Saying goodbye to third-party cookies

Since they were invented in 1994, cookies have played an essential role in the development of the web and the businesses that depend on it. But in recent years, partly through the introduction of legislations like GDPR, and partly through high-profile events such as the Facebook/Cambridge Analytica scandal, consumer awareness of privacy issues has dramatically increased. Third-party cookies have rightly been identified as a real threat to consumer privacy.

As a result, both Apple and Google are finally taking concrete steps to rein in the use of third-party cookies and their mobile app equivalent, Ad IDs. But what will life be like without them? And more importantly, will it be better than it was before?

Read next: Key takeaways from ‘What the FLoC? How do you prepare for a post-cookie future?’

How did we get to where we are today?

Cookies allow website owners to keep track of users both on their own sites and, through the use of third-party cookies, other organisations’ websites. They help advertisers keep track of the number of people they are reaching with their ads and help publishers to understand their own audience.

As the digital advertising industry grew and developed in the 2000s, a complex ecosystem of intermediaries started to emerge to connect advertisers efficiently to publishers, for whom third-party cookies proved similarly valuable. User data itself became an important part of the industry, supporting the highly targeted advertising experience that we are familiar with today. Two of the major players in this ecosystem are Google and Facebook, both of which have built very large-scale advertising networks that make extensive use of third-party data for targeting and measurement.

The result of this web of intermediaries is that whenever you visit a website or use a mobile app, your data can be passed on to a large number of different companies. These companies may then pass the data onto other third-parties - either for the purpose of ad targeting, or tracking, or both.

Until 2018, this third-party tracking and data processing was all going on largely behind the scenes, with sites not required to notify users or gather consent. This changed in 2018 with the introduction of GDPR. GDPR requires organisations to gain explicit consent to process user data and pass it to third parties. However, this has merely highlighted how widely consumer data is being shared via cookies, as the “Privacy Settings” interface below from The Guardian’s website shows:

In response to this, Apple and Google have started to take a much harder stance on third-party cookies and Ad IDs. However, there are some major differences to be seen in their approaches.

What’s Apple doing?

In 2017, Apple introduced “Intelligent Tracking Prevention” into its Safari browser. This limits the ability of sites to send or request data from third-party sites - also known as cross-site tracking. ITP aims to block third-party sites from amassing large amounts of information about the interests and behaviours of users — so-called “cookie pools”.

In 2020, Apple further tightened ITP to block all third-party cookies. Sites can still use a Safari feature called the Storage Access API to request a specific opt-in from a user, but given that the user will need to have some good reason to agree to the third-party storage, this has essentially spelled the end of third-party cookies on Safari.

Apple ID for Advertising (IDFA) restrictions

Apple introduced the “ID for Advertising” (IDFA) back in 2012 as a way to persistently identify the device an app is installed on. Any iOS app can access the IDFA and pass it to a service on the internet (such as an ad network). Because the IDFA is the same across apps, it works a bit like a third-party cookie. For example, if App A passes the device’s IDFA to a third-party service, and then App B passes the same ID, the third-party service knows that the user is using both apps.

The IDFA is anonymous and can be opted out of, but its use contributes to the somewhat disturbing sense that users have around their phones listening in on their conversations. This is because an interaction in one app can drive ad targeting in another app which the user doesn’t associate with that interaction.

In April, Apple released iOS 14.5. This changes the use of the IDFA to opt-in – apps that want to capture the value and share it must ask permission first. Facebook has made quite a fuss about this, even going to the lengths of creating a dedicated website to trumpet the value of targeted ads, and serving pop-ups in the Facebook and Instagram mobile apps to encourage people to opt in:

Despite these efforts, it is looking like opt-in rates for third-party sharing of the IDFA are pretty low. According to a recent study by Flurry, a whopping 96% of iPhone users in the US are choosing not to share their IDFA with third-parties.

What’s Google doing?

With all the noise about privacy that Apple has been making, Google couldn’t just sit by and do nothing. In January 2020, it announced that it would be phasing out third-party cookies in Chrome within two years (recently extended to three years). In their place, Google is creating an open-source initiative as part of the Chromium project, called Privacy Sandbox. An early version of Privacy Sandbox is already included in the latest versions of Chrome, though largely disabled in Europe.

Two of the most important technologies in Google’s Privacy Sandbox are called FLoC and FLEDGE. FloC (Federated Learning of Cohorts) aims to enable behavioural targeting without using third-party cookies - instead relying on Machine Learning within the browser to place the user in one or more targeting groups (“cohorts”) based on their site usage. FLEDGE then builds on this to enable publishers to create interest segments that they can expose to advertisers - all without sharing personal data to a third-party service.

Google hopes other Chromium-based browser makers (such as Microsoft) will adopt the Privacy Sandbox features and implement their own versions of the algorithm; but enthusiasm is low, with none of the major browser-makers signing on.

Google’s Android Advertising ID

Android also sets an Advertiser ID, called the Android Advertiser ID (AAID), which users can opt out of, but Google has not announced any plans to introduce a similar opt-in control in the way that Apple has done. Privacy advocate Max Schrems has brought a complaint about this to France’s Data Protection Authority, CNIL, claiming that the behaviour of the AAID is a violation of GDPR. As such, Google may be forced to implement a similar consent mechanism to Apple’s - at least in Europe.

Impact to businesses

If the data and ad targeting ecosystem enabled by third-party cookies goes away, companies like Google, Facebook, and Amazon (which manage very large first-party troves of consumer data) could actually end up benefiting. Advertisers may prefer to advertise on their closed networks in order to target the audiences they care about, and independent advertising networks may suffer.

In the medium-term, this could be bad for advertisers - especially smaller advertisers who do not have the resources to buy direct from publishers. These small advertisers will become almost completely dependent on these three major technology companies for their advertising and will be at the mercy of price rises and changes to ranking algorithms. Larger advertisers will be less affected but should make strenuous efforts to increase their own first-party data so that they can at least reach out to their own customers without having to go through the “Big three”.

Similarly, smaller publishers may suffer. According to a study by Google, they could expect to see a revenue decline through the loss of user-targeted ads of 52% (though another independent study predicted only a 4% drop in revenue). With a reduced ability to earn ‘easy’ advertising revenue from behaviourally targeted ads, publishers will need to focus more on generating real engagement with their content, which may cost them revenue in the short term, but could be a good thing for the consumer.

Impact to consumers

Finally, will consumers benefit from these changes? This is a more difficult question to answer.

On the one hand, making it harder for organisations to silently track individuals’ online behaviours is a good thing for consumers, as when offered the choice of whether to share this data, they overwhelmingly opt out.

On the other hand, if the death of third-party tracking does concentrate more power in the hands of Amazon, Google, and Facebook, this is unlikely to deliver much benefit to consumers. It will reduce choice without significantly improving transparency around the use of their data, and anyone who wants to opt out will likely not be able to use these services in a meaningful way.

Ultimately, the ability for consumers to effectively manage their own privacy will be dependent on the actions of a small number of very large technology companies. Legislators and regulators need to ensure that individuals can participate on the online world without having to make unacceptable trade-offs with their own privacy.