The future of cookies has been hard to predict, with twists and turns and surprises, including Google’s struggles with regulators, and rising tide of data privacy fines for brands. Currently, Google is promoting its Privacy Sandbox as the path forward while it threads the needle between consumer choice and regulatory risk due to its monopoly status.
Google’s Privacy Sandbox is a complex initiative that aims to reshape the landscape of online privacy and targeted advertising. At the heart of this initiative lies the will-they-won’t-they, often-delayed demise of third-party cookies in the Chrome browser. We’ll dig deeper into what this means for marketers and how it will impact your strategies.
But first, we need context about two things: Google’s own strategies regarding regulators and monopolies, and what it means for all the cookies marketers have come to rely on.
Google’s Two Monopolies? Three? Four?
Let’s take a look at why Google is the sole arbiter of the future of cookies.
In August 2024, a ruling by Judge Amit Mehta found Google guilty of maintaining monopolies in the US general search services and general search advertising markets.
In October, the US Department of Justice suggested that the monopoly may extend beyond search and advertising to the browser and Android ecosystems.
If there are so many browser choices, how can Google be a monopoly? Because nearly every major browser other than Firefox is now powered by Chromium, the open source browser at the heart of Chrome. As seen in many memes.
This matters for cookies and privacy, because the DOJ is arguing that Google’s dominance of both browsers and search “significantly narrows the available channels of distribution and thus disincentivizes the emergence of new competition.”
This regulatory scrutiny reduced the likelihood of Google single-handedly ending the use of cookies, which could be seen as an anti-competitive move, particularly against its adtech competitors, through the use of its browser monopoly.
So what exactly is going on with cookies, and what might Google do next? Let’s dig into cookies and parties. Both sound fun, but in this case, sadly, not really.
Users and parties and cookies
What are the parties involved in cookies?
The userhaha just kidding. You would think that the user is one of the three parties, but no. We don’t count. First party in this case refers to the publisher of the website or app.- Second-party cookies are not consistently defined. Some definitions don’t acknowledge second-party cookies. Others use this to refer to trusted data partners defined under the Data Processing Agreement required by GDPR.
- Providers of advertising, audience profiling, tracking, analytics, etc., that are not directly affiliated with the first party.
First-party cookies can track things like authentication status, session data, user interactions with what’s on the screen, in order for the app to function, etc.
Third-party cookies track user behavior across multiple websites and devices. This information enables personalized advertising, retargeting campaigns, and detailed audience profiling.
Are Martech vendors caught in the middle?
It seems simple enough, but there is a whole category of martech vendors that don’t fit neatly in either the second or third party. Think about the tools a typical marketer uses for analytics, heat mapping, identification of visitors, progressive forms, and a dozen other categories. From a business definition, these can be seen as second-party cookies, and might even be listed on your data processing agreement as a “third party” doing work on behalf of the second party.
Depending on exactly how the “end of third party cookies” comes about, there could be a whole lot of marketers, and martech vendors, experiencing a whole lot of pain and confusion.
Currently, Google’s efforts at moving to cookie alternatives don’t seem to be focused on these vendors. The focus is on advertising platforms, and other adtech. But as we’ll talk about in a bit, Google has muddied the waters by putting deprecation notices on a wide swath of cookies, not just third-party adtech.
Later on we’ll explore different scenarios and how martech vendors might be affected. But for now, let’s look at Google’s approach to third-party cookies and the Privacy Sandbox.
Why is Google eliminating third-party cookies?
Google believes third-party cookies pose several privacy concerns. They argue that these cookies allow for intrusive tracking without users’ explicit knowledge or consent. Furthermore, Google contends that third-party cookies often lead to subpar and intrusive targeted advertising. And, of course, because they own the ecosystems, they have some potential advantages in a post-cookie advertising world.
Alternatives to third-party cookies
Google has proposed several potential alternatives to third-party cookies, including:
First-Party Cookies: These cookies are stored by the website you’re currently visiting and can track your activity on that specific site but not across different domains.
Privacy Sandbox APIs: These APIs grant businesses limited access to specific types of user data, such as browsing history and location data, without the use of third-party cookies.
Federated Learning of Cohorts (FLoC): This technology enables businesses to target ads to groups of users with similar interests without collecting individual user data.
Google has been quite active with the Privacy Sandbox, rolling out updates, tools, and guides for adtech providers who are working on using the new APIS or FloC. September’s updates included:
- Enhanced deal support
- New “clickiness” signals for bidding
- Extended interest group lifespan
Note that these are all aimed at adtech platforms dealing in the supply and demand of audiences and ad inventory, measuring user engagement, and tracking users and cohorts across larger time spans. Nothing has been provided for martech vendors looking to upgrade the performance or privacy of their tools.
What about cookie managers?
Privacy platforms like OneTrust and Osano provide robust tools for managing cookies, publishing data policies and consent policies. This can be a huge help to brands who are wrestling with cookie compliance. It’s important to note that most of these tools do not automatically implement compliance, either in terms of technical behavior, or in alignment of the digital behavior of your website or app with your stated cookie and data policies. Testing and monitoring is still critical to protect user intent and mitigate risk of regulatory fines.
At least one vendor, Osano, does offer a guarantee to customers. If you’re using their platform and you receive a penalty or fine under a privacy regulation issued by a data protection authority (DPA) that is the result of their platform, they will pay the fine or penalty, up to $200,000. Which could bring some peace of mind for brands trying to reduce regulatory risk.
What about server-side tracking?
Server-side tracking technologies from companies such as Elevar and Metarouter help brands to minimize signal loss caused by client-side user consent choices, browser privacy features, and ad blockers. This may be a good interim solution for brands looking to increase their signal from user behavior.
If you have the developer bandwidth, there are a number of methods you can deploy yourself to minimize signal loss, such as moving your analytics to server-side, or building out your own reverse proxy service, which can enable client-side data collection while avoiding browsers and extensions that block third-party data collection.
Whether this is a long-term solution depends on which cookie scenario plays out over the next few quarters. See the next section.
Speculation: Potential Scenarios
Possible scenario: Cookies never phased out
If Privacy Sandbox techniques like API and FLoC do not see wide adoption by adtech vendors, Google may decide it’s not worth the regulatory risk to phase out cookies. In this scenario, we may see iterative privacy improvements from browser providers, and a gradual move toward server-side by brands. In this scenario, signal loss would continue to grow, and server-side technologies would become more critical.
Possible scenario: Adtech cookies only
If Google clarifies their stance and their technique to phase out only the third-party cookies that are not affiliated with the first party brand, then we could be in a situation where adtech changes, but most martech continues to be powered by cookies, at least in the short term. In this scenario, any user consent mechanisms around cookies implemented for users in Chrome would be highly targeted at third party cookies from adtech vendors.
Possible scenario: All third party cookies affected, including martech vendors
If Google does not clarify the adtech / martech difference between cookies, and if they do roll out consent options to users (think the “ask app not to track” option in the iPhone), it is possible that we will see widespread breakage of martech app functionality, including user tracking, analytics, forms, heat mapping, click tracking, and more.
Timeline
Not clear. Google has promised to appeal their monopoly ruling, and earlier this week, they rolled out additional user privacy and security protections for Chrome that hint at a new direction toward AI-assisted and automated ways to protect users and their data.
Google has also begun marking cookies as deprecated in Chrome Inspector, with the following language: “Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.” If you’re up at night worrying that this will impact martech vendors, you will have some fuel for your anxiety. Because this deprecation message is broadly applied to both martech and adtech cookies.
Implications for brands
The elimination of third-party cookies will undoubtedly disrupt businesses that rely heavily on targeted advertising. Marketers will need to adapt their strategies and explore alternative methods to connect with their target audience and measure the effectiveness of their campaigns.
Beyond advertising, it’s critical for every business to know which parts of their revenue infrastructure relies on cookies, and what if anything the vendors of those tools are doing to plan for obsolescence.
Stack Moxie recommends the following steps:
- Review your published privacy, data, and cookie policies to ensure they reflect your current legal position as an organization
- Test your implementation of cookies, scripts, and network requests on your website and apps to make sure they are working as intended
- Validate that various user consent choices are consistently honored by changes in cookie and script behavior
- Set up monitoring so that you get alerted when anything changes with your published policies, cookie behavior, or the user browser experience.
- Consider making changes now that could help with signal loss, and could also be a partial solution should cookies become obsolete.
Conclusion
Google’s Privacy Sandbox and the elimination of third-party cookies present both challenges and opportunities for marketers. And also for Google. They have to navigate the waters carefully, protecting users and advancing the technology of their platforms, while regulators watch to make sure they don’t introduce unfair advantages for Google.
Regardless of what happens and when, cookies don’t appear to be going away entirely. You’re still going to be responsible for maintaining first-party cookies, protecting user data, and possibly collecting and properly responding to user consent for first party cookies.
So Google’s cookie dilemma may not mean that cookie management tools may not be going away any time soon. And neither will the need for external validation that your scripts, cookies, network requests, are working as expected.
If you want a better understanding of exactly how scripts and cookies are behaving on your site, and whether you are actually compliant with your own privacy and cookie policies, Stack Moxie can help.