Third-Party Cookie Deprecation
August 9, 2024
August 9, 2024
It’s been a long time coming.
Google’s decision to phase out the third-party cookie in Chrome was initially announced in 2020, only to be postponed several times. Then, in May 2023, Google declared that they had reached a point of no return and would begin the process in January 2024.
First, the support for third-party cookies in Chrome would be turned off for 1% of its users worldwide (approximately 30 million people). And by the end of 2024, 100% of its users would be affected. The deprecation process began as planned.
But, at the end of April 2024, the Competition and Markets Authority (CMA) in the United Kingdom asked Google to hit the brakes. Because replacing a standard technology like the third-party cookie in a browser with a64% global market share is bound to affect a lot of people.
As of July 22nd, 2024, Google has announced that they won’t deprecate third-party cookies. Instead, Google says they will introduce a new experience in Chrome that lets people make an informed choice that applies across the users’ web browsing, and the user would be able to adjust that choice at any time.
Currently, Google are discussing this new path with regulators, and will engage with the industry as they roll this out. For now, Google states that it remains important for you as a developer to have privacy-preserving alternatives.
So, what does all this mean for you as a digital marketer? Did you buy yourself some more time, or are you still overdue?
AdFixus's view on Google's U-turn - Why the Google announcement doesn't change your strategy (adfixus.com)
Let’s break things down.
In the early 1990s, when the World Wide Web was new, and people weren’t sure if it would be “a fad,” there was a popular web browser called Netscape.
Surfing the web back then was a bit primitive. Browsers could not remember if you, for example, had put something in your shopping cart. So it was quite an “unmemorable” experience, one might say (pun intended).
So, a young engineer at Netscape, Lou Montulli, developed the cookie, or what we today call the “session cookie,” to address this lack-of-memory issue.
And Netscape shared its invention with other browsers.
The people at Netscape were internet pioneers. They cared for the success of the World Wide Web and for privacy, and were keen on not creating a solution with “too good of a memory.” Because they feared the implications for the web as a marketplace and community if browsers implemented technologies that could track people in a surveillance-like manner across sites. They believed that the session cookie was the least harmful solution.
But then the cookie was “hacked”.
This cookie made it possible to track visitors’ activities from one site to another. It was a feature which the “advertisers” (or their stakeholders) desired, because it offered a new way of reaching potential clients and customers.
The new technology made it possible to target a specific person with ads for products they had shown interest in along their browsing journey—a.k.a. remarketing.
Montulli said he was caught off guard. And realized that he, and Netscape, now had three choices:
The choice fell on no. 3.
As much as they feared the implications, they also wanted the web to take off. And they recognized that it needed a financially sustainable business model to do so. Micropayments weren’t a thing back then.
The discourse about the third-party cookie has thus been with us almost since the birth of the HTTP protocol. Lou Montulli has expressed that there will never be an absolute technical solution to safeguard website visitors’ integrity forever; for every restriction, ad blocker, etc., there would be a counter solution—a workaround. He therefore stressed the need for regulations and thought lawmakers had to keep pace and regulate the web accordingly.
With the ePrivacy directive in 2002, the GDPR in 2018, and subsequent privacy regulations in other parts of the world and on the state level in the US, we have, in some ways, gone full circle. These are privacy laws that view cookies containing identifiers as personal data, and require consent before a user is tracked or data about that user is collected.
Today, consumers and their legislators are requesting a sustainable business model for the web that respects users’ right to privacy and delivers more safe, transparent, and trustworthy experiences.
Please note, that there are no legal requirements to deprecate the third-party cookie. The third-party cookie is not “illegal” but using it to collect personal data about users without consent is. And the widespread use of cookies has enabled personal data to be shared in an uncontrolled manner. Data which can be, and are being, used by cybercriminals to impersonate users, gather financial data, steal passwords, etc.
We also see a growing movement amongst advertisers who requests more transparency and clarity about how their ad dollars are spent—rightfully so, seeing how ad fraud might be one of the biggest threats to the advertising industry.
So, we’ve kind of reached a point where the largest ad-tech stakeholder—Google—has decided to promote a supposedly more privacy-friendly browsing experience by deprecating the third-party cookie.
However, Chrome is not deprecating the third-party cookie in the same manner as, for example, Safari and Firefox.
But before we clarify what this means, let’s first address why first-party cookies are not going anywhere and why you will still need to collect consent in a post-third-party cookie world.
First-party cookies (like AdFixus) are often enabled, come from, or are placed on a visitor’s browser through a JavaScript code that you, as a website owner, have inserted on your site. But what makes them first-party—and not third-party—is that they are set by the domain of the website being visited. This is the core difference between them and third-party cookies which are set by domains other than the one being visited.
First-party cookies are often associated with short lived session cookies and essential cookies for website functionality, but first-party cookies can also be cookies used for tracking and analytics purposes. It is a common misconception to equate first-party cookies with mere short lived essential cookies.
Third-party cookies, on the other hand, are often used for cross-site tracking, allowing third-party services to track users across multiple websites for targeted advertising and analytics. This cross-site tracking capability, in combination with being set from another domain, is the critical difference that distinguishes a third-party cookie from a first-party cookie.
So, while remembering how they actually differ one must also keep in mind that they can be used for the same things:
These cookies can be defined as first-party or third-party, but regardless of this distinction you must still obtain consent from each visitor before the scripts are allowed to place cookies on the users’ browsers, unless the cookies are strictly essential for the website’s core functionality.
Also note that third-party cookies can come into play through indirect measures. They can get access to your visitors’ browsers through external services embedded on your site, such as:
These external elements can place cookies on your visitor’s browser for their own purposes, such as tracking across multiple sites for targeted advertising, which you might not have been aware of when you decided to include such services.
This is why a proper Consent Management Platform (CMP) is handy. It automatically separates third-party cookies from first-party cookies and classifies them according to their lifespan and purpose. This gives you a map of what services you have activated, knowingly or not, on your website so you can consider which you like to keep and which you need to adjust or delete.
Please note, that when placing a service on a website, like, for example, the Facebook pixel, it is essential that you calibrate that service so it does not set cookies that you do not want it to—regardless of whether they can be defined as first-party or third-party.
Ok, so with this clarified. Let’s get back to the deprecation of the third-party cookie and what is intended to “take its place.”
As mentioned, Firefox had restricted the third-party cookie by default in 2019 through their Enhanced Tracking Protection (ETP) program.
Apple’s Safari followed in 2020 through its Intelligent Tracking Prevention (ITP) feature. These features do not outright disable the possibility of retargeting but make it very challenging to show targeted ads for individuals based on their browsing history. And in addition to that, the include other privacy-enhancing features. (More on this further down this blogpost.)
Other smaller browsers have done something similar.
Google has not wanted Chrome to follow suit in the same way, probably because Google is a major ad-tech stakeholder and has, therefore, been invested in finding a new web standard that does not “kill off” this revenue stream. So they have, one could say, tried to find a way to both have the cookie and eat it through a cross-industry collaboration called the Privacy Sandbox (PS).
The Privacy Sandbox has been (and still is) an iterative process where different APIs have been developed and deployed for testing. This process seemed to have reached a breakthrough in mid-2023 when the Privacy Sandbox initiative announced that they would release six new (cookie-replacing) APIs for Chrome version 115.
These were/are:
These APIs are not necessarily “eternal,” and more will probably come. You can go to the Privacy Sandbox Website to track the progress. That site also gives you a comprehensive view of how Google is working to make Chrome more privacy-friendly while enabling non-invasive targeted advertising.
And then of course, the UK’s CMA, forced Google to halt it’s Privacy Sandbox-implementation process, due to a long line of concerns from both a privacy and an antitrust perspective. This was, however, not a surprise attack; Google has been in close dialogue with and under scrutiny from the CMA since the process began, which is also in part why their third-party cookie deprecation in Chrome process has been delayed previously.
The third-party cookie deprecation in Chrome, is a dynamic process with many moving parts.
And its story has several sides, depending on where you stand. I.e., depending on if you are a Consumer, Marketer, Publisher, or Adtech Vendor.
For a consumer or private person surfing the web through Chrome, it will mean specific prompts popping up asking for preferences and consent. One is the Tracking Prevention, which, from the URL bar, informs you that you are browsing with more privacy, which you can then say ok to or change. Tracking Prevention was launched in January 2024.
The web lowered the barriers to entry for anyone who wanted to create and distribute content. It became a network based on convenience, immediacy, and broadly available information online. And it has been revolutionizing.
A technology that has changed and rattled the publishing industry to its cories about to hit the history books, it seems. What does this mean for publishers today?
Publishers have rolled with the punches during the last two decades and diversified their revenue streams—introducing subscription paywalls, investing in sponsored content, and other strategies. These adaptations have not only helped them survive but also highlighted the importance of taking ownership of their own domains and leveraging consented first-party data.
As third-party cookies become obsolete, the strategic value of consented first-party data can not be undervalued. And that goes for all web enterprises seeking a trust-based relationship with their market, not just for publishers with a capital P.
Meanwhile, publishers and advertisers alike are beginning to scrutinize the current ad-tech paradigm, which is plagued by issues like Bot traffic, “made for advertising-sites”, poor placement reporting, lack of transparency, and often a misguided focus on impression counts over genuine user engagement and conversions.
It’s fair to say that the demand for a more trustworthy and transparent web is driven by increased awareness regarding compliance, as well as browser restrictions, and the need for better advertising ROI.
While publishers are well-positioned to leverage their first-party data, there is also a burgeoning opportunity to forge new partnerships. These collaborations, which could be ad-tech platform-ish, could for example offer advertisers more transparent and quality focused solutions that meet the brands safety concerns companies have.
At the heart of the cookie issue is advertising.
Ad-tech vendors are thus the stakeholders most acutely or directly affected by the deprecation of the third-party cookie and other tracking-limiting and privacy-enhancing features browsers impose.
Why?
Because third-party cookies are how ad-tech vendors can offer behavioural advertising solutions (to publishers and advertisers) based on information like where a visitor is located and what he or she is browsing and buying online.
The third-party cookie, therefore, also enables the technology that automates the instant sale and placement of ads, a.k.a. real-time bidding, by providing necessary data for these processes.
To summarize, the features and services that ad-tech vendors, specifically, and digital advertising, in general, can thank the third-party cookie for range from identification, frequency capping, measuring performance and attribution, audience activation, and cookie-syncing or matching between, for example, demand-side platforms and supply-side platforms.
Naturally, the ad tech industry stands to lose from the demise of the third-party cookie. Especially the vendors that operate outside the walled gardens.
To adapt, ad-tech vendors are seen to move in different directions.
On the one hand, some ad-tech companies are leveraging the value of first-party data by providing first-party data tools and services to businesses.
We also see how they diversify into Data Clean Rooms (DCRs). In this environment, first-party data from different sources can be aggregated and analyzed without, allegedly, exposing sensitive details or violating privacy regulations.
On the other hand, ad-tech vendors within the ad-tech ecosystem are developing alternative identifiers to take the third-party cookies place, but allegedly in a more privacy-friendly way. For example, Unified ID 2.0
If the third-party cookie “is no more,” then we need an alternative solution that can replace it. This is pretty much what the independent ad-tech industry, meaning the ad-tech industry outside of the walled gardens, has said.
What should an alternative ID solution to the third-party cookie look like, then?
Ideally, it should provide consumers with better control, work across channels, be transparent, and perhaps better explain its value to consumers than its predecessor.
All this is super hard to do, so there is not one solution on the market that every stakeholder has embraced. Instead, there are a couple of different universal IDs and so called ID & device graphs.
The above-mentioned Unified ID 2.0 and ID5 are two universal ID examples. In different ways, they enable ad-tech companies to identify users across different devices and websites. But unlike the third-party cookie, these IDs are created by using something called probabilistic data, deterministic data, or both.
And what is that then
Probabilistic data include IP address, browser type and model, and user-agent string.
If you’re going, “isn’t probabilistic data like fingerprinting”, then you’re right. Like fingerprinting, this data gathers information about a user’s device, such as IP address, browser type, and other system information. But unlike “actual” fingerprinting, the point here is to doit with user consent and with trust-building transparency and user control.
Deterministic data can be email addresses orphone numbers or a first-party ID for their anonymous audiences.
If Universal IDs are like a passport numbers that identifies users across websites and platforms, then ID and device graphs are like a map showing all the places each user visits. “Places” like phone, laptop, tablet.
These ID and device graphs can use universal IDs to better do their thing, but a universal ID can work independently without the need for a detailed mapping from and ID graph.
None of them are, however, lawful to use without valid consent.
Chrome phasing out the third-party cookie has become synonymous with the end of the third-party cookie. As mentioned, this is because Chrome has the largest global market share, with more than 60%. And as also mentioned, the cookie deprecation did not begin with Chrome.
Apple and Mozilla announced in 2017 that their Safari and Firefox browsers, respectively, would say goodbye to third-party cookies. Apple now blocks third-party cookies on Safari by default. Mozilla blocks third-party cookies by default and gives users control over the level of protection the prefer, with options to enable strict blocking or customized settings.
Also keep in mind the app echo system. For example, in 2022,Apple required third-party apps running on their devices to obtain opt-in consent before they were allowed to track user activity on other companies ’apps and websites by launching a privacy feature in iOS 14.5 called AppTracking Transparency Framework (ATT). This had huge monetary consequences for Meta and Snap.
The industry lacks a common standard for how the web is made privacy-friendly even though (almost) every web browser agrees that the third-party cookie is a thing of the past.
Browsers are offering a more privacy-safe experience. As we have learned, how they do it differs, meaning there is no industry standard for how the third-party cookie is blocked or phased out and how other tracking technologies are handled.
It highlights how uneven the digital landscape that lies before digital marketers and advertisers will be. It’s a coarse situation, making advertising and analytics complex, where one needs to consider how different browser restrictions affect analytics and retargeting for a certain part of one’s traffic and hence analytics, while also keeping track of what Chrome’s more permissive solution means.
Whether you see yourself as a digital marketing professional or if you represent a company and a website publisher, third-party cookie deprecation is an opportunity to take a step back to figure out what a sustainable marketing model would look like for you or your clients.
First-party data is the key and first-party can be data collected for your needs on a first-party cookie (like AdFixus) for your anonymous as well as the authenticated first-party data.
An excellent place to begin is on your website by doing a data and tracking-inventory and ensuring you collect legal consent.
1. Get a solid Consent Management Platform
By understanding how much data you currently collect and hold and where it came from, you can map out how much of that data you act on and how much is collecting dust and taking up unnecessary server space.
A solid CMP can scan your domains and point out data transfer risks, links to each vendor’s privacy policy, and more. This gives you a list of services placing trackers on your site.
Do you see services you didn’t know you had?
Do you need all of them?
With a Consent Management Platform at the heart of your digital marketing, you also ensure a consent-based approach when you set your post-third-party cookie strategy—enabling compliance with the GDPR, the ePrivacy directive, and other privacy laws worldwide.
2. Make sure you have legal grounds for collecting data
With a CMP in place, you also have a system for managing consent from your users/visitors, which is why a CMP is at the heart of a privacy-friendly marketing strategy—especially in a post-third-party-cookie world.
3. Understand your third- and first-party cookie situation
When mapping your cookie situation as described in point no1, leverage this information to analyze what role these cookies have in your current advertising strategy.
How much of your marketing budget and impressions are tied to behavioural profiling?
4. Rethink your KPIs
The widespread use of ad blockers, privacy-enhancing browser settings, and consumers acting on their distrust have made it increasingly challenging to trust web analytics data and whether what we, as digital marketers, are measuring is relevant.
With that in mind, the post-third-party cookie landscape can be viewed as an opportunity to become more quality-focused and less vanity-focused, to put things crudely.
5. Set up a first-party data strategy
Begin by auditing the first-party data you have. Is the quality good?
How are you leveraging it today? Could you increase the quality of it?
Do not just think about growing your existing first-party audience but also how to deepen the relationships.
And do not collect data about people you do not need or can motivate. The GDPR has a strict purpose limitation rule, and you do not need more information just for the sake of it.
With that said, be creative with it and use it for emails, newsletters, surveys, promotions, digital events, loyalty and reward programs, building communities, and so on—the sky’s the limit.