As Google has announced an end to third-party cookies, we look at the issues that have led to the decision, and at what may replace these cookies.
The Difference Between First and Third-Party Cookies
A cookie is a piece of code (used for tracking) that takes the form of a small text file that is stored on the browser of someone who visits a website. A 'first party' cookie is only generated when a person visits one particular website (domain) and is only used for finding out what that person did when they visited that site, recording how often they visit in future, and for recording details such as remembering passwords, basic data about the visitor, and some other preferences. This type of cookie does not record details about a person’s activities when they go on to visit other websites after leaving that website (i.e. websites that are not affiliated with the first website).
A third-party cookie, on the other hand, is created by a third-party, perhaps an advertiser, and is placed on a visitor's computer when they visit your website and other websites. Its main purpose is to track a web user and gather data about their activities and preferences (e.g. websites they visit frequently, what they purchased online and what they show interest in). This enables the building of a visitor profile which, in turn, leads to them being shown ‘relevant’ targeted adverts. For example, after showing interest in products on one particular website one day, they can then be shown adverts about that product type when visiting completely different websites at different times.
Google announced that it will not only get rid of third-party cookies but that it will not use other technology to replace these cookies or build features into its Chrome Browser to allow itself access to that data. Google plans to not simply remove third-party cookies but to phase them out over two years before rendering them obsolete. The reason for the slow phase-out is given as allowing time to develop workarounds that address the need of not just users, but also of businesses, publishers, and advertisers.
There are many reasons why Google is phasing out third-party cookies in Chrome. These are essentially the same reasons why other browsers such as Firefox and Safari have already phased out third-party cookies. For example:
- Legislation. Improved and new data privacy laws. The introduction of GDPR, the California Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) and others have meant that tech companies can no longer track everything that users do without permission and share that data with multiple other third parties as they wish. For example, in the UK, websites now have cookie consent and privacy information displayed on the home page following the introduction of GDPR.
- Privacy Campaigners. Many privacy campaign groups and others have challenged tech companies and advertisers over the years about privacy and tracking users. For example, in November 2020 Big Brother Watch, Oxford University and UCL were among 38 signatories of an open letter to the UK charity sector asking them to look at how advertising companies are allowed to build profiles of users based on sensitive information gained from trackers in websites and the impact that cookie consent processes had on these trackers.
- High profile Criticism. Among other things, in January the UK Competition and Markets Authority started investigating whether restricting cookies on Chrome could help Google increase its dominance in the online ad industry. For example, some commentators have questioned Google’s motives for removing third-party cookies, suggesting that forcing a reliance upon first-party cookies may simply be a way for Google to get more of a grip on the ad market and receive the revenue that would have been spent on third-party platforms.
Competition Between Browsers
Some browser companies have been publicly at the forefront of restricting the use of third-party cookies e.g., Safari (Apple), Mozilla’s Firefox (Mozilla) and Brave. This has put pressure on the browser market-leading company Google to follow suit.
As part of the phasing out of third-party cookies, Google is putting some Interim measures in place. These include Google’s Chrome limiting insecure cross-site tracking (started in February 2021). For example, Google’s Chrome is treating cookies that don’t have a SameSite label as first-party only, and requiring cookies labelled for third-party use to be accessed over HTTPS, thereby making third-party cookies more secure and giving users more precise browser cookie controls for now. Also, Google is trying to stop covert tracking using new anti-fingerprinting measures (to launch later this year).
Although the phasing out of third-party cookies by Google was not unexpected, it has, of course, worried advertisers, publishers and owners of ad-supported websites who need to know how they can continue to rely upon the generation of effective adverts and revenue. For example, Google Ad manager data shows that when advertising is made less relevant by removing cookies, funding for publishers falls by 52 per cent on average.
Although Google has said that it doesn’t plan to use other technology to replace third-party cookies there are alternatives. These include:
- Google’s Privacy Sandbox, which it originally announced last August, and touched upon again on in January this year. Google describes this as “a new initiative to develop a set of open standards to fundamentally enhance privacy on the web” and a “a secure environment for personalisation that also protects user privacy”. Exact details are thin on the ground. The idea of Sandbox, however, is to move all user data into the Google Chrome browser where it can be securely stored and processed so that it stays on the user’s device and is, therefore, making it compliant with privacy laws. It is understood that the Privacy Sandbox may also include an algorithm to group people according to their common web browsing and thereby create ‘clusters’ of people (who can’t be directly identified) with similar interests. These clusters can then be targeted by adverts without affecting the privacy of the individuals in a cluster.
- Systems made by rivals of Google Ads (e.g. Trade Desk Inc) where people can protect their privacy by logging on to websites using encrypted copies of email addresses. Also, Criteo SA, an AdTech company is reported to have developed a possible alternative.
Even though this is a big change, it is not unexpected and it will take place over a two-year phase out period within which time alternatives will have been introduced. Getting rid of third-party cookies is going to have the biggest impact on third-party ad platforms that are reliant on cookies for their revenue and for those who rely upon lots of data for their online advertising, pop-up ads, or a really focused audience-targeting strategy. For everyone else, considering third-party cookies aren’t used by most other (admittedly less popular) browsers, it’s unlikely to have a massive impact. It’s worth remembering that first-party cookies will still be used for Google Ads and that Google is likely to be investing money and effort into getting its alternative Privacy Sandbox tools up and running.