Google has announced that it will phase out the usage of third-party cookies in Chrome by the end of 2023, joining a growing list of browsers that have abandoned the infamous tracking technique.
However, the end of third-party cookies does not signal the end of tracking – and the requirement for actual end-user Consent to handle personal data will exist long after third-party cookies and the technologies that replace them have been phased out.
This blog article examines the ramifications of Chrome’s removal of third-party cookies, the misconceptions, and why permission is the foundation for compliance tracking today and in the future.
In a nutshell:
What is Google Chrome doing to destroy third-party cookies, and what does this mean?
Let’s be clear: the end of third-party cookies does not mean the end of the track.
The removal of Google Chrome’s support for third-party cookies does not mean the end of tracking in Chrome.
Third-party cookies are far from the only tool utilized today for permanent and ubiquitous tracking of Internet users, and they will not be the last.
Existing tools that can track users in the same way that third-party cookies can include :
-IndexedDB Local Storage
-Web SQL and other technology allow browsers to save data on a user’s device (as cookies do).
-Alternative browsers (like Safari) have been banning third-party cookies for years. We’ve seen trackers regularly turn to workarounds, other ways, and new technologies that allow them to follow users in the same way.
First-party cookies will continue to work by default in browsers that block third-party cookies (including Google Chrome). Consent will be required in most situations unless the purpose of a cookie is strictly necessary to a website’s fundamental operation.
Google’s plan to phase out third-party cookies in Chrome is part of a larger strategy to create a privacy sandbox with open standards for tracking users while protecting their privacy (e.g., through new browser APIs like trust tokens), but it is being met with stiff opposition in the form of antitrust investigations from the EU Commission and the UK’s Competition and Markets Authority (CMA).
Some of these new standards may end up strengthening tracking because new technologies (such as trust tokens) will ensure an even greater level of certainty around user reidentification and thus only address issues in tracking precision and ad fraud by bots, which are still significant headaches for the ad tech industry today.
Even if they replace third-party cookies in Chrome, trust tokens will not exist in a vacuum.
There are multiple ways for trackers to identify a user’s identity across sites, implying that trust tokens will most likely not give a higher degree of privacy protection and enrich the adtech sector.
Consent is required now and in the future.
As a result, permission remains a core criterion of the world’s primary data protection laws, led by the EU’s General Data Protection Regulation (GDPR) and mirrored in new legislation such as Brazil’s LGPD.
The removal of third-party cookies does not imply the disposal of Consent.
On the contrary, regardless of the technology used, your website will still need to ask for and receive the express agreement of users before any data is permitted to be saved on a user’s browser, whether it be third-party cookies, Local Storage, or trust tokens.
Your website will still be obligated to tell its end-users about any technology you employ to collect personal data, including its supplier, purpose, and duration, and safely document and renew consents received.
Today and in the future, Consent is the platform for compliance tracking.
Consent is not only fundamental to most data privacy laws; it is also becoming increasingly central to the ad tech industry itself, as evidenced by Google’s September 2020 launch of Google Consent Mode, which allows websites to run all Google services based on the Consent of their end-users – balancing compliance and tracking based on Consent.
Google Consent Mode is a strong indication of intent from one of the world’s largest tech corporations to steer the adtech sector toward Consent and balance digital advertising with data privacy.
So, while third-party cookies in Chrome may be phased away in the coming years, Consent is ready to take centre stage, both at Google and elsewhere, integrating even more closely and smoothly with future tracking technologies and the ad tech sector itself.
FLoC and trust token API
Google is working on replacing third-party cookies in Chrome with so-called trust tokens.
Google’s trust token API would replace third-party cookies in Chrome with non-personalized, cryptographically signed tokens to authenticate a user.
Websites can “spend” trust tokens to determine whether a user is genuine or a bot, ensuring a much higher level of certainty for advertisers when reidentifying users while also ensuring a higher level of privacy for the individual user, who will not be tracked down to the level of detail described above, which can be increased/privacy-invading.