Google Announces Third-Party Cookies are Here to Stay

On 14 January 2020, Google published a blog post detailing a shock announcement that was lauded as a victory in the battle for greater user privacy. Entitled ‘Building a more private web: A path towards making third-party cookies obsolete,’ Google outlined its plan to phase out support for the divisive tracking technology in Chrome—a move that will be made once it has worked out how to address the “needs of users, publishers, and advertisers” and has developed tools to “mitigate workarounds.”

Fast-forward to 22 July 2024, following years of delays to its proposed two-year deprecation timeline, Google released another blog post that caught the world’s attention: ‘A new path for Privacy Sandbox on the web’. Contained within was the startling announcement that Google is abandoning its long-standing plan to block third-party cookies in Chrome after all.

Let’s explore Google’s revised plans, third-party cookies, their benefits and pitfalls for client-side security and compliance, and reactions to the announcement.

Third-party cookies: Google’s new path

Having announced its U-turn, the tech behemoth said it’s pursuing an updated approach that will “introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time.”

While Google already gives users the option to disable third-party cookies within the browser, it recognizes that it could do more to make the option more transparent – and used the blog to communicate that it’s “discussing this new path with regulators and will engage with the industry as we roll this out”.

With the bombshell dropped, Google appeared to have learned from the series of delays to its initial plans by remaining coy about what comes next – particularly a timeline for implementing the new controls.

What are third-party cookies?

Third-party cookies are small pieces of data, stored in the browser, that are inserted on a user's device by a website other than the one they are currently visiting. Advertisers and data analytics companies usually use them to track users across multiple websites, enabling them to gather information about browsing habits, preferences, and behaviors.

Unlike first-party cookies, created by the website the user is visiting for functionality like remaining logged in, third-party cookies are set by a domain that’s separate from the one in the browser's address bar. For example, if you visit a site that contains an advertisement or embedded social media content, that ad or social media service may set a cookie to track you across different sites.

Benefits and pitfalls of third-party cookies

While third-party cookies have revolutionized digital advertising this century, they are increasingly being scrutinized for data privacy and security concerns.

Benefits

Personalized advertising

They allow advertisers to track users across multiple websites, enabling them to create highly targeted ads based on their behavior, preferences, and interests. They also provide the opportunity to show retargeted ads to users who have previously visited their websites by tracking their browser history, increasing conversion rates by reminding users of products they’ve already browsed.

Cross-site analytics

They provide third parties, like marketers and website owners, with insights into user activity across different websites by gathering data about how they interact with them. This is known as cross-site analytics and includes techniques like behavior profiling based on interests, demographics, or browsing habits.

The resulting data can be harnessed to help businesses understand the broader customer journey and refine their marketing strategies.

Improved user experience

Their power to drive retargeting and personalization allows users to see more relevant ads and recommendations, improving the browsing experience by aligning it with their interests.

Storing data on third-party platforms gives users a better and more consistent experience across multiple devices. For example, if you’re browsing a website on your phone before switching to your laptop later, cookies allow the website to remember your preferences, making for a seamless experience.

Improved marketing

They help advertisers and marketers to segment users into different groups based on browsing history, enabling more efficient and tailored marketing campaigns that can be synchronized across platforms and devices. This ensures that ads seen on social media, search engines, and other channels are part of a coherent and integrated campaign strategy, elevating their impact.

Pitfalls

Privacy concerns

By enabling extensive tracking across multiple websites, they can be leveraged to build detailed user profiles – including behavior, preferences, and interests – without their knowledge or explicit consent. The pervasive nature of this online tracking technology prompted Safari and Firefox to block third-party cookies in 2020 and to robust data privacy regulations like the GDPR (General Data Protection Regulation) in the EU.

Data security risks

The vast amounts of user data collected by these cookies could be vulnerable to hacks, leaks, or misuse by third parties, putting sensitive information at risk. Hackers can exploit vulnerabilities to track users, verify stolen data, or impersonate them by hijacking session data, resulting in data breaches. This compromises an overwhelming amount of sensitive information, much of it collected and stored using third-party cookies without the user’s knowledge or permission.

Regulatory challenges

The regulatory screw has been tightened amid the introduction of rigorous data privacy regulations like the GDPR and the California Consumer Privacy Act (CCPA) that impose strict restrictions on how user data can be collected and used. Companies that fail to comply with these laws can be hit with hefty fines and experience reputational damage. Third-party cookies can complicate regulatory compliance, as users must be informed and consent tracking.

Lack of transparency

Users usually don’t know who is tracking them, for what purpose, and how their data is used. When they learn about the extent of data collected via third-party cookies, it can lead to a lack of trust in websites and online platforms, potentially damaging brand reputation.

Google’s U-turn

The reaction to Google’s sudden announcement was both swift and mixed. Some think getting rid of third-party cookies would have been a strategic mistake for Google. Others were more measured, believing that allowing users to “make an informed choice” is a good idea, provided they have all the necessary information to decide about sharing data. Meanwhile, many were concerned, claiming that Google, which makes over 77% of its revenue from tracker-driven, behaviourally targeted ads, put profits before privacy.

For instance, the Information Commissioner’s Office (ICO), the UK's data privacy watchdog, said it was "disappointed" by the decision. Stephen Bonner of the ICO said: “It has been our view that blocking third-party cookies would be a positive step for consumers". This backlash underscores that Google’s decision represents a blow to improving data privacy and security online amid the ubiquity and all-encompassing nature of third-party cookie tracking.

While other search engines didn’t renege on their promise to phase third-party cookies out, Google’s domination of the worldwide search engine market, 92% share, means their privacy and security implications are here to stay for businesses and their online customers.