How Google is planning to phase out third-party cookies

Comment Google prépare la fin des cookies tiers

It was becoming somewhat of a recurring question in recent months: was Google going to follow Apple’s example with ITP by waging war on cookies? The answer came at the beginning of the year. By unveiling its Privacy Sandbox as an alternative to third-party cookies, Google is taking the adtech industry in a new direction. Read on for an explanation…

It was the main existential question of the moment: one day will Google slip a mechanism into Chrome to filter out third-party cookies? These cookies, which are read from another domain to the site editor’s domain (unlike first-party cookies), power a large proportion of adtech solutions. Short-circuiting them is tantamount to injecting a strong flu virus into a wide range of advertising solutions (audience metrics, retargeting, attribution, etc.). The adtech industry has already had a taster with Apple’s ITP.

ITP? These three letters, which stand for Intelligent Tracking Prevention, refer to the feature that Apple has added to Safari to filter cookies. Currently available in version 2.3, ITP prevents third-party cookies from being stored and also restricts the lifecycle of first-party cookies created by tags to 24 hours, which is playing havoc with audience metrics, attribution metrics and retargeting devices. This stone in the shoe does not prevent adtech players walking, since Safari’s market share does not exceed 20% for all platforms combined and since Commanders Act offers solutions for extracting that stone.

Data stored and processed in the browser

When applied to Chrome, which boasts a market share in excess of 60%, what impact will a similar mechanism have? When this question was raised in conversations, it had adtech players cowering in fear. On 14 January, those fears were realised… Google disclosed its privacy roadmap, which can be summed up with a single sentence: “Bye bye cookies, hello Privacy Sandbox“. To be more specific, Google is planning to phase out third-party cookies within the next two years (meaning that they will no longer be accepted in Chrome) in favour of another solution, the famous Privacy Sandbox for which it has opened a consultation process.

Although many details are still lacking to fully understand the sandbox, a key principle has already been established, namely that the general mechanism involves storing data within the browser. Any data leaving the sandbox via APIs will be anonymised and shared across audience segments and interest groups. Basically, there is no way to recover individualised data. The Privacy Sandbox will turn browsers into a personal data vault.

APIs for accessing aggregated data

As far as users are concerned, the solution asks a question similar to a captcha (an interface that asks whether you are a robot or not to validate a form). Except in this case, we imagine that users will be prompted to define their confidentiality settings.

Several APIs will be available for working on these aggregated and anonymised data. A “Privacy Budget API” can be used to determine the amount of collectable data. There is also a “Conversion Measurement API” that acts as a real substitute for cookies, since it shows whether an ad has been seen, a page viewed or a product purchased as a result and basically whether an ad click has been converted. Unsurprisingly, this is the API that has sparked such debate. How exactly will it be implemented? Will it be a basic attribution on the last click with inevitable differences in interpretation? Answers should soon start coming in, since this is the first API that Google’s developers are intending to try out.

The Privacy Sandbox also includes other components, such as the “Federated Learning of Cohorts” for analysing similar user behaviour, or PIGIN (Private Interest Groups, Including Noise) for tracking interest groups. Google is promising to work with all players to transform these APIs into open standards that theoretically might end up in Safari or Firefox.

New rules already in force for third-party cookies

As confirmed in the Digiday article on the Privacy Sandbox, this good intention has yet to set every mind at rest. How will aggregated data be managed? Will Google’s teams have special access to these data? Will Google solutions (AdWords, DV360, etc.) be subject to the same rules as the rest of the market?

If the announced two-year transition schedule allows time for consultation and testing, note that the Chrome cookie management will be changing in February. With version 80 of the browser, the value of the SameSite attribute must be specified (updated this summer) for storing third-party cookies. If this value is not declared, the value assigned by default cannot be used to activate a third-party cookie. The aim is to require third-party cookies to be declared as such and thereby check that they are created and read from https connections. Cookies are not dead yet, but their days are numbered…