Google has eliminated third-party cookies for 1% of Chrome users as of January 2024, with the stated goal for cross-site tracking by third parties to be completely phased out by the end of the year.
Google settles $5 billion privacy lawsuit ahead of cookie phase-out
This will have an impact on businesses, which will need to adapt their data collection methods to focus on using first-party data for business analytics and digital marketing strategies. Industry experts also argue this change will help Google position itself as the go-to source for businesses to access analytics on user behavior, by expanding its monopoly over Chrome-harvested user data.
The end of cookies has been inevitable for a number of years and many of the best web browsers already push the idea of going ‘cookieless’. Matt White, vice president at SaaS specialist Quantcast, tells ITPro this move is by no means groundbreaking.
“While much is being made about Google’s removal of third-party cookies in 2024, more than 50% of internet users are already using ‘cookieless’ browsers like Safari and Firefox, meaning they aren’t addressable or measurable through third-party cookies.”
Chrome was the slowest of the mainstream browsers to crack down on cross-site tracking with competitors such as Firefox and Safari removing third-party cookies from their browsers years ago. Yet White adds that due to the considerable market share Google’s Chrome browser enjoys, businesses should be paying attention to how they will need to adapt.
“However, given Google Chrome’s reach, this will still be a significant change that business leaders can’t afford to ignore.”
FLoC failure – is Topics the answer for Google?
Google’s first proposed alternative to third-party cookies, the Federated Learning of Cohorts (FLoC) project, replaced cross-site tracking by third parties with an in-house user profiling system. Under FLoC, individual internet browsers would be sorted into groups, or ‘cohorts’, according to insights on their interests generated using their browsing data, which could be anonymized and shared with advertisers.
FloC suffered privacy and security flaws and was criticized by Wordpress over fears it could increase discrimination. One paper authored by MIT Media Lab doctoral students Alex Berke and Dan Calacci concluded. Berke and Calacci applied the FLoC profiling system to browsing data from 90,000 devices in the US over one year. They found the anonymized FLoC cohort ID sequences could be still used to generate unique identifiers for individual users.
“We estimate the number of users in our dataset that could be uniquely identified by FLoC IDs is more than 50% after 3 weeks and more than 95% after 4 weeks,” the pair wrote.
Google shelved the FLoC project in January 2022, announcing it would be looking at a different approach to interest-based advertising informed by its learnings from the FLoC trials: Topics. Topics, like FLoC, provide ad tech platforms with topics of interest for a given user, with the key difference between the two systems being Topics will assign three to five possible topics of interest every three weeks instead of weekly.
Google’s delay in phasing out third-party cookies reflects its commitment to continuing to profile individual users to serve them targeted advertisements. It has lagged behind competitors such as Mozilla, which introduced Enhanced Tracking Protection (ETP) in 2018 to block trackers based on a maintained list, or Safari which was the first major browser to block cross-site tracking by default in 2020.
Firefox added Total Cookie Protection in 2022, preventing sites from being able to read cookies created by third parties.
Is Topics Google’s way of “hoarding” Chrome browsing data?
CyberArk’s offensive security research evangelist Andy Thompson tells ITPro that blocking third parties’ ability to gather user data is a positive step from Google in terms of online privacy.
“From the data gathering perspective, these data aggregating organizations are now unable to track user behavior, so that is absolutely a positive aspect.”
But Thompson casts doubt on the motivations behind this move, suggesting it was in the search giant’s own business interests to eliminate third-party tracking in favor of its own, in-house user-profiling system.
“I mean, Edge does this, Brave does this, Firefox does this. So this isn't anything particularly groundbreaking. But this is Google's way of hoarding this data, considering they're the global leader in browsers.”
Asked if Google has ensured Topics and its updated privacy sandbox will not impact revenues, Thompson responds in the affirmative. “I completely agree and would even go a step further to say what Google is doing is monopolizing this functionality and removing the other competitors from the market, ultimately making Google the source in user behavior analytics.”
Google is not killing cookies or the tracking they enabled; it is instead putting an end to cross-site tracking by anyone other than itself. As it completes the transition away from third-party cookies, Google is tightening its grip on the data generated by the world’s browsing traffic, of which Chrome has a ~65% market share per Statcounter.
Security improvements matched with first-party cookies issues
There are security benefits to phasing out third-party cookies in Chrome, according to Thompson, as it will limit potentially malicious third-parties from accessing user data.
“I believe that there is some level of security improvement from the perspective of ‘prying eyes’," he says.
“This will prevent a rogue third party or threat actor from being able to track the behavior of a user. And that's critically important when we start talking about open source intelligence gathering and building a user profile.”
Although these security benefits will be welcomed by businesses, Thompson stressed there are still security vulnerabilities in first-party cookies which come bundled with elements essential for site functionality.
“[O]nce you compromise an endpoint, or you do some sort of cross-site scripting (XSS) attack, and get a hold of these cookies, it's incredibly easy to literally bypass multi-factor authentication (MFA). So it does not matter how complex your password is, it doesn't matter if you're using the latest and greatest MFA. Once you hack a cookie, you hijack the session and you bypass all that.
Online businesses must hone first-party data collection methods
Online marketing firms are facing even more significant changes. Daisy Sajnog, head of measurement at internet marketing specialists Fountain, believes organizations will need to focus on how they collect and utilize first-party data.
"Marketers will have to shift to focusing on collecting quality first-party data, especially around conversion measurement. Think utilizing [customer relationship management (CRM)] data. First-party cookies aren’t going anywhere, as they’re still incredibly important to site functionality”.
Sam Richardson, CX consultant at Twilio says there is no doubt businesses will have to rely on collecting first-party data in response to the change, but most organizations have some way to go before they will have safely navigated this transition.
“Most organizations, however, are still lagging in preparedness,” Richardson tells ITPro.
“Only 5% of brands use entirely first-party data in their marketing strategies, with many grappling with how to navigate this shift and others in complete denial”.
Ultimately, what businesses want to avoid is losing their ability to ascribe where their customers are coming from, also known as signal loss, which will negatively impact firms that do not adapt their data collection methods accordingly according to Richardson.
“Brands need to act now to make sure they can maintain and enhance strong customer engagement. Adjusting to having a greater reliance on first-party data is essential – or brands will risk not knowing their customers and their marketing campaigns will suffer”, Richardson explains.
