Skip to Content
Article

Google’s 3P Cookie Deprecation Plan

by Sam Tomlinson
January 15, 2024

Over the past 10 days, I’ve been inundated with questions about Google’s recent announcement that 1% of Chrome browsers will no longer support third-party (3P) cookies. Earlier this week, I shared my initial, top-line thoughts via a Twitter thread (LINK BELOW) 

After the overwhelmingly positive response to that (along with a surge in DMs), I decided to dedicate a full newsletter issue to the topic, where I can provide additional insight, nuance and context (something that’s famously absent from most Twitter discussions).

In an effort to make this as helpful and comprehensive as possible, I’ve compiled and consolidated all of the questions that have been shared with me over the past week-plus below as section headings. Where possible and applicable, I’ve also provided links to additional materials that you can reference or share with colleagues and stakeholders, if and where appropriate. 

And with all of that, let’s dive in!

So, What’s Going On, Exactly? 

Google is (finally) following through on their years-long promise to phase out third-party cookies in the Chrome browser. This is the culmination of a years-long initiative, which has been riddled with delays (first in 2020, then in 2021, then again in 2022). 

This follows similar announcements and implementations from Apple (Safari), Microsoft (Edge/Internet Explorer) and Mozilla (Firefox), first in 2013, then more comprehensively and globally in 2020 (ITP protection for Safari) and 2023 (Firefox global default 3P cookie blocking). 

Google’s just-enacted roll-out to 1% of Chrome users globally on January 4, 2024 marks the first concrete step the platform has taken to remove 3P cookies in the world’s largest and most popular browser.  This initial rollout is a key milestone in Google’s long-awaited Privacy Sandbox Initiative, the goal of which is to make the web a safer, more secure and more private place for users. 

Assuming the rollout is successful, and that Google is able to address the remaining questions posed to it by the UK Competition & Markets Authority (CMA) during the 1% trial, Google’s plan is to roll out a full 3P Cookie removal for 100% of users globally in Q4, 2024. Yes, you read that correctly: Google’s plan is to go from 1% to 100%, with no specific, intermediate steps. 

If all that’s a bit much to take in, the summary is pretty simple: the long-awaited end of the 3P cookie is upon us.

What are 3P Cookies? How Do They Work?   

A helpful place to start in this conversation is understanding data “parties” and what they mean. There are (at least) four common ones:  

Zero-Party (0P): this is data explicitly and intentionally provided by a user to a known party, like a brand. For instance, when a user submits a quiz or a lead form, the data provided qualifies as zero-party. 

First Party (1P): this is data observed by a brand on an owned property, that may or may not be known by the user. For example, most data collected in a brand’s Google Analytics 4 (such as page views, specific events, video watch time, etc.) qualifies as 1P data. Some definitions expand 1P data to include purchase and loyalty data, discounts used, subscription status, and logged-in status as well. The modern web (overwhelmingly) uses first-party cookies (1P) cookies to collect data that is used for personalization and tailored web experiences. 

Second-Party (2P): Easily the most confusing of the “parties” – 2P data refers to any 1P data that is sourced from a known partner. For example, if Ridge Wallets shares a customer file with the NBA for the purposes of marketing their new line of NBA-branded wallets, the NBA data is considered 2P for Ridge (the NBA is providing their own 0P/1P data to a known partner for a clear and definite purpose). 

Third-Party (3P): To this point, the definitions have been quite clear, specific and limited; third-party data (and the cookies used in its collection) are none of those things. 3P data refers to any data collected, aggregated and used by a third party. In many cases, 3P data is stitched together from multiple sources of varying quality and fidelity, then sold, bought, adjusted, and re-sold again, and again, and again. 

There are virtually no standards for 3P data – meaning that 10 year old data could be stitched together with purchase history data from last Spring, along with recent browsing data, and 2020 subscription data to create a (maybe, possibly accurate) profile, which is then used to inform ad targeting for that user. Third party cookies have given advertisers the illusion of accuracy and precision, vs. actual accuracy and precision.  

Third-Party Cookies are one collection mechanism for third-party data. As their name suggests, 3P cookies is a piece of code that is placed on a user’s device (computer, tablet, smartphone) by a website, and from a domain other than the one that the user is visiting. As a practical, real-world example, many sites set tracking cookies (or pixels, or tags) for third-parties like Meta, Pinterest, Google & Microsoft, along with cookies for other platforms, ad publisher sites, third-party attribution tools, and service provides (including email sending platforms, SMS platforms, chat platforms, and many, many others). In each case, the 3P cookie sends user data from the website where it is set (website.com) to each third-party (like Meta, Klaviyo, Attentive, AdSense, DoubleClick, etc.), along with user-level identifiers that can be used as primary keys. 

The use of these 3P cookies has exploded as digital media has become a dominant aspect of the modern world, to the point where it isn’t uncommon for a website to send user data via 10, 20 or even 50 third-party cookies. 

Since each of these 3P companies has 3P cookies set by thousands (or millions) of websites, each of which sends data (along with identifiers) from thousands (or hundreds of thousands, or millions, or billions) of sessions, it isn’t difficult to see how this got out of hand. The reality is that many of these third-party companies have created detailed user profiles on millions of users, which is then used to enable ad targeting, attribution, analytics, and a host of other things. 

To be very, very blunt: the current use profile for 3P cookies is galaxies (not miles, not light years, galaxies) removed from the purpose for which they were created back in 1994 by a 23 year old Netscape engineer named Lou Montelli. They were originally intended as a tool to help browsers improve web experiences – a role that they filled quite nicely. They were never intended to be the central core of the modern adtech universe. 

But (as things often go), a good thing was co-opted for less-than-good purposes, when DoubleClick came along in 1995/96, recognized that they could exploit cookies to track users across the web, and in so doing, create more valuable ad targeting. That kicked off a 3P data arms race, which only accelerated when Google purchased DoubleClick in 2008. In the intervening years, everyone else got in on the 3P cookie gold rush, and what was originally intended to be a helpful tool for users turned into a parasitic infection that fed on users’ data. 

The Simple Summary: 1P cookies are used to enable consented* personalization of content + user experience (something that adds value to most users’ web experiences); 3P cookies are used for personalization of ad units, with or without consent or a pre-existing relationship. 

Is This Another iOS14.5 Moment / Is This A Big Deal? 

Any time there’s a significant change to a browser with ~65% market share (Source: StatCounter), it’s going to be a thing. And there are substantial similarities between Google’s 3P cookie removal and Apple’s ITP (14.5) that could lead one to believe that this will be an equally (if not more) massive event. 

However, there are also three core differences: 

  1. Meta (and other platforms) have adapted in the wake of iOS14.5 (and 15, and subsequent versions), particularly with the use of the Conversions API and Offline Conversion Tracking. Three-plus years after iOS14.5, Meta remains a dominant, effective force in online advertising. 
  2. When iOS14.5 was rolled out, Meta didn’t have the advantage of the world’s most-used browser (Chrome, ~65% market share), the most used Smartphone OS (Android, ~80% market share), the world’s most-used Search Engine (90% market share), 30% market share in email clients (gmail), the largest video engine on the planet (YouTube), the world’s most extensive index of the web, or the best AI + ML team on the planet. Google has all of those things. Don’t underestimate their importance to ensuring Google remains a-OK during this transition. 
  3. This isn’t a case of an ecosystem owner (Apple) with a hardware-centric revenue stream implementing a change that will adversely impact ecosystem participants (Meta). Google derives ~90% of global revenues from online advertising. If you think they are going to roll out a change that crushes their business, you have another thing coming. Google electing to roll out this change now is a clear, unmistakable signal that they believe doing so is to their advantage. 

In short: there’s a well-known, established and proven playbook that major ad platforms can use to overcome the data loss that occurs when 3P cookies are shut down, and Google believes that enacting this change will actually help their ad business. 

So, yes, it’s a big deal. But no, probably not in the way many online talking heads are saying.

How Will This Impact The Online Ecosystem? 

To be blunt and candid, there’s a reason that many Ad Networks, Legacy Media Executives, Data Brokers, Publishers & DSPs are up in arms about this change: it will adversely impact their businesses, and many of them have drug their feet on updating their tech stack for this new reality.

As with any major change, there will be winners and losers. 

Here’s how I see that breaking down (as of now): 

Winners:

  1. Users – unrestricted data collection by thousands of unknown ad tech companies was never good for anyone. Removing 3P cookies will result in better, faster, cleaner and more private web experiences (online privacy is never an absolute – and it always comes with tradeoffs). 
  2. Major Platforms – Google (obviously), Apple, Meta, Microsoft & Amazon will emerge stronger. Each platform has massive 0P/1P data moats, along with massive platforms where users continually provide more data that can be used to fuel ML algorithms.
  3. Smart Publishers  – Any publisher that has proactively implemented privacy-friendly alternatives to cookies will win – both financially and from a user experience standpoint. Advertisers will want to advertise with smart publishers (since they’ll have better data), and users will want to visit them (since they’ll have more relevant ad experiences).
  4. Savvy Marketers – The days of 3P cookie dominated advertising are over – which means that marketers who can think holistically will have a huge advantage. Marketers who understand the importance of 0P/1P data, segmentation, user research/analysis, data passback and user experience will be at a huge advantage.
  5. Marketing Mix Models – This is a banner day for automated MMMs. The demise of 3P cookies is going to be a major blow for third-party attribution solutions (many of which aren’t any better than GA4 or Meta attribution, anyway). On the flip side, MMMs (which don’t rely on cookie-based data), and get far closer to true incrementality than attribution ever could, are poised for a breakout. 
  6. GA4 – In news that should surprise exactly no-one, GA4 is tailor-made for a post-3P cookie world. The organizations that have configured their GA4 are going to be at a huge advantage. 

Losers:

  1. Data Leeches – There are thousands of companies whose business is collecting untold reams of user data, packaging it up, and selling it off. 
  2. 3P-Centric Brands – For sellers to remain in business, there needs to be willing buyers. In the case of 3P data, there’s certainly not a shortage. Brands that have relied on the 3P audiences, to the exclusion of building their own 0P/1P data, will find themselves in a tough place. 
  3. Certain Publishers – Publishers that continue to rely on 3P cookies – and have not heeded repeated warnings to update their ad tech infrastructure – will find themselves with lower per-user revenues, inferior experiences and declining user (and revenue) bases. 
  4. 3P Marketers – Just as 3P-centric brands will find themselves falling on hard times, so too will marketers who have made a career out of using 3P data in place of things like audience research & understanding, 0P/1P data capture, and smart segmentation. 
  5. Smaller Ad Tech – While big ad platforms will thrive, smaller ad tech will find itself in a tough position. The demise of 3P cookies, along with the limitations of more privacy-friendly alternatives (like the Privacy Sandbox, the Birds (Sparrow, Parrot, FLoC, Pelican, Dovekey, etc.), ID Replacements (Admixer ID, Prebid SharedID, ID5, TTD United ID, etc.) and/or 1P Data Coops) will result in those platforms having less user data (and thus, less robust targeting) than larger alternatives. In the short-run, that likely means an outflow of ad dollars from those platforms to larger players. The same is true for other ad tech that is reliant on 3P cookies. 
  6. Attribution Platforms – Finally, 3P attribution tools are likely to take a huge hit – most of them rely on pixel (3P cookie) data to fuel their models, and most of them are not ready for the deprecation of cookies. 

At the end of the day, major platforms will be just fine. Platforms that have enabled robust offline conversion tracking (via things like the Conversions API, Offline Conversion Upload, Enhanced Conversions, etc.) will be just fine. Those that haven’t will find themselves having a bad time. 

What Should We Do? 

For brands + advertisers, this announcement should be a proverbial kick-in-the-pants to implement the changes that should have been done years ago: 

  1. Confirm That Current 3P Providers Remain Effective – A primary rationale for Google’s decision to only block 3P cookies for 1% of Chrome users globally is to give everyone ample time to confirm their current tech stack is compatible with the overall phaseout (in fact, if it isn’t, Google is allowing all websites to request a temporary exception to ensure your business isn’t negatively impacted. That’s much nicer than Apple was with iOS14.5. 
  1. Migrate to Alternative, Privacy-Friendly Solutions – The deprecation of third-party cookies has been a topic for a decade (yes, going back to 2013). In the intervening years, hundreds of solutions have been developed. Google’s collection of those is known as the Privacy Sandbox, which includes a set of solutions tailored to replace cookies based on individual use cases:
  • Cookies Having Independent Partitioned States (CHIPS) – this allows developers to opt a cookie into  “partitioned” storage, which restricts access to the cookie on a per-top-level site basis. This is a good solution for many third-party service embeds (chats, maps, payments, CMS providers, CDNs, any state-scoped per publisher, etc.). 
  • Storage Access API – Allows iFrames to request storage access permissions when access would otherwise be blocked. 
  • Related Website Sets – This enables 2P data cooperatives, where companies can declare relationships and enable limited data sharing for specific purposes. 
  • Federated Credential Management API – Privacy-preserving Identity federation toolkit. 

Of course, using any of these requires a brand or website to first audit + understand their 3P cookie usage – something that should definitely be done ASAP if it hasn’t been already. 

  1. Build 0P/1P Data Capabilities – There is an inherent trade-off between privacy and data sharing. The deprecation of 3P cookies will reduce the amount and specificity of data shared about users. That creates a gap that brands will need to close – and the best way to do that is to invest in a real, coherent, comprehensive 0P/1P data collection initiative. The more accurate, relevant data you can collect – via forms, quizzes, subscriptions, user sign-ons, etc. – the better off you’ll be. 

The real key here is not just collecting 0P/1P data, but having a true end-to-end strategy to deploy it. Offline Conversion Uploads and the Meta Conversions API are two fantastic examples of how this data can be used in a privacy-compliant way, to provide data to platforms on ad performance (data which also will help those platforms enhance their own identity graphs, which, in turn, makes them more valuable as advertising channels – as I said at the open, Google isn’t going to lose). 

  1. Implement Server-Side Tracking (SST) – Most brands have drug their feet in implementing SST; I think this is going to be a wake-up call. SST processes user data directly on the server (vs. a 3P cookie, which processes data on the user or client side). Google itself created and rolled out a Server-Side Google Tag Manager (GTM) container years ago, and they will continue to support it moving forward. 
Server-SideBrowser-Side
Location:The Website’s ServerThe Users’ Browser
Set Up & ConfigurationServer-Side Tagging (i.e. GTM SST)Client-Side Tagging (i.e. GTM)
Speed & ExperienceMinimal code runs on the client side, resulting in lighter, faster-loading websitesSignificant additional code runs on the client side, either directly on the website or via a third-party tag manager (like GTM). 
Third-Party Code:No 3P code is added to the client side; data is collected on the server, which is then sent to third-parties. 3P code is added to the website code, which is used to send user information to third parties. 
Measurement:No data gaps in conversion paths, as all data is processed on the website’s serverSignificant gaps can be caused by browser/client-side data blocks/restrictions, as well as by incomplete page loads and other factors. 
Reliability:Since all processing + transmission is done on the website’s own server, ad blockers + 3P cookie blockers (including Google’s deprecation of 3P cookies) have zero effect. Can be blocked by both browsers (i.e. Google Chrome, Safari, Firefox), as well as by other, third-party Ad Blocking software. 
Privacy Compliance: Compliant with Privacy Regulations. Not Compliant

Server-Side Tracking is going to play a major role in the online ecosystem moving forward; the brands that have adopted it will be at a huge advantage moving forward. 

  1. Get Your Privacy Ducks In a Row – The next era of web tracking + measurement will be built on brands + websites sharing 0P/1P data with ad platforms. In order for this to happen, brands need to have their privacy house in order – from an up-to-date website privacy policy, to proper data capture, storage and management practices, to secure uploads. From the perspective of major ad networks, this is a great thing – not only do they get better data (since it’s coming from you!), they also get de-risked data (since you are responsible for it!). As long as your data + privacy house is in order, this isn’t a problem; but if it isn’t, take this opportunity to address it. 
  1. And Most Importantly: Create Value For Users – As I think about this change, the overarching thing I come back to is that the brands who create value for their target audience will be at a massive advantage. That means conducting real, ongoing, high-quality user research. It means thinking creatively about how that research can be actioned into privacy-friendly targeting strategies (like contextual ads). It means investing in the creation of high-quality content that users are willing to share 0P/1P data to obtain. It means taking the time to create remarkable (not just good, but remarkable) user experiences that keep users engaged on your site and coming back for more. 

Why Now & Why 1%? 

The most logical reason I can give as to why Google is rolling this out now is this: they believe they can mitigate any data loss and emerge from this stronger. 

The 1% gives Google and regulators like the CMA a valid sample, ensures the rest of the ecosystem doesn’t go “boom” while we’re all figuring this out, and provides individual sites with enough data to ensure that they are ready for a full phase-out. 

What Have The Effects Been So Far?

Everyone’s data is quite limited, since this change just began rolling out on January 4, 2024. That being said, Paul Bannister, the CSO of Raptive, published some incredible data on Twitter last week: 

The jist of the thread is as follows: 

Uncooked users are monetizing about 30% lower than cookied users. While this may seem like a huge decrease (and is, in the short-run), it is a significant improvement from the decline observed when Safari deprecated 3P cookies a few years ago (~60% decline). 

This gap will likely be closed (and closed rather quickly) via the combination of modeled data, machine learning, privacy sandbox, SST, and other privacy-compliant ID solutions.

Prebid demand (not Google DSP demand) is performing better among non-cookied users, as Google is firmly committed to the Privacy Sandbox, whereas other SSPs are using Privacy Sandbox AND other solutions. 

This data is incredibly early, and is likely to evolve quite substantially as the full 1% rollout concludes; however, I think this is a promising initial data point that (1) the full impact will be less–than-catastrophics and (2) that there is a viable path forward for high-quality advertising online that does not rely on 3P cookies. 

In any event, give Paul a follow – he’s one of the few providing truly exceptional, high-quality content on this topic. 

Where Are The Opportunities?

Chaos is a ladder – and this announcement has certainly created a fair bit of pandemonium in the digital ad world. As I see it, there are three kinds of opportunities created by this announcement: 

  1. The 0P/1P Data Opportunity – the brands/companies/publishers who can collect + deploy better user data will be at a massive, massive advantage moving forward. The same is true for platforms – the ones who can reliably collect reams of 1P user data (i.e. Meta, Apple, Amazon, Netflix, Microsoft) will be at a huge advantage vs. upstarts. 
  2. The Arbitrage Opportunity – Not all losses look the same. Publishers/sites that have not invested in privacy-first solutions will find their ad inventory is monetizing at far, far lower levels than it had prior to this change. Fundamentally, that’s a result of lower demand from DSPs; lower-information impressions have a higher risk profile and a less accurate expected value. However, just because those impressions cost less doesn’t necessarily mean they are *worth* less to you. If you have data (user research!) that shows particular sites are widely used by your target audience, then you can likely get high-quality impressions at a discount. This is arbitrage. In the short-run, more spend will move from smaller platforms/networks to major platforms (which have reliable data). Buy the underpriced inventory. 
  3. The Big Picture Opportunity – finally, I think this change represents a tectonic shift in online marketing measurement. I’m not sad to see Third-Party Attribution tools go – most of them helped marketers re-arrange peas on their plate, and called it eating a meal. This change will usher in a new, more financially-accountable era of marketing measurement, focused on incrementality, bigger-picture metrics, and more honesty. At least, that’s my hope. Invest in your aMMM tools now – after all, that’s where the data necessary to do (1) and (2) will come from in the future. 

At the end of the day, Google is an advertising juggernaut that employs thousands of truly brilliant, strategic, circumspect and absolutely ruthless people. They are not going to do anything that harms their core business, or the other businesses that are essential to that core business (read: advertisers). 

The deprecation of third-party cookies represents a much-needed paradigm shift in online advertising. There will be winners and losers. But at the end of the day, I firmly believe that Google (and Google’s advertisers) will be just fine. I believe that brands who truly understand and create value for their users will be fine. I believe that the brands who invest in privacy-forward solutions and robust, 0P/1P data collection will be just fine. 

So do those things. 

Sam

Related Insights