The goodbye that never was: Chrome to hold on to 3rd-party cookies, why?

Security padlock and circuit board to protect data
(Image credit: Getty Images)

The pain of saying goodbye is undeniable, often leading to drawn-out farewells. Such was the case with Google's planned phase-out of third-party cookies, the cornerstone of cross-site tracking and targeted advertising. After initially promising to eliminate third-party, or “tracking,” cookies “within two years” back in January 2020, Google repeatedly pushed back the deadline.

We say it "was" the case because Google has just changed its mind. Instead of bidding farewell to third-party cookies for good, the company now plans to hold on to them, potentially indefinitely.

In a blog post titled inconspicuously “A New Path for Privacy Sandbox on the Web,” Google’s VP Anthony Chavez quietly dropped a bombshell: he announced that while Google remains committed to implementing the Privacy Sandbox APIs—initially pitched as a more private alternative to third-party cookies—it will not be eliminating the tracking cookie.

“Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time”

The announcement buried deep into the post came like a bolt out of the blue. A Privacy Sandbox website still maintains a timeline indicating that the third-party cookie phase-out should happen by Q2 2025. At the moment, Chrome has already restricted third-party cookies by default for 1% of Chrome stable version users, and 20% of Canary, Dev, and Beta users have been affected.

Andrey Meshkov

CTO of Adguard.

Informed choice

Instead of getting rid of third-party cookies, Google says it will offer “a new experience” in Chrome that would allow users to “make an informed choice that applies across their web browsing.” Chavez was scant on details as to how this informed choice concept would be implemented. Since we don’t have much — or rather, nothing at all, in terms of details, we can only speculate.

An “informed choice” sounds good if it’s implemented right. Ideally, users should be able to choose which data they want to share (for whatever reason), and which data they do not want anyone to be prying upon. The qualifier “informed” implies that users have all the necessary information to make these decisions, understanding exactly what data is being collected, how it will be used, who will have access to it, and the potential implications for their privacy. This transparency ensures that users are not unwittingly sacrificing their privacy and can make conscious decisions about their data.

If we look deeper at what a third-party cookie does, the choice, if indeed informed, should seemingly be a no-brainer. Third-party cookies essentially have no other use cases than to help advertisers, data brokers, and others to spy on users across the Web. Unlike first-party cookies, which store useful site-specific data (like login information), third-party cookies track users across different websites. This creates a detailed profile of a user's browsing habits, interests, and online behavior.

Advertisers can then use this data to target users with ads that are eerily specific, often for products they've casually browsed but not necessarily purchased.

So the question is, with a clear understanding of what third-party cookies do, who would willingly allow them? Apple's App Tracking Transparency (ATT) feature provides a real-world example. When users were given a direct choice to opt-in to app tracking, the vast majority opted out. Gaming apps, generally known for their targeted advertising, were more successful in persuading users to allow them to track them, but even in their case the average opt-in rate for tracking was a meager 37% in Q2 2023.

Going out on a limb here, but It’s likely that if Google follows in Apple’s footsteps, the third-party cookie adoption rates should not be high. While details of Chrome's 'informed choice' are unclear, users rejecting third-party cookies might be directed to Google's replacement system, the Protected Audiences API within the Privacy Sandbox initiative. The Privacy Sandbox offers a more private approach than third-party cookies, but only in isolation. When context is added, it hinders user tracking for smaller companies, but not necessarily for giants like Meta or Google itself, who benefit from vast portfolios of interconnected services.

Our doubts extend beyond the concept itself. Google's history of using confusing interfaces, or 'dark patterns,' raises concerns about the genuineness of this 'informed choice.' For example, Chrome previously used a combination of settings to track user location. Even if users disabled Location History, Google could still track them through the default 'Web & App Activity' setting. This functionality of Web & App Activity for location harvesting wasn't disclosed by Google until mid-2018 at the earliest.

Advertisers were not thrilled either

Not only privacy advocates cried foul over Google's third-party cookie replacement, but also the advertisers themselves. Criteo, for example, reports that testing and publisher feedback suggest Google's Privacy Sandbox, in its current form, falls short of the company's stated goal of limiting publisher revenue loss to 5%. And that would be an understatement, since according to Criteo’s own analysis, if third-party cookies were deprecated today and the Privacy Sandbox released in its current state, publisher revenues would decrease “by an average of 60% for those that have fully integrated the Privacy Sandbox.”

It’s not much of a surprise either that the adoption rate for the new tech remained rather low, below 55%, according to Criteo. Criteo is far from being alone — many more advertising companies reported similar uninspiring results.

“We’re still seeing that 30% hit to revenue in Chrome cookieless world, and that’s a big amount of revenue for people to lose,” ad-tech company Raptive exec was recently cited as saying by Marketing Brew.

How will this impact privacy

Google’s decision to not sunset third-party cookies is a blow to privacy, make no mistake about it.

Almost all browsers are blocking them by default, while the others, like Microsoft’s Edge, are also on the path to phase them out (though, in the light of Google’s announcement, Microsoft may start having some second thoughts). That means then when all is said and done, Chrome will emerge as an outlier. At the same time it remains the most popular browser with an impressive 65% share of the market. What it means is that the majority of Internet users will be impacted by this decision, and in a bad way.

No matter how you twist the language, third-party cookies are an inherently non-private tracking mechanism. A tacit admission by Google that its replacement failed demonstrates that trying to have your cake and eat it too—protecting both privacy and advertisers' interests—is hardly viable at present, at least in the way that Google had envisioned. Ultimately, while it aimed to cater to both sides, it failed to meet the expectations of either.

Currently, the onus is on the users to protect themselves from encroachments on their privacy, and ad blockers are one of the many tools available to help them with that. Relying on Google for privacy protection always seemed like a far-fetched idea — and the latest events have shown that if anything, Google is going in the opposite direction.

We've featured the best business VPN.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://anngonsaigon.site/news/submit-your-story-to-techradar-pro

Andrey Meshkov is co-founder and CTO of Adguard.