What are third-party cookies?
Cookies are small text files placed on a user’s browser when visiting a website. There are two types of cookies:
- First-party cookies are created by the website the user is visiting. They enable the site to recognize the user’s device and store information that can improve their browsing experience, like saving items in a shopping cart or remembering that the user is logged in.
- Third-party cookies are placed on a user’s browser by a website other than the one they’re currently visiting. They can track visitors across websites, which enables you to gather data about users’ browsing habits, preferences, and interests. This information is then used to deliver personalized advertising experiences.
Third-party cookies are one of many tracking technologies that you can employ on websites to run analytics solutions, marketing platforms and social media integrations, in addition to online advertising.
Why are third-party cookies under scrutiny?
Third-party cookies not only serve the website they’re placed on, they also serve their providers, and the adtech industry at large revolves around mass data harvesting, profiling, and real-time bidding.
In return for optimization services on your website, a lot of third-party cookies will amass enormous amounts of personal data from your end users — without their consent or often even their knowledge — that is sent, traded and sold in the digital advertising industries.
The types of personal data that third-party cookies harvest range from individual IP addresses, sensitive search and browser history, specific details about devices, to private information about health, sexuality, family, political convictions, religious beliefs and much more.
The problem with third-party cookies is not only the amount of personal data they collect, or the sensitive nature of that data. All of the data that third-party cookies collect can be put together to create extensive profiles on users consisting of thousands upon thousands of data points, such as your Google searches in the last five years, your credit card transactions, your profile on dating apps, and so on.
Inferences are made about the user’s personality and life from these profiles, which can be sold to advertisers, who in turn will target their ads on a micro, individual level.
Third-party cookies supply this raw, privacy-infringing data to a nearly trillion-US-dollar adtech industry that relies on these inferences to predict the behavior of users, which advertisers pay for every day in real-time bidding auctions that make up the mechanics of how personalized ads are shown to users on your website.
Why is Google removing third-party cookies in Chrome, and what does it mean?
In January 2020, Google announced that Chrome would phase out support for third-party cookies in the browser, starting with trials on conversion measurement and personalization by the end of 2020.
Google’s decision to remove Chrome’s third-party cookie support is part of a larger Privacy Sandbox launched in August 2019, a series of initiatives “to develop a set of open standards to fundamentally enhance privacy on the web.”
Google’s Privacy Sandbox initiatives focus on:
- How to deliver ads to people without collecting identifying data from users’ browsers.
- How to enable conversion measurements for advertisers without individual user tracking across the web.
- How to detect and prevent fraud on ads, e.g. bots clicking on ads instead of real users, and fight spam.
- How to strengthen user privacy on the web against cross-site tracking.
- How to safeguard users from hidden data tracking practices.
On June 24, 2021, after considerable industry pushback and a debate about what would replace them, Google announced a two-year delay for the third-party cookie phase-out to the end of 2024.
Google is not the first to make the shift away from third-party cookies. Mozilla’s Firefox, Brave Software’s Brave, and Apple’s Safari browsers have been blocking third-party cookies for years, while major publishers and media houses like the New York Times also are in the process of transitioning away from third-party advertising data entirely.
However, Google’s initiative to kill third-party cookies in Chrome has been met by resistance from the ad tech industry, especially from marketers and advertising agencies. They’re worried that the blanket stop to third-party cookies will hurt the internet economy and particularly startups. They have urged Google to keep third-party cookies in operation until tried and tested alternatives are in place.
If third-party cookies are going away, do websites still need consent?
The end of third-party cookies doesn’t mean the end of the need for user consent.
There are numerous tracking technologies available to determine a user’s identity across websites. Unless Chrome and other web browsers discontinue support not only for third-party cookies, but also for any other kind of similar website tracking techniques, users will still be tracked by some technologies as they browse the internet.
Tracking technologies can also be nested in the services used on websites and apps, so site owners may not always even know what data is being collected by third parties without deep scanning.
That’s why consent remains the central requirement of many of the world’s major data protection laws, led by the European Union’s General Data Protection Regulation (GDPR) and reflected in laws the GDPR has influenced, like Brazil’s LGPD.
Under the jurisdiction of these laws, your website must obtain explicit consent from users before activating cookies, collecting or storing any data on their browsers, or processing personal data for tracking and advertising, regardless of the technology used.
Your website is also obliged to clearly inform end users about the tracking technologies you use, detailing the providers, purposes, and duration of data collection.
You must also safely document the consents obtained and be able to provide the data in the event of an audit or data subject access request. New consent must typically be obtained if the processing conditions — like purpose — change, or after a certain period of time, the length of which is different under each law. Under many laws, users must also be able to change or revoke their consent preferences as easily as they gave consent.
Consent is the cornerstone of privacy-compliant tracking practices, today and in the future.
Consent and Google ads and analytics platforms
Google has already started introducing features and requirements that make consent pivotal to use some of its services and protect user privacy. Recent laws with strong data privacy components, like the EU’s Digital Markets Act (DMA), with requirements that explicitly target Google and other influential tech companies, are at least one likely catalyst for such changes.
Google Consent Mode launched in September 2020 and enabled websites to collect aggregate and non-identifying data as well as display contextual advertisement if end users chose not to give their consent to statistics and marketing cookies. With Google Consent Mode v2, implemented in November 2023, it has evolved into more of a signaling tool, and users’ consent preferences determine whether Google tags collect and process full or anonymized data.
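The signaling described above, as an added example that is not code from Google or Cookiebot: consent defaults to denied before any Google tag runs and is updated once the user has chosen. The category names `statistics` and `marketing` and their mapping to Consent Mode v2 signals are assumptions made for this illustration.

```javascript
// In a page, dataLayer is window.dataLayer; globalThis keeps this runnable in Node too.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // standard Google tag queueing stub

// Assumed CMP categories ("statistics", "marketing") mapped to Consent Mode v2 signals.
function toConsentSignals(prefs) {
  const flag = (ok) => (ok === true ? "granted" : "denied"); // anything but true is denied
  return {
    analytics_storage: flag(prefs.statistics),
    ad_storage: flag(prefs.marketing),
    ad_user_data: flag(prefs.marketing),
    ad_personalization: flag(prefs.marketing),
  };
}

// 1. Before any Google tag runs: deny everything until the user has chosen.
function setDefaultConsent() {
  gtag("consent", "default", toConsentSignals({}));
}

// 2. When the CMP reports the user's choice, or a later change or withdrawal.
function applyUserChoice(prefs) {
  const signals = toConsentSignals(prefs);
  gtag("consent", "update", signals);
  return signals;
}

setDefaultConsent();
applyUserChoice({ statistics: true, marketing: false }); // constructed choice
```

The default call has to be queued before the Google tag loads; otherwise tags can fire before the denied state is in place.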
As of January 2024, publishers who use Google’s AdSense, Ad Manager, or AdMob products must use a Google-certified consent management platform (CMP) to serve ads to website visitors from the European Union (EU), European Economic Area (EEA) and the United Kingdom (UK). To receive certification, a CMP must integrate with the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (IAB TCF v2.2), which aids in aligning with data privacy laws like the GDPR and its strict consent requirements.
What is replacing third-party cookies in Chrome?
Google’s Privacy Sandbox includes APIs and measures designed to support advertising functionalities without relying on tracking users across different websites. Some of these include the following functions.
Topics
Topics enables browsers to share information about users’ interests with third parties without tracking user activity or disclosing their personal information. Topics is “designed to preserve privacy while showing relevant content and ads.” Google has released a list of topics, which it expects to evolve over time.
Private State Tokens
Formerly called Trust Tokens, Private State Tokens are designed to enable websites to determine whether a user is real or a bot without engaging in passive tracking. According to Google, these tokens are encrypted and cannot be used to identify individual users. They can be used to protect advertisers against fraud and enhance user privacy by eliminating the invasive tracking commonly associated with third-party cookies.
Attribution Reporting
Attribution Reporting enables measurement of conversions from ad clicks and views, as well as ads on other platforms, without tracking user activity across websites. It groups user interactions (like ad clicks or views) into large sets, obscuring individual users’ actions. It employs two types of reporting: event-level, which provides detailed conversion data without revealing user identities, and aggregate-level, which presents summarized data across large groups of users.
For a full list of APIs and other measures, you can view Google’s Privacy Sandbox website.
The effectiveness of these new approaches remains unproven, and many details are still being worked out. Website owners and advertisers may need to rely more on first-party data as the move away from using third-party cookies unfolds.
Preparing for Google’s third-party cookie deprecation
Google intends to eliminate the use of third-party cookies for all Chrome users by Q3 2024, and website owners must prepare for how their websites will work once these cookies are deprecated.
To prepare for these changes, you need to know which third-party cookies your website uses. A cookie scanner can tell you.
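The core check behind such an audit, as an added example that is not Cookiebot's scanner: it classifies each `Set-Cookie` header recorded during one page load as first- or third-party by comparing registrable domains, and flags cookies that can still be sent in a third-party context. The hosts, cookie names and the short suffix list are constructed for this illustration.

```javascript
// Simplification: a real audit needs the full Public Suffix List; this
// constructed subset only covers the sample hosts below.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain (eTLD+1): shop.example.co.uk -> example.co.uk
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Parse one Set-Cookie value into the name and the attributes audited here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), secure: false, sameSite: "unset" };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// responses: [{ url, setCookie }] recorded while loading pageUrl.
function auditCookies(pageUrl, responses) {
  const site = registrableDomain(new URL(pageUrl).hostname);
  return responses.map(({ url, setCookie }) => {
    const setBy = registrableDomain(new URL(url).hostname);
    const cookie = parseSetCookie(setCookie);
    return {
      name: cookie.name,
      setBy,
      party: setBy === site ? "first" : "third",
      // Chrome sends a cookie on embedded cross-site requests only if it is SameSite=None and Secure.
      crossSiteUsable: cookie.sameSite === "none" && cookie.secure,
    };
  });
}

// Constructed capture: hosts and cookie names are made up.
const SAMPLE = [
  { url: "https://shop.example.co.uk/", setCookie: "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { url: "https://cdn.example.co.uk/app.js", setCookie: "prefs=dark; Path=/" },
  { url: "https://px.tracker.example.net/pixel.gif", setCookie: "uid=42; Domain=tracker.example.net; Max-Age=31536000; Secure; SameSite=None" },
  { url: "https://ads.other.co.uk/t.js", setCookie: "vis=1; Path=/" },
];
const report = auditCookies("https://shop.example.co.uk/basket", SAMPLE);
console.table(report);
```

Comparing only the last two host labels would treat `ads.other.co.uk` as the same site as `shop.example.co.uk`, which is why the suffix handling matters for the first-party/third-party split.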
The cookie checker in Cookiebot consent management platform (CMP) enables you to conduct a free audit of your website’s cookies. Cookiebot CMP finds all cookies and online trackers used on a website, including:
- Dynamic cookies set during the user’s interaction with the website
- HTML5 Local Storage trackers
- Flash Local Shared Object trackers
- Silverlight Isolated Storage cookies/trackers
- IndexedDB trackers
- Pixel tags
- Ultrasound beacons
In a future without third-party cookies, Cookiebot CMP will still detect the technologies in use to collect personal data from end users, such as Google’s proposed browser APIs for conversion measurement, remarketing and real time ad auctions.
Cookiebot CMP can also help you obtain valid consent under data privacy laws like the GDPR, which is required not only for cookies, but also for other similar website tracking techniques in a cookieless world.
Yes, third-party cookies are on their way out. Multiple browsers have been blocking them for years, and in January 2024, Google Chrome restricted third-party cookies for 1% of its users. The browser’s support of third-party cookies will stop by the end of 2024 for all users as part of Google’s larger Privacy Sandbox strategy. Google Consent Mode was launched in September 2020 and enables your website to run all Google services based on end-user consent.
Most likely, yes. If you use any kind of analytics program, marketing platform or social media integration from larger tech companies, such as Facebook or Google, third-party cookies will be in operation on your website, collecting personal data from your users when they visit your domain.
Tracking cookies are small text files that are placed on a user’s browser when they visit a website. They collect data about the user’s online activities and store information such as device specifications, geographic location, and browsing history. First-party tracking cookies are set by the website the user is visiting, and third-party tracking cookies are set by domains other than the website the user is visiting.
Third-party cookies, in Chrome and everywhere else, collect personal data from your end users. If your users reside in a jurisdiction where a data privacy law requiring prior consent is in place, these cookies are only legal to use if you have asked for and obtained prior and explicit consent from your users. You are required by the EU’s General Data Protection Regulation (GDPR) to inform users of cookies and trackers, their provider, purpose and duration, as well as to document all obtained consents.
Google’s Privacy Sandbox initiative is developing several APIs and other measures designed to support advertising functionalities without relying on third-party tracking cookies. These include interest-based advertising, encrypted tokens to identify real users vs. bots, and conversion measurement that doesn’t reveal user identities.
Using a consent management platform that includes a cookie scanner helps to ensure that your website detects and controls all cookies and trackers in use, delivering transparency and a choice of true consent to end users before collecting and processing their personal data.