How Google’s Privacy Sandbox and Chrome’s cookie deprecation will affect the web

By John Hughes

21 June 2024

A brief overview of the changes and challenges ahead for user privacy.

When you browse the web, you may encounter various types of cookies. Cookies are small pieces of data that websites store on your browser when you visit them. They can serve different purposes. For example, they remember your preferences, settings, login information, or shopping cart items. Or, they show you targeted ads or personalized content.

However, not all cookies are the same, and some of them may have implications for your online privacy and security. Furthermore, the way that companies can and do use cookies is evolving in response to GDPR and other privacy concerns. Some browsers now block, or will soon begin to block, some kinds of cookies. What does that mean for digital services, and what does that mean for users?

In this blog post, we'll explain the difference between first-party cookies and third-party cookies. We will discuss the privacy issues with third-party cookies. We will also discuss how Google's Privacy Sandbox and Chrome's cookie deprecation will affect the web.

First-party cookies vs third-party cookies

You can classify cookies into two types: first-party cookies and third-party cookies.

First-party cookies are set by the website you are visiting and can only be accessed by that website. They are typically used to remember your preferences, settings, login information, or shopping cart items.

They are called first-party cookies because they are set using the domain of the website you are visiting. For example, a first-party cookie set when you are visiting stormid.com will be set on the domain .stormid.com. This means only code on stormid.com (or its sub-domains) can read the contents of the cookie. This is great for keeping data secure within the context of that website.

Third-party cookies are set by other domains that are not the website you are visiting, such as advertisers or social media platforms. They track your browsing across many websites. They use this to build a profile of your interests. This profile can then be used to deliver targeted advertising or personalized content to you.

They are called third-party cookies because they are set on a domain which is not the same as the website you are visiting, by code that is embedded within that website but not directly part of it. For example, an advertising cookie might be set using the domain adnxs.com. The code that sets this cookie might have access to data about you and the website you are visiting and store or transfer such data to its own servers. Later, on another website, code from adnxs.com might find that cookie. It could then link your visit on this website to other sites you've visited and data they gave it.

Such are the privacy concerns about third-party cookies. They allow services to link data across different websites and build a complex profile of users and their habits. They collect various data along the way. First-party cookies cannot do this as the data is kept within the confines of one website.
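The linkage described above can be shown with a small simulation. This is an added example, not code from the original post: the cookie jar is a toy model, news.example is a hypothetical second site, and a request counts as third-party whenever its host differs from the site being visited (real browsers compare registrable domains).

```javascript
// Added illustration: a toy browser cookie jar, not real browser code.
// Cookies are stored per domain, as the post describes: a cookie set on
// adnxs.com is sent back to adnxs.com wherever its code is embedded.
function makeBrowser({ blockThirdParty }) {
  const jar = new Map(); // cookie domain -> cookie value
  let nextId = 1;
  // One request made from a page on `topSite` to a server on `host`.
  function request(topSite, host) {
    const thirdParty = host !== topSite; // simplification (assumption)
    if (thirdParty && blockThirdParty) return null; // cookie neither read nor set
    if (!jar.has(host)) jar.set(host, `id-${nextId++}`);
    return jar.get(host);
  }
  return { request };
}

// Constructed browsing session: two unrelated sites both embed adnxs.com code.
const VISITS = [
  { site: "stormid.com", embeds: ["adnxs.com"] },
  { site: "news.example", embeds: ["adnxs.com"] }, // hypothetical site
];

function browse(blockThirdParty) {
  const browser = makeBrowser({ blockThirdParty });
  const firstPartyIds = {}; // the ID each site sees in its own cookie
  const trackerLog = {};    // what the embedded third party can record: id -> sites
  for (const { site, embeds } of VISITS) {
    firstPartyIds[site] = browser.request(site, site);
    for (const host of embeds) {
      const id = browser.request(site, host);
      if (id !== null) (trackerLog[id] = trackerLog[id] || []).push(site);
    }
  }
  return { firstPartyIds, trackerLog };
}

// Sites the third party can tie to a single cookie ID.
function linkedSites(blockThirdParty) {
  const { trackerLog } = browse(blockThirdParty);
  return Object.values(trackerLog).map((sites) => sites.join(","));
}

console.log("third-party cookies allowed:", linkedSites(false));
console.log("third-party cookies blocked:", linkedSites(true));
```

With third-party cookies allowed, one ID ties both visits together; with them blocked, the embedded code has nothing to link, while each site's own first-party cookie keeps working.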

The privacy implications of third-party cookies

Third-party cookies enable targeted ads. These ads are the main source of revenue for many online publishers and platforms. Targeted ads can benefit users, showing them useful, relevant ads. They also benefit advertisers. They increase their return on investment and efficiency.

However, third-party cookies also pose big privacy risks. They can collect sensitive information about users without their consent or awareness. There are several privacy issues that arise from the use of third-party cookies.

Some users may find targeted ads intrusive, annoying, or irrelevant. They may opt out of receiving them or block them altogether. However, this may affect the functionality and quality of some websites. It may also limit the access to free content and services that rely on ads.

Some users may also fear misuse of their data. This could be by third parties, such as for identity theft, fraud, or discrimination. For example, third parties may use cookies to collect data. They may use it to infer users' health, finances, politics, or sexuality. Although they may not, it is possible they could use these inferences for unethical or illegal purposes. Moreover, the inferences themselves may be incorrect, even though they are inferred from correct source data.

Some users lack a clear understanding of third-party cookies and online privacy. They may not know how to manage cookie settings or opt out of targeted advertising. They may also be unsure how to access and delete their data held by third parties.

How Chrome will deprecate third-party cookies and when

Chrome is the most popular web browser in the world, with a market share of around 65% globally, or 51% in the UK (correct as of June 2024). In January 2020, Google announced that Chrome will stop supporting third-party cookies. This follows other browsers like Safari and Firefox. The main reason for this decision is to improve user privacy and security. It is also to comply with growing demands for more transparency and control over online data use. In May 2023, Google announced it had reached the point of no return and that the process of deprecation would begin in January 2024.

Chrome will replace third-party cookies. It will do this with a set of alternative technologies and standards. They are collectively referred to as the Privacy Sandbox. The Privacy Sandbox aims to keep the good parts of online advertising. These include funding free content and services. It also aims to reduce the privacy harms of third-party cookies.

The ramifications of Google's Privacy Sandbox

The Privacy Sandbox is complex and ambitious. It involves many proposals and experiments. Some are still in development or testing. Some of the key proposals include:

  • Federated Learning of Cohorts (FLoC) groups users into large cohorts based on their browsing. It lets advertisers target them without identifying them. This way, users' privacy is protected. Their personal data is not shared with third parties. Only aggregated and anonymized data is used for advertising.
  • Fenced Frames isolate embedded content from the main page. They prevent cross-site tracking and communication. This way, users' privacy is protected. Third parties cannot access or change the data or resources of the main page. Only content allowed by the user or the publisher is displayed.
  • Trust Tokens are cryptographically signed tokens. They can tell apart bots and humans, and first-party and third-party contexts. This way, users' privacy is protected. Third parties cannot use cookies or other identifiers to track or impersonate users. Only trusted parties issue and verify the tokens used for authentication or fraud prevention.
  • The Privacy Budget limits how much a website can learn about a user's browser and device. It also stops fingerprinting. This protects users' privacy. Third parties can't use the unique mix of browser and device traits to identify or track users. Only the needed and relevant information is available.

The Privacy Sandbox has big implications for online advertising. It will change how advertisers, publishers, and platforms measure, improve, and show ads.

It will reduce the accuracy of user targeting and personalisation. Third-party cookies will no longer provide a unique user identifier. This may affect some ad campaigns. It will hurt their effectiveness and performance. It will also hurt user satisfaction.

There will be a shift in power and revenue among players. Google will have more control over the design and implementation of the Privacy Sandbox. It may favor its own products and services, whether on purpose or not. This may affect the competitiveness and diversity of the online ad market. It will also affect the incentives for innovation and collaboration.

The Privacy Sandbox has interoperability and compatibility challenges. It must work with other browsers, platforms, and standards. But Google may face resistance from its competitors or regulators. This may affect the consistency and quality of the online advertising ecosystem, as well as user choice and convenience.

Critically, industry stakeholders need more innovation and collaboration. They must adapt to new tech and methods. They need to find new ways to create value and trust for users and advertisers. Content developers will need to be aware of the requirements of the Privacy Sandbox, such as fenced frames. This may also create new opportunities and challenges for online ads. It will also affect user privacy and security.

Interest from the Competition and Markets Authority

The CMA is the UK's independent regulator. It promotes competition and protects consumers from unfair or illegal practices. The CMA has shown a strong interest in Google's Privacy Sandbox and Chrome's cookie deprecation. They may have big effects on the online ad market and the digital economy.

In January 2021, the CMA launched an investigation into Google's Privacy Sandbox. This followed complaints from industry groups. They said Google's proposals may harm competition and consumer choice. The CMA is concerned as it thinks Google's Privacy Sandbox may unfairly distort competition. This could reduce the quality and variety of content for UK users. It would ultimately harm their privacy and security.

It is likely that, on purpose or not, the technology would favour Google's advertising products and services. It would also hurt rivals' ability to compete. It may even mean Google might use its top position in search and browsers to get an unfair advantage over other advertisers and publishers. It might also use that position to exclude them from the Privacy Sandbox or disadvantage them in using it. Even without Google abusing its position, it would still mean the entire industry playing by Google's rulebook.

Publishers and platforms may lose money and reasons to invest and innovate. This would likely reduce the quality and variety of digital content and services. For example, publishers and platforms may get less ad revenue or face higher costs due to the changes in online advertising. They may also struggle to offer relevant content and services to users and advertisers.

Through Privacy Sandbox, Google may collect and use more data than needed. It also may limit users' options and control over their online privacy. For example, Google could use the data from the Privacy Sandbox for its own purposes. Or, it may not give users enough transparency and choice about their data collection and use.

The CMA is working closely with the UK's data protection authority, the Information Commissioner's Office (ICO). They are doing this to ensure that Google's Privacy Sandbox balances privacy and competition. The CMA is also talking to Google and others in the industry. They want to understand the impact of Google's Privacy Sandbox and to find ways to fix any problems.

The CMA can punish Google if it finds that Google's Privacy Sandbox breaks UK competition law or harms consumers. The CMA's investigation is ongoing, with further updates this year.