On Tuesday the 14th of January, 2020, Google made an announcement that most people in the online advertising industry never thought they would hear — Google will kill off third-party cookies by 2022.
Then, on Thursday, June 24, 2021, Google Chrome announced that it would be extending its planned sunset of third-party cookies by 2 years. Chrome said it will shut off support for third-party cookies starting from the middle of 2023.
On Wednesday July 27, 2022, Google Chrome once again announced that it would be delaying the deprecation of third-party cookies by another year, stating that it will start shutting off third-party cookies in the second half of 2024.
Eventually, Google withdrew from phasing out cookies and decided it’ll give users the freedom to opt in or opt out of allowing third-party cookies in the future.
Third-party cookies have been the backbone of online advertising for over a decade and power a number of key advertising processes.
What would blocking them mean for the digital advertising industry, and what impact would it have on publishers, AdTech companies, and advertisers?
Check out our infographic to find out!
About Google Chrome
Google Chrome was first released on September 2, 2008, and is the most widely used web browser with a global market share of around 65% as of January 2023.
For this reason, any privacy change that Google Chrome makes will have far reaching effects.
Over the years, Google Chrome has implemented a number of changes to strengthen privacy for its users.
Below is a snapshot of the main privacy changes Google Chrome has released over the years.
A Timeline of Google Chrome’s Main Privacy Changes
May 7, 2019: Google announced that it would introduce a set of new privacy and transparency features to its Chrome browser to give users more transparency, choice, and control over personalized digital advertising.
October 23, 2019: Google Chrome introduced its “SameSite” attribute whereby website developers have to state whether the cookies they set are to be used only by the current site or current URL that the user is on, and which ones are cross-site cookies. This is to allow users to delete third-party cookies and keep first-party cookies intact.
August 22, 2019: Google announced its Privacy Sandbox — a new initiative that aims to make the web more privacy friendly, but still allows online advertising to work in a limited capacity. Read more about Privacy Sandbox below.
January 14, 2020: Google announced that it will shut off support for third-party cookies by 2022 and replace the programmatic advertising processes currently carried out by third-party cookies with its Privacy Sandbox.
June 24, 2021: Google Chrome announced that it would be extending its plan to shut off third-party cookies by an extra 2 years.
July 27, 2022: Google Chrome announced that it won’t start phasing out third-party cookies until the second half of 2024.
December 14, 2023: Google announced that it will soon block third-party cookies by default as a test for 1% of Chrome and roll out the Tracking Prevention feature to limit tracking by third-party cookies.
April 23, 2024: Google announced that it won’t kill off third-party cookies and introduce new features for users to control whether they opt in or out of them.
A Timeline of Other Google Chrome Privacy and Security Updates
Below is a timeline of other privacy and security updates that Google Chrome has released over the years.
March 17, 2010
Google Chrome 4 introduced the first privacy settings that provide site-by-site control over how browser cookies, images, JavaScript, plug-ins, and pop-ups are treated.
June 07, 2011
Google Chrome 12 implemented New Safe Browsing protection to help prevent users downloading malicious files and giving users the ability to delete Flash cookies from inside Chrome.
September 09, 2011
Google Chrome 14 added Sync Encryption for all data and DNSSEC validation of HTTPS sites to identify and mark non-secure pages that contain password and credit card information.
November 06, 2012
Chrome 23 added the Do Not Track (DNT) standard to allow users to disable tracking while surfing the web.
January 14, 2014
Google Chrome 32 enabled a feature that allows users to reduce the usage of their data online and automatically block malware files.
January, 2017
Chrome 56 started to label HTTP pages as “not secure” to improve the way Chrome handles the connection security of HTTP pages and informs users about insecure sites.
January 24, 2018
Chrome 64 started to prevent sites with abusive ad experiences from opening new windows or tabs without the user’s permission.
May 7, 2019
Google announced that they would introduce a set of new privacy and transparency features to their Chrome browser to give users more transparency, choice, and control over personalized digital advertising.
August 22, 2019
Google announced its Privacy Sandbox — a new initiative that aims to make the web more privacy friendly, but still allows online advertising to work in a limited capacity.
October 12, 2019
Chrome 79 introduced a few new privacy features, including the Built-In Password CheckUp Tool that checks if passwords saved by Google Chrome have been leaked in data breaches, as well as the Sync and Google services section that allows users to enable scanning of bad sites in real time.
October 23, 2019
Google Chrome introduced its “SameSite” attribute whereby website developers have to state whether the cookies they set are to be used only by the current site or current URL that the user is on, and which ones are cross-site cookies. This is to allow users to delete third-party cookies and keep first-party cookies intact.
January, 2020
Google announced that it will shut off support for third-party cookies by 2022 and replace the programmatic advertising processes currently carried out by third-party cookies with its Privacy Sandbox.
Chrome 80 introduced a new default value for the SameSite cookie attribute that limits the use of cookies in the third-party context to increase web privacy and security of personal data shared across domains.
Chrome 83 started to roll out Secure DNS, a feature built on top of a secure DNS protocol called DNS-over_HTTPS, which is designed to improve safety and privacy while browsing the web.
May 19, 2020
Chrome 83 introduced Safe Browsing that provides users with security alerts regarding malware, risky extensions, phishing, and sites on Google’s list of potentially unsafe sites. Users are also able to block third-party cookies in the Incognito mode, allow or block all cookies, and set preferences for certain websites.
Chrome 84 automatically enrolls sites with abusive permission requests or abusive notifications in the quieter notifications UI and displays notification enrollment prompts to users, which advises them that some sites may be trying to trick them.
Manual Enrollment (and Opt-Out)
Manually enroll on Desktop or Mobile via Notifications Settings
August 25, 2020
Chrome 85 started to automatically block heavy ads that use more than 4KBs of network data or 60 seconds of total CPU. Examples of these are cryptocurrency miners and mini-games.
September 3, 2020
Chrome 86 deprecates and removes support for FTP URLs. As FTP is an insecure protocol which relies on clear-text usernames and passwords for authentication and does not use encryption, the data sent via FTP is vulnerable to sniffing, spoofing and other attack methods.
Chrome 86 automatically displays the permission requests using a quieter UI to prevent tricking users into accepting the notification permission for malicious purposes, with which senders could, for instance, obtain user login credentials.
Google introduced new data policies for Chrome Extensions developers. The policies require them to provide their products’ Chrome Web Store pages with transparent, easy to understand and certified information on the data collected by their extensions.
Chrome 88 added rel=noopener attribute to anchor target=blank by default to prevent unspotted web content changes and possible phishing attacks.
Chrome 89 introduced First-Party Sets. The ‘SameParty’ cookie attribute allows browsers to identify which domains belong to the same organization and treat them as first-party. The origin trial for FPS ran from Chrome 89-93. Additionally, Chrome introduced password generation features to help users create strong and unique passwords.
Chrome 91 proposed Network State Partitioning to prevent cross-site tracking through the use of side channels.
January 25, 2021
Chrome announced early testing of the Federated Learning of Cohorts (FloC) algorithm. The FLoC idea was about providing users with more privacy and running audience targeting ad campaigns based on cohorts. Trials of FLoC’s initial version ran from Chrome 89-91. FLoC was shut down on January 25, 2022, and replaced by Chrome’s Topics API. The development of FLoC has stopped.
June 24, 2021
Google Chrome announced that it would be extending its plan to shut off third-party cookies by an extra 2 years.
July 21, 2021
For mobile phones, Chrome 92 introduced convenient browser permission management panels. In addition, each page and extensions running on it has its own “sandbox”. Protection against phishing sites has also been improved.
September 1, 2021
Due to its vulnerability to Sweet32 attacks, Chrome 93 stopped supporting the 3DES algorithm in TLS. The browser also blocks HTTP, HTTPS, and FTP connections over ports 989 and 990 and added WebOTP API support. WebOTP API allows developers to enter one-time, SMS-sent passwords and synchronize them between Google accounts on different devices.
September 22, 2021
Chrome 94 increased security by removing AppCache.
October 20, 2021
Chrome 95 rejects cookies larger than 4096 bits for name and size and 1024 bits for each attribute. User Agent (UA) has gained the ability to detect different versions of Windows. The browser stopped supporting the FTP protocol, and URLs without IPv4 support are not supported.
January 4, 2022
Chrome 97 introduced the Keyboard MAP API, a controversial solution that allows web applications to detect key presses on keyboard layouts.
February 1, 2022
Chrome 98 updated the Keyboard API and SDED (Simple Data Encryption Standard) encryption, which was supposed to increase privacy protections.
July 27, 2022: Google Chrome announced that it won’t start phasing out third-party cookies until the second half of 2024.
What Are Third-Party Cookies?
Web cookies are a storage mechanism in web browsers that are used to store data. There are generally two types of cookies: first-party and third-party cookies.
First-party cookies are created by the domain (aka website) the user is currently visiting. Third-party cookies are created by domains other than the one the user is visiting.
Third-party cookies have been the backbone of online advertising for over a decade and power a number of key advertising processes.
What Processes Are Powered by Third-Party Cookies?
The main goal of third-party cookies is to identify users across different websites to power:
- Behavioral ad targeting — showing ads to users based on their behavior across different websites.
- Audience targeting via cookie syncing — showing ads to specific users by exporting audiences created in data platforms (e.g. DMPs) to DSPs for targeting.
- Ad retargeting — showing ads to users across the web who have previously visited your website.
- Frequency capping — limiting the number of times an ad is shown to the same user in a given time frame (e.g. max 5 ad impressions in a given 24-hour period).
- Audience extension — showing ads to a publisher’s audience across different websites.
- View-through attribution — attributing an ad view with a conversion (e.g. online purchase).
The Impact on AdTech
Although third-party cookies are blocked by default in other popular web browsers like Safari and Firefox, the real impact would be felt if Google shut off support for third-party cookies due to its large global market share (~64%).
Currently, it’s expected that Google has cancelled shutting off support for third-party cookies. Instead, the company will help users decide whether to opt in or out of them.
In the scenario with phasing out third-party cookies, many companies in the programmatic advertising industry would be severely impacted even more than they are today.
Below is a snapshot of the impact that companies would feel without the availability of third-party cookies.
Publishers
Publishers see a big drop in ad revenue as advertisers aren’t able to identify the publisher’s audience, meaning they don’t pay as much for the impressions.
Other revenue-making activities like audience extension are also heavily impacted.
SSPs and ad exchangers
Because most SSPs and ad exchanges make money by adding a margin on top of the price of media, when publishers earn less, so do they.
Without third-party cookies, SSPs and ad exchanges aren’t able to identify users on a publisher’s website, which impacts behavioral ad targeting, attribution, and measurement.
Ad networks
Although ad networks are still able to display ads on different websites without the use of third-party cookies, activities like behavioral targeting, attribution, and reach are affected.
DSPs
Showing ads to an advertiser’s target audience is much harder to do because DSPs aren’t able to identify whether a publisher’s audience matches the advertiser’s target criteria.
Activities like behavioral targeting and retargeting are limited and don’t scale as well as they do with third-party cookies.
DMPs
A majority of DMPs use third-party cookies to identify users and build profiles about them, which advertisers and DSPs then use for ad targeting.
Without third-party cookies, advertisers and publishers aren’t able to use these audiences, meaning the core business offering of most DMPs is severely impacted.
Advertisers
Because SSPs and DSPs aren’t able to identify audiences on websites, advertisers aren’t able to run behavioral and retargeted ad campaigns, which lowers the reach and performance of their campaigns and lead to less conversions, sales, etc.
It Wouldn’t Be Game Over for AdTech…
But it would just have to play by a different set of rules.
There are several alternatives to third-party cookies that AdTech companies can implement to power audience targeting and measurement:
Google Chrome’s Privacy Sandbox
Google Chrome’s Privacy Sandbox provides a secure environment for personalization while still protecting user privacy.
It contains a number of standards and APIs that will replace the processes currently carried out by third-party cookies.
The standards are being discussed and worked on between AdTech companies, agencies, publishers, Google Chrome and Google’s ad teams via the W3C Improving Web Advertising Business Group.
Privacy Sandbox will likely be released sometime in 2024.
Universal IDs and Device Graphs
A universal ID is a unique ID that allows AdTech companies to identify users across different websites and devices.
Universal IDs are created using probabilistic data (e.g. IP address, browser type and model, and user-agent string) or deterministic data (e.g. an email address or phone number), or both, to produce an ID.
Both publishers and advertisers can use their first-party data to produce universal IDs.
While universal IDs are the closest alternative to third-party cookie IDs, they’re not as readily available on websites as third-party cookies.
Data Clean Rooms
A data clean room is a piece of software that allows two companies, e.g. a publisher and an advertiser, to match their data together without either party gaining access to it.
This type of secure data collaboration can power many programmatic advertising processes, such as ad targeting and measurement.
There are essentially two main types of data clean rooms: centralized and decentralized data clean rooms.
Centralized data clean rooms store the data in one location, whereas decentralized data clean rooms store the data in separate locations (e.g. different servers).
The IAB Tech Lab’s Seller Defined Audiences (SDA)
On February 24, 2022, the IAB Tech Lab released its first addressability specification from the Project Rearc initiative: Seller Defined Audiences (SDA).
This new standard is designed to help publishers monetize their first-party data by creating audience cohorts that can then be passed on to demand partners (i.e. DSPs) via the OpenRTB protocol and Prebid.
SDA leverages other IAB Tech Lab standards, notably Audience Taxonomy, the IAB Tech Lab Data Transparency Standard, and the IAB Tech Lab’s Transparency Center.
Self-Serve Ad Platforms
While publishers can use universal IDs and Seller Defined Audiences to activate their first-party data, they can also give advertisers direct access to their audiences by using or building a self-serve ad platform.
Compared to selling their inventory via their ad server or supply-side platform (SSP), publishers can use a self-serve ad platform to allow advertisers to create ad campaigns directly on their websites or mobile apps.
Contextual Targeting
Contextual targeting allows advertisers to display relevant ads based on the website’s content rather than using the data about the visitor.
Before the advent of the Internet, contextual targeting was widely used in magazine and newspaper ads.
Contextual targeting has had a resurgence in recent years due to the introduction of various privacy laws and policy changes by Google Chrome.
What Can We Expect From Google Chrome in the Future?
The developers of Chrome are trying to reconcile the interests of users and advertisers — sometimes with varying success. The community does not always approve of controversial ideas like FLoC, once part of its Privacy Sandbox, or Keyboard MAP API.
After a wave of criticism, Google withdrew from FLoC and switched from cohorts to a topic catalog (Topics API) to better anonymize users for ad targeting. In the case of the Keyboard API, we are already seeing the first changes.
On the other hand, a lot has changed over time in Chrome’s privacy policies in favor of users, e.g., Chrome proposed Network State Partitioning to prevent cross-site tracking through the use of side channels.
Chrome is developing on many levels but often focuses on UI / UX more than securing privacy. Is that good? Despite the media hype surrounding the topic of privacy, users are more likely to use this browser than others.
Where There’s Change, There’s Opportunity
Despite the constant challenges on the horizon, there are numerous opportunities to be had for each player in AdTech.
These changes, and other privacy changes (GDPR, Safari’s ITP, etc.), don’t spell the end of AdTech, but AdTech vendors will need to change the way their platforms work to survive the next decade and prosper in a privacy-focused world.