How Should Publishers Prepare for the Third-Party Cookie Phaseout?
For over 25 years, the web ecosystem relied heavily on cross-site cookies. However, the doomsday has finally arrived–cookies are going away. This time, for good. Therefore, applying a coordinated approach to this significant change is crucial.
Let’s find out how publishers can prepare for the shift and what it means for the industry in general!
What Did Google Do?
Google Chrome started disabling third-party cookies for 1% of users from January 4th, 2024, as part of a testing phase. Google describes this move as a test phase, with plans to fully eliminate third-party cookies by the third quarter of 2024, contingent upon resolving any competition concerns with the UK’s Competition and Markets Authority (CMA).
This change is significant as Google Chrome is the most widely used internet browser. Competitors like Apple’s Safari and Mozilla Firefox already offer options to block these cookies.
The move is part of Google’s efforts to enhance internet privacy. However, it has raised concerns among advertisers who rely on cookies for targeted advertising.
Phil Duffield, UK Vice President at The Trade Desk, criticized Google’s approach, suggesting it benefits Google more than consumers or publishers. He advocates for a balance between consumer privacy and the ability of publishers to generate revenue through advertising.
There are also concerns about whether the Privacy Sandbox might not go far enough in protecting user privacy. Critics argue that the alternative technologies proposed by Google could still allow for extensive data collection and user tracking, albeit in a less direct manner.
Below is a timeline of the two main milestones approaching in Q4 2023 and Q1 2024 as part of Chrome-facilitated testing modes (testing modes that allow sites to preview how site behavior and functionality will change without third-party cookies).
Source: Google
This means that from the start of 2024, publishers can expect to see an increased portion of Chrome users on your site with third-party cookies disabled even if they aren’t actively participating in the Chrome-facilitated testing.
What is Privacy Sandbox and Why Is It Important?
Privacy Sandbox is Google’s initiative for enhanced privacy and more private browsing experience. The goal of Privacy Sandbox is to balance the reduction of cross-site tracking while maintaining functionalities that support free online content and services.
Third-party cookies, which are crucial for functionalities like sign-in, fraud protection, and advertising, also facilitate cross-site tracking. The Privacy Sandbox initiative aims to offer privacy-focused alternatives for these use cases.
The key function of Privacy Sandbox is a range of new APIs designed to replace the functionality of third-party cookies. However, the effectiveness of these technologies in balancing privacy with advertising needs is still being evaluated.
The are 4 main mechanisms of Privacy Sandbox:
- Advertising: Enabling interest-based advertising without individual tracking, such as through the use of aggregated data and anonymization techniques.
- Fraud Prevention: Providing tools to combat fraud and maintain security without invasive tracking methods.
- Federated Identity Services: Allowing users to sign in to websites and services without third-party cookies.
- Measurement: Offering ways to measure advertising effectiveness in a privacy-preserving manner.
However, the effectiveness of these technologies in balancing privacy with advertising needs is still being evaluated. For example, Google is incorporating the Private State Token to authenticate interactions between issuers and requesters. However, the Electronic Frontier Foundation (EFF) has raised concerns about the Topics API, suggesting it might still allow Google to access granular details on user interests, among other things.
Privacy Sandbox APIs
The 5 main APIs design to replaced third-party cookies are:
- Federated Credential Management (FedCM): For federated identity services (such as “Sign in with…”) .
- Private State Tokens: For anti-fraud and anti-spam measures.
- Topics: For interest-based advertising and content personalization.
- Protected Audience: For remarketing and custom audiences.
- Attribution Reporting: For measuring ad impressions and conversions.
5 Steps to Prepare for Cookie Phaseout
1. Audit Third-Party Cookies
In order to audit your third-party cookies, you must first understand how they work. Third-party cookies are sent in cross-site contexts, like through iframes or subresource requests. Common uses include embedded content from other sites, external widgets for various functionalities, and remote resources on a page like images or scripts often used for tracking pixels and content personalization.
Since 2019, browsers have started restricting cookies to first-party access by default. Cookies used in cross-site contexts now must be set with the SameSite=None attribute to function properly.
To audit your third-party cookie usage:
- Identify cookies marked for third-party usage by looking for the SameSite=None value in your code.
- Use tools like Chrome DevTools to inspect cookies set and sent on requests. The Network panel and the Application panel under Storage are useful for this.
- From Chrome 118, the DevTools Issues tab will highlight cookies that will be blocked in future Chrome versions due to cross-site context.
2. Check In with Third-Party Providers
If upon auditing your third-party cookie you identify cookies set by third parties, check with those providers about their plans for the third-party cookie phaseout. This might involve updating a library version, changing a service configuration, or relying on the third party to handle necessary changes.
3. Improve First-Party Cookies
You should know by now that first-party or same-site cookies are those never used on a third-party site. Usually, these cookies allow website owners to collect analytics data, remember language settings, and perform other useful functions that provide a good user experience. They are typically set without any SameSite attribute or with SameSite set to Lax or Strict.
It’s important to explicitly set the SameSite attribute on your first-party cookies to ensure consistent behavior across browsers.
Use the following configuration as a best practice (recommended by Google), ensuring security and cross-browser compatibility for most first-party cookies.
Source: Google
This article by Google also covers configuration variations for some specific use-cases.
4. Test for Breakage
This step is crucial for publishers and their developers to ensure their sites function correctly without third-party cookies, thereby maintaining a smooth user experience.
To begin testing your site’s functionality without third-party cookies:
- Set Up Chrome for Testing: To simulate the post-phaseout environment, you can launch Chrome with the –test-third-party-cookie-phaseout command-line flag. From Chrome version 118, this functionality can also be enabled through chrome://flags/#test-third-party-cookie-phaseout. This setup will block third-party cookies and activate new functionalities and mitigations to best represent the state after the phaseout.
- Try Alternative Testing Method: Another way to test is by blocking third-party cookies through chrome://settings/cookies. However, this method may not enable all the new and updated functionalities. While blocking third-party cookies can help detect issues, it might not validate whether the issues have been fixed.
- Conduct Comparative Tests: If you have an active test suite for your sites, it’s recommended to perform two parallel tests: one with the usual Chrome settings and another with Chrome launched using the –test-third-party-cookie-phaseout flag. Comparing the results of these two tests can help identify issues related to third-party cookie dependencies. It’s important to report any issues you find during this testing process.
5. Migrate to Privacy-Preserving Solutions
Google recommends using alternatives for partitioned cookies like Cookies Having Independent Partitioned State (CHIPS), the Storage Access API for storage access permissions, and Related Website Sets for cookies across linked sites.
Google also suggests exploring temporary options like the third-party deprecation trial and enterprise controls. It also encourages reporting issues related to third-party cookies to Google for further assistance.
Conclusion
For publishers, the depreciation of third-party cookies means adapting to new technologies and strategies. Many ad tech and programmatic technology companies are already aligning with the new framework. We encourage publishers to focus on direct interactions with their audience and develop robust first-party measurement solutions.
