Google Chrome's Impact on AdTech and MarTech [Infographic]
On January 14, 2020, Google made an announcement that most people in the online advertising industry never thought they would hear — Google would kill off third-party cookies by 2022.
Then, on June 24, 2021, Google Chrome announced it would extend its planned sunset of third-party cookies by two years, pushing the deadline to mid-2023.
On July 27, 2022, Chrome announced yet another delay — deprecation of third-party cookies would now begin in the second half of 2024.
Third-party cookies have been the backbone of online advertising for over a decade and power a number of key advertising processes. So what does this all mean for the digital advertising industry, and how will it affect publishers, AdTech companies, and advertisers?
About Google Chrome
Google Chrome was first released on September 2, 2008, and is the most widely used web browser in the world, holding a global market share of around 65% as of January 2023.
That scale is precisely why any privacy change Chrome makes carries far-reaching consequences for the entire advertising ecosystem.
Over the years, Chrome has rolled out a steady stream of changes aimed at strengthening user privacy. Below is a snapshot of the main milestones.
A Timeline of Google Chrome's Main Privacy Changes
May 7, 2019: Google announced plans to introduce new privacy and transparency features in Chrome, giving users more control over personalized digital advertising.
August 22, 2019: Google announced the Privacy Sandbox — an initiative designed to make the web more privacy-friendly while still allowing online advertising to function in a limited capacity. (More on Privacy Sandbox below.)
October 23, 2019: Chrome introduced its "SameSite" cookie attribute, requiring website developers to declare whether their cookies are first-party or cross-site. This change was designed to let users delete third-party cookies while keeping first-party cookies intact.
January 2020: Google announced it would shut off support for third-party cookies by 2022, replacing programmatic advertising processes with its Privacy Sandbox.
June 24, 2021: Chrome extended its third-party cookie phase-out by two years.
July 27, 2022: Chrome announced it would not begin phasing out third-party cookies until the second half of 2024.
A Timeline of Other Google Chrome Privacy and Security Updates
The cookie deprecation saga is only part of the story. Chrome has been making incremental privacy and security improvements for well over a decade.
March 17, 2010
Chrome 4 introduced the first privacy settings providing site-by-site control over cookies, images, JavaScript, plug-ins, and pop-ups.
June 7, 2011
Chrome 12 added Safe Browsing protections against malicious file downloads and gave users the ability to delete Flash cookies from within the browser.
September 9, 2011
Chrome 14 added Sync Encryption for all data and DNSSEC validation of HTTPS sites, identifying and marking non-secure pages containing passwords or credit card information.
November 6, 2012
Chrome 23 added the Do Not Track (DNT) standard, allowing users to disable tracking while browsing.
January 14, 2014
Chrome 32 enabled a feature that lets users reduce their data usage online and automatically block malware files.
January 2017
Chrome 56 began labelling HTTP pages as "not secure," improving how Chrome communicates connection security to users.
January 24, 2018
Chrome 64 started preventing sites with abusive ad experiences from opening new windows or tabs without user permission.
May 7, 2019
Google announced new privacy and transparency features for Chrome to give users more choice and control over personalized advertising.
August 22, 2019
Google announced the Privacy Sandbox initiative.
October 12, 2019
Chrome 79 introduced the Built-In Password CheckUp Tool to flag passwords exposed in data breaches, along with a Sync and Google services section allowing real-time scanning of malicious sites.
October 23, 2019
Chrome introduced the SameSite cookie attribute.
January 2020
Google announced third-party cookie deprecation by 2022, with Privacy Sandbox as the intended replacement.
February 2020
Chrome 80 introduced a new default value for the SameSite cookie attribute, limiting cookie use in third-party contexts to improve web privacy and the security of personal data shared across domains.
May 19, 2020
Chrome 83 began rolling out Secure DNS, built on DNS-over-HTTPS, to improve safety and privacy while browsing. It also introduced enhanced Safe Browsing alerts for malware, phishing, and risky extensions, and gave users the ability to block third-party cookies in Incognito mode.
July 14, 2020
Chrome 84 automatically enrolled sites with abusive permission requests into a quieter notifications UI, warning users when sites might be attempting to trick them.
Manual Enrollment (and Opt-Out)
Manually enroll on Desktop or Mobile via Notifications Settings
August 25, 2020
Chrome 85 began automatically blocking heavy ads that use more than 4KBs of network data or 60 seconds of total CPU — targeting things like cryptocurrency miners and embedded mini-games.
September 3, 2020
Chrome 86 deprecated and removed support for FTP URLs, citing FTP's reliance on clear-text credentials and its lack of encryption, which leaves data vulnerable to sniffing and spoofing.
October 21, 2020
Chrome 86 also began displaying permission requests using a quieter UI to reduce the risk of users being tricked into granting notification permissions.
November 18, 2020
Google introduced new data policies for Chrome Extensions developers, requiring transparent, certified disclosures about the data collected by their extensions on Chrome Web Store pages.
December 3, 2020
Chrome 88 added the rel=noopener attribute to anchor target=blank by default, preventing undetected web content changes and reducing phishing attack vectors.
December 8, 2020
Chrome 89 introduced First-Party Sets, using a SameParty cookie attribute to let browsers identify which domains belong to the same organization and treat them as first-party. The origin trial for First-Party Sets ran from Chrome 89–93. Chrome 89 also introduced password generation features.
January 11, 2021
Chrome 91 proposed Network State Partitioning to prevent cross-site tracking via side channels.
January 25, 2021
Chrome announced early testing of the Federated Learning of Cohorts (FLoC) algorithm — a proposal to provide privacy-friendly audience targeting based on cohorts rather than individual tracking. Trials ran from Chrome 89–91. FLoC was shut down on January 25, 2022, and replaced by Chrome's Topics API.
June 24, 2021
Chrome extended its third-party cookie phase-out timeline by two years.
July 21, 2021
Chrome 92 on mobile introduced improved browser permission management panels, with each page and extension running in its own sandbox. Phishing protections were also enhanced.
September 1, 2021
Chrome 93 dropped support for the 3DES algorithm in TLS due to vulnerability to Sweet32 attacks. It also blocked HTTP, HTTPS, and FTP connections over ports 989 and 990, and added WebOTP API support for one-time SMS passwords synchronized across Google accounts.
September 22, 2021
Chrome 94 increased security by removing AppCache.
October 20, 2021
Chrome 95 rejected cookies larger than 4,096 bits (name and value combined) and 1,024 bits per attribute, dropped FTP protocol support, and stopped supporting URLs without IPv4 addresses.
January 4, 2022
Chrome 97 introduced the Keyboard MAP API, a controversial feature enabling web applications to detect key presses across different keyboard layouts.
February 1, 2022
Chrome 98 updated the Keyboard API and SDED (Simple Data Encryption Standard) encryption to improve privacy protections.
July 27, 2022
Chrome announced it would not start phasing out third-party cookies until the second half of 2024.
What Are Third-Party Cookies?
Web cookies are a browser storage mechanism used to retain data between sessions. There are generally two types: first-party and third-party cookies.
First-party cookies are created by the domain the user is currently visiting. Third-party cookies are created by domains other than the one the user is on.
Third-party cookies have been the backbone of online advertising for over a decade, powering a range of critical advertising processes.
What Processes Rely on Third-Party Cookies?
The core purpose of third-party cookies is to identify users across different websites, enabling:
- Behavioural ad targeting — showing ads based on a user's activity across multiple websites
- Audience targeting via cookie syncing — exporting audiences built in DMPs to DSPs for targeting
- Ad retargeting — re-engaging users who have previously visited a site
- Frequency capping — limiting how often a specific user sees an ad within a given period (e.g., a maximum of five impressions in 24 hours)
- Audience extension — reaching a publisher's audience across other websites
- View-through attribution — connecting an ad view to a downstream conversion
The Impact on AdTech
Safari and Firefox already block third-party cookies by default, but the real industry disruption arrives when Chrome does the same — given its roughly 65% global market share.
The expectation is that Chrome will complete this phase-out in 2024. When it does, many players across programmatic advertising will feel significant impact.
Publishers
Publishers face a sharp drop in ad revenue. Without third-party cookies, advertisers cannot identify the publisher's audience and are therefore unwilling to pay as much for impressions. Audience extension revenue is also heavily affected.
SSPs and Ad Exchanges
Most SSPs and ad exchanges make money by taking a margin on top of media prices. When publishers earn less, so do they. Without third-party cookies, SSPs and ad exchanges lose the ability to identify users on publisher sites, undermining behavioural targeting, attribution, and measurement.
Ad Networks
Ad networks can still display ads without third-party cookies, but behavioural targeting, attribution, and audience reach all take a meaningful hit.
DSPs
Matching an advertiser's target criteria against a publisher's audience becomes much harder without user-level identification. Behavioural targeting and retargeting are limited and don't scale the way they do with third-party cookies.
DMPs
The majority of DMPs use third-party cookies to identify users and build audience profiles that advertisers and DSPs use for targeting. Without them, the core business offering of most DMPs is severely impacted — publishers and advertisers lose access to those audiences entirely.
Advertisers
Without effective audience identification across the open web, advertisers can't run effective behavioural or retargeted campaigns. The result is lower reach, lower campaign performance, and fewer conversions.
It's Not Game Over for AdTech…
But the industry will have to play by a different set of rules.
Several alternatives to third-party cookies are available for AdTech companies looking to maintain audience targeting and measurement capabilities.
Google Chrome's Privacy Sandbox
Privacy Sandbox is Google's initiative to create a secure environment for personalization that still protects user privacy. It encompasses a set of standards and APIs designed to replace the functions currently handled by third-party cookies.
These standards are being developed collaboratively between AdTech companies, agencies, publishers, and Google's ad and browser teams through the W3C Improving Web Advertising Business Group.
Privacy Sandbox is expected to be released sometime in 2024.
Universal IDs and Device Graphs
A universal ID is a persistent identifier that allows AdTech platforms to recognize users across different websites and devices.
Universal IDs are built using probabilistic data (e.g., IP address, browser type and model, user-agent string), deterministic data (e.g., email address or phone number), or a combination of both.
Both publishers and advertisers can use their first-party data to generate universal IDs. While universal IDs are the closest functional replacement for third-party cookie IDs, they're not as passively available across the web as cookies have been.
Data Clean Rooms
A data clean room is software that allows two parties — say, a publisher and an advertiser — to match their data together without either side gaining direct access to the other's raw data.
This kind of secure data collaboration can support many programmatic advertising functions, including ad targeting and measurement.
There are two broad types:
- Centralized data clean rooms — data is stored in a single location
- Decentralized data clean rooms — data is stored in separate locations (e.g., different servers), with matching happening across those environments
The IAB Tech Lab's Seller Defined Audiences (SDA)
On February 24, 2022, the IAB Tech Lab released its first addressability specification from the Project Rearc initiative: Seller Defined Audiences (SDA).
This standard is designed to help publishers monetize their first-party data by creating audience cohorts that can be passed to demand partners (DSPs) via the OpenRTB protocol and Prebid.
SDA builds on other IAB Tech Lab standards, including Audience Taxonomy, the Data Transparency Standard, and the IAB Tech Lab's Transparency Center.
Self-Serve Ad Platforms
Beyond universal IDs and SDA, publishers can give advertisers direct access to their audiences through self-serve ad platforms. Rather than selling inventory through an ad server or SSP, a self-serve platform lets advertisers create campaigns directly on a publisher's properties — websites or mobile apps — using first-party audience data.
Contextual Targeting
Contextual targeting shows relevant ads based on the content of a page rather than data about the individual user. It's a concept that predates the internet — contextual placement was the norm in magazine and newspaper advertising for decades.
Contextual targeting has been experiencing a resurgence as privacy regulations tighten and browser-level cookie restrictions expand. It doesn't rely on cross-site tracking and is therefore unaffected by third-party cookie deprecation.
What to Expect From Chrome Going Forward
Chrome's engineers are navigating a difficult balance between user privacy and advertiser interests — and not every proposal has landed well. FLoC, for example, drew significant community criticism before being abandoned in favour of the Topics API, which attempts to anonymize users more effectively by mapping interests to a topic catalogue rather than cohort identifiers. Topics API is still being evaluated by the broader industry.
The Keyboard MAP API is another example of a proposal that has drawn pushback, and early revisions are already underway.
That said, Chrome has made genuine progress on user privacy over time — Network State Partitioning, for instance, is a meaningful step toward preventing cross-site tracking via side channels.
Chrome continues to evolve on multiple fronts, though critics note that UI/UX improvements sometimes receive more attention than fundamental privacy architecture. Whatever one thinks of the pace of change, Chrome remains the dominant browser — and that means its decisions continue to shape the entire web advertising ecosystem.
Where There's Change There's Opportunity
The challenges posed by third-party cookie deprecation are real, but so are the opportunities. Privacy Sandbox, universal IDs, data clean rooms, SDA, contextual targeting, and first-party data strategies each represent viable paths forward.
These changes — alongside broader privacy shifts like GDPR and Safari's Intelligent Tracking Prevention — don't spell the end of AdTech. But vendors will need to rethink how their platforms work if they want to remain competitive in a privacy-first world over the next decade.