Google is ending its long-running work to phaseout third-party cookies. The company announced 22 July intentions to leave cookies available on its Chrome browser while reworking its Privacy Sandbox initiative to address a balance between consumer privacy and sustainable advertising.
The reversal marks the end of a five-year endeavor by Google to deprecate cookies, a digital advertising tool that compiles consumers' internet activity across websites. The proposed phaseout faced several technical challenges that forced the company to change its approach multiple times, necessitating several delays around the planned timeline for a full elimination.
Google was primed for a full phaseout in January 2024 before the U.K. Competition and Markets Authority ordered a pause on the initiative over multiple competition-related concerns.
Google Vice President of Privacy Sandbox Anthony Chavez indicated that while cookies will remain, the work on alternatives within Privacy Sandbox will continue. In a blog post, Chavez explained the transition from cookies to a final product from the sandbox "requires significant work by many participants," but ongoing sandbox testing shows the application program interfaces will be successful "as industry adoption increases."
Chavez said Google's focus will now shift to an updated approach to privacy-preserving user tracking that "elevates user choice."
"Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time," Chavez said. "We're discussing this new path with regulators, and will engage with the industry as we roll this out."
Twists and turns
The work to move away from cookies actually began for Google May 2019 when it announced cookie transparency tools would be added to Chrome browsers. The offerings included specific details around the cookies being placed and optional settings to limit some cookie use.
That plan was followed less than a year later by the broader initiative to eliminate cookies altogether, which Google planned within a two-year process that would conclude in 2022.
Justin Schuh, Google Chrome's former engineering director, explained the move in a 2020 blog, noting that "it’s clear the web ecosystem needs to evolve to meet" increasing consumer privacy demands. He added the Privacy Sandbox initiative would work against "blunt approaches to cookies" that "encourage the use of opaque techniques," referring specifically to web browsers blocking third-party cookies as a privacy solution.
Various delays arose after the initial deprecation announcement due to changing approaches to the potential cookie alternative.
Google maintained confidence in its sandbox work, announcing March 2021 that it would forgo cross-site tracking altogether once its planned alternative, Federated Learning of Cohorts, was finalized. FLoC, a machine learning-powered concept that grouped users based on their common browsing behavior, was replaced a year later before its full launch by "Topics" following revelations of FLoC's reidentification capabilities.
Google Senior Manager of Government Affairs and Public Policy Ari Levenfeld told the IAPP in March 2022 that Google would not eliminate cookies fully until rolling out a viable replacement.
The fallout
Sticking with cookies at least for the foreseeable future comes with disappointment from the U.K. Information Commissioner's Office. Google acknowledged consulting with the U.K. CMA and the ICO before arriving at their latest decision, but ICO Deputy Commissioner Stephen Bonner, CIPP/E, CIPM, expressed disappointment in Google's pivot.
"Our ambition to support the creation of a more privacy friendly internet continues," Bonner said in a statement. "Despite Google’s decision, we continue to encourage the digital advertising industry to move to more private alternatives to third party cookies."
Bonner added the ICO would not rule out future regulatory moves, including potential action against Google, if it observes "systemic non-compliance" around advertising technology privacy.
Google already faced a degree of regulatory scrutiny over cookies in the EU. France's data protection authority, the Commission nationale de l'informatique et des libertés, fined the company's Ireland and U.S. offices up to 60 million and 90 million euros, respectively, in December 2020 over alleged violations of the ePrivacy Directive related to cookie compliance.
The EU has a hard stance on cookies through the ePrivacy Directive and the EU General Data Protection Regulation. The U.S. has provisions in the
The Network Advertising Initiative issued a statement supporting Google's move, noting the move away from cookies without a tested replacement "would have posed a significant threat to competition in advertising that is essential to the free and open internet." However, the NAI stood by the need "to develop and implement privacy-enhancing approaches to data-driven advertising."
Joe Duball is the news editor for the IAPP.