Do You Need To Prepare for a Future Cookieless World?

A while back, Google announced that in 2024, third-party cookies would go away and the Chrome Browser would no longer support them.

The news was so big, it was known across the internet as the Cookiepocalypse. Sounds ominous, right?

Don’t worry, in June of 2024, Google officially canceled these plans, and it’s looking like tracking, ad-serving, and retargeting cookies are here to stay.

If your website relies on third-party cookies for marketing and advertising, you might be confused by this constantly-changing news.

To help clear things up, I explain why Google eventually changed their minds about no longer supporting third-party cookies and walk you through what their original plans were and how it might’ve impacted businesses across the internet.

Google’s Most Recent Update About Third Party Cookies

In a Privacy Sandbox blog post from July 22, 2024, the Vice President of Google’s Privacy Sandbox, Anthony Chavez, announced that Google canceled plans to stop supporting third party cookies after getting feedback from advertisers and regulators.

Instead of depreciating third party cookies, Chavez says they will introduce a new experience in Chrome allowing users to make informed choices applicable across all their web browsing.

Users will be able to adjust their choice at any time.

Google is reportedly discussing this new path with regulators and plans to also involve the industry as this new experience is rolled out.

In the meantime, the Privacy Sandbox API is still available and Google plans to continue to invest in them to continue making improvements in privacy and utility.

Brief Overview of Cookies

Let’s briefly define what cookies are and how they’re commonly used.

Technically speaking, cookies are small text files that websites leave on users’ browsers that contain bits of data.

While there are many different types of internet cookies, some are considered essential, as they help websites function properly. The rest are all considered non-essential cookies.

Let’s discuss each of these categories in more detail.

First-Party Cookies (Essential)

First-party cookies, sometimes called essential cookies, are stored on users’ browsers directly from the website or domain they’re visiting.

They streamline the user experience and help websites work properly by performing functions like:

• Retaining account information to make logging in more convenient
• Remembering what items a user puts into their digital shopping cart

Overall, first-party cookies are not very controversial and have a limited scope. They don’t follow users around the internet, nor do they contain very personal information.

Third-Party Cookies (Non-essential)

Third-party cookies are created by a party other than the website owner — these were the ones Google said would go away in 2024, but have since changed their minds.

Non-essential and third-party cookies usually contain a unique identifier called a cookie ID, which can be linked to an individual. That means these cookies qualify as personal information under data privacy laws like the:

• General Data Protection Regulation (GDPR)
• California Privacy Rights Act (CPRA)
• Virginia Consumer Data Protection Act (CDPA)

Some examples of third-party cookies include:

• Tracking cookies created by advertising companies
• Retargeting cookies that send users to a website that sells products they might like

These cookies can follow users around the internet and cause privacy concerns.

But was Google removing third-party cookies to give users more control over how their personal data is tracked and used? Or were their intentions more for self-interest?

In the next section, let’s unpack the reasons for initial Google’s decisions.

Why Were Cookies Going Away?

Cookies were going to go away to enhance privacy on the web, at least that’s according to a blog post from 2019 announcing Google’s Privacy Sandbox, written by Director of Chrome Engineering Justin Schuh.

In the post, Schuh states that technology used by advertisers to make advertising more relevant — i.e., cookies — was being used in ways far beyond the original intent of the technology, subverting the data privacy expectations of the average user.

Even though other browsers have already attempted to address these issues by blocking third-party cookies, Schuh says that Google believes the large-scale blocking undermined people’s privacy because it encouraged less transparent data tracking techniques, like fingerprinting, highlighted for you in the screenshot below.

Wait, what’s fingerprinting?

Fingerprinting is when a company makes a unique profile for an individual based on computer hardware, add-ons, software, and other preferences.

It is said to be much more invasive than cookies.

According to Google, there needs to be an agreed-upon set of standards to improve user privacy without having unintended consequences, hence the announcement of their Privacy Sandbox and the original plan to remove third-party cookies from the Chrome browser.

Was the Cookiepocalypse Really About Data Privacy?

Some people might question if Google’s intentions surrounding the removal of third-party cookies were as pure as they claim, especially since the company already has access to a ton of first-party user data. I agree that, at the very least, there’s room for a conversation here.

It’s no secret that tech-giant Google doesn’t need to depend on any third party’s data processing for their advertising or marketing. In reality, everyone else relies on Google as a third party.

So you might interpret the original plan as one that may have heavily benefited Google but cause everyone else to become even more reliant on the solutions the tech giant offers, like the Privacy Sandbox.

Either way, it appears that Google doesn’t need to rely on third-party cookies or individual trackers like many other businesses do for advertising and marketing purposes.

Now that Google has canceled the plans to remove third party cookies, it’s clear they’ve listened to the concerns of advertisers and others in the industry.

When Were Cookies Supposed to Go Away?

Before going back on the initial decisions, Google announced that cookies would go away during the second half of 2024.

However, that was the second planned date, which came after they postponed the original deadline.

Initially, Google aimed to remove cookies from the Chrome browser in 2022.

How “Cookieless” Would The World Really Have Been?

If the cookiepocalypse came to fruition, there would still have been plenty of first-party cookies in use online.

Let’s discuss this in more depth.

The Cookiepocalypse’s Potential Impact on First-Party Cookies

While the scope of marketing and advertising would have been heavily impacted by the cookiepocalypse, first-party cookies most likely would’ve remained out of the radar.

There have even been discussions at the European Union (EU) about a new proposal, called the ePrivacy Regulation, that would replace the ePrivacy Directive — aka the EU Cookie Law.

It states, in part:

‘…that no consent is needed for non-privacy intrusive cookies that improve internet experience…’.

The types of cookies this potentially refers to include:

• Essentials cookies — session cookies, user input cookies, authentication cookies, etc.
• Some non-essentials — anaytics cookies, customization cookies

My takeaway is that there would’ve been little to worry about regarding website functionality and user experience.

How Your Business Could Have Been Impacted By Cookies Going Away

Evidence suggested that third-party cookies going away could’ve impact businesses in the following ways:

• Consent would remain an essential lawful basis for using first-party cookies
• Companies would have had to adjust their advertising and marketing strategies

I’ll explain each of these predictions in more detail.

Consent in a Cookieless World

Even in a cookieless world, I believe consent would have remained an essential lawful basis businesses could’ve relied on for using first-party cookies, like:

• Customization cookies
• All essential cookies

In the following sections, we highlight how consent remains relevant under data privacy laws in the European Union (EU) and the US.

Cookies, Consent, and the GDPR

Regardless of what happens with the ePrivacy Regulation we mentioned previously, the current EU law in place, the ePrivacy Directive, still requires informed, explicit consent from users before storing or accessing the information on their devices.

Similarly, the GDPR still requires businesses to be able to demonstrate a user’s consent, as stated in Article 7 of the law. Therefore cookie banners and thoroughly-written cookie policies would’ve likely still been required for businesses.

Cookies, Consent, and US Data Privacy Laws

In the US, several states have recently enacted comprehensive privacy legislation that impacts cookies, including:

• California — California Privacy Rights Act (CPRA)
• Colorado — Colorado Privacy Act (CPA)
• Connecticut — Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
• Utah — Utah Consumer Privacy Act (UCPA)
• Virginia — Consumer Data Protection Act (CDPA)

The CPRA is technically an amendment to a California law already in place, the California Consumer Protection Act (CCPA). With the new changes in effect, the law now covers the selling and sharing of personal data for cross-contextual behavioral advertising purposes where no monetary or other valuable consideration is involved.

This includes cookies that rely on targeted advertising, even if no material or other gain applies.

The CPRA grants consumers the right to opt out of the selling and sharing of their personal data, including what’s collected through cookies. The other four state laws have adopted a similar approach to data collection.

As a result, I expect posting a ‘Do Not Sell or Share My Personal Information’ link or button as required for the CCPA and the CPRA would have possibly also met opt-out requirements under the CDPA, the UCPA, the CPA, and the CTDPA.

But opt-in consent is needed in the following instances under two of the five new US state data privacy laws:

• Colorado CPA: Requires explicit consumer consent for targeted advertising and sale of personal information (e.g., setting third-party cookies or trackers)
• Connecticut CTDPA: Requires a business to obtain consumer’s consent if it intends to process personal information for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal information is processed, as disclosed to the consumer

According to our data privacy experts, while cookies are still around, you should set your consent banner on EU opt-in settings for Colorado if you’re running any analytics or marketing cookies.

If you have any non-essential cookies, you should do the same for Connecticut.

Consent, Cookies, and Global Privacy Controls (GPC)

Some newer data privacy laws now account for consent technology, like Global Privacy Controls (GPC), stipulating that businesses should begin honoring users’ opt-out preference settings on their browsers regarding trackers and cookies.

For example, the amended CCPA and Colorado’s CPA both introduced a GPC signal that allows consumers to opt out by device or browser instead of being required to opt out on each site individually using a link.

The California Attorney General’s office has stated that businesses that sell personal information must honor GPC signal, which is also obligatory in Colorado as of July 1, 2024.

As for Connecticut, the CTDPA outlines that you should enable consumers to opt out of the processing of their personal information for targeted advertising or the sale of their personal data through preference signals sent by:

• A platform
• Technology
• Other Mechanism

The projected date for this is no later than 1 January 2025 (and third-party cookies, we now know, will still be around at that time).

Changes in Marketing and Advertising Strategies

If we entered a cookieless marketing world, companies would likely have had to rethink their digital marketing and advertising strategies.

Even though Chrome is no longer planning on removing third-party cookies by 2024, we do have some insight as to what a cookieless world could’ve been like, because some browsers already block third-party cookies by default, including:

• Firefox
• Safari
• Edge
• Brave

But an estimated 3.2 billion internet users worldwide use Chrome as their default browser (Statista); that’s the majority of the market share.

This massive market share is why marketers and advertisers refered to Chrome’s plans to remove third-party cookies as the cookiepocalypse. Because if it has finalized, it would have had a significant impact on all of their business models.

There was even a wave of propositions by the Google Privacy Sandbox that would impact how companies would need to build their digital revenue moving forward, including:

• Topics API for interest-based advertising
• FLEDGE on on-device ad auctions
• Attribution reporting API on Digital Ads measurement

How Can You Prepare and Adapt

Our legal team and data privacy experts suggest the following actions to help prepare your website for the future cookie-free internet:

• Build a third-party-free cookie-compliant website
• Leverage first and zero-party data for marketing
• Rely on walled gardens for targeted ads
• Look out for upcoming regulations on cookies, i.e., the ePrivacy Regulation

Let’s go over these tips in more detail to prepare you for a cookie-free internet.

Build a Third-Party Free Cookie-Compliant Website

You should plan to adapt your website to block third-party cookies and adjust to new consent requirements. It will be good to set this up sooner rather than later.

When the shift does happen, you’ll already be prepared and aren’t left scrambling to catch up.

Enter your site into our scanner below to see which third-party cookies you currently use:

Leverage First and Zero-Party Data for Marketing

Even before cookies go away, you should start leveraging first-party data for your marketing strategies, but we also suggest learning how to use zero-party data.

Sources suggest that Forrester Research coined the term zero-party data, and it refers to data that a customer proactively chooses to share with you, such as:

• Details a user provides to you in a preference center
• Purchase intentions set by the user
• Personal contexts as set by the user
• Details about how the user wants a brand to recognize them

This zero-party data and any other data obtained directly from first parties will have an increased value for marketers in a cookieless world because it can indicate clear intent and be used compliantly, even under strict data privacy laws like the GDPR.

One of the Privacy Sandbox initiatives — First-Party Sets — also aims to support first-party data use for businesses.

Rely on Walled Gardens for Targeted Ads

Start familiarizing yourself with and relying on walled gardens for targeted advertising in a world without cookies.

A walled garden is an ad platform where the publisher handles all the buying, serving, tracking, and reporting. So think of companies like Google, Facebook, and Amazon, which already own, have access to and control massive amounts of first-party user data.

These gardens typically accompany first-party data targeting, self-serve advertiser portals, auction pricing, and more.

Walled gardens are a closed system where publishers own their entire ad platform, and they are likely to become essential resources once everyone shifts to cookieless advertising.

Look Out for Upcoming Regulations on Cookies

As we get closer to a cookieless future, pay attention to new, changing, and upcoming regulations on cookies and other trackers, like the ePrivacy Regulation we mentioned previously and the new state data privacy laws in the US.

Though it has been in discussion between EU institutions since 2017 and has yet to have a clear timeline, there’s a clear objective on the horizon to adapt the EU’s regulatory requirements to the rapid evolution of tracking technologies.

As with the GDPR, it may encourage other regulators to start a new wave of regulations.

We anticipate seeing several announcements and proposals for data privacy legislation the closer we get to the second half of 2024.

How Termly Is Preparing

We pride ourselves on always being up to date, so we’re preparing for the cookieless future ahead of us by following the development of Google Privacy Sandbox.

Our legal team is also closely watching to ensure our policies and products reflect the most recent changes in technology and legislation.

Along with tracking the implementation of Google Privacy Sandbox, we’re ensuring our Cookie Consent Manager keeps up with blocking third-party cookies by 2024.

Plus, we’re looking for other new privacy management features that could impact our products.

Our legal team will continue to monitor our policies and products to keep up with the evolution of the regulations on cookies and other tracking technologies.

Summary

Google’s plans to no longer support third-party cookies on the Chrome browser will change how most of us market and advertise to consumers, but not all cookies are going away.

Websites should still be able to rely on essential and first-party cookies, some of which will likely still require explicit user consent under laws like the GDPR.

But you can trust that our tools will remain in compliance with relevant data privacy laws as we transition to a world without cookies.

Until then, you should:

• Start building your website to block third-party cookies automatically
• Familiarize yourself with walled gardens and zero-party data
• Adapt your marketing and advertising strategies to rely more on first-party data and organic SEO traffic
• Start relying on the zero-party data your users choose to share with you

It’s possible to not only survive but thrive during the cookiepocalypse. But if the going gets rough, you can trust that we’ll be here to help you along the way.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author