Skip to Content

So Much for the “Privacy Sandbox”: Google Backtracks on Commitment to Deprecate Third-Party Cookies

Google’s recent announcement that it will abandon its plan to phase out the availability of third-party cookies in its Chrome browser, after repeatedly delaying the implementation of the Privacy Sandbox it first announced in 2019, is a massive disappointment for privacy advocates. Instead, at some point in the future Google says it will “introduce a new experience in Chrome” that will put the onus on internet users to “make an informed choice” about third-party cookies.

As we noted in an April 2024 blog post, cookies are a widely abused, multi-purpose technology whose legitimate use cases can, and should, be addressed by designed-for-purpose mechanisms such as the Privacy Sandbox APIs proposed by Google itself. Falling back on the flawed “notice-and-choice” paradigm is out of step with today’s privacy discourse, which emphasizes data minimization and privacy-respecting default settings. While users may have the right, and should have the option, to communicate opt-out preferences, it doesn’t make sense to require users to make complex decisions with unclear implications about technical mechanisms like third-party cookies.

Google’s announcement suggests that the change is rooted in concerns from regulators and in industry’s low uptake of the Privacy Sandbox APIs. We find these explanations unpersuasive. 

First, at least one regulator known to be closely scrutinizing Privacy Sandbox, the UK’s Information Commissioner’s Office (ICO), reacted negatively to Google’s announcement, while the Competition and Markets Authority (CMA) is soliciting comments on the new approach. It’s also hard to imagine data protection agencies objecting to the elimination of tracking tools that are notoriously prone to abuse.

Second, as we noted in April, the shifting timeline for deprecation created a disincentive for industry to stop relying on cookies and instead adopt the Sandbox APIs or other privacy-respecting, designed-for-purpose mechanisms. It seems disingenuous for Google to blame its decision on a situation of its own creation.

It has been clear since at least the failure of Do Not Track that industry would not voluntarily relinquish its ability to surveil internet users’ online behavior in the name of more granular ad targeting, regardless of the documented privacy violations and real-world harms linked to such tracking. But despite the shifting implementation timeline, Google’s 2019 commitment to deprecating cookies on Chrome, the world’s most widely used browser, lent credence to the notion that the online advertising industry was capable of regulating itself. Even as the EU labored to enforce its General Data Protection Regulation (GDPR), and the rest of the world (including the U.S.) struggled to enact meaningful privacy protections, Google invited civil society—and the world’s internet users—to trust that it was working to guide an industry of titanic proportions in a more privacy-respecting direction. That trust has now been broken. 

That breach of faith will have more long-term implications for the web than just the ongoing abuses of online tracking for ad targeting. Backtracking on this years-long project will undermine other privacy proposals Chrome makes, as many in industry will see little benefit in adopting more private technology when they can instead lobby Google or some industry-friendly regulator to block privacy improvements. Privacy advocates and consumer protection agencies will have little reason to collaborate on new privacy technology if the largest vendor cannot be relied upon to stick with long-term multistakeholder commitments. And while other browser vendors remain motivated to move forward with privacy protections, the repeated delays in deprecating third-party cookies in Chrome have disincentivized websites from adopting more privacy-friendly technology, choosing instead to support only Chrome and leaving users of more privacy-forward browsers with a worse user experience. With this new announcement, Chrome is entrenching a status quo that is hostile to interoperability, frustrating to users, and damaging to smaller competitors’ privacy efforts. 

Google should re-think this decision and move forward more promptly with its long overdue shift to removing access to third-party cookies, as regulators, advocates, researcherstechnical experts, and even parts of the advertising industry have called for. 

If Google declines to reconsider, the implementation details of its promised “new user experience” will be important. Google should make it easy for users to opt out of tracking and sale and sharing of their data altogether, including but not limited to the third-party cookie mechanism. What the company shouldn’t do is rely on deceptive design and a byzantine user experience to get users to acquiesce to tracking, following the established industry playbook. Tactics like burying key information in a long policy document, requiring users to repeatedly confirm their choices (as with GDPR cookie banners), forcing users to jump through hoops (like “configuring” cookies instead of simply choosing not to allow third party cookies), and warning, scolding, or cajoling users with threats of a worse advertising experience all fail to clear even a low bar for enabling user choice. Choices about technical details shouldn’t be used to confuse or burden users: Google and others should engage civil society in developing user controls and other meaningful privacy improvements. 

We expect that Google is in dialogue with regulators about its plans, and it should publish details about those plans–including a binding implementation timeline–as quickly as possible. CDT, and the rest of civil society, will be watching closely. While Google has announced a significant step backwards for privacy and for community trust, we believe a more private web is achievable, and we will continue to work with government, civil society, and industry to get there.