Google Delays Removal of Third-Party Cookies in Chrome

Privacy rights are an issue that is just starting to heat up globally. Online privacy is crucial for protecting individuals from a range of potential harms, including criminal activities such as identity theft, financial fraud, and personal harassment. In some cases, privacy is legally protected by laws to prevent potential discrimination based on personal data that could be used inappropriately in settings like employment, health insurance, and access to credit, helping to sustain personal autonomy in society and allowing individuals to engage in their lifestyle activities without interference. In most US states, private investigators must be licensed to collect information about their targets. 

The use of third-party cookies within Internet browsers have long been considered a privacy concern since they are used by online data brokers and marketing agencies to track user activities across the web. Google has publicly claimed that they are moving to phase out third-party cookies in their Chrome browser as early as 2020, however, in 2024 third-party cookies are still part of Chrome and continue to impact individual privacy.

The General Data Protection Regulation (GDPR) requires that websites obtain explicit consent from users before placing non-essential cookies on their devices, while in the US, the California Consumer Privacy Act (CCPA) grants California residents the right to request that a business delete any personal information about them which the business has collected. In this article we will examine what "third-party cookies" really are, and update readers about Google's recent decision to delay the removal of third-party cookies from Chrome. 

What Are Third-Party Cookies?

First we should generally explain cookies. Cookies small data files created by a website you are visiting and stored locally on the user's computer. The information stored in some cookies is not particularly sensitive, but on the other hand, some cookies contain highly sensitive information and are constantly a target for hackers that gain access to your computer. For example, session cookies (aka session tokens) are essential for managing user login status and authorization. Other less sensitive cookies can be used to store settings, user preferences, on the client-side to reduce network traffic and speed up the Internet.  

However, unlike first-party cookies, which collect data only when users interact with the website they originated from, third-party cookies can be accessed by others and can be used to track user activity across multiple websites. This broader tracking makes these cookies particularly useful for advertisers and marketers for targeted advertising and tracking user behaviors​.

Third-party cookies work by embedding JavaScript from an external website into the one being visited. For example, a website might include third-party JavaScript for advertisements or social media integration. These cookies remember stateful information in the otherwise stateless HTTP environment of web browsing. Attributes specified in the HTTP response header determine whether a cookie is first or third-party, with the 'SameSite' attribute playing a crucial role in this determination.

Google Won't Remove Third-Party Cookies From Chrome Until 2025

Google has postponed the removal of third-party cookies from its Chrome browser several times since initially announcing the change in January 2020. So far Google has only conducted a test to phase out cookies for about 1% of its user base, but received criticism from the adtech industry that the alternatives do not fully replicate the current functionality of cookies. Apple and Mozilla announced in 2017 they were going to phase out 3rd party cookies, three years before Google made the commitment. Both Apple's Safari and Mozilla Firefox now block 3rd party cookies by default, and Firefox offers users control over the level of protection, with strict blocking or less strict settings.

The company attributes these delays to significant feedback and pushback from industry participants, regulators, and developers. At the heart of the problem, the transition away from 3rd party cookies is complicated by Google's heavy reliance on advertising revenues and the critical role cookies play in ad targeting and measurement. To rectify this loss of revenue, Google has introduced the Privacy Sandbox initiative, which aims to develop a set of technologies that protect consumer privacy while still enabling effective advertising. However, this has also been complicated by regulatory challenges, particularly from the UK's Competition and Markets Authority (CMA), and the Information Commissioner's Office (ICO) which must approve the new technologies to ensure they don't impede competition.

Google now targets early 2025 to begin phasing out third-party cookies and full implementation of their new Privacy Sandbox, contingent on receiving the necessary regulatory approvals from both the CMA and the ICO.

How Do Data Brokers Benefit From Third-Party Cookies?

Third-party cookies are a crucial tool for data brokers, enabling them to gather extensive data about individuals across multiple websites and build a comprehensive behavior profile that includes a list of interests and daily activities, and lifestyle choices.  Data brokers can then analyze, package, and sell this information, benefiting from the lucrative market for personalized marketing data. However, due to growing privacy concerns and regulatory changes, the use of third-party cookies is facing increasing restrictions, prompting data brokers and advertisers to explore alternative data collection methods.

Here’s some ways that third-party cookies benefit data brokers:

1. Tracking User Behavior: Third-party cookies are placed on websites by entities other than the site owner (hence "third-party"). These cookies track users as they browse different websites, collecting data on their online behavior, preferences, and interests. This information can include pages visited, items purchased, searches made, and even time spent on specific content

2. Building Detailed Profiles: Data brokers use the collected data to build detailed profiles of individuals. These profiles can include not just browsing habits but also inferred information such as likely income level, family size, religion, politics, lifestyle, and interests

3. Segmentation and Targeting: With detailed user profiles, data brokers can segment the population into various categories based on demographics, behavior, or other criteria. These segments are sold to marketers, advertisers, and other businesses looking to target specific groups of people with tailored marketing campaigns and special offers

4. Selling Data and Insights: Data brokers sell the information and insights gleaned from third-party cookies to various companies, including advertisers, retailers, and financial services. These businesses use the data to tailor their marketing strategies, improve customer understanding, and optimize their advertising campaigns for better ROI

5. Ad Personalization: One of the direct uses of data collected through third-party cookies is to personalize ads based on a user's past browsing behavior. This increases the effectiveness of ads, as they are more relevant to the user's interests, leading to higher engagement and conversion rates

Conclusion

Google's ongoing delay in phasing out third-party cookies in Chrome underscores a significant challenge in balancing privacy concerns with the practicalities of digital advertising. Initially proposed in 2017 by Apple and Mozilla, Google made its first promise to remove 3rd party cookies in 2020. However, the removal has been postponed multiple times, now targeting early 2025 due to adtech industry feedback and regulatory scrutiny, particularly from the UK's Competition and Markets Authority (CMA) and the Information Commissioner's Office (ICO), which must ensure that new technologies like Google's Privacy Sandbox do not harm competition or consumer privacy.

Also, as third-party cookies face increasing restrictions due to privacy concerns and laws such as the EU's GDPR and California's CCPA, data brokers and advertisers are compelled to explore alternative data collection methods, indicating a significant shift in how personal data is gathered and used.

Looking for more cybersecurity updates and news? Sign up for our informational zero-spam newsletter.