Deprecating third-party cookies: a small step towards a more private web

For the past four years, Google has been talking about its Privacy Sandbox project: a shift away from existing online tracking mechanisms towards more specific online advertising tools intended to be more respectful of privacy. In brief, Google has proposed to deprecate third-party cookies in its Chrome browser while simultaneously providing alternative methods for ad targeting, measurement, fraud prevention, and authentication. While the deprecation of third-party cookies is a sign of progress, much work remains to be done to transition to a privacy-respecting advertising ecosystem that serves the needs of users, publishers and advertisers.

The need for deprecation 

Third-party cookies are primarily used for tracking people’s online browsing behavior – connecting what they do on one site with what they do on every other site on the web. This is motivated by the potential to use that tracking data to build profiles for behaviorally-targeted advertising. Once collected, data about people’s online activities can be used and sold in unaccountable ways, contributing to a range of serious harms at both the individual and societal levels. Pervasive online tracking is neither transparent to users nor easy for them to control; for the sake of user privacy, we welcome steps towards the deprecation of this widely abused technology.

While voluntary, cooperative solutions like Do Not Track were promising, the ad tech industry made it clear a decade ago that it would not, after all, voluntarily respect users’ preferences expressed through simple browser-based controls, and instead would continue to use cookies and fingerprinting to track users’ online behavior whether they wanted to be tracked or not. Google Chrome is now taking a step to join other browsers, including Apple Safari, Mozilla Firefox and DuckDuckGo, in actively limiting this form of ubiquitous online surveillance.

Moving forward with deprecation provides a concrete incentive for sites to shift towards more privacy-respectful behaviors, like contextual advertising, aggregate analytics, refraining from embedding numerous tracking elements, and genuine user consent – but only when that process moves toward implementation. Published timelines can be useful, but when those timelines are repeatedly delayed, some online services won’t see any reason to develop alternative privacy-respectful mechanisms while they can continue to profit from a status quo that we believe is unsustainable. Using technical measures in browsers to directly limit abusive online tracking is necessary, and, in the most widely used web browser, Google Chrome, long overdue. 

Implementation of Privacy Sandbox begins

CDT has been following Privacy Sandbox and other proposals for privacy-preserving advertising in standard-setting bodies and regulatory filings for years, even as Google’s implementation timeline continued to shift. During that time, Privacy Sandbox has faced criticism from several angles. Privacy advocates, competing browser vendors, and the World Wide Web Consortium’s (W3C) Technical Architecture Group have raised concerns that the Privacy Sandbox proposals will continue to reveal too much information about a user’s online browsing activity to sites and advertisers, without providing the opt-in controls that one should expect. On the industry side, some advertisers and ad-tech intermediaries have resisted the shift because it would make individual targeting of users more difficult, while some in publishing are concerned that the proposals could provide more benefit for larger or more generic services, at the expense of smaller or niche publications.

In part, these critiques from different angles depend on what alternative the proposals are compared against. Some advertisers lament the loss of tracking data that third-party cookies enable. Some privacy advocates view replacing some of the cookie’s ad targeting functionality as a loss compared to their preferred alternative. Finally, some publishers may see competition issues in alternative mechanisms for interest-based advertising when they would otherwise anticipate a shift towards increased revenue from contextual advertising.

Notwithstanding these criticisms, web users and websites are both starting to see concrete changes. Starting late last year, users of Google’s Chrome browser may have seen pop-ups talking about “Enhanced ad privacy,” announcing new mechanisms whereby Chrome will help determine which ads users see based on the sites they visit, and provide controls in browser settings for users to review, change, and disable those inferences.

While the user interface varies across jurisdictions, most users haven’t been offered a clear way to indicate whether they want these different kinds of customized ads or to have those inferences from their browsing habits shared with sites and advertisers. Some users will want these features and some won’t; but failing to inform most users about the control they could have is a missed opportunity. With clearer presentation and an opt-in choice, this tool could have established some confidence that users wanted this form of ad targeting.

Starting early this year, websites (and their advertising providers) may have seen a change in the functionality available for a small portion of their visitors; 1% of Chrome users now have third-party cookies (largely) blocked by default. Sites that serve behaviorally-targeted ads based on identifying a user’s activity on other sites won’t be able to recognize those users as easily as before.

Designed-for-purpose mechanisms

The third-party cookie was an open-ended technical design that has primarily been abused for online surveillance, but also enabled important functionality, including some forms of authentication, mitigations for certain types of online fraud, and measurement of online advertising. Deprecation provides an opportunity to consider those use cases directly and provide designed-for-purpose mechanisms. Standards bodies, including the W3C and Internet Engineering Task Force (IETF), are hosting debates over numerous proposals, from Google and others, to standardize more privacy-preserving advertising, authentication, fraud prevention, and measurement. 

We still need to directly evaluate the various proposals that are more specific to their purposes. Those reviews may need to be detailed, but, in brief, we ask, does each proposal:

• … reasonably minimize individuals’ data combined across contexts?

• … provide meaningful transparency and control to users?
• … facilitate interoperability and competition, rather than market consolidation?
• … effectively fund creativity and journalism?

Not every functionality of the third-party cookie – especially when it’s privacy-invasive – needs to be replicated. A vibrant online advertising ecosystem doesn’t have to hinge on tracking individual online behavior, and privacy protection shouldn’t have to wait for the longer-term development of alternatives for cookies’ other functionalities.

As we have described when talking about the future of online advertising, we believe that online advertising can better serve the needs of internet users, publishers, and advertisers than it does today, providing support for independent media and content creation while respecting human rights. 

What’s next?

As technical protections like the deprecation of third-party cookies continue, what do we expect to happen next?

Deprecation brings a range of implications for the online-advertising industry, and privacy-respectful alternatives to third-party cookies will see increased attention and development. Measurement and attribution, for example, are goals that can be accomplished without tracking individual behavior, and new technology is under active development and standardization at the W3C’s Private Advertising Technology groups.

Technical protections alone won’t be enough to protect web users from surveillance. Legal protections are also necessary, and simple tools will be needed to help people exercise their rights. It’s time to standardize the Global Privacy Control, a universal opt-out mechanism, and we look forward to continuing that work. Privacy laws, rules, and enforcement must complement technical mechanisms, and we expect to see continued expansion of regulatory involvement in advertising and privacy around the world.

But we also anticipate seeing more pushback against new privacy-preserving technology, especially from companies who prefer to profit off the ubiquitous invisible surveillance of users’ browsing and offline activity. Whether it’s in technical standard-setting, in platform rules, regulations, or legislative proposals, some will argue that privacy is being used as a pretext to hide some other business motive. We believe that privacy is both important and typically well-aligned with competition, and that we should work for both competitive marketplaces and privacy protections. To both identify significant privacy protections and to distinguish them from self-preferencing, we should – without delay – establish privacy principles and thoroughly evaluate the details of new designed-for-purpose mechanisms.