.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Google’s Cookie Deprecation: What to Know About Chrome’s Data Collection
If you’re feeling out of the loop about Chrome’s personal data...
Read Now
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
If you’re feeling out of the loop about Chrome’s personal data collection, you’re not the only one. Google had announced that it would be deprecating third-party cookies. Then it delayed the deprecation. Then they called the whole thing off. Meanwhile, Google is promoting a third-party cookie alternative known as the Privacy Sandbox.
That brings us to today: Businesses are still wondering what Google’s actions mean for their privacy programs. Since Google is no longer deprecating third-party cookies, does it mean for businesses that collect personal information from Chrome users? And what is the future of third-party cookies?
Third-Party Cookies: On the Decline, But Not Going Anywhere Soon
For many businesses, third-party cookies are already a thing of the past. Some moved away from collecting third-party cookies in response to Google’s now-defunct plans to sunset them in Chrome. Other browsers, like Mozilla Firefox and Safari from Apple, already block third-party cookies by default. (We dive deeper into what third-party cookies are and why they can be problematic in How Cookies Work and How to Conduct a Cookie Audit.)
But third-party cookies aren’t inherently evil; they just require closer collaboration between marketing and privacy teams to deploy them in a compliant way that respects consumer rights. Plenty of businesses can benefit from third-party cookies without running afoul of data privacy regulations, and these cookies can exist for consumers without compromising their privacy.
But third-party cookies are by no means essential for advertisers hoping to target Chrome users. Google is still investing in its third-party cookie alternative, the Privacy Sandbox, which could be a viable approach to targeted advertising in the future.
What Is the Privacy Sandbox?
Google’s Privacy Sandbox is intended to reduce tracking of consumer behaviors across websites and apps (i.e., the core criticism behind third-party cookies), while still giving businesses a way to target their advertisements to consumers. The essential problem that the Privacy Sandbox is meant to solve is targeting advertisements to a consumer without excessively tracking that consumer.
The Privacy Sandbox proposes to accomplish this through a series of APIs, namely:
- The Topics API, which gives businesses a high-level overview of a user’s interests. This API tags each website with a label (like “Fashion” or “Sports”). A user’s browser tracks which tags are the most common to that user and feeds that information to an advertiser. In theory, advertisers learn the general preferences of a consumer without needing to see every website (relevant or not) that the consumer visits.
- The Protected Audience API, which stores user preference data in a protected environment in the browser. In contrast, third-party cookies may pass this same data across websites and adtech networks. Websites and adtech networks detect the Protected Audience API on a user’s browser and then generate relevant ads without needing to know precisely what the user’s preferences are. It’s like the Topics API but allows for more precise audience segmentation.
- The Attribution Reporting API, which stores reporting data in the browser before sending it to advertisers, minimizing exposure. It also obfuscates the user identity by incorporating some noise and delays in the data—tweaks that make it harder to see individual users’ actions but leave the overall data useful for reporting (in theory).
There’s a slew of additional APIs involved in the Privacy Sandbox but are the three major ones to be familiar with.
Since the Privacy Sandbox is still in development, a random subset of users visiting a participating website are presented with a pop-up that gives them the option of opting in or out of the Privacy Sandbox's APIs and tracking. Currently, businesses interested in deploying the Privacy Sandbox can still enroll in the program. Even with the reversal of Google’s cookie deprecation, Google has promised it intends to ramp up development efforts on the project.
In theory, the Privacy Sandbox sounds great! Why wouldn’t it be able to replace third-party cookies? Turns out, it’s not quite that easy. To understand why, we need to explore the events leading up to Google’s cookie deprecation reversal.
Google’s Cookie Deprecation Timeline
In 2019, Google promised it would phase out the use of third-party cookies in Chrome by 2022. However, both regulators and advertisers alike argued that the Privacy Sandbox was an inadequate replacement for third-party cookies.
Regulators construed the Privacy Sandbox as anti-competitive and still liable to privacy violations, while industry players asserted that it failed to support common advertising use cases, such as robust reporting and brand protection.
For example, researchers discovered that the Privacy Sandbox’s Topics API was an effective means of browser fingerprinting. In essence, browser fingerprinting is a method of tracking an individual device (and its associated user) without relying on third-party cookies; instead, websites can simply analyze browser and device configuration data, package that up into a profile (or “fingerprint”).
With this fingerprint, they can track user behavior and preferences across sites and send that data to whichever third party asks for it—just like you can with third-party cookies. A study from the University of Wisconsin-Madison discovered that analyzing just three topics associated with a user was sufficient to uniquely identify that user 60% of the time.
Google’s Decision to Cancel Third-Party Cookie Deprecation
As time went on and these criticisms persisted, Google announced it was delaying cookie deprecation to 2025.
By the time July 2024 rolled around, it had become clear that the Privacy Sandbox was a long way away from meeting industry and regulatory stakeholders’ requirements. At that time, Google announced it would scrap its planned phaseout of third-party cookies in a blog post.
The Big Picture: How to Compliantly Manage Privacy for Chrome Users
So, how to proceed? Third-party cookies? Privacy Sandbox? Neither? Obviously, it’s complicated. In fact, the complexity of the Privacy Sandbox for users and businesses was another big reason why Google decided to reverse its decision on the third-party cookie phaseout.
Many consumers, businesses, and privacy professionals have a decent understanding of third-party cookies and what they mean for privacy. That doesn’t mean everyone understands third-party cookies or the precise way they impact privacy, but they are much more widely understood than the Privacy Sandbox. Whether they use the Privacy Sandbox, third-party cookies, or neither, how should marketers and privacy professionals handle consent management for Chrome users?
If You’re Enrolled in the Privacy Sandbox:
If your organization is enrolled in the Privacy Sandbox program or considering it, err on the side of caution. The Privacy Sandbox is a work in progress, and it’s something of a novelty in the context of data privacy regulations. Even though Privacy Sandbox’s APIs secures most user data within the browser itself rather than circulating it among different websites, it’s still arguably tracking users as they navigate the web.
That’s what data privacy advocacy group, noyb (or “none of your business”) contends. Noyb recently filed a complaint to this effect, additionally claiming that the Privacy Sandbox’s pop-up banner deceptively presented itself as a privacy-enabling tool rather than another kind of tracker.
Given the gray area here, following data privacy best practices is a good idea. If your website uses the Privacy Sandbox, the French data protection authority CNIL suggests you:
- Obtain the user's consent under the conditions required by the GDPR.
- Inform users about this new tracking method.
To accomplish this, the CNIL recommends that websites update the consent collection banners to indicate that they are using this new tracking method as well as any other tracking methods they use. If you use a consent management platform for your banners, you’ll likely be able to update the language on your banner to include this information. Naturally, this would be in addition to the pop-up served by Google’s Privacy Sandbox, given the complaint filed against it for deceptive design.
If You’re Using Third-Party Cookies:
There are benefits to using third-party cookies rather than the Privacy Sandbox. The technology has been around for longer, and there are solutions and best practices to ensure you’re using it compliantly.
As with the Privacy Sandbox, you’ll want to ensure you’re collecting the right kind of consent and providing the right kind of notice based on your governing law. Our What Is Cookie Compliance blog provides an overview of what the major laws require.
If You’re Not Using Third-Party Cookies or the Privacy Sandbox:
You’re not off the hook—in most cases, you still need to collect and manage consent from consumers visiting your website.
There’s no business on the planet that can operate without collecting some information from its consumers; data privacy regulations still protect that information. Your website likely still collects personal information through first-party cookies or zero-party data. Data privacy regulations require you to notify consumers about this collection, secure their consent, honor subject rights requests, and meet all other obligations imposed on businesses.
The good news is that providers like Osano can help you make sense of the different ways you process personal information and stay compliant, no matter what technologies and approaches you use—third-party cookies, first-party cookies, zero-party data, or emerging data collection techniques like the Privacy Sandbox.
Still Have Questions?
Understandable. You can find more answers in the Ultimate Guide to Consent & Preference Management—it dives into everything, including:
- Opt-in versus opt-out consent
- The difference between cookies, pixels, and tags
- Universal opt-out mechanisms
- What the GDPR and state laws say about consent management.
Sick of Reading?
Also understandable. You can talk to a human being instead. Request a demo of Osano, and we’ll take time to answer your consent management questions.
.png?width=250&height=250&name=CTA%20Popup%20-%20Consent%20and%20Preference%20Management%20Guide%20(1).png)
