Good news or bad news? It depends. Are you an internet user who cares about privacy? An internet publisher who cares about making money? Or somewhere in between?
On Monday afternoon, Google shocked the online-advertising world by saying that, actually, despite years of promises, it wouldn’t be dropping cookies from its world-dominant web browser, Chrome. If you’re not deep into the surveillance-capitalism game, here’s Richard Lawler at The Verge to explain:
Google is putting the brakes on a change that would have made it more difficult to track users across different websites to serve them targeted ads. After years of testing, planning, and delays, Google has scrapped a plan to turn off third-party cookie tracking by default like Safari and Firefox already do. The change was supposed to reach Chrome users soon, despite concerns raised by competitors, regulators, and privacy advocates.Now, Chrome will ask users to “make an informed choice that applies across their web browsing” instead of deprecating third-party cookies, writes Google Privacy Sandbox VP Anthony Chavez. That could work more like Apple’s app tracking opt-in, a setting that reportedly cost social media platforms nearly $10 billion when it rolled out in 2021. Putting a prompt in front of Chrome’s billions of users wouldn’t be as drastic as changing the default entirely, but it still might cut the number of users allowing third-party tracking significantly.
Some background. The issue here rests on the uncomfortable truth that publishers’ ad revenue depends heavily on being able to know enough about their users to serve them a useful ad — or, at least, an ad that seems well enough aligned to the user that an advertiser is willing to pay more for it. In general, publishers themselves don’t know this information; they instead give a substantial cut of their ad revenue to an adtech company that has this data — the largest of these by far being Google itself. And the main way that data is gathered is via third-party cookies, the tiny data files stored in your browser that connect your activity on Sites A, B, C, and D to the same user profile.
These cookies are, understandably, anathema to privacy advocates. The idea that, on any given pageview, dozens of faceless companies might be updating their dossiers on your habits isn’t especially pleasant. And the two companies that had by far the largest caches of user data — Google and Facebook/Meta — used that setup to become the world-bestriding Duopoly they are today.
Enter Apple. Unlike Google and Facebook, Apple doesn’t make much of its money on selling advertising, and it considers privacy a core feature of its shiny glass rectangles. In 2020, it announced it was blocking all third-party cookies in Safari, the browser on iPhones and iPads. In 2021, it extended the system to apps by requiring users to approve (or disapprove) each app that wants to track users across the ecosystem. (You know, all those “Ask App Not to Track” buttons you’ve tapped.) This had a major impact on the adtech world, costing Facebook literal billions. Firefox later followed suit.
Google said it wanted to get on board, announcing it would start blocking third-party cookies by 2022. Then it postponed it to 2023. Then 2024. Then 2025. And now, 2025’s out. How about never — is never good for you?
Google proposed a number of replacements for the cookie regime over the years, most notably Privacy Sandbox, which promised cookie-like identifiability without tying the data so easily to an individual. But both competitors and regulators expressed concern that Privacy Sandbox didn’t go far enough in protecting privacy and would, in effect, lock in Google’s preeminence in online advertising. One adtech company estimated trading cookies for Privacy Sandbox would lead publishers to “lose an average of 60% of their revenue from Chrome.” In April, U.K. regulators said that it “leaves gaps that can be exploited to undermine privacy and identify users who should be kept anonymous.” Here’s the Electronic Frontier Foundation:
Privacy Sandbox might be less invasive than third-party cookies, but that doesn’t mean it’s good for your privacy. Instead of eliminating online tracking, Privacy Sandbox simply shifts control of online tracking from third-party trackers to Google. With Privacy Sandbox, tracking will be done by your Chrome browser itself, which shares insights gleaned from your browsing habits with different websites and advertisers. Despite sounding like a feature that protects your privacy, Privacy Sandbox ultimately protects Google’s advertising business.
So we’re back at square one. Cookies aren’t going anywhere in the world’s most-used web browser. For the adtech industry, that’s a win. But if you’re an online publisher, it’s not clear how to react. The old bad system that made Google a lot of money and you a pittance…sticks around. Yay, maybe? “Phew, we dodged that somewhat-less-privacy-violating but somewhat-less-money-making-for-us alternative to our current bad setup”? Privacy Sandbox was an imperfect replacement, but no replacement at all has its problems too. Google now says it wants instead to “elevate user choice” by letting Chrome users “make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time.” That could, depending on how it’s enforced, lead to the loss of many third-party cookies — but we have no details, only a Google promise to “engage with the industry as we roll this out.”
The best solution for publishers, as always, is to work on gathering their own first-party data to allow targeting without all the privacy leaks. But that requires scale the vast majority don’t have, and publishers haven’t always proven themselves skilled at playing together. Either way, publishers are still pawns in a game they don’t control.