Sign in Subscribe
7 min read

Google will get users to kill third-party cookies for them

About four years ago, in 2019, Google started a project called the Privacy Sandbox. According to the website, it “aims to create technologies that both protect people's online privacy and give companies and developers tools to build thriving businesses”. The idea was that the Privacy Sandbox would replace third-party cookies, support for which would then be dropped from Chrome. Given what a considerable share of the browser market Chrome has captured, this would effectively have been the end of third-party cookies. This change received a lot of push-back for being very anti-competitive and worsening privacy.

This week, Google dropped part of those plans. Privacy Sandbox would still exist, but so would third-party cookies, and users would be given a choice between them in Chrome.

I've heard a lot about the Privacy Sandbox but never really dug into it in detail, so I thought I would use this as an excuse to do precisely that.

What are cookies?

Cookies are a fundamental part of how the Internet works. They are small files containing information generated by a web server that is then stored in your browser. The data in these files is then sent to the same website on future requests, allowing them to recognise the user and use that to adapt the experience to that user. An example might be that they will enable you to stay logged in. These are examples of first-party cookies, meaning they've been put there by the website (domain) you're visiting.

Third-party cookies are likewise files storing information in your browser, but they are added to your browser by some third party, i.e. not the website you visit. Their most common use is in advertising. If you visit, for example, a holiday website that shows ads placed by an ad network, that network will often put a cookie in your browser. This allows them to identify you in the future, and they will remember (on the server side) that you seem interested in holidays and are a good target for holiday ads. Over time, these third-party cookies allow them to build up a view of your activity across the Internet, and based on that, the ad network can show you increasingly relevant ads. More relevant ads mean a higher chance of a click-through and more money for the ad network.

Unsurprisingly, there are concerns about privacy and security with third-party cookies. This tracking could allow a business to build a detailed profile of your online behaviour without your consent or even knowing it's happening. Motivated (at least partly) by these privacy concerns, Safari and Firefox have already stopped supporting third-party cookies, so Google is actually in some ways behind the curve.

Let's assume, for the time being, that we want to get rid of third-party cookies from a privacy and security standpoint but that we do want online advertising to continue. Based on what I've read, there are at least three ways to continue online advertising without third-party cookies. I'm not an expert in this area, though, so there are probably others. Anyway, some alternatives are:

  • First-party advertising: this is much less contentious. People tend to feel a lot more comfortable with a website they visit building up a profile of their behaviour on that site over time. This is the case, for example, with video ads shown on YouTube based on things you've watched on YouTube.
  • Contextual advertising: this is based on the information on the visited page, not the user's profile. We can all think of some contexts where this will probably work well (e.g., selling travel insurance on a flight booking website), but it only works for particular contexts. It results in a worse user experience (less relevant ads) and less money for the websites and ad networks.
  • Device-based tracking involves keeping user data on their device rather than in an ad network. The Privacy Sandbox seeks to do this; more below.

I know many people will read this and have minimal sympathy for digital advertisers and their ability to build profiles and make money. However, the fact is that digital advertising, in its current form, supports vast chunks of the open internet. No one feels bad if Google or Meta lose a bit of profit, but some of that money will support the free websites where the ads are displayed and which need that money to survive. If there's less money to go around, does it seem likely the ones to suffer will be the big businesses with all the power?

Google's Ad Revenue

Google is an ad business. It also runs a search engine and various other properties to show ads on, but its primary revenue source is ads. In 2023, 77% of its revenues came from advertising. About half of what's left came from GCP, and the rest from devices, subscriptions, and other services.

The chart below shows Google's advertising revenue only but does represent a massive chunk of their revenue:

Google's ad revenue, 2014-2023. Note that before 2019, Search and YouTube were not separated.

Google Network is the ad business that relies on third-party cookies, while the others are first-party properties. It represented 13% of advertising revenue in 2023, equating to 10% of overall company revenue in that same year. What's not apparent from this chart is that revenue from Google Network started to shrink year-on-year in Q3 2022 and has done so ever since. In Q2 2024, the quarterly revenue from Network was down 10%, to $7.4 billion, from $8.3 billion two years earlier in Q2 2022. So, while not negligible (it's still a $30 billion business) for Google, this is a comparatively small and shrinking part of their business.

This will help to give some context for Google's motivation, which will be discussed later. While there are almost certainly privacy-minded and well-meaning people working on this project, a company like Google is absolutely not investing in it out of the goodness of its heart. But first, we need to cover a little more about the Privacy Sandbox itself.

What is the Privacy Sandbox?

In the Privacy Sandbox (PS), a user's information is stored on their device in Chrome. The sandbox then provides several APIs that a website can call when visited to determine the best ad to show. The easiest to understand is the Topics API. Chrome will gather information on the topics you seem interested in as you browse the web, but that information will be stored in Chrome, not on some third-party servers. Then, when you visit a site, that site can call the Topics API to find out what interests you and show relevant ads. They won't get the complete list of topics each time, but enough to serve a relevant ad. Also, because these topics are stored on Chrome, you can see the list and remove things you disagree with or want to keep private.

Advertisers can call several other APIs to get other relevant information for advertising.

As far as I can tell, people have three main categories of concern with this approach:

1. It's not as good

In the old system, advertisers had, almost by definition, more information available. This allowed them to show more targeted, relevant ads that were more likely to get a click, and they could earn more money. Other factors besides relevance make this new approach less effective, such as a dramatic increase in latency while the browser and ad network figure out what ads to show.

Testing metrics and results seem to be all over the place, and I'm not going to try to summarise them. However, Google is the only company reporting a positive change in any of these metrics.

2. It's complicated

There is no 1:1 mapping between all the functionality that was previously available to ad networks and what will be available through the PS, nor was that the intention. The problem is that a massive ecosystem has been built over more than a decade based on what was possible before. Adapting this ecosystem to new sets of information is a Herculean task. It might be worth it if the result improved your business, but as above, this investment is required in order to then make your business worse.

3. Google runs it

As open-source and transparent as the PS is, you're going from trusting ad networks with your data to trusting it all to Google. This is more secure because Google will do a better job of cybersecurity than some random ad network. But it's hard not to notice that this proposal also moves all data into a product controlled by Google.

This is a very superficial overview of the concerns with the sandbox. In a future post, I would like to dig into the work of the CMA (the competition authority working closest with Google on this change), but this gives a starting point.

Google's motivations

The rest is conjecture on my part, but as I said above, I don't believe for one second that Google is doing this because it wants to do the right thing. Instead, I can think of two options:

  • Shifting ads to first-party: Google's third-party ad business is shrinking and will likely continue to do so. By wrecking the third-party ad model for everyone, Google is only giving up something they're losing anyway and could make their first-party ad platforms more attractive by comparison.
  • Being at the top of a worse ecosystem: as I mentioned above, the move to this new ecosystem is a Herculean effort for the digital ad community, but if anyone can make the best of it, then it's the company that designed it and has a bottomless pit of money to fund the move. Even if the revenue and profitability are lower, it seems likely that Google would own a much bigger portion of that ecosystem.

What does this announcement mean?

Before this week, Google was going to force the PS on all Chrome users. It would have been rolled out, and third-party cookies would have been deprecated in Chrome. Chrome is such a significant part of how people access the internet that this would seriously affect the open web and its monetisation. This had attracted a lot of scrutiny, and in particular, Google had to work very closely with the CMA in the UK to ensure the PS was not anti-competitive. As I said above, I would like to review the CMA's concerns at some point.

However, this week, Google announced that instead of this forced change, they would give users the choice between PS and third-party cookies. Some saw this as a win because now consumers have the right to choose.

Honestly, though, this feels a bit naïve; we all know what users will pick. Apple did something similar with ATT, where users were prompted with "Allow [app] to track your activity across other companies' apps and websites?" of course, most users picked no. It's hard to imagine a user prompt in Chrome asking users to select between "Tracking using third-party cookies" and "Using the Privacy Sandbox", resulting in many people choosing the former. The implication that you're likely handing more power and revenue to one of the biggest companies on earth is unclear to most people.

What this does do, though, is allow Google to absolve themselves of any responsibility for the transition. They can claim that they offered users an alternative, but third-party cookies (and competitor ad networks) died because of user choice, not because of Google's decisions. If this results in less oversight from competition authorities, then Google gets to have its cake and eat it, too.