At the start of 2020, Google revealed plans to block third-party cookies in its Chrome browser within two years. However, in July 2022, the tech giant announced a delay in phasing out third-party cookies until 2024, pushing the timeline back by approximately a year. Given Chrome's massive user base, this change is set to have considerable effects on the digital advertising ecosystem. Presently, third-party cookies play a vital role in targeting, measuring advertisements, and combating ad fraud.
Immediately after Google’s announcement, there were speculations about what will replace third-party cookies in the future. In this post, we’ll open up Google’s vision on the topic a bit. But let’s start with a little recap of what even is a cookie.
What is a cookie?
A cookie is a small text file that is stored on a user’s device by an Internet browser. Cookies are used, for example, to store user information when moving from one web page to another. First-party cookies are stored directly on the website you’re visiting. In addition, the website may use external services that store their own cookies. These are called third-party cookies. Cookies do not contain user’s personal information and as such are not used to identify individual users. Some cookies expire at the end of a site session, while others remain longer on your device.
Cookies are used for many different purposes. Cookies allow you to use the functions of the website and provide the best possible user experience. For example, when a browser has information about a visitor’s choice of language and device, it is possible to provide them directly with the appropriate language and device-specific page version, thus facilitating the use of the site. Cookies also allow, among other things, different tracking tools, as well as personalised content, offers, functionalities, and ads on a per-visitor basis.
Google’s idea is to replace cookies with browser-based open standards, the "Privacy Sandbox" project has been launched to find their final forms. The open-source initiative was launched in August 2019. It’s unquestionably said to be Google’s response to the growing pressure to improve privacy, ensure free advertising-funded content, and possibly block other parties’ cookies. According to Google, the goal is to create a secure standard for personalisation while respecting user privacy. Google says that reaching this goal requires new approaches to ensure relevant advertising in the future too.
The Privacy Sandbox project aims to minimise the information that is shared between websites and advertisers and to store a larger part of the visitor's information on the visitor’s device only. Google’s project envisions targeted advertising and measuring conversions through Application Programming Interfaces (APIs) in a browser environment. Numerous different APIs are planned, each meeting different needs. These interfaces would be used by all stakeholders.
Google Interface proposals (API)
The situation may change fast, text updated 16.6.2023
Show relevant content and ads:
- The Topics API - would be a new way that browsers could enable interest-based advertising on the web. Topics is based on the user's recent browser activity and site categorisation. Advertisers can then use these categories to target more relevant advertising to visitors. The initial testing of the Topics API began at the end of the first quarter of 2022, and it became generally available in September 2023.
- The Turtledove API - The interface is designed to enable targeted and retargeted advertising without allowing third parties to track users' browsing behavior across websites. The aim is to allow ad auctions in the browser instead of the server. The Protected Audience API is the first experiment to be implemented in Chromium within the TURTLEDOVE family of proposals. Other TURTLEDOVE proposals and discussions about them: W3C Web Advertising Business Group.
- FLoC API - FLoC was a proposal in the Privacy Sandbox designed to cluster people with similar browsing patterns into large groups, or "cohorts". This "safety in numbers" approach was designed to effectively blend any individuals into a crowd of people with similar interests. The development of FLoC stopped in 2021.
To fight spam, fraud, and DoS (denial of service):
- Private State Tokens API – With this API, publishers can verify real users without tracking technology, making it Google's alternative to CAPTCHA. The idea behind the Private State Tokens API is that once a visitor has performed actions on a site, based on which the API believes the user to be a real person, it stores a token in the user's browser. The browser token does not allow tracking of individual visitors but only verifies the visitor as a real person. The token remains in the user's browser, enabling the transfer of information from one website to another. Private State Tokens API testing began in early 2021, and testing has concluded with the API being updated according to new versions and token types.
Measure digital ads:
- Attribution Reporting API – The interface would allow the collection of data related to the performance of campaigns without user tracking. The information would include e.g. Reach, Views, Ad Impressions, and more in one report. The interface would allow data to be stored in a browser and passed on to the advertiser's systems. Several features have been planned for this interface, and they are generally available from September 2023 onwards. This API is a work in progress and will evolve over time, dependent on ecosystem feedback and input.
Strengthen cross-site privacy boundaries:
- First-Party Sets API - With this API, it would be possible to declare relationships between websites so that browsers could allow limited use of third-party cookies for specific purposes. In practice, FPS would be a collection of domain names reported to Chrome, with one set as primary and the others as members. First-Party Sets would be a solution for cases where it's necessary to share a single sign-on identity across different top-level sites.
- Shared Storage API - To prevent tracking users across websites, browsers partition all storage formats (cookies, localStorage, caches, etc.). However, there are several legitimate use cases that rely on unpartitioned storage.
- CHIPS API - The CHIPS (Cookies Having Independent Partitioned State) API would allow developers to choose "partitioned" storage for cookies for each top-level site. The goal of CHIPS would be to enable cookies to be set by third-party services, but they could only be read in the context of the top-level site where they were originally set.
- Fenced Frames API - A Fenced Frame would be an iframe-like HTML element for the embedded content. It would provide developers with a means to isolate content and functionality by creating a protected environment. With Fenced Frames, advertisers could, for example, display ads safely without gaining access to users' personal information. Additionally, Fenced Frames could help web application developers protect their users from harmful third-party scripts and content.
- Federated Credential Management API - Federated Credentials Management (FedCM) is an interface that would make it easier to integrate third-party authentication and credential services into browsers. The goal of FedCM is to provide a safer and more privacy-respecting way to manage user authentication information across different services. With this interface, developers could combine authentication information from different service providers in one place, reducing the need for users to remember multiple passwords and promoting privacy and security.
Limit convert tracking:
Browser resources like cookies, which allow users some measure of control, stand in contrast to other browser aspects that facilitate unregulated tracking and identification of users. Conversion tracking methods such as fingerprinting and cache inspection exploit intricate browser details, often unbeknownst to users, making it challenging for individuals to defend themselves. In response to these covert tracking tactics, Chrome is proposing several technologies designed to dismantle these hidden channels of information tracking. The current proposals aimed at limiting conversion tracking include User-Agent Client Hints, User-Agent Reduction, DNS-over-HTTPS, IP Protection, Privacy Budget, Storage Partitioning, Network State Partitioning, and Bounce Tracking Mitigations.
Testing for all the aforementioned APIs, designed to enhance privacy between websites, commenced in 2021-2022 for a partially limited audience. In May 2023, Google announced its intention to make targeting and measurement APIs generally available to all users by July, enabling developers to conduct scaled testing. In September 2023, Google announced that the interfaces are now generally available to everyone.
Speculations and gradual initiation
Google has expressed a commitment to open collaboration, ensuring that the Privacy Sandbox project benefits all stakeholders. They have also welcomed general feedback and suggestions on their Application Programming Interfaces (APIs).
Critics have suggested that Google's motivation might be to increase control over digital advertising. While this may be a point of contention, the move ostensibly represents a strategic and logical approach, capitalising on Google's extensive ecosystem, powerful data collection, and management capabilities to maintain its dominance.
There has been speculation that a shared digital identifier, accessible to the industry, is the ultimate objective of Google's Privacy Sandbox project. Yet, in March 2021, Google affirmed that they would not construct alternate identifiers to track individuals across the web once third-party cookies are phased out, nor would they utilise them in their products.
In May 2023, Google revealed that Chrome would start phasing out cookies for 1% of a randomly selected user group in Q1 2024, gradually expanding the deprecation to more users as the year progresses.
Long way to go
Although Chrome browser updates have seen rapid changes (e.g., blocking fingerprinting), Google has announced that projects of this magnitude are complex processes, and experience has shown that ecosystem changes take a long time. Privacy Sandbox proposals have changed significantly over the past year and are likely to change further in the future. Even though the proposals have potential, there is still a long road ahead.