Google will disable third-party cookies for millions of Chrome browser users on Jan. 4 as part of its ongoing privacy initiative.
The Google Chrome Tracking Protection feature will first be rolled out to 1% of users, with plans to phase out third-party cookie tracking for all users by the second half of 2024, the company said in an announcement Thursday.
Chrome Tracking Protection is part of Google’s Privacy Sandbox initiative, “an industry-wide effort to develop new technology that will improve people’s privacy across the Web and apps on Android,” as described on the Privacy Sandbox website.
Alternatives to third-party cookies are being developed that would allow sites to maintain functions like ad targeting and spam protection while preserving user anonymity, Google said.
Google Chrome update shuts off third-party cookies for estimated 30 million users
With a browser market share of nearly 63% according to StatCounter, Chrome is poised to strike a greater blow to third-party cookie tracking than its rivals Apple Safari and Mozilla Firefox, both of which had already disabled third-party cookies by 2020.
More than 3 billion people use Google Chrome, research by AtlasVPN found in 2021, meaning 30 million or more internet users could be included in the Jan. 4 rollout.
After the update, the test pool of randomly selected users will receive a notification on their desktop or Android Chrome browser informing them that Tracking Protection is active.
“If a site doesn’t work without third-party cookies and Chrome notices you’re having issues — like if you refresh a page multiple times — we’ll prompt you with an option to temporarily re-enable third-party cookies for that website from the eye icon on the right side of your address bar,” Google stated.
APIs available to replace advertising, anti-spam functions
Google will phase out Chrome support for third-party cookies throughout Q3 and Q4 of 2024, according to its current Privacy Sandbox timeline.
Meanwhile, application programming interfaces (APIs) have been available since Q3 2023 for developers to replace the useful functions of third-party cookies. This includes the Topics API and Protected Audience API for displaying relevant ads and the Private State Tokens API for blocking traffic from bots and malicious sources.
Topics and Protected Audience provide advertising sites with limited information about a user’s interests, which Chrome compiles from their browser history and stores on the user’s device rather than any external servers. These APIs enable sites to select ads based on these interest topics without collecting the user’s cross-site activity like third-party cookies do.
Private State Tokens are cryptographic tokens that can be issued to a browser when a user’s activity is trusted, such as when they pass a CAPTCHA prompt. The tokens on a browser can then be “redeemed” on other sites that trust the token issuer. This allows sites to segment trusted and untrusted users as a way to prevent spam and fraud, including bot activity. The tokens are encrypted, meaning they can only be used to distinguish trusted browsers from untrusted browsers and do not identify individual users.
Chrome’s cookie quashing ‘a long time coming’
Google twice postponed its third-party cookie phaseout, which was originally scheduled to begin in early 2022. The feature was first pushed to late 2023 before eventually being revised to 2024. The reason for the delay was a need for more testing of the relevant technologies, according to Privacy Sandbox Vice President Anthony Chavez.
Mozilla Firefox and Apple Safari were the first mainstream browsers to disable third-party cookies by default. Firefox released Enhanced Tracking Protection for all users in September 2019, which was followed by an upgrade to Safari’s Intelligent Tracking Prevention (ITP) in March 2020.
Mozilla’s 2023 release of Total Cookie Protection added additional protection against device fingerprinting and supercookies. In a blog post last week, Mozilla senior tech writer Chris Mills called Google’s phaseout plan “a long time coming” and a “big step” toward the end of third-party cookies. Mills also cited Google’s business interest in targeted advertising as a reason for its “seemingly slow response.”
While the major drive behind eliminating third-party cookies is user privacy, the move could potentially have some cybersecurity benefits, as it could reduce the amount of browsing information available to hackers. However, first-party cookies like authentication cookies, which can be stolen to bypass multi-factor authentication, are not affected by tracking protection measures.
Even if the early 2024 test phase goes according to plan, Google will still need to smooth over competition concerns with the UK’s Competition and Markets Authority before its Privacy Sandbox goals can come to fruition.