At the start of 2020, Google revealed plans to block third-party cookies in its Chrome browser within two years. However, in July 2022, the tech giant announced a delay in phasing out third-party cookies until 2024, pushing the timeline back by approximately a year. Given Chrome's massive user base, this change is set to have considerable effects on the digital advertising ecosystem. Presently, third-party cookies play a vital role in ad targeting, ad measurement, and combating ad fraud.
Immediately after Google’s announcement, there was speculation about what would replace third-party cookies in the future. In this post, we’ll take a closer look at Google’s vision on the topic. But let’s start with a short recap of what a cookie actually is.
What is a cookie?
A cookie is a small text file that is stored on a user’s device by an Internet browser. Cookies are used, for example, to store user information when moving from one web page to another. First-party cookies are set directly by the website you’re visiting. In addition, the website may use external services that store their own cookies. These are called third-party cookies. Cookies do not contain the user’s personal information and as such are not used to identify individual users. Some cookies expire at the end of a site session, while others remain longer on your device.
Cookies are used for many different purposes. Cookies allow you to use the functions of the website and provide the best possible user experience. For example, when a browser has information about a visitor’s choice of language and device, it is possible to provide them directly with the appropriate language and device-specific page version, thus facilitating the use of the site. Cookies also allow, among other things, different tracking tools, as well as personalised content, offers, functionalities, and ads on a per-visitor basis.
Privacy Sandbox
Google’s idea is to replace cookies with browser-based open standards, and the "Privacy Sandbox" project has been launched to find their final forms. The open-source initiative was launched in August 2019. It is widely seen as Google’s response to the growing pressure to improve privacy, ensure free advertising-funded content, and possibly block other parties’ cookies. According to Google, the goal is to create a secure standard for personalisation while respecting user privacy. Google says that reaching this goal requires new approaches to ensure relevant advertising in the future too.
The Privacy Sandbox project aims to minimise the information that is shared between websites and advertisers and to store a larger part of the visitor's information on the visitor’s device only. Google’s project envisions targeted advertising and measuring conversions through Application Programming Interfaces (APIs) in a browser environment. Numerous different APIs are planned, each meeting different needs. These interfaces would be used by all stakeholders.
Google Interface proposals (API)
The situation may change fast; text updated 23.3.2023.
Show relevant content and ads:
- The Topics API - A new way for browsers to enable interest-based advertising on the web. Topics is based on the user's recent browser activity and site categorisation. Advertisers can then use these categories to target more relevant advertising to visitors. The initial testing of the Topics API began at the end of the first quarter of 2022, but testing is still in its early stages. Google has announced its intention to improve the availability of the Topics API in 2023 and continue the public development process.
- The Turtledove API - The interface is designed to enable targeted and retargeted advertising without allowing third parties to track users' browsing behavior across websites. The aim is to allow ad auctions in the browser instead of the server.
To fight spam, fraud, and DoS (denial of service):
- Private State Tokens API – With this API, publishers can verify real users without tracking technology, making it Google's alternative to CAPTCHA. The idea behind the Private State Tokens API is that once a visitor has performed actions on a site, based on which the API believes the user to be a real person, it stores a token in the user's browser. The browser token does not allow tracking of individual visitors but only verifies the visitor as a real person. The token remains in the user's browser, enabling the transfer of information from one website to another. Private State Tokens API testing began in early 2021, and testing has concluded with the API being updated according to new versions and token types.
Measure digital ads:
- Attribution Reporting API – The interface would allow the collection of data related to the performance of campaigns without user tracking. The information would include e.g. Reach, Views, Ad Impressions, and more in one report. The interface would allow data to be stored in a browser and passed on to the advertiser's systems. Several features have been planned for this interface, some of which have already begun testing, while others will begin later in 2023.
Strengthen cross-site privacy boundaries:
- First-Party Sets API - With this API, it would be possible to declare relationships between websites so that browsers could allow limited use of third-party cookies for specific purposes. In practice, an FPS would be a collection of domain names reported to Chrome, with one designated as the primary and the others as members. First-Party Sets would be a solution for cases where it's necessary to share a single sign-on identity across different top-level sites.
- Shared Storage API - To prevent tracking users across websites, browsers partition all storage formats (cookies, localStorage, caches, etc.). However, there are several legitimate use cases that rely on unpartitioned storage.
- CHIPS API - The CHIPS (Cookies Having Independent Partitioned State) API would allow developers to choose "partitioned" storage for cookies for each top-level site. The goal of CHIPS would be to enable cookies to be set by third-party services, but they could only be read in the context of the top-level site where they were originally set.
- Fenced Frames API - A Fenced Frame would be an iframe-like HTML element for the embedded content. It would provide developers with a means to isolate content and functionality by creating a protected environment. With Fenced Frames, advertisers could, for example, display ads safely without gaining access to users' personal information. Additionally, Fenced Frames could help web application developers protect their users from harmful third-party scripts and content.
- Federated Credential Management API - Federated Credential Management (FedCM) is an interface that would make it easier to integrate third-party authentication and credential services into browsers. The goal of FedCM is to provide a safer and more privacy-respecting way to manage user authentication information across different services. With this interface, developers could combine authentication information from different service providers in one place, reducing the need for users to remember multiple passwords and promoting privacy and security.
Testing for all the aforementioned APIs aimed at enhancing privacy between websites has begun during the years 2021-2022.
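How the partitioning described for CHIPS above changes what an embedded third-party service can read back, as an added example that is not part of the original post or Google's own code. It is a toy cookie jar in JavaScript with constructed hostnames and hypothetical helper names; it models only the storage key and the rule that a Partitioned cookie must also be Secure.

```javascript
// Added example: toy model of CHIPS cookie partitioning (not a real browser).
// Hostnames and helper names are constructed for illustration.
// Split a Set-Cookie header into name, value and a lowercase attribute set.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: new Set(attrs.map((a) => a.split('=')[0].toLowerCase())),
  };
}

class CookieJar {
  constructor() { this.store = new Map(); }
  // A partitioned cookie is keyed by the top-level site as well as its host;
  // an unpartitioned one is keyed by host alone ('*' = any top-level site).
  key(topLevelSite, host, name, partitioned) {
    return [partitioned ? topLevelSite : '*', host, name].join('|');
  }
  // Store a cookie that `host` sets while embedded under `topLevelSite`.
  set(topLevelSite, host, header) {
    const c = parseSetCookie(header);
    const partitioned = c.attrs.has('partitioned');
    if (partitioned && !c.attrs.has('secure')) return false; // Partitioned requires Secure
    this.store.set(this.key(topLevelSite, host, c.name, partitioned), c.value);
    return true;
  }
  // Value `host` can read back when embedded under `topLevelSite`, or null.
  get(topLevelSite, host, name) {
    return this.store.get(this.key(topLevelSite, host, name, true))
      ?? this.store.get(this.key(topLevelSite, host, name, false))
      ?? null;
  }
}

function demo() {
  const jar = new CookieJar();
  const widget = 'widget.example'; // third-party service embedded on both sites
  jar.set('https://shop.example', widget, '__Host-chat=abc; Secure; Path=/; SameSite=None; Partitioned');
  jar.set('https://shop.example', widget, 'track=xyz; Secure; SameSite=None');
  return {
    chatOnShop: jar.get('https://shop.example', widget, '__Host-chat'), // 'abc'
    chatOnNews: jar.get('https://news.example', widget, '__Host-chat'), // null
    trackOnNews: jar.get('https://news.example', widget, 'track'),      // 'xyz'
    insecureAccepted: jar.set('https://shop.example', widget, 'x=1; Partitioned'), // false
  };
}
```

The unpartitioned `track` cookie follows the widget from shop.example to news.example, which is the cross-site behaviour CHIPS is meant to remove; the partitioned `__Host-chat` cookie does not.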
Google has announced its willingness to work together openly to ensure that the Privacy Sandbox project benefits all stakeholders. Google also wants general feedback and suggestions on the Application Programming Interfaces (APIs).
Critics have speculated that Google would just like to have more control over digital advertising. At least in principle, the move is a deliberate and sensible approach that leverages strengths – a vast ecosystem combined with powerful data collection and management capabilities – to maintain Google’s dominance.
A shared digital identifier, which would also be available to the industry, has been predicted as the ultimate goal of the Google Privacy Sandbox project. In March 2021, however, Google confirmed that once third-party cookies are phased out, it will not build alternate identifiers to track individuals as they browse across the web, nor will it use them in its products.
Long way to go
Although Chrome browser updates have seen rapid changes (e.g., blocking fingerprinting), Google has announced that projects of this magnitude are complex processes, and experience has shown that ecosystem changes take a long time. Privacy Sandbox proposals have changed significantly over the past year and are likely to change further in the future. Even though the proposals have potential, there is still a long road ahead.