Blogthird-party cookiesbrowser privacy features

Google Chrome's Third-Party Cookie Deprecation: What It Means for AdTech

third-party cookiesPrivacy SandboxChromeSameSite cookiesHTTPSdevice fingerprintingDMPsDSPscookie syncingretargetingview-through attributionGDPRITPfirst-party cookiesIDFAAAIDSafariFirefoxW3C

First came new privacy controls, then the Privacy Sandbox initiative, and finally the announcement that shook the online advertising industry to its core: Google Chrome would phase out third-party cookies entirely. Below is a timeline of the major announcements and an honest assessment of what they mean for AdTech.

Google Chrome's Privacy Features: Transparency, Choice, and Control

On May 7, 2019, at the Google I/O conference, Google announced a new set of privacy and transparency features for Chrome, framed around three principles: transparency, choice, and control over personalized digital advertising.

At the time, the rollout date was unconfirmed — Q4 2019 was the working assumption — but the changes ultimately came into force in February 2020.

The announcement followed moves by Safari and Firefox, both of which had already introduced similar (though more aggressive) privacy controls. Google's approach, at least initially, aimed for something more measured.

Here's what those changes involved:

Transparency

Google introduced an open-source browser extension designed to show users which companies are involved in serving any given ad — including intermediaries like ad networks, demand-side platforms (DSPs), and supply-side platforms (SSPs). The extension works across browsers, explains why specific ads were shown, and surfaces a recent ad history for the user. An open API was also made available for AdTech companies to surface the same information directly.

Choice and Control

Two new privacy controls were added to Chrome:

The first lets users see which cookies are stored in their browser and selectively block or delete them. The focus is on third-party cookies — the kind used for ad targeting, measurement, and attribution — while first-party cookies (which handle things like shopping cart state and login sessions) were largely left untouched. Additionally, cross-site cookies were required to be transmitted over HTTPS to prevent interception or tampering as they pass between servers.

The second was intended to address device fingerprinting, though Google offered little detail at the time on the mechanics or timeline.

Once Chrome eventually drops third-party cookie support — targeted for the second half of 2024 — these granular cookie controls become largely beside the point.

Cross-Site and Same-Site Cookies

On October 23, 2019, Google's Chromium blog published details on how cookies would need to be handled going forward.

To enable users to delete third-party cookies while preserving first-party ones, developers were required to explicitly label cookies using the SameSite attribute — specifically SameSite=None — to signal that a given cookie is intended for cross-site use. The Secure attribute also became mandatory, meaning cookies could only be set over HTTPS.

Set-Cookie: name=value; SameSite=None; Secure

Chrome was the first browser to support this attribute, though the change was designed not to break other browsers that didn't. More detail on the specification is available here.

The practical effect: once Chrome had a reliable way to distinguish first-party from third-party cookies, it could surface a user-facing prompt to block the latter. Cookies set with SameSite=None would be the ones in scope for blocking.

The Privacy Sandbox Initiative

On August 22, 2019, Google announced Privacy Sandbox, a fundamentally different approach to the privacy problem than what Safari and Firefox had taken.

Rather than blocking third-party cookies outright, Privacy Sandbox proposes a secure environment where personalization can still occur — but only on the basis of anonymous, aggregated data. Key characteristics:

  • It's positioned as a new web standard, not simply a Chrome-specific feature, and Google invited input from other browsers, publishers, and AdTech companies through the W3C.
  • Most user data would stay on-device rather than being shared with ad tech vendors.
  • Personalization would shift toward interest-based cohort targeting rather than individual-level identification.
  • Google acknowledged the initiative would take years to fully develop.

Google was also explicit about its view on the blunter approach taken by other browsers: blocking cookies without a credible alternative pushes companies toward workarounds like device fingerprinting, which undermines privacy even more while giving users less recourse. It's a fair point — history in this space backs it up.

Google Announces Plans to Kill Third-Party Cookies by 2022

On January 14, 2020, Google's Chromium blog confirmed that Chrome would stop supporting third-party cookies by 2022. For most of the AdTech industry, this was the moment the abstract became concrete.

The key details from that announcement:

  • Chrome would phase out third-party cookies by 2022.
  • A series of trials would run through 2020 to assess how conversion measurement and audience personalization could function without them, primarily through Privacy Sandbox APIs.
  • The personalization model being explored was interest-based and aggregated — a significant step back from the 1:1 targeting that the industry had optimized around for over a decade.
  • The long-term goal was to replace cookie-based ad selection and measurement with Privacy Sandbox as a complete substitute.

First Delay: The 2022 Deadline Pushed to 2024

On June 24, 2021, Google announced a two-year extension to its original timeline. Two factors drove the decision:

1. Privacy Sandbox wasn't ready.

Work on the Privacy Sandbox standards and APIs had been progressing through the W3C Business Group, but the initiative was not sufficiently mature to serve as a full replacement on the original schedule. More testing time was needed across the ecosystem.

2. Antitrust pressure.

Governments and competition regulators in multiple jurisdictions had opened investigations into Google's AdTech practices. Most notably, the UK's Competition and Markets Authority (CMA) launched a formal investigation into Google's intent to remove third-party cookies from Chrome and replace them with Privacy Sandbox. Google committed to working with both the CMA and the UK's Information Commissioner's Office (ICO) on the concerns raised, and that regulatory scrutiny clearly influenced the revised timeline.

Second Delay: Pushed to the Second Half of 2024

On July 27, 2022, Google confirmed another delay, pushing the start of third-party cookie phase-out to the second half of 2024. The stated reason was the same: more time was needed to evaluate and test Privacy Sandbox before pulling the plug on third-party cookies entirely.

What This Means for AdTech

The eventual disappearance of third-party cookies from Chrome is not a minor adjustment — it's a structural shift in how digital advertising works on the open web.

What stops working:

Audience buying based on third-party data — DMPs that sell third-party audience segments (such as Oracle BlueKai and Lotame) or map offline data to online identifiers (such as LiveRamp) are directly in the line of fire.

Data activation on the web — Cookie syncing, which enables platforms to identify and target users across sites (for example, exporting an audience segment from a DMP to a DSP for media buying), will no longer function.

Retargeting on the web — Companies with heavy dependence on retargeting campaigns — Criteo's stock dropped roughly 20% on the day of the January 2020 announcement — and DSPs allocating significant spend to retargeting are exposed here.

View-through attribution — Attributing ad impressions (not just clicks) to downstream conversions relies on third-party cookie mechanics that will no longer be available.

Other third-party tracking technologies that depend on cross-site cookies will similarly break.

To put the scale in perspective: Safari and Firefox's privacy features had already reduced third-party cookie availability across the web by approximately 30–40%. Because of Chrome's dominant worldwide browser market share, removing third-party cookie support from Chrome would push that figure close to 100%.

AdTech companies will need to rely on the Privacy Sandbox API to retrieve clicks and conversion data — but the data will be anonymized, making it substantially harder to tie a specific click or conversion to an individual user.

What is not affected:

First-party cookie tracking — Tracking users within a single website domain, as used by tools like Google Analytics and Piwik PRO, is unaffected. First-party data strategies remain fully viable.

Retargeting and tracking in mobile apps — Advertisers can still retarget and track users across native iOS and Android apps using mobile identifiers: IDFA (Identifier for Advertisers, iOS) and AAID (Google Advertising ID, Android).

Offline data onboarding via email or phone — Uploading CRM data and activating it through Facebook Custom Audiences from customer lists or Google Ads Customer Match is not impacted by this change.

These changes are scoped entirely to the Chrome browser on desktop and mobile — they do not extend to the broader digital advertising ecosystem beyond the web.

Closing Thoughts

Google Chrome's moves on third-party cookies are part of a broader, industry-wide shift toward a more privacy-respecting web. The signals have been visible for years — GDPR, Safari's Intelligent Tracking Prevention (ITP), Firefox's Enhanced Tracking Protection — but much of the AdTech industry responded with workarounds rather than genuine adaptation.

The difference now is that Chrome's market dominance means there is no comparable workaround at scale. Browsers that serve the ads are leading the change, whether AdTech vendors are ready or not.

<Related />