Logo Logo
Cookiebot

The EU's GDPR and California's CCPA both affect how your website is allowed to handle the personal data of users.

Try our free website scan to see how your website tracks and handles personal information.

Google is ending third-party cookies in Chrome by 2022.

Updated September 23, 2020.


Google announced in early 2020 that they will stop the use of third-party cookies in Chrome before 2022, joining a growing list of browsers ditching the notorious tracking technology.

But the end of third-party cookies does not mean the end of tracking – and the need for true end-user consent to process personal data will persist long after third party cookies and the technologies replacing them.

In this blogpost, we look at the implications around the end of third-party cookies in Chrome, the misunderstandings, and why consent is the platform for compliant tracking now and in the future.


Quick summary


Google killing third-party cookies in Chrome and what this means

Let’s make it very clear: the end of third-party cookies is not the end of tracking.

Google ending Chrome’s support of third-party cookies is also not the end of tracking in Chrome.

Third-party cookies are far from the only technology used today for persistent and pervasive tracking of users across the Internet, and it won’t be the last either.

Existing technologies that can track users just like third-party cookies include –

Other browsers (like Safari) have been blocking third-party cookies for years, and we’ve seen repeatedly that trackers simply resort to workarounds, other methods and new technologies that make them able to track users just the same.

Cookiebot’s damning report about third-party tracking on EU government and health websites from 2019 revealed that Facebook bypassed third-party cookies by instead using first-party cookies combined with a pixel tracker to ensure continued, unconsented surveillance of EU citizens.

First-party cookies will still function by default in browsers that block third-party cookies (also in Google Chrome), and they will continue to require consent in most cases, unless the purpose of a cookie is ‘strictly necessary’ to the basic operation of a website.

Google’s plan to phase out third-party cookies in Chrome is part of a larger strategy of creating a privacy sandbox with open standards for tracking users while protecting their privacy (e.g. through new browser APIs like “trust tokens”).



Third-party cookies in Chrome is being phased out by Google.

Tracking technologies are changing, but data protection laws require the same: end-user consent.



Some of these new standards could very well end up strengthening tracking, since the new technologies (like trust tokens) will ensure an even greater level of certainty around reidentification of users, and thereby only fix issues in tracking precision and ad fraud by bots that remain two major headaches for the adtech industry today.

Even though they might replace third-party cookies in Chrome, trust tokens won’t exist in a vacuum.

There are numerous ways for trackers to determine a user's identity across sites, which means that unless Chrome and other browsers not only discontinue support of third party cookies, but also of any other kind of similar tracking techniques, trust tokens will most likely not provide a greater level of privacy protection and only benefit the adtech industry itself.


Consent - now and in the future

That's why consent remains the central requirement of the world’s major data protection laws, led by the EU’s General Data Protection Regulation (GDPR) and reflected in emerging laws like Brazil’s LGPD.

The end of third-party cookies also doesn’t mean the end of consent.

On the contrary, your website will still need to ask for and obtain the explicit consent of users before any data is allowed to be stored, on a user’s browser, regardless of what technology is used; be it third-party cookies, Local Storage or trust tokens.

Your website will still be required to inform its end-users about whatever technology you use to collect personal data, including its provider, purpose and duration, and to document safely the obtained consents, and to renew them at least annually.

Consent is the platform for compliant tracking today and in the future.

Consent not only remains fundamental to most data privacy laws, it is also becoming more and more central to the adtech industry itself – a movement solidified by Google’s launch in September 2020 of Google Consent Mode that lets websites run all Google-services based on the consent of their end-users – balancing compliance and tracking on the ground of consent.

Google Consent Mode is a clear signal of intention from one of the world’s biggest tech companies to move the adtech industry in the direction of consent, and to balance digital advertisement with data privacy.

So, while third-party cookies in Chrome might fade out of use within the next few years, consent is poised to take center stage, at Google and beyond, integrating even closer and more seamlessly with the tracking technologies of tomorrow and the adtech industry itself.


Is there a need for Cookiebot in two years?


Yes – plain and simple.

Cookiebot is a consent management platform (CMP) that – despite our name – manages end-user consents for personal data processing through myriads of technologies, including but in no way limited to third-party cookies!

The cookie is simply the most well-known name for a small part of the technologies available today for the tracking and surveillance of users online; most of which Cookiebot already detects and takes full control over to ensure true and transparent consent for your website’s users.



Google Chrome ends third-party cookies.

Any tracking technology (like 3rd-party cookies) collecting personal data is only legal if you have the prior consent from your end-users.



Today, Cookiebot scans for, detects and controls all Local Storage, IndexedDB, ultrasound beacons, pixel tags, Silverlight Isolated Storage, HTML5 Local Storage and many other tracking technologies in use on the Internet.

In the future without third-party cookies, Cookiebot will still detect whatever other technology is used to collect personal data from end-users, e.g. Google’s proposed browser API’s for conversion measurement, re-marketing and real time ad auctions.

Cookiebot’s world-leading consent management platform works by simulating multiple real-world users interacting with your website (clicking, scrolling and doing everything a human being would do on a site) in order to activate all cookies and trackers in operation.



Third-party cookies in Chrome will end by 2022.

Cookiebot’s consent banner that offers transparency and full control of all tracking technologies.



Cookiebot then blocks all trackers and presents your end-users with a simple, straightforward consent banner that informs them on a granular, detailed level of all the important specifications such as provider, purpose and duration of the tracking technologies in place on the website.

Cookiebot enables compliance with data protection laws such as the EU’s GDPR, California’s CCPA, Brazil’s LGPD and more.

Try Cookiebot free for 30 days – or forever if you have a small website.

Scan your website for free to see what tracking technologies are in operation

Get started with Google Consent Mode




Cookiebot secures consent even after the end of third-party cookies.



Google Chrome third-party cookies phase out, in detail


Let’s take a closer look at third-party cookies in general, Google’s decision to end third-party cookies in Chrome as part of its larger Privacy Sandbox initiative, as well as why consent is becoming hard to ignore for the adtech industry at large.


Third-party cookies, what’s the problem?

Third-party cookies are one among many tracking technologies provided by a third party – often an adtech company like Google – that you employ on your website for the benefit of running analytics solutions, marketing platforms and social media integrations.

However, third-party cookies not only serve you and your website, they also serve their providers, and the adtech industry at large revolves around mass data harvest, profiling and real-time bidding.

In return for optimization services on your website, a lot of third-party cookies will amass enormous amounts of personal data from your end-users that is sent, traded and sold in the digital advertising industries.

The types of personal data that third-party cookies harvest range from individual IP addresses, sensitive search and browser history, specific details about devices, to private information about health, sexuality, family, political convictions, religious beliefs and much more.



The end of third-party cookies in Chrome is not the end of consent.

Third-party cookies, one of many tracking technologies, form the supply chains of a giant adtech industry that starts on your website, with your users and their private data.



The problem with third-party cookies is not only the amount of personal data they collect, or the sensitive nature of that data – it’s also that all of the data that 3rd-party cookies collect can be put together to create extensive profiles on users consisting of thousands upon thousands of data points (your Google searches in the last five years, your credit card transactions, your profile on dating apps and so on).

Inferences are made about the user’s personality and life from these profiles, predictions about way of life and life situations that can be sold to advertisers, who in turn will target their ads on a micro, individual level.

Third-party cookies supply this raw, privacy-infringing data to a billion-dollar adtech industry that relies on these inferences to predict the behavior of users, which advertisers pay for every day in real-time bidding auctions that make up the mechanics of how personalized ads are shown to users on your website



Third-party cookies scanned and controlled by Cookiebot for compliance.

Third-party cookies scanned, detected and controlled by Cookiebot’s unmatched scanner on a customer website.



Cookiebot has been working since 2012 to combat the pervasive, unconsented third-party tracking of end-users on the Internet, and our consent management platform strikes a balance on your website so that you can use third-party cookies to run analytics and marketing, but entrust your users with a real, transparent choice of consent first – as is the core requirement of the GDPR.

Scan your website to see what cookies and trackers are in operation

Try Cookiebot free for 30 days – or forever if you have a small website.



Google’s Privacy Sandbox and third-party cookies in Chrome

In January 2020, Google published a blogpost announcing that Chrome would phase out support for third-party cookies in the browser within two years, starting with trials on conversion measurement and personalization by the end of 2020.

This made headlines across the Internet and led to a debate about what would happen after the end of third-party cookies, and what would replace them.

Google is not the first to move away from third-party cookies, both Safari and Brave have been blocking them for years, while major publishers and media houses, like the New York Times, also are in the process of transitioning away from third-party advertising data entirely.

But Google’s decision to phase out Chrome’s third-party cookie support is part of a larger Privacy Sandbox launched in August 2019 – a series of initiatives “to develop a set of open standards to fundamentally enhance privacy on the web.”

However, Google’s initiative to kill third-party cookies in Chrome has been met by resistance from the adtech industry, especially from marketers and advertisement agencies who are worried that the blanket stop to third-party cookies will hurt the internet economy and particularly start-ups, urging Google to keep third-party cookies in operation until tried and tested alternatives are in place.



Cookiebot detects and controls all cookies and tracking technologies on your website.

3rd-party cookies are being replaced with new technologies that have inbuilt privacy by design.



Google’s Privacy Sandbox initiatives focus on –

Some of these initiatives have already taken concrete form, such as the Google Consent Mode launched in September 2020 that lets websites collect aggregate and non-identifying data as well as display contextual advertisement, if end-users choose not to give their consent to statistics and marketing cookies.

Cookiebot is one of a handful of consent management platforms selected by Google to collaborate on Google Consent Mode.

Cookiebot integrates seamlessly with Google Consent Mode and makes compliance and optimization an easy all-in-one solution for your website.

Get started with Google Consent Mode

Try Cookiebot free for 30 days – or forever if you have a small website.

Learn more about the details of Google’s Privacy Sandbox


Trust token API

One of Google’s initiatives is to replace third-party cookies in Chrome with so-called trust tokens.

Google’s trust token API would replace third-party cookies in Chrome with non-personalized, cryptographically signed tokens to authenticate a user.

Websites can “spend” trust tokens to determine whether a user is real or a bot, i.e. ensuring a much greater level of certainty for advertisers when reidentifying users, but also ensuring a greater level of privacy for the individual user, who will not be tracked down to the level of detail of cookies described above that can be extremely privacy-infringing.

The trust token API would allow websites and advertisers to only know about users to a certain level and block attempts to know users on an individual level, unlike Google’s third-party cookies today.

However, Google’s proposal for trust tokens still means that users will have to give out personal data in combination with other API’s in the Privacy Sandbox that place users in aggregated ad target groups, requiring the processing of personal data.

These groups are in general based on the same principle as today’s system of real time bidding (RTB), where advertisers place bids on displaying an ad to a website visitor based on a tracking profile placing the user in specific, topic-based interest groups.

The Privacy Sandbox APIs will use similar groups, only they will be stored on the browser and not by a third-party company.

Nevertheless, placing users in a certain group will likely reveal personal details that can be related to your browser authentication profile either directly or by inference, thereby requiring consent.

These interest groups from the Privacy Sandbox have not yet been defined but could for example reveal information about your health, sexual orientation, religious beliefs – all information considered to be sensitive personal data under GDPR.

This could happen even when users are only placed in aggregated interest group as well.

Anything from IP addresses, emails, and device details might still be collected and processed via trust tokens, which means that according to most major data privacy laws in the world, you would still need the explicit consent of end-users before employing them on your website.

Google Privacy Sandbox APIs are at an early development stage and are facing basic challenges that still need to be solved, since a lot of tracking workarounds still exist at this stage, e.g. ad networks can still correlate requests from the same user, and the publisher's ad network can learn about which interest group the winning ad was targeted at if the advertiser's ad network cooperates with them.



Why consent is here to stay


The basic idea that a person online gets to say “yes” or “no” to strangers who want to collect their personal data is simple and powerful.

Consent lies at the very center of the most important data privacy law in the world, the EU’s General Data Protection Regulation (GDPR) and it is spreading fast around the world, to Brazil’s LGPD, Thailand’s PDPA, Singapore’s PDPA, South Africa’s POPIA and many other places.



Consent with Cookiebot for full GDPR compliance.

A simple, practical, yet powerful idea: end-user consent



Consent is such a powerful idea that Google – the largest tech company in the world – has taken a decisive turn towards it with Google Consent Mode, installing it as a core driver in how all their services run.

Google Consent Mode is a clear indication that the adtech industry at large sees consent and realizes that it isn’t something to be ignored.

Cookiebot welcomes new and less harmful tracking methods online that can help balance data privacy and digital advertising based on consent.

Cookiebot has been working since 2012 to strike a balance between end-user privacy and the adtech industry that enables the free content which has come to define the Internet as we know it. We will continue to provide full transparency with unmatched scanning technology and true end-user consent management now, after cookies, and whatever comes next.

Try Cookiebot free for 30 days – or forever if you have a small website.

Scan your website for free to see what tracking technologies are in operation

Get started with Google Consent Mode

Learn more about 3rd-party cookies and how they track


FAQ


Are third-party cookies in Chrome ending?

Yes, third-party cookies are on their way out – multiple browsers have been blocking them for years, and Google Chrome’s support of third-party cookies will end by 2022, as part of their larger Privacy Sandbox strategy. Google Consent Mode was launched in September 2020 and enables your website to run all Google-services based on end-user consent.

Learn more about Google Consent Mode


Does my website use third-party cookies?

Most likely yes. If you use any kind of analytics program, marketing platform or social media integration from larger tech companies, such as Facebook or Google, third-party cookies will be in operation on your website, collecting personal data from your users when they visit your domain.

Learn more about how website tracking works


Are third-party cookies legal?

Third-party cookies, in Chrome and everywhere else, collect personal data from your end-users, which means that they are only legal to use if you have asked for and obtained the prior and explicit consent from your users to do so. You are required by the EU’s General Data Protection Regulation (GDPR) to inform users of cookies and trackers, their provider, purpose and duration, as well as to document all obtained consents.

Learn more about GDPR and cookie consent


How can I make my website GDPR compliant?

Using a consent management platform ensures that your website detects and controls all cookies and trackers, delivers transparency and a choice of true consent to its end-users before collecting and processing their personal data.

Try Cookiebot free for 30 days – or forever if you have a small website.


Resources


Announcement: Google ends third-party cookies in Chrome

Cookiebot report on third-party tracking on EU government and health sites

How do websites track users? Technologies and methods

What is real-time bidding and how does it work?

Google’s trust tokens to replace third-party cookies in Chrome

GDPR and cookie consent

New Google Consent Mode 

Cookiebot integrates perfectly with the new Google Consent Mode.

Make your website’s use of cookies and online tracking compliant today

Try for free