What’s happening with third-party cookies in 2021?

Analytics & Data Digital Strategy Article
10 mins

Cookies have been a key component of the web since the mid-nineties – but some instances of this divisive technology could soon crumble into internet history. Join us as we discuss the latest plans to phase out third-party tracking cookies, including a Google initiative to replace intrusive tracking tech with a new suite of APIs designed to give advertisers the data they need while preserving user anonymity.

Recap: what are web cookies?

Cookies are snippets of data that can be installed on an internet user’s web browser when they visit a website. These cookies can tell their owner about the internet user’s online activity – for example, which web pages the user has visited, or which actions they have taken while using a website.

There are lots of uses for cookies. In some cases, they save the user’s activity or preferences on a certain website, enabling the website to do things like keeping a user’s shopping cart populated between visits, or enabling forms to autocomplete with user data. Cookies with uses like these are almost universally accepted as a positive use of visitor data that benefits all parties.

Another use for cookies is tracking online user activity to facilitate personalised marketing. If ever while reading an online article you have seen adverts or links to third-party articles that seem uncannily relevant to your recent online activity, this could be the result of a web cookie tracking your behaviour. While important to current digital marketing and ecommerce practices, such uses of cookies are controversial, since a significant share of users believe these tactics impinge upon their privacy.

For more on the basics of cookies, see our guide to web cookies for digital marketers.

How do first-party cookies differ from third-party cookies?

first-party cookie belongs to the same domain that installs it on the user’s browser. This facilitates a one-on-one exchange of information between the website/cookie owner and the user. For example, Amazon installs first-party cookies on visitors’ browsers in order to save their Basket status (and for various other reasons too).

third-party cookie belongs to a different domain to the one which installs it on the user’s browser. Often, this domain is a service provider or commercial partner of the installing domain. The third party domain has access to the user’s data. Common examples of third-party cookies include the cookies installed by online advertising service providers such as Xaxis and Tribal Fusion on their clients’ sites.

While some marketers, publishers and web users consider third-party cookies essential to the monetisation and mechanics of the internet, others have condemned them as a threat to online privacy. There is truth to both sides of this argument, and this has left major digital players including Google, Apple and Firefox with a tricky question to answer: what should be done about third-party cookies?

What’s the situation with third-party cookies in 2021?

Third-party cookies have been under threat since at least 2017, when Apple rolled out iOS 11 and macOS High Sierra. Both of the new operating systems had a version of the Safari browser equipped with a feature called Intelligent Tracking Prevention, which automatically removed cookies identified as being unimportant to user experience. The next year, Mozilla set its browser Firefox to block third-party cookies by default.

Here were the makers of two of the world’s most popular browsers, painting third-party cookies as the villain – and at the same time getting one over on their mutual rival Google, which has used third-party ad cookies with its products.

Despite these events, third-party cookies are still widely used today. They may be controversial, and they may even be useless on certain browsers, but we simply don’t have anything to replace third-party cookies with just yet. However, based on recent developments, this finally looks set to change.

Google to replace third-party cookies with Privacy Sandbox APIs

Google is positioning itself as a mediator between commercial interests and online privacy rights – and it plans to do so by finding a middle way between preserving the anonymity of web users and providing valuable insight to advertisers.

In August 2019, the search giant announced an initiative to create a set of open privacy standards for the internet, called Privacy Sandbox, which could protect online publishers’ user-data-driven revenues while aligning online privacy standards with users’ expectations. In a blog post announcing the scheme, Justin Schuh, Director of Chrome Engineering at Google, wrote: “Some ideas include new approaches to ensure that ads continue to be relevant for users, but user data shared with websites and advertisers would be minimized by anonymously aggregating user information, and keeping much more user information on-device only.”

Google has revealed its intent to phase out third-party cookies on its browser Chrome by 2022, as part of the Privacy Sandbox project. Writing on the Chromium blog in January 2020, Schuh announced:

“After initial dialogue with the web community, we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years.”

In march 2021 a further announcement was made by Google’s David Temkin, Director of Product Management, Ads Privacy and Trust, indicating Google’s commitment to implementing their new approach to tracking.

“Chrome also will offer the first iteration of new user controls in April and will expand on these controls in future releases, as more proposals reach the origin trial stage, and they receive more feedback from end users and the industry.”

What options will Privacy Sandbox provide for advertisers?

Privacy Sandbox has started to take a clearer form in recent months, as development work on the project continues. It looks like the initiative will comprise five application programming interfaces (APIs), which advertisers will be able to use in place of third-party tracking cookies.

The Privacy Sandbox APIs will give advertisers aggregated data on key areas of activity such as conversions and conversion attributions, rather than giving them the personally identifiable information (PII) that currently renders third-party cookies problematic. It is hoped that the insights provided through this approach will deliver sufficient insight to advertisers, without making it necessary to track individual web users using their personal data.

The five Privacy Sandbox APIs are not yet set in stone, but at this stage they are shaping up roughly as follows:

  1. Trust Tokens API: this API will replace captchas, a widely used verification test, with a system whereby users fill out a captcha-like form just once, after which point their humanity is verified using anonymous trust tokens.
  2. Privacy Budget API: this API will allocate websites a budget which limits the amount of data they can access from each individual, thereby preventing the identification and tracking of users across the web.
  3. Conversion Measurement API: this API will replace the common identifiers currently used to track conversions with an alternative solution which better preserves user privacy. The GitHub documentation for Privacy Sandbox notes that this API will not be able to support all conversion measurement use cases, with view conversions and detailed click conversions both likely to be excluded.
  4. Federated Learning of Cohorts (FLoC): this solution will observe users’ behaviour and group them together into cohorts, or ‘flocks’. The users will then be delivered ads which are tailored to the group they have been assigned to. FLoC is set to use machine learning to create effective groupings.
  5. Two Uncorrelated Requests, Then Locally Executed Decision on Victory (TURTLEDOVE): a privacy-focused solution for targeted advertising, with an eye-catching name.

Original trials for two of the new Privacy Sandbox APIs launched in 2020. There’s no word as yet on how online advertisers can get involved.

Google’s Privacy Sandbox is about more than just third-party cookies

An interesting facet of Privacy Sandbox that some industry commentators have missed is that Google has signalled its intent to phase out other user-linked tracking methods besides third-party cookies. The overview of the Chromium Projects documentation for Privacy Sandbox states:

“We will aggressively combat the current techniques for non-cookie based cross-site tracking, such as fingerprinting, cache inspection, link decoration, network tracking and Personally Identifying Information (PII) joins.”

A move away from these methods would have far-reaching consequences in the digital marketing industry. To take one example, link decoration has long been used by affiliate marketers as well as by Google itself, to pass on information from one site to the next via users’ address bars. Without either third-party cookies or link decoration, attributing affiliate sales becomes very challenging.

It seems that the phasing out of cookies is just one part of a wider move away from online technologies that can be regarded as invasive. This isn’t just a technical tweak; it’s a cultural shift for digital marketing.

From Safari ITP to MAIDs, the bigger picture looks ominous for third-party cookies

Google is far from a lone crusader against third-party cookies. It would be more accurate to say the company is moving with the tide, since other companies have been actively phasing out third-party cookies for years. One such company is Apple, whose browser Safari has long-since blocked certain  third-party cookies.

In April 2020, Apple went further, by blocking all third-party cookies by default on its Safari browser, using its Intelligent Tracking Protection (ITP) feature. This means third-party cookies simply won’t have any traction with Safari users – apart from users who go out of their way to enable them.

And just as there are already web browsers with measures to restrict third-party cookies, there are also existing technologies which replicate some of their features, arguably without the same privacy fears. One such tech is mobile advertising IDs, or MAIDs for short. A MAID is a string of digits which is linked to an anonymous identifier provided by the operating system of a mobile device. In other words, it can tell an advertiser about a device and its behaviour, without tying that info to personally identifiable information.

Despite their theoretical promise, MAIDs look unlike to replace third-party cookies in the long-run. This begs the questions: will Google’s Privacy Sandbox succeed where other alternatives to third-party cookies have fallen short? We suspect the project’s APIs won’t be rolled out until the answer seems sure to be a resounding yes.

Conclusion: what should marketers be doing about third-party cookies?

It’s hard to imagine the internet without third-party cookies. This technology has been around since the 1990s, and it has come to play a key role in internet marketing and user experience.

But like it or not, now would seem to be a smart time for marketers to start reducing their reliance on third-party cookies and any other user-tracking methods that rely on personally identifiable information.

This is no longer a case of key online players navigating away from third-party cookies at some distant point in the future; the reality is that many have already done so, and even Google is now excluding some instances of the technology on the Chrome browser, by implementing technical measures to limit cross-site tracking. Chrome developers are also reportedly working on measures to discourage fingerprinting, an illicit covert tracking technique that certainly has no place on the modern web.

This all raises a number of important questions for marketers. In a web without third-party cookies and related technologies, how will we monitor cross-channel marketing funnels? How can advertising providers keep up the quality of the intelligence they give to advertisers, after switching to anonymised data? And is personalised marketing itself under threat? These are just a few of the many unanswered questions marketers should be pondering, as we head towards a future that seems increasingly likely to be without third-party cookies.

Useful Resources

Looking for the latest updates on tracking protection in different web browers? Check out the cookiestatus.com website, a knowledge sharing resource for the various tracking protection mechanisms implemented by the major browsers and browser engines.

Build a ü free personalised ¥ learning plan to see our course recommendations î for you

Free for 30 days

Build a å free personalised ¥ learning plan to see our course recommendations î for you

Free for 30 days