Updated August 4, 2022.
Google has announced that it will stop the use of third-party cookies in Chrome by the end of 2024, joining a growing list of browsers ditching the notorious tracking technology.
But the end of third-party cookies does not mean the end of tracking – and the need for true end-user consent to process personal data will persist long after third party cookies and the technologies replacing them.
In this blogpost, we look at the implications around the end of third-party cookies in Chrome, the misunderstandings, and why consent is the platform for compliant tracking now and in the future.
Google killing third-party cookies in Chrome and what this means
Let’s make it very clear: the end of third-party cookies is not the end of tracking.
Google ending Chrome’s support of third-party cookies is also not the end of tracking in Chrome.
Third-party cookies are far from the only technology used today for persistent and pervasive tracking of users across the Internet, and it won’t be the last either.
Existing technologies that can track users just like third-party cookies include –
- Local Storage
- Web SQL
- and any other technology that makes it possible to save data on a user’s device from browsers (as cookies do).
Other browsers (like Safari) have been blocking third-party cookies for years, and we’ve seen repeatedly that trackers simply resort to workarounds, other methods and new technologies that make them able to track users just the same.
The damning report by Cookiebot CMP about third-party tracking on EU government and health websites from 2019 revealed that Facebook bypassed third-party cookies by instead using first-party cookies combined with a pixel tracker to ensure continued, unconsented surveillance of EU citizens.
First-party cookies will still function by default in browsers that block third-party cookies (also in Google Chrome), and they will continue to require consent in most cases, unless the purpose of a cookie is ‘strictly necessary’ to the basic operation of a website.
Google’s plan to phase out third-party cookies in Chrome is part of a larger strategy of creating a privacy sandbox with open standards for tracking users while protecting their privacy (e.g. through new browser APIs like trust tokens), but it’s facing heavy challenges in the forms of antitrust investigations from both the EU Commission and the UK’s Competition and Markets Authority (CMA).
Tracking technologies are changing, but data protection laws require the same: end-user consent.
Some of these new standards could very well end up strengthening tracking, since the new technologies (like trust tokens) will ensure an even greater level of certainty around reidentification of users, and thereby only fix issues in tracking precision and ad fraud by bots that remain two major headaches for the adtech industry today.
Even though they might replace third-party cookies in Chrome, trust tokens won’t exist in a vacuum.
There are numerous ways for trackers to determine a user’s identity across sites, which means that unless Chrome and other browsers not only discontinue support of third-party cookies, but also of any other kind of similar tracking techniques, trust tokens will most likely not provide a greater level of privacy protection and only benefit the ad tech industry itself.
Consent – now and in the future
That’s why consent remains the central requirement of the world’s major data protection laws, led by the EU’s General Data Protection Regulation (GDPR) and reflected in emerging laws like Brazil’s LGPD.
The end of third-party cookies also doesn’t mean the end of consent.
On the contrary, your website will still need to ask for and obtain the explicit consent of users before any data is allowed to be stored, on a user’s browser, regardless of what technology is used; be it third-party cookies, Local Storage or trust tokens.
Your website will still be required to inform its end-users about whatever technology you use to collect personal data, including its provider, purpose and duration, and to document safely the obtained consents, and to renew them at least annually.
Consent is the platform for compliant tracking today and in the future.
Consent not only remains fundamental to most data privacy laws, it is also becoming more and more central to the adtech industry itself – a movement solidified by Google’s launch in September 2020 of Google Consent Mode that lets websites run all Google-services based on the consent of their end-users – balancing compliance and tracking on the ground of consent.
Google Consent Mode is a clear signal of intention from one of the world’s biggest tech companies to move the adtech industry in the direction of consent, and to balance digital advertisement with data privacy.
So, while third-party cookies in Chrome might fade out of use within the next few years, consent is poised to take center stage, at Google and beyond, integrating even closer and more seamlessly with the tracking technologies of tomorrow and the adtech industry itself.
Is there a need for Cookiebot CMP when third-party cookies are phased out?
Yes – plain and simple.
Cookiebot CMP by Usercentrics is a consent management platform (CMP) that – despite our name – manages end-user consents for personal data processing through myriads of technologies, including but in no way limited to third-party cookies!
The cookie is simply the most well-known name for a small part of the technologies available today for the tracking and surveillance of users online; most of which Cookiebot CMP already detects and takes full control over to ensure true and transparent consent for your website’s users.
Any tracking technology (like 3rd-party cookies) collecting personal data is only legal if you have the prior consent from your end-users.
Today, Cookiebot CMP scans for, detects and controls all Local Storage, IndexedDB, ultrasound beacons, pixel tags, Silverlight Isolated Storage, HTML5 Local Storage and many other tracking technologies in use on the Internet.
In the future without third-party cookies, Cookiebot CMP will still detect whatever other technology is used to collect personal data from end-users, e.g. Google’s proposed browser API’s for conversion measurement, re-marketing and real time ad auctions.
Cookiebot CMP is a world-leading solution that works by simulating multiple real-world users interacting with your website (clicking, scrolling and doing everything a human being would do on a site) in order to activate all cookies and trackers in operation.
Cookiebot CMP consent banner that offers transparency and full control of all tracking technologies.
Cookiebot CMP then blocks all trackers and presents your end-users with a simple, straightforward consent banner that informs them on a granular, detailed level of all the important specifications such as provider, purpose and duration of the tracking technologies in place on the website.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Google Chrome third-party cookies phase out, in detail
Let’s take a closer look at third-party cookies in general, Google’s decision to end third-party cookies in Chrome as part of its larger Privacy Sandbox initiative, as well as why consent is becoming hard to ignore for the adtech industry at large.
Third-party cookies, what’s the problem?
Third-party cookies are one among many tracking technologies provided by a third party – often an adtech company like Google – that you employ on your website for the benefit of running analytics solutions, marketing platforms and social media integrations.
However, third-party cookies not only serve you and your website, they also serve their providers, and the adtech industry at large revolves around mass data harvest, profiling and real-time bidding.
In return for optimization services on your website, a lot of third-party cookies will amass enormous amounts of personal data from your end-users that is sent, traded and sold in the digital advertising industries.
The types of personal data that third-party cookies harvest range from individual IP addresses, sensitive search and browser history, specific details about devices, to private information about health, sexuality, family, political convictions, religious beliefs and much more.
Third-party cookies, one of many tracking technologies, form the supply chains of a giant adtech industry that starts on your website, with your users and their private data.
The problem with third-party cookies is not only the amount of personal data they collect, or the sensitive nature of that data – it’s also that all of the data that 3rd-party cookies collect can be put together to create extensive profiles on users consisting of thousands upon thousands of data points (your Google searches in the last five years, your credit card transactions, your profile on dating apps and so on).
Inferences are made about the user’s personality and life from these profiles, predictions about way of life and life situations that can be sold to advertisers, who in turn will target their ads on a micro, individual level.
Third-party cookies supply this raw, privacy-infringing data to a billion-dollar adtech industry that relies on these inferences topredict the behavior of users, which advertisers pay for every day in real-time bidding auctions that make up the mechanics of how personalized ads are shown to users on your website.
Third-party cookies scanned, detected and controlled by Cookiebot CMP’s unmatched scanner on a customer website.
Usercentrics, the parent company of Cookiebot CMP, works to combat the pervasive, unconsented third-party tracking of end-users on the Internet, and our consent management platform strikes a balance on your website so that you can use third-party cookies to run analytics and marketing, but entrust your users with a real, transparent choice of consent first – as is the core requirement of the GDPR.
Google’s Privacy Sandbox and third-party cookies in Chrome
In January 2020, Google published a blogpost announcing that Chrome would phase out support for third-party cookies in the browser, starting with trials on conversion measurement and personalization by the end of 2020.
On June 24, 2021, after considerable industry pushback and a debate about what would replace them, Google announced a two-year delay for the third-party cookie phase out to end of 2024.
The timeline for Google’s third-party cookie phaseout is set to begin in 2024.
Google is not the first to move away from third-party cookies, both Safari and Brave have been blocking them for years, while major publishers and media houses, like the New York Times, also are in the process of transitioning away from third-party advertising data entirely.
But Google’s decision to phase out Chrome’s third-party cookie support is part of a larger Privacy Sandbox launched in August 2019 – a series of initiatives “to develop a set of open standards to fundamentally enhance privacy on the web.”
However, Google’s initiative to kill third-party cookies in Chrome has been met by resistance from the ad tech industry, especially from marketers and advertising agencies who are worried that the blanket stop to third-party cookies will hurt the internet economy and particularly start-ups, urging Google to keep third-party cookies in operation until tried and tested alternatives are in place.
3rd-party cookies are being replaced with new technologies that have inbuilt privacy by design.
Google’s Privacy Sandbox initiatives focus on –
- How to deliver ads to large groups of people without collecting identifying data from users’ browsers.
- How to enable conversion measurements for advertisers without individual user tracking across the web.
- How to detect and prevent fraud on ads, e.g. bots clicking on ads instead of real users.
- How to let websites collect user data from browser API’s that maintain the anonymity of individual users.
Some of these initiatives have already taken concrete form, such as the Google Consent Mode launched in September 2020 that lets websites collect aggregate and non-identifying data as well as display contextual advertisement, if end-users choose not to give their consent to statistics and marketing cookies.
Cookiebot CMP integrates seamlessly with Google Consent Mode and makes compliance and optimization an easy all-in-one solution for your website.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Trust token API & FLoC
One of Google’s initiatives is to replace third-party cookies in Chrome with so-called trust tokens.
Google’s trust token API would replace third-party cookies in Chrome with non-personalized, cryptographically signed tokens to authenticate a user.
Websites can “spend” trust tokens to determine whether a user is real or a bot, i.e. ensuring a much greater level of certainty for advertisers when reidentifying users, but also ensuring a greater level of privacy for the individual user, who will not be tracked down to the level of detail of cookies described above that can be extremely privacy-infringing.
The trust token API would allow websites and advertisers to only know about users to a certain level and block attempts to know users on an individual level, unlike Google’s third-party cookies today.
However, Google’s proposal for trust tokens still means that users will have to give out personal data in combination with other API’s in the Privacy Sandbox (such as Google’s Federated Learning of Cohorts or FLoC), which place users in aggregated ad target groups (so-called “flocks”), requiring the processing of personal data.
While processing of personal data by trust tokens and FLoC would be done on the user’s browser and not by third parties, Chrome would still be processing data such as browsing history in order to group users into flocks – groups of similar users that advertisers can target for marketing.
Flocks are in general based on the same principle as today’s system of real time bidding (RTB), where advertisers place bids on displaying an ad to a website visitor based on a tracking profile placing the user in specific, topic-based interest groups.
The FLoC and other of Google’s Privacy Sandbox APIs will use similar groups, only they will be stored on the browser and not by a third-party company.
Nevertheless, placing users in flocks will likely reveal personal details that can be related to your browser authentication profile either directly or by inference, thereby requiring consent under the EU’s General Data Protection Regulation (GDPR).
These “interest groups” from the Privacy Sandbox have not yet been defined but could for example reveal information about your health, sexual orientation, religious beliefs – all information considered to be sensitive personal data under GDPR.
This could happen even when users are only placed in aggregated interest group (flocks) as well.
Anything from IP addresses, emails, and device details might still be collected and processed via trust tokens, which means that according to most major data privacy laws in the world, you would still need the explicit consent of end-users before employing them on your website.
The Electronic Frontier Foundation (EFF) describes Google’s FLoC technology as “bad for privacy”, emphasizing that putting users into groups, or “flocks”, would be a “behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate.”
Google Privacy Sandbox APIs are at an early development stage and are facing basic challenges that still need to be solved, since a lot of tracking workarounds still exist at this stage, e.g. ad networks can still correlate requests from the same user, and the publisher’s ad network can learn about which interest group the winning ad was targeted at if the advertiser’s ad network cooperates with them.
But the road ahead for Google’s testing and implementation of FLoC might not be a straight and easy one.
Google has already decided not to run preliminary tests of FLoC in Europe fearing that it won’t be compatible with the EU’s General Data Protection Regulation (GDPR), specifically when it comes to determining who will be the designated as data controller and data processor – to central provisions in the EU-wide data protection regulation.
Meanwhile, news that the browsers DuckDuckGo and Brave will block FLoCs by default while millions of Chrome users have been added to Google’s FLoC testing project without notice or opt-out option spells troubled waters for one of Google’s core Privacy Sandbox initiatives. The major publisher The Guardian has also decided to opt-out of the FLoC trials, citing privacy implications assessments.
Why consent is here to stay
The basic idea that a person online gets to say “yes” or “no” to strangers who want to collect their personal data is simple and powerful.
Consent lies at the very center of the most important data privacy law in the world, the EU’s General Data Protection Regulation (GDPR) and it is spreading fast around the world, to Brazil’s LGPD, Thailand’s PDPA, Singapore’s PDPA, South Africa’s POPIA and many other places.
A simple, practical, yet powerful idea: end-user consent
Consent is such a powerful idea that Google – the largest tech company in the world – has taken a decisive turn towards it with Google Consent Mode, installing it as a core driver in how all their services run.
Google Consent Mode is a clear indication that the adtech industry at large sees consent and realizes that it isn’t something to be ignored.
Cookiebot CMP by Usercentrics works to strike a balance between end-user privacy and the adtech industry that enables the free content which has come to define the Internet as we know it. We at Usercentrics will continue to provide full transparency with unmatched scanning technology and true end-user consent management now, after cookies, and whatever comes next.
Are third-party cookies in Chrome ending?
Yes, third-party cookies are on their way out – multiple browsers have been blocking them for years, and Google Chrome’s support of third-party cookies will stop by the end of 2024, as part of their larger Privacy Sandbox strategy. Google Consent Mode was launched in September 2020 and enables your website to run all Google-services based on end-user consent.
Does my website use third-party cookies?
Most likely yes. If you use any kind of analytics program, marketing platform or social media integration from larger tech companies, such as Facebook or Google, third-party cookies will be in operation on your website, collecting personal data from your users when they visit your domain.
Are third-party cookies legal?
Third-party cookies, in Chrome and everywhere else, collect personal data from your end-users, which means that they are only legal to use if you have asked for and obtained the prior and explicit consent from your users to do so. You are required by the EU’s General Data Protection Regulation (GDPR) to inform users of cookies and trackers, their provider, purpose and duration, as well as to document all obtained consents.
How can I make my website GDPR compliant?
Using a consent management platform ensures that your website detects and controls all cookies and trackers, delivers transparency and a choice of true consent to its end-users before collecting and processing their personal data.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.