Marketers confused by what “the death of the cookie” will mean in practice should feel some comfort in the knowledge that what will happen in coming years is genuinely very unclear.

What is clear, is that third party cookies, and the digital advertising practices that these cookies enable, are being attacked on three fronts:

1. People are becoming better informed, and more actively concerned about privacy.
2. Regulators are legislating to limit the collection, sharing and use of people’s data.
3. Browser manufacturers and mobile app ecosystems are proactively limiting the ability of ad tech companies to track and target users.

Back in early 2020, removing third party cookies from Chrome in 2022 seemed very ambitious. Google has since pushed the date back to 2023. If Google maintains the position that it will not remove third party cookies without a replacement, 2023 still seems ambitious. Certainly third party cookies are going away. But it seems that the state of cookie purgatory will endure for some time yet.

A better understanding of the regulatory sphere, and the world of browser standards, can help us understand the context of how and why third party cookies are going away and the reasons for the delays. This article reviews the impact of regulation on digital advertising, the position of browsers manufacturers and the groups that produce new web standards, and the added complexity of Google’s ongoing antitrust cases in the US. We then review potential replacements, with a view to understanding what marketers can do about it.

Privacy regulation, consent and “reasonable expectations”

The initial impact of new privacy regulation on digital advertising was annoying, but pretty limited. The EU’s General Data Protection Regulation (GDPR) went into effect in the EU in May 2018. Since then, the most visible change has been the consent overlays that we are basically forced to click if we use European websites. Once a user gives consent, this typically enables tracking, targeting and measurement via third party cookies.

Numerous fines have been issued since GDPR went into effect. The first fines related to insufficient protection of personal information – mostly data breaches at banks, hospitals and telcos. Since then, an increasing number have been to do with inadequate disclosure of intent in gaining user consent for digital advertising. The first adtech fine was issued to Google in France – a €50 million penalty for inadequately informing users of their data consent policies, and providing inadequate consent controls to users. Since then, Meta, Google and Amazon have all been subject to significantly larger fines – as high as €746 million for Amazon in July 2021 – all related to inadequate consent.

With clear, adequately communicated consent, and appropriate security, there is nothing in GDPR to explicitly limit tracking, targeting and measurement via third party cookies. However consent is no longer clear cut under GDPR, with recent fines being for “inadequate consent” rather than the failure to gain consent at all.

This idea of inadequate consent makes it harder for companies to know if they are abiding by the law. The initial interpretation of GDPR saw responsibility largely shifted to the end-user. It is up to the entity gathering data to seek informed consent, but the onus is on the end user to actually read the consent pop-ups rather than blindly clicking on them. And if they don’t click yes, websites may not function properly.

The Australian approach requires the advertiser and the ad industry to gauge the expectations of consumers, and what consumers would “reasonably expect” to happen with their data. In common law countries like Australia, what is, and is not allowed, according to what a consumer would “reasonably expect” then gains clarity through case law, as various borderline instances are tested in court. While this standard is vague, it is perhaps preferable to the barrage of consent popups that emerged following the implementation of GDPR in Europe.

Under either the “informed consent” or the “reasonably expects” standard , digital advertising practices that are dependent on third party cookies may be narrowed by consent requirements, but can ultimately continue for now. The digital ad industry must certainly take more care, the risk is increasing, but there is no regulation that directly prohibits third party cookies.

Browser manufacturers and the end of third party cookies

Browser manufacturers can stop third party cookies from functioning, and disable the tracking, targeting and measurement that they facilitate. If they do this, tracking, targeting and measurement via third party cookies is finished.

In January 2020, Google announced their intent to end support for third party cookies in Chrome by 2022 (now pushed back to 2023). This followed Apple’s progressive degradation of third party cookies in Safari through Intelligent Tracking Prevention (ITP). Minor browsers, such as Firefox and Microsoft Edge, had already put similar limitations in place. Chrome was, until then, the last holdout.

User privacy is positioned as a key feature for all browsers, but particularly for the smaller browsers. The call to action for Firefox is “Get the browser that protects what's important. No shady privacy policies or back doors for advertisers. Just a lightning fast browser that doesn’t sell you out.” A not-so-veiled attempt to say that the unnamed leading browser does indeed “sell you out”. Since September 2019, third party cookies have been disabled in Firefox by default, and fingerprinting workarounds blocked since January 2020.

Apple’s ITP has consisted of a gradual degradation of the ability of adtech to track and target users of Safari. With successive iterations of ITP, Apple have been true to their intent, shutting down workarounds such as cname cloaking, fingerprinting and link decoration, and limiting the JavaScript cookies used by adtech and tracking tools well beyond third party cookies.

Browser manufacturers like Apple and Firefox are taking a more opinionated position than regulators. They can take the position that the user owns the browser, and that cookie-dependent tracking and targeting practices used in digital advertising compromise user privacy, and provide no benefit to the user. Most importantly, they can decide whether to disable these features by default – so the user has to make a change to enable tracking – or whether it is up to the user to disable them. This is important, because most people don’t change the defaults.

Ongoing antitrust cases and Google’s Privacy Sandbox

Google is subject to three ongoing antitrust cases in the United States. Two of these relate to search, and do not have major implications for third party cookies. The ad tech case, filed in Texas directly relates to third party cookies in Chrome.

The initial case alleges that Google has engaged in anti-competitive behaviour – owning the largest buy-side platform, the largest sell-side platform and the largest exchange that sits in the middle. In March 2021, this case was specifically amended to target Google’s proposed replacement to third party cookies, the Privacy Sandbox. The complaint states that Google’s proposed replacement would “wall off the entire portion of the internet that consumers access through Google’s Chrome browser”, and would require that advertisers use Google as a middleman, as well as making Google’s ad systems more attractive for their interoperability with the new Chrome features.

The competition regulators and privacy regulators seem to be working at crossed purposes. The privacy regulators are placing pressure on Google to do less tracking and enable more users to refuse cookies. But the competition regulators are pushing to keep the tracking functionality to enable continued functioning of competitor ad tech.

Beyond the legal risks, there is a clear risk of continuing to support third party cookies in Chrome. The risk is that an increasing end-user concern with privacy causes Chrome to lose its market dominance. Users may move to Safari, Edge, Firefox, or some new alternative en masse, just as they left Netscape Navigator for Internet Explorer in the 90s, and then moved to Chrome from 2008.

It certainly doesn’t suck to be Google. They’re doing great. They’re making great products, users love them, and investors have consistently recognised this over many years. But perhaps, right now, with regulators agitating on two fronts, and users getting more concerned, it sucks a bit…enough to kick the cookie can further down the road.

For marketers, even if there are further delays, we know that the end is coming. But it’s not just workarounds and replacements that we should be looking for. Consent is no longer a blank cheque, and we need to take more care. To understand what users expect, what they are comfortable with, and how to ensure we don’t breach their trust.