Privacy in AdTech FAQ: Chrome's Privacy Sandbox, Safari ITP, Firefox, and GDPR
Google Chrome's announcement that it would stop supporting third-party cookies set off a wave of questions across the digital advertising industry — but Chrome's changes aren't the first privacy challenge AdTech has faced, and they won't be the last. This FAQ covers the most common questions about privacy trends in AdTech, how Chrome's Privacy Sandbox works, what happens to targeting and measurement after third-party cookie deprecation, and what publishers, AdTech companies, and advertisers can realistically do to prepare.
What are the current privacy trends in AdTech?
Privacy in AdTech is a multilayered topic that has been evolving for well over a decade.
The first major challenge for publishers, AdTech companies, and advertisers was ad blockers, which were introduced in the mid-2000s. Then, in 2015, Safari allowed users to install content blockers — functionally similar to ad blockers. The GDPR followed in 2018, adding a regulatory layer to an already shifting landscape. More recently, Safari and Firefox stopped supporting third-party cookies entirely, and Chrome has been moving in the same direction.
The trend is also pushing toward removing IDs that could serve as fingerprints. Some companies responded to third-party cookie restrictions by shifting to first-party cookies and browser local storage, often combined with fingerprinting and link decoration. These are workable alternatives for now, but they aren't future-proof — browsers can and do block or restrict them. A clear example: when Safari's ITP started limiting third-party cookies, some AdTech and MarTech companies began storing data in browser local storage. Safari responded by removing data from local storage after seven days.
Chrome hasn't announced restrictions on first-party cookies, but future changes that limit user identification — similar to what Safari has already done — can't be ruled out.
At present, between 20% and 30% of web browser traffic in the US and Europe no longer supports third-party cookies, based on Safari and Firefox's combined market share. When Chrome deprecates third-party cookies, that figure will approach 100%.
What changes has Google Chrome made to third-party cookies?
Chrome has made two major changes on this front.
The first came on May 7, 2019, when Google announced it would give Chrome users more control, transparency, and choice over personalized advertising. In practice, this meant Chrome would allow users to block and delete third-party cookies while leaving first-party cookies intact. Web developers and AdTech companies were required to include a SameSite attribute — specifically SameSite=None; Secure — when setting third-party cookies to ensure they could still function in a third-party context.
The second major announcement came on January 14, 2020, when Google Chrome declared it would shut off support for third-party cookies by 2022.
That timeline shifted. On June 24, 2021, Google announced a two-year extension, moving the expected deprecation to mid-2023. Then on July 27, 2022, Google pushed the date again, stating that third-party cookie phase-out would begin in the second half of 2024.
When will Google's changes to third-party cookies come into force?
The SameSite attribute requirement came into force in February 2020 with the release of Chrome 80.
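An added example, not code from the original article or from Chrome: a small audit that checks Set-Cookie header values against the SameSite=None; Secure requirement described above. The function names are hypothetical, and the cookie names, values and the ads.example domain are constructed samples.

```javascript
// Added example (not from the article): audit Set-Cookie values for the
// SameSite=None; Secure requirement. All sample cookies are constructed.

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? "" : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Decide whether a cookie is still usable in a third-party context.
function auditThirdPartyCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = "samesite" in attrs ? attrs.samesite.toLowerCase() : null;
  const secure = "secure" in attrs;
  if (sameSite === "none" && secure) {
    return { name, ok: true, reason: "SameSite=None; Secure" };
  }
  if (sameSite === "none") {
    return { name, ok: false, reason: "SameSite=None without Secure" };
  }
  if (sameSite === null) {
    return { name, ok: false, reason: "no SameSite attribute" };
  }
  return { name, ok: false, reason: "SameSite=" + sameSite + " is same-site only" };
}

// Constructed sample headers, as a tag or sync endpoint might emit them.
const SAMPLE_HEADERS = [
  "uid=abc123; Path=/; Max-Age=31536000; SameSite=None; Secure",
  "sync=xyz789; Path=/; SameSite=None",
  "seg=42; Domain=.ads.example; Path=/",
  "sess=s1; Path=/; SameSite=Lax; Secure; HttpOnly",
];

function auditAll(headers) {
  return headers.map(auditThirdPartyCookie);
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.ok ? "OK  " : "FAIL"} ${r.name}: ${r.reason}`);
}
```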
The full deprecation of third-party cookies has been delayed multiple times. Google initially said 2022, then pushed it to mid-2023 in 2021, and then to the second half of 2024 in July 2022. Chrome is currently developing and testing the standards and APIs within Privacy Sandbox, and the final deprecation timeline depends on how that testing proceeds.
The end goal is for Chrome's Privacy Sandbox to replace the core processes currently handled by third-party cookies.
What is Privacy Sandbox and how does it work?
Google Chrome's Privacy Sandbox is a secure environment for ad personalization and measurement. Chrome positions it as a new web standard — one that places user privacy at the centre while keeping the web ad-supported.
Several components of Privacy Sandbox are designed to replace the key mechanisms of display advertising:
- APIs for conversions and measurement: Chrome provides two APIs that AdTech companies can use to retrieve click-through and conversion data. Reports are sent in aggregate and are deliberately delayed, making it harder to link a click to an individual user.
- Federated Learning of Cohorts (FLoC) for interest-based targeting: FLoC groups users based on similar interests and behaviour, which is then used for ad targeting. For example, if an advertiser wants to promote a new car, Chrome can deliver that ad to users who belong to a group like "new car enthusiasts." This approach is more privacy-preserving because targeting happens at the group level rather than on a 1:1 individual basis, as it currently works with first- and third-party cookies. FLoC connects with Google's Federated Learning framework, which uses AI and machine learning to analyze data in a privacy-preserving way.
- TURTLEDOVE (Two Uncorrelated Requests, Then Locally-Executed Decision On Victory) for retargeting/remarketing: This works similarly to FLoC but is specifically designed for retargeting use cases rather than interest-based targeting.
How advanced is Chrome's Privacy Sandbox project?
Some of the standards and APIs in Privacy Sandbox have already been released for origin trials — including FLoC and the Attribution Reporting API. Others, such as FLEDGE, were still in testing as of mid-2022. There remains significant work to complete before Privacy Sandbox can fully replace third-party cookie functionality, which is part of what prompted the timeline extensions.
What impact will Chrome's changes have on AdTech and MarTech?
All AdTech and MarTech platforms that rely on third-party cookies will be affected.
Impact on AdTech:
- Behavioural targeting and retargeting: Advertisers will lose the ability to target users based on cross-site behaviour. Some behavioural targeting will remain possible through first-party data, but its reach will be limited.
- Audience activation via cookie syncing: DSPs and DMPs sync cookies with each other to help advertisers reach their target audiences. Because cookie syncing relies on third-party cookies, this process will cease to work once Chrome deprecates them.
- Attribution: View-through attribution, which credits a downstream conversion to an earlier ad impression, will no longer function in the same way.
Impact on MarTech:
Most MarTech platforms (analytics tools, marketing automation platforms, etc.) rely on first-party cookies, so they won't be directly affected by the third-party cookie changes in Chrome. However, any MarTech tool that does depend on third-party cookies will face the same disruptions as AdTech platforms.
Who will benefit most from Chrome's changes?
The players best positioned to weather these changes are those that don't depend on third-party cookies for identification.
Even though every participant in browser-based advertising will feel the impact, publishers with large, engaged audiences have a natural advantage. Because they have a direct relationship with users, they can collect first-party data and use it for ad targeting.
DMPs that collect and use non-cookie identifiers — such as email addresses and device IDs — are also in a stronger position. LiveRamp and Permutive are examples of identity resolution platforms that can identify users without third-party cookies. Most traditional DMPs, however, are heavily dependent on third-party cookies and will face serious disruption.
Who will lose the most from Chrome's changes?
Advertisers and AdTech companies will bear the largest negative impact.
Advertisers will lose the ability to activate audiences for media buying via cookie syncing, and retargeting campaigns will no longer work the same way. The result will be reduced reach and weaker campaign performance across the board.
Because the majority of AdTech companies have built their business models around third-party cookies — for identification, targeting, and measurement — they will need to rethink both their technology and their commercial approach. Chrome's Privacy Sandbox will still allow some form of group-level targeted and retargeted advertising, but it's unclear whether this will deliver results comparable to what third-party cookie-based targeting achieves today.
Are other browsers introducing Privacy Sandbox or similar mechanisms?
Safari introduced Intelligent Tracking Prevention (ITP) in September 2017. ITP blocks third-party cookies by default and limits the lifespan of first-party cookies and browser local storage.
Firefox introduced Enhanced Tracking Protection (ETP), which also blocks third-party cookies by default and additionally blocks device fingerprinting.
Neither Safari nor Firefox has announced plans to adopt Google Chrome's Privacy Sandbox, though that can't be ruled out.
What do publishers, AdTech companies, and advertisers need to do to prepare?
Publishers
When third-party cookies disappear, DMPs will lose their ability to build audiences for later activation by advertisers. SSPs and ad exchanges will also lose the ability to identify users across websites in the way they currently can.
Publishers need to start building addressable audiences now — if they haven't already. The most direct approach is to have users register and log in via email, so that email addresses can serve as identifiers for both ad targeting and, to a limited degree, measurement. Publishers can extend this further by integrating with an ID resolution service built on first-party cookies. The Advertising ID Consortium, which uses LiveRamp's Identity Link, is one well-known option.
An alternative is to join a login alliance — a shared authentication tool that lets users create one account usable across multiple publishers within the alliance. Login alliances were established in several EU countries, including Germany, initially to simplify GDPR compliance and enable first-party-data-based targeting. Adoption has been slow, largely due to competition concerns, but the model is gaining renewed attention.
AdTech companies
AdTech companies will need to change how their technology works. Key areas to focus on include:
- First-party data: Platforms should invest in capabilities that help publishers and advertisers extract maximum value from first-party data.
- Other digital advertising channels: Browser-based display advertising is significant, but there are large and growing markets in in-app mobile, OTT and CTV, and digital out-of-home (DOOH) that are not affected by third-party cookie deprecation in the same way.
- Privacy Sandbox: The remaining timeline before full deprecation is not long, and AdTech companies should be actively exploring how to use Privacy Sandbox's APIs for targeting, retargeting, and measurement.
Advertisers
Brands and advertisers have two primary levers:
- Collect first-party data tied to email addresses: This enables ad targeting and retargeting by matching email lists with those collected by publishers through identity resolution services like LiveRamp.
- Build closer direct relationships with publishers: Purchasing inventory through direct deals makes it easier to reach target audiences without relying on cookie-based identification.
How can AdTech companies continue to function if targeting and measurement shift to aggregate, browser-controlled mechanisms?
Targeting based on third-party cookies and third-party data will no longer work, but targeting based on first-party data will survive — in a more limited form. CPM prices will drop significantly as it becomes much harder to consistently identify audiences across websites.
Many of the linking fields that currently connect AdTech systems — cookie IDs in cookie syncing, device graphs, DMP-DSP connections — will stop working. Any AdTech process that uses cookie IDs as the link for data exchange will need to be rebuilt or retired.
Ads displayed in mobile apps will continue to function as they are served and measured through SDKs, which don't rely on browser cookies.
One meaningful differentiator between AdTech companies today is their cookie pool and their ability to reach specific audiences. With cookie pools disappearing, that differentiation erodes. Ad targeting, measurement, and potentially even auction mechanics will increasingly be controlled at the browser level, meaning all AdTech companies will be working from the same dataset — which significantly reduces competitive differentiation.
If Safari and Firefox were ever to adopt Privacy Sandbox, even first-party-data-based targeting could face restrictions, as it already has under Safari's ITP.
How do browser-based display ads and in-app mobile ads compare in terms of spend?
According to eMarketer data, programmatic display ad spend in the USA reached $57 billion in 2019. In-app mobile ad spend in the USA was approximately $77 billion in 2019.
Both channels represent substantial portions of media budgets. Any significant disruption to how either operates — such as the end of third-party cookies in browsers — carries real consequences for every player in the ecosystem.