as page visits, time spent per visit or page, and website loading speed, to improve overall website performance. Performance cookies are usually first-party cookies, but in a few instances, they can also be third-party cookies.   
  6. Targeting Cookies: These are mostly third-party cookies that track users’ data across websites and share it with advertisers to target ads and measure their performance. These cookies are responsible for displaying hyper-personalized advertisement banners to users even when they are on different websites or online platforms.   
  7. HTTP Cookies: Also known as a renewed version of the magic cookie, the HTTP cookie was built for modern browsers to track users’ sensitive information as embedded scripts. This cookie prevents inadvertently sharing browser data with third parties or transferring it outside of the server.   
  8. Secure Cookies: Secure cookies ensure they go through the HTTPS channel to protect them from network attacks or tracking by unauthorized third parties.   

Why are Third-party Cookies Important for Advertisers and Marketers?

Most online businesses, e-commerce companies, advertisers, publishers, and marketing agencies leverage user information through third-party cookies to target buyers with relevant and personalized ads for products and services. Third-party cookies give insights into online user preferences, needs, online activities, demographics, and personal information. They increase the possibilities of a purchase, driving revenue and online sales. Despite arguments about wrongful tracking and implications to users’ online privacy, third-party cookies benefit both users and online businesses with:  

  • Personalization: Online businesses can optimize their advertising and marketing budgets by targeting only those ads that meet specific user needs or preferences, driving sales possibilities. From the users’ perspective, third-party cookies help them easily find the right products or services they require.    
  • User or Customer Insights: Third-party cookies not only help position personalized ads but are also responsible for recommending content on social media or related products or services on e-commerce websites. They reveal many insights into how users, existing customers, or potential customers engage with websites or online business platforms to improve performance.  
  • User Experience: Adobe research suggests that 75% of global marketing and customer experience leaders are reliant on third-party cookies. Third-party cookies leverage user data from past online behaviors, forms, location, payment details, etc., to target users towards relevant content or products better suited to their needs, enabling better user experiences.   

Third-party cookies created the $600 billion online advertising industry. The slow erasing of cookies due to privacy concerns and browser updates will impact ad spending, revenue from digital advertising, and additional costs to move to first-party or zero-party cookies.   

Is it the End of Third-party Cookies?

GDPR & CCPA on Third-party Cookies  

Third-party cookies and other types of cookies pose significant data and user privacy risks that can allow external actors to hijack cookie information and hack users’ online accounts. The most common cybersecurity attack modalities involving cookies include session hijacking, cross-site request forgery, and cross-site scripting. Moreover, cookies do not offer transparency in how the user’s personal data is collected and processed.   
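The cookie categories listed earlier and the attacks named above (session hijacking, cross-site request forgery, cross-site scripting) map onto attributes of the Set-Cookie header. As an added example, not part of the original article, this JavaScript classifies a cookie as first- or third-party relative to the visited page and flags missing Secure, HttpOnly and SameSite attributes; the hostnames, cookie values and the two-label `site` heuristic are assumptions.

```javascript
// Added example: audit Set-Cookie headers. Hostnames and values are constructed.
const RISK = {
  'missing-secure': 'also sent over plain HTTP; a network attacker can read it (session hijacking)',
  'missing-httponly': 'readable from document.cookie; injected script can steal it (XSS)',
  'missing-samesite': 'no explicit cross-site policy; relies on browser defaults (CSRF)',
  'none-without-secure': 'SameSite=None without Secure; Chrome rejects the cookie',
};

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Assumption: "site" is the last two DNS labels. Browsers use the Public Suffix List.
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Classify the cookie relative to the page the user is on and list weak attributes.
function auditCookie(header, setByHost, pageHost) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const findings = [];
  if (!attrs.secure) findings.push('missing-secure');
  if (!attrs.httponly) findings.push('missing-httponly');
  if (!sameSite) findings.push('missing-samesite');
  if (sameSite === 'none' && !attrs.secure) findings.push('none-without-secure');
  return {
    name,
    party: site(setByHost) === site(pageHost) ? 'first-party' : 'third-party',
    // Chrome attaches a cookie in a third-party (embedded cross-site) context
    // only if it is SameSite=None and Secure.
    sentCrossSite: sameSite === 'none' && Boolean(attrs.secure),
    findings,
  };
}

const SAMPLES = [ // constructed: [Set-Cookie value, host that set it, host of the page]
  ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax', 'shop.example', 'shop.example'],
  ['lang=en; Path=/', 'cdn.shop.example', 'shop.example'],
  ['uid=42; Domain=tracker.example; Secure; SameSite=None', 'ads.tracker.example', 'shop.example'],
];
for (const [header, from, page] of SAMPLES) {
  const r = auditCookie(header, from, page);
  console.log(r.name, r.party, r.sentCrossSite, r.findings.map((f) => `${f}: ${RISK[f]}`));
}
```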

Regulations such as GDPR and the California Consumer Privacy Act (CCPA) exercise limitations on online companies’ personal data collection and processing activities. Here’s what these regulations say about cookie control in a digital age:  

GDPR: It requires websites or third parties to seek user consent before storing third-party cookies on their devices and provides comprehensive options to opt out or deny cookies.  

CCPA: This regulation does not mandate user consent for storing cookies on users’ devices but requires providing an option to decline cookies that sell users’ personal information. CCPA also recommends sharing information with users, such as the type of cookies used and how they can be managed.

These regulations impose legal penalties for failing to inform users about the presence of cookies.   

End of Third-party Cookies: Implications for AdTech and Marketing

Leading web browsers have been phasing out third-party cookies for over half a decade. In 2017, Apple launched its Intelligent Tracking Prevention (ITP), followed by Mozilla and Safari, which blocked third-party cookies. Google announced in 2020 that it would block third-party cookies in 2022. This decision was part of its privacy enhancement initiatives, such as the launch of Privacy Sandbox, an alternative to third-party cookies that can deliver ads without collecting user data from the browsers. It also blocks spam ads and prevents cross-site tracking.

However, Google delayed the full deprecation process until this year to allow advertisers, online marketing firms, and web publishers sufficient time to switch to less invasive targeted advertising methods.   

The end of third-party cookies would heavily affect different entities, including web browsers like Google Chrome. Here’s what you should know:  

  • Hard Hit on Browsers’ Advertising Revenue: Google Chrome leads the web browser industry with a 67% global market share and close to 3 billion worldwide users. Almost 90% of Google’s revenue comes from advertising. Complete deprecation of third-party cookies will impact their advertising and revenue from ads. This could be one of the reasons for its delay in blocking third-party cookies. Apple’s   
  • Increased Cost Per Mille/Impression: With third-party cookie blocking, the cost per mille (CPM) increases by two to three times. Publishing executives noticed that the average price per impression in cookie-less browsers like Safari is 50% less than third-party cookie-enabled impressions.
  • Loss of Web Publishers’ Ad Revenue: A global survey of 555 publishers found that only 38% have commenced preparation to adapt without third-party cookies on Google Chrome. Nearly 45% of publishers heavily dependent on third-party cookies can experience a significant dip in revenues.   
  • Overwhelming Alternatives to Third-party Cookies: Google’s Privacy Sandbox was created to preserve privacy and support an ad-driven community. Its early testing revealed a promising outcome from Privacy Sandbox APIs. However, this hasn’t been the only alternative, leaving 53% of publishers overwhelmed with decision paralysis. Other options include first-party data, contextual advertising, universal IDs, cookie-less strategies, etc.   
  • Internet-Based Targeting Worse Without Cookies: Privacy Sandbox’s Topics API is a mechanism for internet-based targeting (IBA) offered for advertisers to collate user insights based on the sites visited while keeping them anonymous. A commerce platform that ran tests with 1 million of its users found that IBA was five times worse than third-party cookies. Moreover, it is known to have several problems that would reduce ad effectiveness.  

Is it possible to imagine a cookie-less future? The answer is yes, but it is somewhat confounding due to the pushback from adtech and online marketing companies. Google’s announcement that it would not pull the trigger on third-party cookies in the browser also stated the need for ‘significant work by many participants.’ The company also announced the introduction of a new feature in the Chrome browser that will allow users to make more informed decisions about their web browsing. As per reports, Google has discussed this with regulators and others in the industry.

Stay tuned for part two of this blog.  

In the meantime, talk to our expert GRC team to speed up your privacy assessment and compliance initiatives!