Guidesthird-party cookiesprogrammatic advertising

Third-Party Cookies in Google Chrome: A Guide for AdTech

cookie syncingDSPSSPDMPCDPconsent management platformGDPRuniversal IDsUnified ID 2.0IdentityLinkID5differential privacyProtected Audience APITopics APIAttribution Reporting APIPrivate Aggregation APIcontextual targeting

Third-party cookies have long been foundational to programmatic advertising, giving advertisers the ability to track users across websites and serve personalized ads. As privacy concerns have grown, browsers like Safari and Firefox moved to block these cookies by default. Google Chrome has taken a different path: rather than eliminating third-party cookie support outright, Chrome introduced the Privacy Sandbox — a framework designed to give users more control over their data while preserving the infrastructure of the ad-supported internet.

This article covers what third-party cookies are, how they function in digital advertising, how Google relies on them, and what the landscape of alternatives looks like.

Key Points

  • Third-party cookies carry out advertising-related activities such as cross-site identification and profiling, ad targeting, retargeting, ad campaign measurement, and attribution.
  • Cookies are domain-specific, so identifiers must be compared across systems through a process called cookie syncing — a process that introduces ad-serving latency and carries a low match rate.
  • Google's advertising ecosystem relies heavily on third-party cookies: twelve Google products use them to deliver ads and generate campaign reports.
  • Privacy regulations such as the General Data Protection Regulation (GDPR) have forced the AdTech industry to limit user tracking and develop alternatives.
  • Google has stepped back from plans to deprecate third-party cookies entirely, and instead intends to give users the choice to allow or opt out of tracking within Chrome.

The Role of Third-Party Cookies in Digital Advertising

Third-party cookies are created by domains other than the one a user is currently visiting. They store user IDs and behavioural signals, and are fundamental to several core advertising processes.

Ad Campaign Performance Measurement and Ad Attribution

Third-party cookies help measure ad campaign performance and attribute ad impressions and clicks to user actions. By tracking user interactions across different websites, advertisers can generate detailed reports on campaign effectiveness.

Ad Targeting

Third-party cookies enable supply-side platforms (SSPs) and demand-side platforms (DSPs) to deliver personalized ads based on a user's browsing history and inferred preferences.

Retargeting

Retargeting involves showing ads to users who visited a website but didn't complete a desired action — such as making a purchase. By tracking users across the web, advertisers can re-engage those potential customers with relevant messaging.

Cross-Site User Identification and Profiling

The primary function of third-party cookies is to enable cross-site user identification and profiling. By aggregating data from multiple websites, advertisers build user profiles inside data platforms — typically a data management platform (DMP) or a customer data platform (CDP) — to target users with ads tailored to their interests.

Cookies Need To Be Synced

Websites, platforms, and systems each generate their own user IDs and store them in cookies. For the same user to be recognized across multiple domains and AdTech platforms, those IDs must be matched — a process known as cookie syncing.

Cookie syncing creates a unified user profile that allows advertisers to carry out advertising-related activities across systems.

Here is how the cookie-syncing process works:

  • A user visits a website that has ad inventory available.
  • A DSP receives the request to serve an ad to that user.
  • The DSP sends a request and creates a third-party cookie.
  • The ad exchange redirects (HTTP redirect) the ad request to the pixel URL on the DMP's side, passing the user ID in the URL parameter. The DMP reads its own cookie or creates a new one, then saves the DSP's user ID alongside its own in a cookie-matching table.
  • If the sync is bidirectional, the DMP redirects back to the DSP, passing its own ID in the URL parameter. The DSP reads its own cookie and stores the DMP ID alongside its own in its cookie-matching table.
  • Both the DSP and DMP now hold each other's user IDs in their respective databases.

Cookie syncing has notable drawbacks:

Low match rate: The success rate of matching user IDs is between 40% and 60%.

Cookie blocking: Users who employ cookie-blocking software or browse in private/incognito mode prevent cookies from collecting data on them.

Lags in ad serving: The browser must make multiple calls to different servers, introducing latency into the ad-serving process.

Without cookie syncing, platforms cannot reliably identify the same user across different systems.

What's Happening with Third-Party Cookies in Google Chrome?

Third-party cookies have long been critical for independent AdTech companies operating in Chrome's ecosystem, enabling cross-site tracking to support targeted ad delivery. In recent years, Chrome has introduced incremental privacy changes — most notably the SameSite policy, which restricts how cookies can be shared across sites.

Google has signalled plans to eventually phase out third-party cookie support as part of its Privacy Sandbox initiative. That initiative aims to protect user privacy while still giving AdTech companies the tools they need to deliver relevant ads. However, after years of delays, Google announced it will not shut down third-party cookie support and will instead allow users to decide whether third-party cookies can be created on their devices.

Third-Party Cookies in Google's Advertising Business

Google itself uses third-party cookies to display and personalize ads, apply frequency capping, suppress ads a user has opted out of seeing, and measure campaign performance.

The following twelve Google products use third-party cookies for advertising purposes:

  • AdSense
  • AdSense for Search
  • Google Ad Manager
  • Google Ads
  • Campaign Manager
  • Google Analytics
  • Display & Video 360
  • Search Ads 360
  • YouTube
  • Google Flights
  • Google Hotel Ads
  • Google Surveys

Specific advertising cookies used by Google include the NID cookie, which displays ads to users who are not signed in, and the ANID and IDE cookies, which manage ads served on non-Google websites. When personalized ads are enabled, these cookies tailor the ads shown; when disabled, they record users' opt-out preferences.

Privacy Regulation, Browser Policy, and Google's Approach

In 2018, the General Data Protection Regulation (GDPR) came into effect across the European Union, establishing new rules for processing personal data. Under the GDPR, companies must collect user consent before using personal data for ad targeting and retargeting — typically via a consent management platform (CMP). Similar privacy regulations have since emerged in other jurisdictions, with the common objective of protecting user data.

Beyond regulation, major browsers have updated their privacy policies independently. Safari and Mozilla Firefox now block third-party cookies by default and limit cross-site tracking as a result. Google has taken a different approach.

Rather than blocking third-party cookies, Google launched the Privacy Sandbox — a framework intended to enable targeted advertising while improving user privacy. In its most recent public announcements, Google confirmed it plans to:

  • Introduce new features in Chrome that support informed decision-making around user tracking.
  • Add IP Protection to Chrome's Incognito mode.
  • Continue developing the Privacy Sandbox APIs.

Alternatives to Third-Party Cookies

In response to the evolving privacy landscape, various AdTech vendors have developed identity solutions to serve as replacements for third-party cookies. The most widely discussed category is universal IDs (also called alternative IDs or alt IDs).

A universal ID is a unique user identifier used by AdTech companies to recognize users across different websites and devices. To create one, vendors take a piece of deterministic data — such as an email address or phone number — and generate a hashed, encrypted ID. This allows companies to identify users without exposing raw personal data.

Three prominent examples of universal IDs include:

Unified ID 2.0: Developed by The Trade Desk, it provides a secure, encrypted ID derived from a user's email address.

LiveRamp's IdentityLink: Connects a user's online and offline data through a single persistent identifier.

ID5 ID: An independent identity infrastructure provider that supports addressable advertising across web/display, in-app mobile, and connected TV (CTV) environments.

Other alternatives to third-party cookies include data clean rooms, the IAB Tech Lab's Seller Defined Audiences (SDA), self-serve ad platforms, and contextual targeting.

Google's Privacy Sandbox

First announced in 2019, the Privacy Sandbox is Google's initiative to establish a new advertising standard for the open web. It delivers a suite of APIs for online advertising that aim to enable effective targeting and measurement while protecting user privacy through techniques such as differential privacy.

The main advertising solutions within the Privacy Sandbox are:

Private Aggregation API

Aggregates and reports cross-site data in a privacy-preserving manner. It uses the sendHistogramReport() operation to gather data from the Protected Audience API and Shared Storage, producing noised summary reports. For example, marketers can generate histograms showing the approximate number of users in a given location who have seen their ads.

Attribution Reporting API

Measures ad conversions without relying on third-party cookies, tracking ad clicks and views in third-party iframes or first-party contexts such as social networks.

Topics API (formerly FLoC)

Replaces the earlier FLoC proposal, using broad interest categories to enable personalized advertising without extensive cross-site tracking.

Protected Audience API (formerly TURTLEDOVE and FLEDGE)

Developed from earlier proposals including SPARROW, Dovekey, and PARROT, this API enables private ad targeting and re-engagement by storing user interest signals directly in the browser rather than on external servers.

None of these APIs rely on third-party cookies. For now, Google will continue to support third-party cookies in Chrome while these alternatives mature — though the direction of travel is clearly toward a more privacy-constrained ecosystem where user consent and browser-side infrastructure play a larger role.

<Related />