Thoughts on Cookies (Persisting)

A Journey Of Tech History

‍It took 13 years after the launch of the first iPhone, which was completely Flash-free, and 10 years after Steve Jobs' "Thoughts on Flash" letter, for Google to fully deprecate Flash in 2020, replacing it entirely with HTML5 technology. Moving away from Flash was a significant event for those working in publishing, marketing, and advertising in the 2010s. That’s not surprising since by 2010, it was estimated that more than 40% of online ads still ran on Flash, the dominant technology for rich media and video ads at the time.

One key reason Steve Jobs opposed Flash was its poor security record. For him, consumer security was prioritized above all else—closely aligned with his views on privacy. As early as 2010, Jobs was advocating for consumers to be asked every time if they were willing to share their information. He famously said, “Privacy means people know what they are signing up for, in plain English, and repeatedly.” In many ways, this paved the way for what would become Apple’s App Tracking Transparency (ATT) framework, announced in June 2020. ATT allows users to choose whether an app can track their activity across other apps and websites for advertising or data-sharing purposes.

How Flash and Cookies Demise Connect 
But returning to the Flash deprecation story—this transition didn’t happen overnight. Flash was so deeply entrenched in the web ecosystem that moving to alternative technologies became a massive undertaking. Rebuilding ads in HTML5 or other formats posed significant challenges for advertisers and ad platforms, disrupting ad delivery and impacting revenue streams during the transition period.

In some respects, the shift away from third-party cookies mirrors this experience.

Third-party cookies are tracking files placed on a user’s device by a website other than the one they are currently visiting, often used to track user behavior across different sites for advertising and data collection purposes. Because it’s hard for users to know which cookies they have engaged with, it can jeopardize privacy by enabling companies to monitor activities without explicit consent.
In January 2020, Google announced its intention to phase out third-party cookies due to growing privacy concerns and a changing regulatory landscape around data protection. This decision followed their 2019 announcement of the Privacy Sandbox, a new privacy platform for the web.

The shift undoubtedly began with the EU's GDPR in May 2018, followed by California's CCPA in January 2020. These regulations, alongside iOS 14 and IDFA deprecation in September 2020, marked a key turning point in the battle against third-party cookies, as growing privacy concerns made reliance on them increasingly unsustainable.

By developing alternatives that preserved user privacy while still enabling effective ad targeting, Google aimed to create a more sustainable advertising ecosystem. Originally, Google planned to phase out third-party cookies by 2022. However, much has happened along the way. Shortly after Google’s announcement, the world entered the COVID-19 crisis, which placed tremendous strain on the global economy. This was followed by an economic downturn that we are still experiencing. Similar to the shift from Flash to HTML5, if not more challenging, developing a new mechanism for targeting, ad measurement, and attribution in a post-cookie world is no small task. Making such seismic changes in an industry already grappling with the effects of GDPR and iOS 14, amidst ongoing economic instability, is undoubtedly a complex challenge. This is especially significant considering that Chrome—held around 70% of the browser market share.

Cookies Going Away:  Act 1

Google’s first attempt at a cookie replacement, called Federated Learning of Cohorts (FLoC), proposed a new way for businesses to target people with relevant content and ads by clustering large groups of people with similar interests. Google described FLoC as a way to “hide individuals in the crowd” by using on-device processing to keep a person’s web history private in the browser. However, FLoC faced significant scrutiny due to privacy concerns and was eventually scrapped.

Critics pointed out that although FLoC was designed to be k-anonymous, the sequence of cohort IDs computed across weeks could be unique and potentially used by third parties to track users across sites. This privacy risk contradicted FLoC’s goal of mitigating individualized user tracking.

Cookies Going Away:  Act 2

Google then replaced FLoC with the Topics API as part of its Privacy Sandbox initiative. The Topics API observes and records topics of interest based on users’ browsing activity. This information remains on the user’s device and can be shared with ad tech platforms, but theoretically without revealing additional details about the user’s browsing history.

Cookies Going Away:  Act 3

On June 27, 2024, Criteo published a blog sharing their experimentation results with the Privacy Sandbox, assessing the impact on advertiser campaigns and publisher inventory. Their conclusion was that the Privacy Sandbox did not meet its commitments. According to their testing, if third-party cookies were deprecated with the current Privacy Sandbox, publishers would lose an average of 60% of their revenue from Chrome—falling far short of Google’s goal to limit the revenue impact to 5%. The concern on Criteo’s side was real, in a recent marketer survey carried out by Statista in 2024, 75% of responding marketers from eight countries worldwide stated that they heavily relied on third-party cookies.

Later on July 22, 2024, Google reported results from its own experimentation. Their tests showed that the Privacy Sandbox APIs created a 13% uplift for publishers on Google Ad Manager and a 3% uplift for publishers on Google AdSense. But these results are on Google’s on its own platforms. In another report published on the same day, stats did not look so promising with the main issues being remarketing recovery. “Remarketing recovery: Across campaigns using only remarketing audiences, our experiment showed a 55% advertiser spend recovery in Google Ads and 49% in Display & Video 360.3 These results are likely because remarketing today is more reliant on third-party cookies which enable a highly precise level of ads personalization, and the eligible inventory is limited because few supply side platforms (SSPs) are currently testing the Privacy Sandbox.”

Cookies Going Away: Epilogue

With Criteo’s findings, regulatory concerns from the UK’s CMA focusing on anti-competitiveness, and their own experimentation results, Google announced a new approach: instead of deprecating third-party cookies entirely, they plan to introduce a consumer-led decision-making process regarding tracking, which sounds a lot like Apple’s ATT framework.

“In light of this, we are proposing an updated approach that elevates user choice. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice across their web browsing and adjust that choice at any time.”

This is not very different from the current experience in some regions of the world, such as those under GDPR, where users must accept or manage a laundry list of cookies and legitimate interest toggles. Time will tell when the fate of cookies is revisited and if Google will be able to sunset them like they did with Flash. One thing is clear: third-party cookies still pose a privacy risk, and at some point, something is going to give. Companies should continue investing in strengthening their first-party data strategies, engaging directly with users, finding creative ways to build rich data sets that allow them to control their own faith and reduce reliance on third-party cookies. At Voyantis, we help companies acquire more high-value customers by leveraging non-PII data sets to generate highly accurate user-level predictions and automatically send them to ad networks, enabling them to identify more of these valuable customers. By effectively utilizing first-party data and mediating it to ad networks in a privacy-safe manner, these companies can reduce reliance on platform changes while achieving profitability.