Google's cookie changes privacy

As the world’s most popular browser, changes to Google Chrome have far-reaching consequences. Google’s decision to end support for third-party cookies by the middle of 2024 has already caused advertisers a great deal of concern. But what about the rest of us?

Does this apparent win for privacy really mark the end of cross-site tracking? Let’s examine what Google’s cookie changes mean for our privacy.

Cookie cutting

In 2020, advertising made up 80% of Google’s revenue. However, with the arrival of generative AI and an increasingly privacy-conscious populace, that figure has shrunk – and is likely to continue shrinking. Bloomberg says the company is now moving toward a “healthier, diversified business model” that relies more on subscriptions and cloud services for income and less on advertising.

In the meantime, advertisers’ money is still vitally important, which might make it surprising that Google should want to restrict those advertisers’ access to user data. After all, third-party cookies provide advertisers with a relatively easy method for tracking users’ online behavior as they move from site to site.

Part of the reason is that third-party cookies are terrible for privacy, and plenty of other browsers—such as Mozilla Firefox, Apple Safari, and Brave—have been blocking cookies for years. Google itself quotes research that claims, “72% of people feel that almost all of what they do online is being tracked by advertisers, technology firms or other companies.”

Rather than lose its customer base, Google has tried to come up with a way to improve privacy while still being able to give something back to advertisers.

Privacy Sandbox

Google launched its Privacy Sandbox initiative in August 2019. This set of open standards was intended to enhance privacy on the web by minimizing improper cross-site and cross-app tracking. The idea was that ad-related data processing would be carried out within users’ browsers rather than externally.

Privacy Sandbox was initially short on details, though Google did say that its web products would be “powered by privacy-preserving APIs”.

The first was the Federated Learning of Cohorts (FLoC) API. The FLoC API would enable interest-based advertising using a cohort assignment algorithm that allocated a cohort ID to a user based on their browsing history. The same cohort ID would be shared between several users to ensure privacy. This appeared to align with Google’s claim that it would not build alternate identifiers to track individuals browsing between websites, nor would it use them in its products.

However, others were less than impressed. The Electronic Frontier Foundation (EFF) said that with FLoC, users’ browsers would each receive a “flock name” that “would essentially be a behavioral credit score”. While these flock names would “likely be inscrutable to users”, the EFF said that they “could reveal incredibly sensitive information to third parties”.

Google has since abandoned the FLoC API in favor of Topics, which it says offers greater anonymity than its predecessor.

The idea behind Topics is that users’ browsers learn about their interests as they move between sites. Google categorizes the sites visited based on one of 300 topics e.g Team Sports or Books and Literature. When users land on a page that supports the Topics API, their browser shares three topics they’re interested in.

A post by a member of the Technical Architecture Architecture Group (TAG) of the World Wide Web Consortium (W3C) criticized Topics for enabling the users’ browser to share information with any site that could call the API. “This is done in such a way that the user has no fine-grained control over what is revealed, and in what context, or to which parties,” the member said.

Another API proposal early in the Sandbox timeline was FLEDGE (First “Locally-Executed Decision over Groups” Experiment). This was an attempt to enable remarketing without using a personal identifier to track users.

However, John Mooring, senior software engineer at Microsoft, described how attackers could potentially craft code on web pages using FLEDGE that could track people across different websites.

The Fledge API was ultimately perfected and renamed as the Protected Audience API. It delivers targeted ads through an in-browser auction process without the use of third-party cookies.

Other Privacy Sandbox APIs include Attribution Reporting, Private Aggregation, Shared Storage and Fenced Frames. Google says that these are purpose-built for specific use cases and without the need for third-party cookies.

Despite being available to some users, Privacy Sandbox is still something of a work-in-progress. There’s a regular back-and-forth between Google developers and the various parties with skin in the game – including the UK’s competition regulator. This is why, in 2024, it’s still not certain whether Google will be able to fully roll out the tech it first announced back in 2020.

Advertiser worries

Understandably, there’s been a great deal of pushback from advertisers who don’t want to see the end of cross-site tracking. Third-party cookies have been their primary source of digital data for more than three decades.

In 2020, a joint statement from the Association of National Advertising and the American Association of Advertising Agencies said that Google’s decision to block third-party cookies “would threaten to substantially disrupt much of the infrastructure of today’s Internet without providing any viable alternative, and it may choke off the economic oxygen from advertising that startups and emerging companies need to survive”.

One year later, Google announced a two-year delay to its plans, though the reason behind this had little to do with the advertising industry’s opposition.

Regulatory concerns

In January 2021, the UK’s Competition and Markets Authority opened an investigation into Google’s proposals to remove third-party cookies and other functionalities from its Chrome browser. The CMA was concerned that “Google’s proposals, if implemented without regulatory scrutiny and oversight, would be likely to amount to an abuse of a dominant position”.

Specifically, the CMA worried that the Privacy Sandbox could:

  • Distort competition in the market for the supply of ad inventory and in the market for the supply of ad tech services by restricting the functionality associated with user tracking for third parties while retaining this functionality for Google
  • Distort competition by the self-preferencing of Google’s own advertising products and services and owned and operated ad inventory
  • Allow Google to deny Chrome web users substantial choice in terms of whether and how their Personal Data is used for the purpose of Targeting or Measurement and delivering advertising to them

By the end of 2021, Google had provided the CMA with a series of commitments – which the CMA accepted in February 2022.

In its most recent report, the CMA said that while Google had fulfilled its commitments to making competition fairer in the last quarter of 2023, it had ongoing concerns and would not allow Google to proceed with third-party cookie deprecation until these were resolved.

In a statement, a CMA spokesperson said that a key issue was ensuring that Google does not use the Privacy Sandbox tools “in a way that self-preferences its own advertising services”.

Whether Google makes any progress in satisfying the CMA will be the subject of future reports from the body. In the meantime, Google says it is “confident the industry can make the transition in 2024”. Google Chrome has already started blocking third-party cookies for 1% of users, and plans to increase this to 100% by mid-2024.

The end of cookies isn’t the end of tracking

While it would be nice if the phase-out of third-party cookies meant that users could browse in privacy, this isn’t likely the case. Advertisers still want data, and Google wants to give it to them. That said, the changes made to Privacy Sandbox over the years are all in the right direction. While Chrome is still far from being the best option privacy-wise, it’s far more private now than in 2019 when Privacy Sandbox was first announced – which can only be a good thing.