As browsers increasingly prioritise user privacy, the era of third-party cookies is drawing to a close. The newest to take that leap is Google Chrome. The much-expected and delayed deprecation of third-party cookies in Chrome is expected to be fully rolled out in Q3 2024. But what is the impact of a truly cookieless future? And, are companies ready for the shift?
Honestly, it’s still hard to say. Other browsers have done this already. So Chrome deprecation doesn’t come as a surprise. Marketers have lived through this before and survived. The challenge is that Google Chrome holds a 64% search engine market share.
This is not a small percentage of the market! So for those marketers that have not prepared for this shift back when Safari and Firefox retired third-party cookies, and when iOS privacy updates happened, this time around the impact might be felt more. Plus, from what we have seen when all this started, many companies implemented cookie banners that in reality did not actually stop tracking!
In this guide, we try to detangle the complex and messy world of first-party cookies and Google Chrome deprecation. Plus, we give digital marketers a few ideas and suggestions on how to mitigate the risks.
First-Party vs Third-Party Cookies
In this guide
Unsurprisingly, the place to start this guide is by actually defending the terms we are talking about: what are cookies and what’s the difference between first-party vs third-party cookies?
A cookie is essentially an identifier, it’s a small file that your computer downloads when you visit any website to know that it is you who is visiting. This can be for different reasons, from giving you a great user experience to hounding you with ads.
The difference between first-party and third-party cookies should be simple. First-party cookies are files that a particular website (domain) saves on your computer. The website is collecting this data for their own purposes, usually to do with user experience. Some examples include collecting analytics data, and remembering your shopping basket or login details.
Third-party cookies are files that are saved on your machine that are not owned by the website you visited. They track your movement across websites – also known as cross-site tracking. Those cookies are most often associated with advertising services. They are the reason why you are targeted with fishing ads!
Third-party cookies, in essence, mean your data is shared with other websites – you visit one site and other websites, such as advertisers, know this. This is done by placing a script (a pixel) on the website you visited that essentially shares this data with the script owner.
Third-party cookies are then used for several advertising features but they all fall into three main buckets:
- Creating audiences
- Remarketing
- Conversion tracking
This of course has privacy implications. Just because I visited your website doesn’t mean I want to be bombarded with ads for similar sites. In essence, the question of first-party and third-party cookies is one of privacy. First-party cookies are owned, while third-party cookies are shared and often without the explicit consent of the user. Of course, users have control over what cookies are collected. You can adjust cookie settings on a browser level. After all, it’s the browser that downloads the cookie in the first place.
The challenge is that average users don’t even know this and that, until recently, many browsers were set to download third-party cookies by default. Companies (and marketers) have been for years using third-party cookies, for some, under the radar to support their advertising efforts. But with the development of laws such as the GDPR and the ePrivacy Directive, and supported by the Digital Markets Act, this wild west of privacy violations is coming to an end.
These days smart websites have cookie banners that control this and allow users to set their preferences visibly on the website level. If you are a business operating in the EU having a compliant cookie banner is mandated by law.
Fifteen years ago privacy was not such a wide concern. But today things have changed. Driven by privacy breaches in the 2010s (eg. the Cambridge Analytica scandal, in 2019) and the implantation of laws both in the EU (GDPR, ePrivacy) and US (California Consumer Privacy Act), privacy started gathering momentum.
It’s no surprise that major browsers are also following suit. Firefox started setting its Enhanced Tracking Protection as active by default back in 2019. And, recently they rolled out their Total Cookie Protection by default to more users. Apple in general, launched several important privacy features starting with OS 14 and iPadOS 14 in 2020 and Safari doesn’t track third-party cookies by default. This trend at Apple continued in 2023 with Link tracking protection.
And, while Apple and Firefix hold a smaller market share – Safari accounts for 18.86%, while Firefox holds only 3.3% – we’ve lived through this before and survived. And, now for the biggest player: Google Chrome. The browser with the largest market share has been announcing stricter privacy measures since 2019. But the timeline has been shifting and to this date, Chrome by default allows third-party cookies for the majority of users. Not for much longer though! Google has started truly preparing for the cookieless world. Since January 4th 2024, Chrome has restricted third-party cookies for 1% of users with plans to reach 100% in Q3.
For most marketers, this switch by browser will not come as a surprise. Those of us who have been following this for a while have already done some of the work to get prepared. After all, we had to if we were operating in an EU country. Anyone who has ensured their cookie banners are compliant, will be familiar with some of the main terms already. For other marketers, this all might be a surprise!
Important Terminology for Chrome Third-Party Cookie Deprecation
One of the most important terms every marketer should at least be aware of is the existence of the Google Chrome Privacy Sandbox which bakes privacy into third-party cookie collection on Chrome. It has several tools that help advertisers and publishers make the move. From my understanding, a lot of the responsibility is being placed on the third-party cookie creators eg. the ad platforms – including Google, Meta and Linkedin.
In this context some of the elements of the Sandbox, marketers should pay attention to are:
- Topics – Topics are Google’s idea for interest-based ad targeting via browser-based tracking of users’ web activity. Basically whereas before every website you visited where specifically shared on the web now the browser tracks these but doesn’t share that data anymore. Instead, it infers topics based on aggregated sites you visited and gives you the option to remove those or stop them completely in settings.
- FLEDGE or `Protected audience API – Protected audience API is Google’s proposal for remarketing and custom audiences without individual-level user tracking. Again rather than data being shared between websites, the browser will log a visit to an advertiser site. As you move across the web, the sites of advertisers you’ve visited can inform your browser that they would like a chance to show you ads in the future. Advertisers can directly share information with your browser.
- Attribution Reporting APIs – now this is where it gets a bit more complicated. In essence, Attribution Reporting APIs are a way of giving conversion data where the browser is the middleman between the publisher and the ad platform. The browser does the matching of the click and conversion using anonymised data rather than impacting privacy with the data being shared directly with the advertiser.
What’s in Your Cookie Jar – Auditing Your Website for Third-Party Cookies
For those who have not, the first step – even before we dive into particular impacts – would be to audit your website so you can see what’s in your cookie jar in the first place!
Let’s be clear, third-party cookie deprecation won’t impact every website. But till you check you won’t know for certain. This is why auditing your website is advised. Here are some of the ways you can do this:
- Auditing your cookies using Chrome Developer Tools
- Auditing your cookies using Screaming Frog
- Auditing by using a Third Party Consent platform
One of the elements to keep an eye out for regardless of which auditing path you take is the SameSite tag. The SameSite attribute tells a browser when and how to fire a cookie in first or third-party situations.
This tag will have one of three values mentioned in it:
- None – the Note tag together with its must-have attribute Secure is a way to clearly communicate that you intentionally want the cookie sent in a third-party context.
- Lax – The means that the cookie won’t be sent for cross-site requests BUT will be sent if a user navigates to the cookie’s origin site, for example, following a link. This is the default value a cookie will have if not otherwise specified.
- Strict – The cookie will only fire if the link is coming from the same domain (first-party) AND the link isn’t coming from a third party.
Auditing Your Cookies Using Chrome Developer Tools
You can easily inspect your website for cookies using the Chrome Developers Tools from Chrome itself. But be warned this can be a bit time-consuming and it’s not the most friendly interface.
There are three main places to look at here: Network tab, Applications tab and Issues. All three will give you info on the same thing really, what cookies you have and which will be problematic when Chrome deprecation third-party ones. Personally, I like the look of two of these: Applications and Issues. Applications because it gives me a clear view of the SameSite column.
And, Issues because it’s just more user-friendly and clearly tells you which are the affected cookies.
Auditing Your Cookies Using Screaming Frog
Screaming Frog is one of our top SEO tools in general and why we love them can be seen in their quick turn-around of this super useful new feature: Cookie Audit. Screaming Frog has a brilliant guide on how to run the Cookie Audit, so have a look at that.
What we love about it and where it is miles better than Developer Tools is its user-friendly interface and Cookie summary report.
They also give some super important advice which is running the audit with and without the Cookie Consent being triggered. This is super useful to be able to compare what actually happens as a result of the banner being accepted, making a great way to also test the Consent Mode for things like Google Ads.
Auditing by Using a Third-Party Consent Platform
Another way to audit your website is to use a third-party cookie consent platform. They provide an audit as part of the set-up process for your consent banner. There are a ton of consent baller providers out there. Which one you use will depend on your website and your preferences. For example, Cookie Bot is quite easy to set up but can be a bit clunky in blocking embedded content such as Vimeo or YouTube. Our developer partner Tom Slominski from GreyHound studio swears by Real Cookie Banner, particularly for WordPress websites:
It seemed like these guys really understood the implications of the law and how to best respond to it, as opposed to other plugins which dealt more specifically with blocking cookies, which is just a part of it.
You might also want to make sure that the platform you choose is on the list of Google’s Consent Management Platform (CMP) partners, as this means setting up Consent Mode will be way easier! Plus, a great resource you might want to email to your devs is the Privacy Sandbox Analysis Tool (PSAT) extension. PSAT has been designed to support devs with the deprecation and the adoption of alternative APIs.
Impact of Cookieless Tracking on Digital Marketing
Now that we hopefully understand a bit more about the not-so-easy world of cookies, it’s time to tackle the big questions:
- What is the actual impact of this first-party cookie deprecation on digital marketing?
- How concerned should you be?
- What do you need to do to mitigate the impact?
Digital marketing is a massive field so unfortunately we can’t cover every possible scenario here. But here are a few examples where the impact might be felt. From paid social to PPC, Chrome first-party cookie deprecation will impact advertising in many different ways. And yes you should be concerned about this as a digital marketer. But there are ways to mitigate some of it. Plus, let’s face it more emphasis on privacy in advertising is actually a great thing for the user!
The impact on advertising will broadly speaking be concentrated on three elements:
- Audience targeting
- Remarketing
- Reporting
Audience Targeting
Cross-site tracking as we know it today enables a lot of the audience targeting when it comes to ads. Companies such as Meta and Google have not only built their audience profiles based on data collected within their platform. They have used multiple data points collected by tracking user behaviour across multiple sites.
Obviously, without this data, the targeting won’t be as precise in the future. One solution for this has been given by Google via the Privacy Sandbox initiative and it’s the previously mentioned Topics API. Technically speaking Topics still require tracking of browning behaviour but in a broader interest-based sense. Advertising platforms can call the API to request access to a user’s topics of interest, but not details of their browsing history.
Here’s a high-level overview of how this works.
The current taxonomy for topics is quite extensive – around 469 topics. Google is limiting the taxonomy’s size to reduce the risk of fingerprinting. There are some excellent commercial terms in there, but the effectiveness of this approach is yet to be seen as the topics still seem a bit wide. Additionally, another thing to consider is Epochs. Epochs – browsing activity during a period of time which is currently one week. Each user has its own epoch and the topics selected for each epoch are randomised from their top 5. Plus, there is a 5% chance the topic is randomly selected from all possible topics in a taxonomy of interests. Great for privacy but limiting for accurate targeting within platforms.
Users also have control over their Topics and can disable them in their Chrome settings.
Remarketing
The remarketing side of things is all connected with the Protected Audience API that’s part of the Privacy Sandbox. This is how the API lifecycle looks like
Here’s a summary of how it works:
- Interest Groups: Sites can create interest groups, specifying names and owners (e.g., demand-side platforms). Browsers can add users to these groups upon request.
- Ad Auctions: When a user visits a site with available ad space, the site or a sell-side provider (SSP) can run an ad auction using the Protected Audience API. The auction includes invited interest group owners who can bid.
- Bidding: Bids are generated by interest groups using real-time data from their Protected Audience Key/Value service. The auction winner is determined by the bid with the highest score, based on seller-owned real-time data and contextual information.
- Ad Display: The winning ad is displayed in a fenced frame, ensuring privacy. The ad creative’s URL must match those specified in the bid.
- Reporting: Sellers can report auction outcomes, and buyers can report wins.
As is the case with all other elements of the Sandbox, the Protected Audience API aims to improve advertising while preserving user privacy.
Reporting
The Attribution side of the whole story is probably the most complex of the lot. To mitigate the impact of the deprecation Google has included into the Sandox access to their Attribution Reporting API.
Here’s a great Google video as an intro.
It replaces third-party cookies for ad conversion measurement, ensuring user privacy. The API offers event-level and summary reports for measuring ad conversions. Event-level reports link ad clicks/views with conversion data, while summary reports offer detailed conversion insights. Privacy protections, like delayed reporting and noise addition, safeguard user data.
The two reports work slightly differently as well. Event-level reports associate ad interactions with conversion data, with limited cross-site tracking. Summary reports provide detailed insights in an aggregated manner, ensuring user privacy through encryption and noise addition.
What Can Marketers Do To Improve Their Targeting, Remarketing and Reporting Capabilities?
What marketers can do to improve their capabilities depends on the platform. The advertising platforms themselves are and will be sorting things on their end to a large extent because they still want marketers to invest in paid advertising after all. And, let’s face it if your targeting and reporting is pants, your results will suffer and you might decide to stop advertising.
Remember, advertising platforms have seen this before. When Apple released its tracking update, Meta tweaked its features and brought forward a bunch of new settings such as Aggregated events. Advertisers do and will adjust!
The reality is though that there won’t be as many cookies in that cookie jar, which makes things slightly less accurate but still possible.
Here are a few things to check and do, to make the process as easy and the data as accurate as possible.
Meta Advertising Platforms
Your Meta pixel will still work after deprecation if implemented correctly. But there are a few bits you should check and things to be aware of.
Meta Cookie Usage setting
As the name suggests, this setting manages the usage of cookies – specifically First-party cookies.
Step 1. Log into your Events Manager, go to Data Sources (where your Pixel is) and choose Settings.
Step 2: Scool down and find Cookie Usage settings. By default this should be set to On but we’ve seen instances where this was not the case. If it’s not set to On click on Edit and set it to On!
Be mindful also to read the Meta Cookie Consent Resource!
Google Ads and Google Analytics 4
There are a few things marketers can do here to make their lives easier when Chrome retires third-party cookies. Let’s cover two of the most important elements here:
- Google Consent Mode
- Enhanced Conversion (EC) Tracking
Google Consent Mode
If you’ve recently logged in to your GA 4 account you might have noticed that all of a sudden there is a warning that your property is not complete and Google is yet again sending you to the Setup Assistant where you can see a new incomplete action: Verify Consent Settings.
This warning is a sign that Google is finally rolling out its Consent Mode widely. The feature allows companies to communicate visitors’ cookie or app identifier consent status to Google. Based on what the user chooses as their setting on your cookie banner, the tags adjust their behaviour to respect it. So if your cookie banner is compliant (which it should be!) it allows Google to know when a user chooses to Deny all cookies (but essential), Accept all cookies or Customize what is collected. See below an example of a compliant cookie banner.
While there are many elements to consider when checking your banner for compliance one of the most important ones is making sure only necessary cookies are opted into by default. The rest need to be opted out from and the user needs to click to opt in. The existence of the cookie banner and its compliance is mandated by law through directives such as the GDPR and the ePrivacy Directives in the EU.
In the US, things are still a bit murkier with most states mandating the banner needs to be present but it can work on an Opt-out basis (meaning the collection is by default allowed and users need to opt-out rather than opt-in). The exception is the State of California with its California Consumer Privacy Act (CCPA) which is slightly more prescriptive.
Now that you have an idea about cookie banners, let’s get back to Consent Mode. At the moment getting this done is a priority for Google Ads. If you are an advertiser that shows ads in the EEA region and UK advertisers you need to implement Consent Mode.
After someone visits your website and declines/ignores cookies, the relevant Google tags will adjust accordingly and not use ads cookies, but conversion modelling to fill measurement gaps.
Consent Mode is not a new feature. I remember researching it 4 years ago as part of implementing a Cookie banner for a website where I worked as an SEO manager. Back then it was limited to Analytics 360 and we had UA so we could not make use of it. Today the Mode is rolled out in its second iteration to everyone which is great news.
If you want to understand a bit more about how it actually works for Google Ads check out this Google Ads Tutorials: Consent Mode video and read more about Consent Mode modelling.
The question on everyone’s mind is how to actually implement this?
The easiest way to do this is by ensuring you have a compliant cookie banner on your website that can easily be hooked up with Consent Mode. Here is a list of Google certified partners. If you already have a banner in place check for implementation guides for that solution online. If your website runs on Shopify, the Pandectes app is widely recommended, but there are many others that can be used.
You can also opt-out to set this up using a custom banner solution and connect to Consent Mode using your Google Tag Manager. Be warned though it’s a bit of a fuff!
Once everything is up and running, a great little feature in GA4 is the ability to check all is working correctly. Go to Admin > Data Streams > Consent Settings and if all is well you’ll see the below screen
Obviously, with Consent Mode implemented targetting, remarketing and reporting in your Google Ads will change. Those users who deny cookies or decide not to pick Advertising cookies in their custom settings, will not be directly tracked. But, having Consent Mode enabled means that advertising platforms such as Google Ads can at least use modelling to fill in the gaps. Without it, your ability to advertise will be impacted quite a lot when Chrome deprecates third-party cookies!
Note:
Smaller sites will struggle more with taking full advantage of Consent Mode. There are some prerequisites for the modelling. The main ones being:
- at least 1,000 events per day with analytics_storage=’denied’ for at least 7 days.
- at least 1,000 daily users submitting events with analytics_storage=’granted’ for at least 7 of the previous 28 days
This is definitely not ideal but let’s remember while Consent Mode is not mandated by law, cookie compliance is.
Enhanced Conversions
The future of Google Ads and other platforms means a lot of reliance on AI-powered technologies. As Google states, marketers need to employ durable measurement and audience solutions. Google Ads and Display & Video 360 as well as Campaign Manager 360 are all Google’s products and they are currently testing and applying elements of the Sandbox.
As mentioned, the Sandbox has several elements to it. The one element that is particularly interesting and needs action on the markers’ side is Enhanced Conversions.
With first-party cookies being retired in Chrome, conversion tracking will get a bit more tricky on Google Ads. Enhanced conversions are a way for Google to mitigate this and to start relying on your first-party data instead. When someone converts on your website, for example, they fill in a form, they provide personal data such as email, address or phone number. Enhanced conversions are a way for Google to receive that data but in a privacy-first way. A secure one-way hashing algorithm called SHA256 is used to transfer the data to your ad account. Then this is matched to Google’s own hashed database of users (eg. someone logged into their Google account).
As is the case with any features, there are different ways you can set this up in Google Ads. You can use the Google tag directly, Google Tag Manager or the Google Ads API. Doing it via Google tag and GTM is available from within your Google Ads so we recommend you start there. The easiest set-up is via GTM.
There are three ways to set up enhanced conversions via GTM:
- Automatic collection – the easiest way
- Code – more accurate but hard
- Manual configuration – more precise than automatic but less than code. Also hard.
Most smaller websites will want to simplify things and go for Automatic collection. Here you will have two options:
- Standard automatic enhanced conversions – good for websites where the confirmation page is the one that holds the identifiable data (eg. email). A good example is purchase pages.
- Automatic enhanced conversions with the user-provided data event tag – best option if your Thank you page doesn’t have that data and instead you are collecting it in the previous step. For example, a Contact us page with a form that leads to a Thank you page.
Let’s look at an example of our test site MyFakeShop. Our main conversion event is a Contact us form. The form requires users to input identifiable information, and email. After submission, the user is taken to a thank you page.
Considering this path we can see that we need to set up Automatic enhanced conversions with the user-provided data event tag. We already have GTM installed on our website so this installation is the obvious choice. Plus, it’s the easiest one!
In the previous video, we showed you how to enable the global Enhanced conversion setting in Google Ads. For the connection to work, we need to ensure that we are pushing data from our website in hashed forms to Google ads via GTM.
Step 1. Ensure the correct data is pushed via the GTM data layer.
The best way to do this is to open up your Google Tag Assitant and test the journey. Fill in your form and see what gets pushed.
In cases where you do not see the correct data pushed via the data layer, you will need to contact your developer to add this. At the very least you will need to push the email via the data layer since that is mandatory. Otherwise, how will Google do the matching later one!
Step 2: Create your User-Defined Variables.
Step 3: Create your trigger, Variable Configuration and Trigger
Note:
Make sure you also check out this detailed list of how to prepare your accounts. This goes beyond Enhanced Conversions and talks about other elements that are also relevant. Share this with your developers as well! And, if you have an agency running your ads they should already have a lot of these ticked off as well!
First-Party Data for the Win!
One of the best things digital marketers and companies in general can and are doing is actually collecting first-party data. This isn’t a new concept but unfortunately, we find many companies are still behind with it. Too many times companies have contacts but are not keeping them in any accessible form. No lists, no contact management systems (CMS’s) in place… Contacts being collected in emails, not segmented or managed correctly. This is all first-party data that can be incredibly useful for audience targeting, reporting and remarketing!
Multiple platforms also let brands match their own first-party data with clicks, ad exposures, and engagements measured in the platforms, like Google’s Ads Data Hub, Meta’s Advanced Analytics, Amazon Marketing Cloud, and more.
One great example of this is Hubspot, The CRM data can be integrated with your Meta, Google Ads and LinkedIn even now. For example, if you have a customer list on Hubspot make sure you sync or upload that data from Hubspot to your chosen advertising platform. The advertisers can then match this and use it to improve your targeting, remarketing and reporting capabilities.
All advertisers also have APIs available. For those marketers ready for more technical, you can explore server-side conversion tagging. See for example Facebook Conversion API and Google Ads tagging using GTM.
Final Thoughts
It’s certainly not easy wrapping your head around this! Plus we have no idea what the actual impact will be. The hope is that advertisers will get with the programme and enable markers to still target, remarket and report. Many have done so already. Most platforms have APIs and configurations already available to support this transition. The challenge is that setting this up is not super easy for many marketers.
This guide tackles at least a few sections of this very complex topic. Hopefully, it gives marketers an idea of where to start!
