![How-To-Prepare-for-a-Cookieless-World-[Cookiepocalypse]](https://termly.io/wp-content/uploads/How-To-Prepare-for-a-Cookieless-World-Cookiepocalypse.svg){kind=small}
In 2024, cookies are going away in what is being called across the broadest reaches of the internet: the Cookiepocalypse. Ooh, that sounds ominous, right?
Well, if you’re a third-party cookie, it is ominous because, in 2024, the Google Chrome Browser will no longer support the use of any third-party cookies — rest in peace to tracking, ad-serving, and retargeting cookies.
If your website relies on third-party cookies for marketing and advertising, you might be panicked by this news, and we get it. There’s a lot of change on the horizon.
But cookieless advertising is more than possible, and remember, you’re not in it alone. Just think of this article as your handy cookiepocalypse survival guide.
Below, we discuss why Google is no longer supporting third-party cookies, make predictions about what the cookieless future will be like, and provide tips on how you can best adapt before we officially say goodbye to these little trackers forever.
Brief Overview of Cookies
Let’s briefly define what cookies are and how they’re commonly used.
Technically speaking, cookies are small text files that websites leave on users’ browsers that contain bits of data.
While there are many different types of internet cookies, some are considered essential, as they help websites function properly. The rest are all considered non-essential cookies.
Let’s discuss each of these categories in more detail.
First-Party Cookies (Essential)
First-party cookies, sometimes called essential cookies, are stored on users’ browsers directly from the website or domain they’re visiting.
They streamline the user experience and help websites work properly by performing functions like:
- Retaining account information to make logging in more convenient
- Remembering what items a user puts into their digital shopping cart
Overall, first-party cookies are not very controversial and have a limited scope. They don’t follow users around the internet, nor do they contain very personal information.
So the cookiepocalypse shouldn’t impact the use of essential or first-party cookies necessary for websites to function correctly.
Third-Party Cookies (Non-essential)
Third-party cookies are created by a party other than the website owner — these are the ones Google says are going away in 2024.
Non-essential and third-party cookies usually contain a unique identifier called a cookie ID, which can be linked to an individual. That means these cookies qualify as personal information under data privacy laws like the:
- General Data Protection Regulation (GDPR)
- California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (CDPA)
Some examples of third-party cookies include:
- Tracking cookies created by advertising companies
- Retargeting cookies that send users to a website that sells products they might like
These cookies can follow users around the internet and cause privacy concerns.
But is Google removing third-party cookies to give users more control over how their personal data is tracked and used? Or are their intentions more for self-interest?
In the next section, let’s unpack the real reasons for Google’s decisions.
Why Are Cookies Going Away?
Cookies are going away to enhance privacy on the web, at least that’s according to a blog post from 2019 announcing Google’s Privacy Sandbox, written by Director of Chrome Engineering Justin Schuh.
In the post, Schuh states that technology used by advertisers to make advertising more relevant — i.e., cookies — was being used in ways far beyond the original intent of the technology, subverting the data privacy expectations of the average user.
Even though other browsers have already attempted to address these issues by blocking third-party cookies, Schuh says that Google believes the large-scale blocking undermined people’s privacy because it encouraged less transparent data tracking techniques, like fingerprinting, highlighted for you in the screenshot below.
Wait, what’s fingerprinting?
Fingerprinting is when a company makes a unique profile for an individual based on computer hardware, add-ons, software, and other preferences.
It is said to be much more invasive than cookies.
According to Google, there needs to be an agreed-upon set of standards to improve user privacy without having unintended consequences, hence the announcement of their Privacy Sandbox and the official removal of third-party cookies from the Chrome browser.
Is the Cookiepocalypse Really About Data Privacy?
Some people might question if Google’s intentions surrounding the removal of third-party cookies are as pure as they claim, especially since the company already has access to a ton of first-party user data. We agree that, at the very least, there’s room for a conversation here.
It’s no secret that tech-giant Google doesn’t need to depend on any third party’s data processing for their advertising or marketing. In reality, everyone else relies on Google as a third party.
So you might interpret this decision as one that heavily benefits Google but may cause everyone else to become even more reliant on the solutions the tech giant offers, like the previously mentioned Privacy Sandbox.
Either way, it’s clear that Google doesn’t need to rely on third-party cookies or individual trackers like many other businesses do for advertising and marketing purposes.
When Are Cookies Going Away?
At the time of publishing this article, Google announced that cookies should go away during the second half of 2024.
However, this is the second time they’ve postponed the deadline.
Initially, Google aimed to remove cookies from the Chrome browser in 2022. But a new timeline was set for the end of 2023 until the company finally settled on 2024.
There’s no doubt a chance the date could change again, as Google is still finalizing a viable alternative to cookies.
But no matter what happens with the timeline, it’s in your best interest to start preparing for the cookieless future now. It will only help make the transition much smoother once Chrome officially stops supporting third-party cookies.
How “Cookieless” Will The World Really Be?
Once we enter the cookiepocalypse, there will still be plenty of first-party cookies in use online. However, they’ll perform different functions than we’re used to with third-party cookies.
The cookieless future will undoubtedly still have cookies. Anticlimactic, we know.
Let’s discuss this in more depth.
The Cookiepocalypse’s Potential Impact on First-Party Cookies
While we expect the scope of marketing and advertising to be heavily impacted by the cookiepocalypse, first-party cookies should remain mostly out of the radar.
Currently, there’s even discussion at the European Union (EU) about a new proposal, called the ePrivacy Regulation, that would replace the ePrivacy Directive — aka the EU Cookie Law.
It states, in part:
‘…that no consent is needed for non-privacy intrusive cookies that improve internet experience…’.
The types of cookies this potentially refers to include:
- Essentials cookies — session cookies, user input cookies, authentication cookies, etc.
- Some non-essentials — anaytics cookies, customization cookies
Our takeaway is that there is little to worry about regarding website functionality and user experience.
First-party cookies aren’t going anywhere anytime soon.
How Your Business Is Impacted By Cookies Going Away
Evidence suggests that third-party cookies going away will impact businesses in the following ways:
- Consent will remain an essential lawful basis for using first-party cookies
- Companies will have to adjust their advertising and marketing strategies
Let’s explain each of these predictions in more detail.
Consent in a Cookieless World
Even in a cookieless world, we anticipate that consent will remain an essential lawful basis businesses can rely on for using first-party cookies, like:
- Customization cookies
- All essential cookies
In the following sections, we highlight how consent remains relevant under data privacy laws in the European Union (EU) and the US.
Cookies, Consent, and the GDPR
Regardless of what happens with the ePrivacy Regulation we mentioned previously, the current EU law in place, the ePrivacy Directive, still requires informed, explicit consent from users before storing or accessing the information on their devices.
Similarly, the GDPR still requires businesses to be able to demonstrate a user’s consent, as stated in Article 7 of the law. Therefore cookie banners and thoroughly-written cookie policies will likely still be required for businesses.
Cookies, Consent, and US Data Privacy Laws
In the US, five states have recently enacted comprehensive privacy legislation that impacts cookies, including:
- California — California Privacy Rights Act (CPRA)
- Colorado — Colorado Privacy Act (CPA)
- Connecticut — Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
- Utah — Utah Consumer Privacy Act (UCPA)
- Virginia — Consumer Data Protection Act (CDPA)
Note that the California and Virginia laws are already in force, whereas the others are scheduled to come into effect later in 2023.
The CPRA is technically an amendment to a California law already in place, the California Consumer Protection Act (CCPA). With the new changes in effect, the law now covers the selling and sharing of personal data for cross-contextual behavioral advertising purposes where no monetary or other valuable consideration is involved.
This includes cookies that rely on targeted advertising, even if no material or other gain applies.
The CPRA grants consumers the right to opt out of the selling and sharing of their personal data, including what’s collected through cookies. The other four state laws have adopted a similar approach to data collection.
As a result, we expect posting a ‘Do Not Sell or Share My Personal Information’ link or button as required for the CCPA and the CPRA would also meet opt-out requirements under the CDPA, the UCPA, the CPA, and the CTDPA.
But opt-in consent is needed in the following instances under two of the five new US state data privacy laws:
- Colorado CPA: Requires explicit consumer consent for targeted advertising and sale of personal information (e.g., setting third-party cookies or trackers)
- Connecticut CTDPA: Requires a business to obtain consumer’s consent if it intends to process personal information for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal information is processed, as disclosed to the consumer
According to our data privacy experts, while cookies are still around, you should set your consent banner on EU opt-in settings for Colorado if you’re running any analytics or marketing cookies.
If you have any non-essential cookies, you should do the same for Connecticut.
Consent, Cookies, and Global Privacy Controls (GPC)
Some newer data privacy laws now account for consent technology, like Global Privacy Controls (GPC), stipulating that businesses should begin honoring users’ opt-out preference settings on their browsers regarding trackers and cookies.
For example, the amended CCPA and Colorado’s CPA both introduced a GPC signal that allows consumers to opt out by device or browser instead of being required to opt out on each site individually using a link.
The California Attorney General’s office has stated that businesses that sell personal information must honor GPC signals. This method should also become obligatory in Colorado after 1 July 2024.
As for Connecticut, the CTDPA outlines that you should enable consumers to opt out of the processing of their personal information for targeted advertising or the sale of their personal data through preference signals sent by:
- A platform
- Technology
- Other Mechanism
The projected date for this is no later than 1 January 2025, and third-party cookies should already be long gone by then. However, preparing for these changes sooner rather than later is worthwhile.
Changes in Marketing and Advertising Strategies
Once we enter the cookieless marketing world, companies will likely have to rethink their digital marketing and advertising strategies.
Even though Chrome is planning on removing third-party cookies by 2024, we already have some insight as to what a cookieless world will be like, because some browsers already block third-party cookies by default, including:
- Firefox
- Safari
- Edge
- Brave
But an estimated 3.2 billion internet users worldwide use Chrome as their default browser (Statista); that’s the majority of the market share.
This massive market share is why marketers and advertisers refer to Chrome’s plans to remove third-party cookies as the cookiepocalypse. Because once finalized, it will have a significant impact on all of their business models.
There is currently a wave of propositions by the Google Privacy Sandbox that would impact how companies would need to build their digital revenue moving forward, including:
- Topics API for interest-based advertising
- FLEDGE on on-device ad auctions
- Attribution reporting API on Digital Ads measurement
But other independent groups may also develop additional cookieless targeting methods, so be on the lookout.
In the meantime, consider relying more on first-party data and organic traffic derived from search engine optimization (SEO).
How Can You Prepare and Adapt
Our legal team and data privacy experts suggest the following actions to help prepare your website for the future cookie-free internet:
- Build a third-party-free cookie-compliant website
- Leverage first and zero-party data for marketing
- Rely on walled gardens for targeted ads
- Look out for upcoming regulations on cookies, i.e., the ePrivacy Regulation
Let’s go over these tips in more detail to prepare you for a cookie-free internet.
Build a Third-Party Free Cookie-Compliant Website
You should plan to adapt your website to block third-party cookies and adjust to new consent requirements. It will be good to set this up sooner rather than later.
When the shift does happen, you’ll already be prepared and aren’t left scrambling to catch up.
Enter your site into our scanner below to see which third-party cookies you currently use:
Leverage First and Zero-Party Data for Marketing
Even before cookies go away, you should start leveraging first-party data for your marketing strategies, but we also suggest learning how to use zero-party data.
Sources suggest that Forrester Research coined the term zero-party data, and it refers to data that a customer proactively chooses to share with you, such as:
- Details a user provides to you in a preference center
- Purchase intentions set by the user
- Personal contexts as set by the user
- Details about how the user wants a brand to recognize them
This zero-party data and any other data obtained directly from first parties will have an increased value for marketers in a cookieless world because it can indicate clear intent and be used compliantly, even under strict data privacy laws like the GDPR.
One of the Privacy Sandbox initiatives — First-Party Sets — also aims to support first-party data use for businesses.
Rely on Walled Gardens for Targeted Ads
Start familiarizing yourself with and relying on walled gardens for targeted advertising in a world without cookies.
A walled garden is an ad platform where the publisher handles all the buying, serving, tracking, and reporting. So think of companies like Google, Facebook, and Amazon, which already own, have access to and control massive amounts of first-party user data.
These gardens typically accompany first-party data targeting, self-serve advertiser portals, auction pricing, and more.
Walled gardens are a closed system where publishers own their entire ad platform, and they are likely to become essential resources once everyone shifts to cookieless advertising.
Look Out for Upcoming Regulations on Cookies
As we get closer to a cookieless future, pay attention to new, changing, and upcoming regulations on cookies and other trackers, like the ePrivacy Regulation we mentioned previously and the new state data privacy laws in the US.
Though it has been in discussion between EU institutions since 2017 and has yet to have a clear timeline, there’s a clear objective on the horizon to adapt the EU’s regulatory requirements to the rapid evolution of tracking technologies.
As with the GDPR, it may encourage other regulators to start a new wave of regulations.
We anticipate seeing several announcements and proposals for data privacy legislation the closer we get to the second half of 2024.
How Termly Is Preparing
We pride ourselves on always being up to date, so we’re preparing for the cookieless future ahead of us by following the development of Google Privacy Sandbox.
Our legal team is also closely watching to ensure our policies and products reflect the most recent changes in technology and legislation.
Along with tracking the implementation of Google Privacy Sandbox, we’re ensuring our Cookie Consent Manager keeps up with blocking third-party cookies by 2024.
Plus, we’re looking for other new privacy management features that could impact our products.
Our legal team will continue to monitor our policies and products to keep up with the evolution of the regulations on cookies and other tracking technologies.
Summary
Google’s plans to no longer support third-party cookies on the Chrome browser will change how most of us market and advertise to consumers, but not all cookies are going away.
Websites should still be able to rely on essential and first-party cookies, some of which will likely still require explicit user consent under laws like the GDPR.
But you can trust that our tools will remain in compliance with relevant data privacy laws as we transition to a world without cookies.
Until then, you should:
- Start building your website to block third-party cookies automatically
- Familiarize yourself with walled gardens and zero-party data
- Adapt your marketing and advertising strategies to rely more on first-party data and organic SEO traffic
- Start relying on the zero-party data your users choose to share with you
It’s possible to not only survive but thrive during the cookiepocalypse. But if the going gets rough, you can trust that we’ll be here to help you along the way.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
