Updated July 25 with new industry report into the potential implications of Google’s proposed consent-driven privacy shift in Chrome.
In a shock move, Google abruptly confirmed on Monday that its long-awaited killing of Chrome’s dreaded tracking cookies has just crashed and burned. The company was struggling to agree on an approach with regulators that balanced its own interests with those of the wider marketing industry—but no one expected this.
“We are proposing an updated approach that elevates user choice,” the company teased on July 22, before dropping its bombshell. “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”
But before you ask too many questions as to what that means, we don’t yet know. It likely means you can choose between tracking cookies, Google’s semi-anonymous Topics API, and its semi-private browsing. You’ll be able to change your choice—which will apply across the web—at any time. But there’s still a catch—even this isn’t yet agreed. “We’re discussing this new path with regulators,” Google said, with the U.K.’s Competition and Markets Authority (CMA) replying “we will need to carefully consider Google’s new approach… We welcome views on Google’s revised approach, including possible implications for consumers and market outcomes.”
This is bad news for Chrome’s 3 billion users, most of whom will never change their settings and would be much better served by a browser that’s more private by default. This was the focus of Apple’s not-so-subtle attack ad on Chrome, dressed up as a pro-Safari promotion, which recreated scenes from Hitchcock’s The Birds to depict users being spied upon as they browse the web, before Safari comes to the rescue.
Ironically, just hours before this shock news, EFF warned that “Privacy Sandbox is Google’s way of letting advertisers keep targeting ads based on your online behavior, even after Chrome completes its long overdue phaseout of third-party cookies.”
Google’s Privacy Sandbox program, which was intended to find a replacement for tracking cookies, has seemed plagued since its inception with various false starts. The latest iteration has been the collation of users into like-minded groups, but Apple made its view clear in a WebKit update released alongside its attack ads that such a move would not prevent digital fingerprinting as promised.
“We look forward to continued collaboration with the ecosystem on the next phase of the journey to a more private web,” Google signed off its announcement. But its decision to keep tracking cookies in place, while admitting that plan B toward the goal of a more private web has failed, risks sounding hollow. Let’s not forget, Google’s promise to kill tracking cookies celebrated its fourth birthday earlier this year.
EFF warns that Google’s decision “underscores their ongoing commitment to profits over user privacy. Safari and Firefox have blocked third-party cookies by default since 2020, when Google pledged to do the same. Third-party cookies are one of the most pervasive tracking technologies, enabling advertising companies and data brokers to collect and sell information about users’ online activities.”
Regulators are now coming to terms with this shock decision from Google—it has clearly caught them off-guard. The CMA says that “given these developments, we will not publish our planned quarterly update report at the end of this month.” How that organization responds will be critical—it is the ongoing debate with the CMA that has caused so much angst for Google’s Privacy Sandbox deployment.
Meanwhile, the U.K.’s Information Commissioner says “we are disappointed that Google has changed its plans and no longer intends to deprecate third party cookies from the Chrome Browser. From the start of Google’s Sandbox project in 2019, it has been our view that blocking third party cookies would be a positive step for consumers. The new plan set out by Google is a significant change and we will reflect on this new course of action when more detail is available.”
Contrast this with the view from the other side of the fence, the digital trackers. The Washington-based NAI is a “self–regulatory association dedicated to responsible data collection and its use for digital advertising.” Unsurprisingly it welcomed the news, “supporting Google’s decision to maintain third-party cookie support while enhancing user transparency and control,” and adding that “the deprecation of third-party cookie support by Chrome in the absence of alternative technologies that provide for equivalent scale and interoperability would have posed a significant threat to competition in advertising that is essential to the free and open internet.”
But, as ever, the digital advertising industry might find itself falling foul of the sage old advice to be careful what you wish for; Google’s backing away from its Privacy Sandbox toward a consent-driven privacy model might not be all the industry hopes. As Digiday puts it, “Google’s not exactly killing third-party cookies; it’s just handing the job over to the users.” And that brings up another interesting twist—Apple, again.
What is clear is the complex relationship between Google and Apple reverberates throughout this story. Whether that’s the uncannily acute timing with which Apple launched a Safari privacy campaign and Chrome attack ads just days before the cookie news, or the echoes of Apple’s own approach to controlled privacy that could very well emerge as the driver behind this user-centric approach.
“Three years ago,” Digiday explains, “[Apple] introduced what could be called a polite doorman for each app on a person’s phone. Before letting an app follow that person to other apps or sites, the doorman asks, ‘Is it OK if this app keeps an eye on what you’re doing elsewhere?’ They get to say yes or no. While Google hasn’t explicitly said it will do the same, it has hinted at doing something similar. It said it will introduce a ‘new experience in Chrome’ that lets users make an informed choice across their web browsing, which they’d be able to adjust at any time.”
This is Apple’s App Tracking Transparency, of course, which caused a seismic shock to Meta’s tracking business model and changed the game for smartphone privacy.
Arguably, the risk is that with such a move Google may achieve the imbalance in data access that was central to the regulatory pushback on the Privacy Sandbox, just by this other means. “How this [user] prompt will work remains to be seen, but it’s clear that Chrome is moving toward a consent-driven privacy model. This shift means web advertising is beginning to mirror mobile app advertising, where both Google and Apple already use consent-based prompts to manage privacy settings.”
Digiday cites one anonymous ad exec who framed the concern: “Privacy is the scapegoat here, the one [Google and Apple] use to create benefits for their own stack. Google still accesses all their data on transactional level, both operate ID frameworks that highly preference large platforms and own huge amounts of login-data on top.”
The battlefield for all this is mobile and AI, of course. Google has been reluctantly following Apple’s lead on privacy for several years—just look at how much more locked down Android is now than before. But where Apple’s gatekeeper control is broadly acceptable to privacy analysts, Google’s will come across very differently.
The primary issue with Google’s Privacy Sandbox has been the tech giant’s dual roles—on the one hand playing guardian-in-chief of its users’ privacy, while on the other being beneficiary-in-chief from the monetization of all that data. In the mobile realm at least, Google (as with Apple on iOS) sits atop a vast array of data and single sign-ons and unified accounts that fill in a lot of gaps. This is an obvious concern.
On the subject of that Apple-Google spat stitched throughout this Chrome cookie story, there is a new twist from The Register, which has just aired an interesting pushback against Apple’s claim that Google’s most recent Privacy Sandbox offering, its Topics API, would enable digital fingerprinting after all.
Taking issue with the original research paper behind Apple’s claim, “Google Topics engineer Josh Karlin last week opened a GitHub issue challenging the research methodology. ‘I took a brief look at your code after seeing rather surprising results in the related paper and it’s important to point out an issue that I came across as it has a significant impact on the simulation (and therefore the paper’s) results.’ Fixing this bug… reduces the reidentification rate from about 57% to roughly 3%.”
But the horse has now bolted of course, and it’s the Privacy Sandbox rather than tracking cookies that appears to have crumbled.