Less tracking means a more privacy-focused online experience, but does Google really value user trust over ad dollars?
In 2020, Google announced that over the next two years it would phase out the use of third-party cookies in an attempt to enhance user privacy online.
This initiative —a series of proposals called the Privacy Sandbox project—takes into account opinions from the greater online community including users, publishers, and advertisers to build a privacy-focused browsing experience while still maintaining an ad-supported internet. Yet a year and a half later, the search giant, which dominates browsers, ads, and other elements of the web, is further delaying what’s been dubbed the “Cookiepocalypse” until 2023.
We break down how it all works, why it’s raising red flags for privacy experts, and what’s accounting for the delay, below. Stay tuned for our forthcoming article where we ask Dashlane experts to share the challenges and tradeoffs of digital marketing while maintaining security and privacy principles.
Back up. What exactly is a third-party cookie?
Far less scrumptious than it sounds, a third-party cookie is a code that tracks a user’s online behavior across the internet. The “third party” in this scenario is likely an advertiser who’s able to compile data on a user, including the purchases they make and the sites they browse. Third-party cookies are the reason you see ads for the yoga pants you browsed on multiple sites—an example what’s called “ad retargeting.” Additionally, if you click on a social media plug-in to, say, share a quote directly from an article on your Twitter feed, the social platform is likely dropping a cookie on your device to continue to track your behavior. And no, you do not need to be logged in to your social media accounts to be tracked this way; advertisers have developed other ways to identify users, including device fingerprinting.
Third-party vs. first-party cookies
Not all cookies are created equal. By contrast, first-party cookies are dropped onto your browser when you visit a site, but that only enables the website’s host to track your behavior within that site. Often, the user experience is enhanced by first-party cookies because they enable a site to remember your info and preferences—what you’ve already added to your shopping cart, for example—but they don’t share it with third-party advertisers.
This feels a bit like déjà vu
In 2013, Firefox and Safari blocked third-party tracking. Announcing their plan almost a decade later, Google is slow to catch up—but they have their reasons. In this post from 2020, Google argues that blocking third-party cookies has unintended negative consequences, like encouraging insidious workarounds including device fingerprinting.
Causes for concern
Google’s and Facebook’s revenues are dependent on tracking user behavior, and third-party cookies have enabled a lucrative form of advertising. But it’s not only large corporations that rely on this type of tracking. Small businesses, and those dependent on ads to keep their content free to consumers (like many news outlets), would likely get hit in the crossfire if Google were to phase out this method of advertising. Those small businesses use third-party cookies to effectively target consumers, but because the data is being funneled through Google, users have concerns over just how much they’re being tracked.
In 2019, lawmakers in Europe ruled that cookie “consent banners”—which pop up on a website telling users that third-party cookies have already been dropped on their device or browser—are not legal. Users instead need to consent to cookies before they’ve been dropped. Globally, user privacy and the need for transparency are top of mind now more than ever when it comes to navigating the internet.
The four elements of the Privacy Sandbox
According to Google’s Privacy Sandbox website, the initiative seeks to replace third-party cookies and other potentially invasive technologies with more privacy-focused methods:
- Restrict tracking of users across the web
- Fight fraud and spam by verifying user identity without compromising privacy
- Show users ads that are more relevant to them
- Measure the effectiveness of digital ads through anonymized reporting
Yet with the Privacy Sandbox proposal, many questions are left unanswered: namely, what’s the alternative? Would it be more privacy-focused? And would it enable Google to have a complete monopoly over online advertising?
Though Google originally planned to deploy the Cookiepocalypse by 2022, there’s been a slight change in plans according to The Verge. In their most recent announcement, Google divulged that they will be working closely with CMA (Competition and Markets Authority), the UK’s competition regulator, to phase out third-party cookies in a two-stage attempt lasting until late 2023. This was announced after the CMA investigated the Privacy Sandbox project, leading to concerns of other publishers losing ad revenue and Google undercutting the competition in the digital ad space.
Rethinking the alternative to third-party cookies
While third-party tracking has enabled a large portion of their business model, it’s not Google’s only source of ad revenue, nor is it their biggest. According to Jason Aten in his article for Inc., Google’s search advertising accounts for 84% of their entire ad revenue, and 70% of their total revenue.
And their original proposed alternative to third-party cookies isn’t quite as privacy-focused as some might have hoped. Federated Learning of Cohorts (FLoC) is a new technology that tracks and collects user data within the Chrome browser rather than on Google’s servers, a major privacy concern with third-party cookies. FLoC creates a profile of users based on online behavior within the browser, then groups them with thousands of other users in a “cohort” or “flock” (FLoC! Get it?). Advertisers can then target cohorts, but not individuals. With FLoC’s method of tracking, IDs associated with an individual user’s browser are anonymized, so online activity cannot be traced directly to one user by Google or by the advertisers they sell data to.
Tech blog How To Geek points out that other browsers including Firefox, Brave, Vivaldi, Safari, and Microsoft Edge will not use or have disabled FLoC. The blog also points out several privacy concerns, including that grouping users in this way will make it easier for trackers to identify individuals through device fingerprinting, which uses multiple pieces of information from a browser to identify you. All in all, many are skeptical—even Google itself, as they continue to develop a suitable alternative to third-party cookies in cooperation with CMA.
Google’s (somewhat vague) schedule to build a more private web is as follows:
After this public development process, and subject to our engagement with the CMA, our plan for Chrome is to phase out support for third-party cookies in two stages:
Stage 1 (Starting late-2022): Once testing is complete and APIs are launched in Chrome, we will announce the start of stage 1. During stage 1, publishers and the advertising industry will have time to migrate their services. We expect this stage to last for nine months, and we will monitor adoption and feedback carefully before moving to stage 2.
Stage 2 (Starting mid-2023): Chrome will phase out support for third-party cookies over a three month period finishing in late 2023.
Perhaps this delay signals the beginning of a better web—at least, we can hope.
For more on this topic, stay tuned to our blog for a roundtable interview with some marketing experts at Dashlane!