Google has announced that the end of cookies is definitive and already has a deadline. The US multinational has confirmed that third-party cookies will be completely gone by 2022, although the exact date is still unknown and waiting for an agreement between browser owners.
What will a world without cookies be like? What will happen to digital advertising and online marketing companies? This article describes the latest news on the demise of third-party cookies and attempts to answer the business dilemmas posed by Google's decision.
Google warned the world of its intention to reduce the cookies to powder for the first time in 2019, in a blog post published on August 22 of that year. In that post the company already made clear that they were going to cut off support for third-party cookies in Chrome, as well as to block other covert tracking techniques such as fingerprinting —developers use fingerprints to link users to other websites and which, unlike cookies, cannot be deleted or managed by users.— Justin Schuh, Chrome's director of engineering, told Frederic Lardinois: “This is our strategy to re-architect the standards of the web, to make it privacy-preserving by default. There’s been a lot of focus around third-party cookies, and that certainly is one of the tracking mechanisms, but that’s just a tracking mechanism and we’re calling it out because it’s the one that people are paying attention to.”
In early March 2021 Google proved that their intentions were serious through the article 'Building a more private web', in which they took the opportunity to warn the world that they are already changing their cookies policy and that third-party cookies will be progressively replaced until 2022, this being the ultimate deadline for the elimination of third-party cookies in Chrome. Thus, Google intends to create a number of measures included in the plan 'Privacy Sandbox' that, according to the multinational, will protect users' privacy.
Since the arrival of Chrome 89 in March, some of the new techniques are already being implemented in a test phase with the expectation of being offered to Google Ads customers from April onwards.
While the initiative has been well received by the public, the prospect of a cookie-free world has not thrilled companies and advertisers and, in fact, has alarmed the world about what will happen to digital marketing and advertising.
To help companies, Bismart has developed a practical guide that lists specific practices businesses need to take in order to survive in a world with no cookies. You can download the 'Guide to Survive in a Cookie-Free World' below.
The context of Google's decision
David Temkin, Google's director of product management, advertising privacy and trust, explained what motivated the company's decision: "Our industry strives to provide consumers with relevant ads on the web. This provides thousands of companies with an enormous amount of individual user data, usually collected through third-party cookies. This has led to an erosion of trust, to the point where 72% of users are convinced that almost everything they do online is being tracked by advertisers and technology or other companies, and 81% say the potential risks of having their data captured outweigh the benefits. If digital advertising does not evolve to address users' growing concerns about their privacy and how their identity is used, the future of the free and open web is at risk [...] users should not have to accept being tracked online to benefit from relevant advertising and advertisers should not have to track consumers online to benefit from digital advertising."
However, Google's decision was not fortuitous. Before Google, many browser owners decided to implement control measures on cookies as a result of a fight for privacy led by Tim Cook, Apple's CEO. The difference in the community's reaction is self-explanatory: Google Chrome is the most widely used browser with 70% market share. Therefore, from the perspective of the companies affected, the fragmentation of the cookies has not arrived until Google has decided to.
The determination made by the technology giant cannot be understood without taking into account the strengthening of global privacy regulations, led by the General Data Protection Regulation (GDPR) in Europe and soon followed by the California Consumer Privacy Act (CCPA) in the United States. Since the increasement of sanctioning measures, Google has already faced several multimillion-dollar fines. Temkin himself has acknowledged his concern about the "rapidly evolving regulatory restrictions."
On the other hand, some see Google's initiative as a strategy to increase its almost monopoly in digital advertising. Reuters published an exclusive on March 18, announcing that the U.S. Department of Justice —which already has other investigations opened against Google— is analyzing whether the new measures could be illegal, since Google could now use other techniques to collect user data, creating an unfairly disadvantage for its opponents: "Online advertising is at the very heart of the digital economy and its reliance on invasive data collection is fast becoming a flash point as privacy considerations move to center stage. Google’s critics dismiss the company’s apparent beneficence when it comes to protecting user privacy, accusing them of weaponizing it for their own gain." Joining the cause, 14 U.S. states have filed a lawsuit against Google —accusing the company of blocking an open Internet— initiated by the state of Texas. Concerns have also crossed the pond to Europe. The UK's Financial Conduct Authority is also investigating the browser's new initiative. David Temkin has denied the allegations, stating that "once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products."
The cookie recipe: from user convenience to information trafficking
Cookies are micro-data files that contain information about a user's navigation and are stored in the web browser. They were originally designed with good intentions, to facilitate navigation and create more comfortable user experiences. Let's not forget that cookies are in charge of remembering our user names and passwords, our e-mails, addresses, etc.; and they make possible that we don't have to fill in the same information over and over again while surfing the Internet.
Nonetheless, over time, the role of the cookies has been transformed to the point that their primary function is no longer to simplify the user experience and today they are mainly used for the accumulating and exchanging user data. Thus, cookies have become enterprises' best weapon to obtain information about their customers or potential customers and, consequently, offer them personalized advertising or marketing content. In Google's words: "Technology that publishers and advertisers use to make advertising even more relevant to people is now being used far beyond its original design intent - to a point where some data practices don’t match up to user expectations for privacy. Recently, some other browsers have attempted to address this problem, but without an agreed upon set of standards, attempts to improve user privacy are having unintended consequences."
However, Google's intention has never been to completely demolish the cookie recipe, but only to reinvent it so that third-party cookies are not part of it. Third-party cookies are those that allow entities to access the browsing data of users on other websites beyond their own. That is to say, to know which sites the user has passed through before or after entering our page. Therefore, from 2022 onwards, companies will continue to have access to information on interaction with their site, but they will no longer be able know the movements of users outside the scope of their domain.
The end of cookies, the end of personalized advertising?
Google's intentions has evidently been a hard blow for the business world and online advertising companies. The end of cookies could mean the breakdown of current advertising and digital marketing strategies. Disabling third-party cookies in Chrome means that advertisers —that is, any company advertising on Chrome— will no longer be able to use them to reach more audiences, gauge the performance of their content, target and retarget consumers, or perform meaningful digital attribution.
However, Google has been winning the game for many years and, of course, its executives have been smart enough to calm advertisers down by assuring that they have no intention whatsoever of dispatching personalized ads: "Blocking cookies without another way to deliver relevant ads significantly reduces publishers’ primary means of funding, which jeopardizes the future of the vibrant web. Many publishers have been able to continue to invest in freely accessible content because they can be confident that their advertising will fund their costs. If this funding is cut, we are concerned that we will see much less accessible content for everyone. Recent studies have shown that when advertising is made less relevant by removing cookies, funding for publishers falls by 52% on average. So we are doing something different. We want to find a solution that both really protects user privacy and also helps content remain freely accessible on the web." In other words, improve user privacy without harming advertisers. But is that even possible?
Perhaps the right question to ask would be whether Google would have made this decision if it were not. With Chrome being the most used browser on the planet, Google has a multi-billion dollar business in ad sales, so thinking that the company would want that to change would simply be bizarre. It's hard to imagine Google making the same mistake as Safari, a browser that has seen its ad sales plummet after tricking advertisers by showing them random cookies.
With the intention of not losing a slice of the pie —or, in this case, of the cookie— Google has already tested some of the measures included in 'Privacy Sandbox' and has been quick to warn advertisers that the results show that the new Chrome algorithms have no negative impact on personalized adverts.
But what are these measures and how will they affect businesses?
Privacy Sandbox: Google's recipe for a more private web that won't degrade advertisers
As the date of the cookie apocalypse approaches, Google is releasing more details about Privacy Sandbox, its plan to "ensure that ads remain relevant to users, but user data shared with websites and advertisers is minimized."
Below, we review the specific measures Google is proposing to replace third-party cookies, some of which are already in place and some of which are being piloted.
Those already operating
SameSite: With the latest browser update at the beginning of March, the strategy was put into action. 'Chrome 89' already includes modifications to the cookies' functioning based on the attribute SameSite, whereby third-party cookies are only accessible via an HTTPS connection. Thus, now developers must explicitly specify the cookies used and the information collected by each website. In addition, those who want others to be able to take advantage of their cookies will have to explicitly label them. Therefore, users can now know what information each website stores, how and why their data is used and delete all cookies without involving those from a single domain. Also, users will still retain information that facilitates their navigation such as user settings or logins.
If you want to see for yourself, just go to the Chrome settings: Settings > Privacy and Security
Ben Galbraith, Chrome's product management director and Justin Schuh, Chrome's engineering director, state that this new measure is "a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default."
Google has complied with its own rule and has made public the data collected by Chrome. The results, however, do not seem to have pleased all users:
After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it.— DuckDuckGo (@DuckDuckGo) March 15, 2021
Spying on users has nothing to do with building a great web browser or search engine. We would know (our app is both in one). pic.twitter.com/lJBbLTjMuu
Those in testing phase
FLoC: The launch of 'Chrome 89' also marked the start of the Federated Learning of Cohorts API (FLoC) testing period. FLoC is Google's big bet on Chrome's continued promotion of personalized content offerings. It consists of replacing the collection of data from individual users with the collection of information of groups of users with similar profiles. According to Google, it "proposes a new way for businesses to reach people with relevant content and ads by clustering large groups of people with similar interests. This approach effectively hides individuals 'in the crowd' and uses on-device processing to keep a person’s web history private on the browser." The algorithm has already been tested and Google claims that "advertisers can expect to see at least 95% of the conversions per dollar spent when compared to cookie-based advertising." Of all of them, this is the idea that has gained the most traction and Google expects advertisers to be able to test FLoC soon, although companies that wish to do so can already start doing their own simulations.
Those to come
FLEDGE: Designed so that advertisers can create their own audiences. It was born from the dialogue between Google and other technology companies such as Criteo, NextRoll, Magnite or RTB House. In practice, FLEDGE is intended to be a trusted server that will allow advertisers to interact with repeat visitors to their website and will store information about specific campaigns.
Conversion APIs: Google is also working on new conversion technologies that allow advertisers to measure their performance without using third-party cookies. An event-level iteration of the API is already available in origin trials for measuring click-through conversions: "It protects privacy by introducing noise and limiting the bits of conversion data that the API can send at a time. As a result, advertisers will have to prioritize which conversions are most important for their reporting needs [...] More decisions will have to be made before a prototype is built — including what the right level of noise should be and what's the minimum number of conversions to include when sending an aggregate-level report."
Trust token API: Organizations will be able to detect fraudulent traffic by using the Trust Token API which verifies authentic traffic without revealing users' identities. The 'Trust Token' will soon begin to be tested on mobile devices with the collaboration of trusted users.
Gnatcatcher: It is Google's weapon to dynamite fingerprinting and other covert tracking techniques such as the use of IP address for hidden user identification. Gnatcatcher will allow IP addresses to be disguised without interfering with the operation of websites.
What to expect from other browsers?
As mentioned above, Google has not made public the exact date for the end of third-party cookies in Chrome since they are waiting to reach an agreement with the other browser owners. Their goal is that 'Pricavy Sandbox' measures become a standard for all browsers. Justin Schuh, Chrome's engineering director, explained: "We don't want the web to be fragmented. We don't want people to have to figure out every single thing they need to do in every browser with different options. We want a level of consistency, even if there are details that browsers choose to be different."
Becoming a standard will not be an easy task for Google given Mozilla and Apple's refusal to apply any tracking technologies to their browsers. In fact, Apple has its own device, SKAdNetwork, a source of ad network data that allows advertisers to measure the success of their campaigns while protecting users' privacy. Regarding the refusal of other companies to follow Google's lead, Schuh commented, "I'm not going to say that everyone has been on board with our proposals, but some of them have been very well received. For those that have not, we are open to alternative solutions as long as they have the degree of predictability that we expect, because we don't want to implement momentary solutions."
Then there is Facebook, which, by all indications, is not going to stop collecting massive amounts of user data anytime soon. Facebook's duel with Apple is for another time, but their completely opposite views —Facebook argues that users are the primary beneficiaries of personalized ads and that their approach helps small and medium-sized businesses which are disadvantaged by Apple's restrictions— exemplify the polarization of technology companies on the use and privacy of user data.
What will the new digital ecosystem be like and what should companies expect?
Businesses have been using third-party cookies to monitor user behavior and deliver personalized content since the 1990s. In less than 12 months, this practice will be a thing of the past, forcing brands to start from scratch and to create new online marketing and advertising strategies. Despite the seriousness of the situation, a recent report by WARC indicates that only 9% of organizations are prepared or have defined strategies for the new scenario and only 13% of the surveyed entities claim to be concerned about the end of cookies.
Despite companies' apparent serenity the digital innovation company Ebiquity lists some of the consequences that the non-existence of third-party cookies could have for companies:
- Difficulty measuring performance: Third-party cookies allow brands to measure their advertising campaigns and adapt the exposure of their ads to users' viewing frequency. The end of cookies could force companies to redefine their marketing strategies, business objectives and performance indicators. Users could also be affected, having to see the same ads over and over again.
- Weakening of targeting and retargeting, since the data management platforms used for this purpose are mostly based on third-party cookies.
- Ineffective attribution measures, primarily focused on monitoring user navigation.
- More power to the big boys: A cookie-free world may contribute to increase the power of three biggest players in digital advertising: Google, Amazon and Facebook. The inability of other companies to track users on third-party websites will make Google, Amazon and Facebook an even more attractive option for advertisers.
What should companies do?
In this context, it is critical for companies to understand that the demise of cookies affects all businesses, not just those involved in digital advertising. Most organizations use cookie data to measure business performance, campaign success and conversions. It is therefore paramount that companies begin to map out a plan to survive the early dystopia of a cookie-free world.
As we already mentioned in a previous post, despite the fact that we produce and collect more data than ever before, companies are still not data-driven or, in other words, they are still not taking advantage of the potential of data. In this sense, the end of third-party cookies is just another indication that organizations still don't know how to make the most of their data assets, something that would be largely solved with data quality, data governance and data management measures. Bismart has a specific and comprehensive solution to solve the demands of data quality, data governance and data management: Enterprise Information Integration & Master Data Management (EII/MDM).
Likewise, the disappearance of cookies could mean the obsolescence of some of the business strategies and performance indicators that businesses currently use to measure the success of their business activity. The new paradigm should be leveraged by companies to optimize their metrics, indicators and strategies and start using KPIs that are more aligned with reality and less tied to third-party information. Bismart has a specific solution created to help organizations understand, analyze and consult their performance indicators and dimensions: Indicators & Dimensions Definition Tool.
In addition, we have prepared a 'Guide to Survive In a World Without Cookies' in which we detail strategies and specific measures to survive in the post-cookie era and transform uncertainty into business opportunities.
To cut a long story short, two years after the first warning, the disappearance of third-party cookies in the world's most used browser, Google Chrome, is just around the corner and companies are still unprepared for the new scenario. The multinational's decision is yet another sign of where the future of data collection in the digital ecosystem is heading, with several browsers having already changed their cookies policy and opted for privacy before Google. With all this, it seems that the time has come to rethink the use we make of data and to create advertising and marketing strategies adapted to a more private web.