Updated July 25 with a new industry report on the potential implications of Google’s proposed consent-based privacy change in Chrome.
On Monday, Google unexpectedly announced that its long-awaited removal of tracking cookies from Chrome had fallen apart. The company had been struggling to agree with regulators on an approach that would balance its own interests with those of the broader marketing industry, but no one expected this.
“We’re proposing a refreshed approach that expands user choice,” the company announced on July 22, before dropping its bombshell. “Instead of removing third-party cookies, we would introduce a new experience in Chrome that would allow users to make an informed choice that would apply to their entire web browsing experience.”
But before you ask too many questions about what this means, we don’t know yet. It probably means you can choose between tracking cookies, Google’s semi-anonymous Topics API, and its semi-private browsing. You’ll be able to change your choice, which will apply at any time across the web. But there’s a catch: even that hasn’t been agreed yet. “We are discussing this new path forward with regulators,” Google said, and the UK’s Competition and Markets Authority (CMA) responded: “We will need to carefully consider Google’s new approach… We welcome views on Google’s revised approach, including the potential implications for consumers and market outcomes.”
That’s bad news for Chrome’s 3 billion users, most of whom will never change their settings and would be better served by a more private browser by default. That was the subject of Apple’s anti-Chrome ad campaign, disguised as a pro-Safari promotion that recreated scenes from the Hitchcock film The birds to represent users being spied on while browsing the web, before Safari came to the rescue.
Ironically, just hours before this shocking news, the EFF had warned that “Privacy Sandbox is Google’s way of allowing advertisers to continue targeting ads based on your online behavior, even after Chrome completes its long-overdue phaseout of third-party cookies.”
Google’s Privacy Sandbox program, which was supposed to replace tracking cookies, appears to have had a number of false starts since its inception. The latest iteration involved grouping users into like-minded groups, but Apple made clear in a WebKit update released alongside its attack ads that such a move wouldn’t prevent fingerprinting as promised.
“We look forward to continuing to work with the ecosystem on the next step in the journey to a more private web,” Google concluded in its statement. But its decision to keep tracking cookies in place, while admitting that Plan B toward a more private web has failed, risks coming across as hollow. Let’s not forget that Google’s promise to kill tracking cookies celebrated its fourth anniversary earlier this year.
The EFF warns that Google’s decision “underscores its continued commitment to profits over user privacy. Safari and Firefox have blocked third-party cookies by default since 2020, when Google committed to doing the same. Third-party cookies are one of the most pervasive tracking technologies, allowing advertising companies and data brokers to collect and sell information about users’ online activities.”
Regulators are now having to grapple with this shock move by Google, which has clearly caught them off guard. The CMA has said that “in light of these developments, we will not be publishing our quarterly update report due later this month.” The CMA’s response will be crucial: it is the ongoing debate with the CMA that has caused so much angst around Google’s Privacy Sandbox rollout.
The UK Information Commissioner said: “We are disappointed that Google has changed its plans and no longer intends to remove third-party cookies from the Chrome browser. Since the Google Sandbox project began in 2019, we have believed that blocking third-party cookies would be a positive step for consumers. Google’s new plan is a significant change and we will consider this new course of action when more details become available.”
Contrast this with the view from the other side of the fence, that of digital trackers. The Washington-based NAI is a “self-regulatory association dedicated to responsible data collection and use for digital advertising.” Unsurprisingly, it welcomed the news, “supporting Google’s decision to maintain support for third-party cookies while improving transparency and user control,” and adding that “Chrome’s abandonment of third-party cookie support in the absence of alternative technologies that offered equivalent scale and interoperability would have posed a significant threat to the advertising competition that is essential to the free and open Internet.”
But, as always, the digital advertising industry may find itself failing to heed the sage advice of being careful what you wish for; Google ditching its Privacy Sandbox in favor of a consent-based privacy model may not be all the industry hopes. Digital Day “Google isn’t exactly eliminating third-party cookies; it’s just leaving the work up to users,” he explains. And that brings us to another interesting twist: Apple, again.
What’s clear is that the complex relationship between Google and Apple reverberates throughout this story. Whether it’s the eerily precise timing with which Apple launched a privacy push on Safari and attack ads on Chrome just days before the cookie announcement, or the echoes of Apple’s own approach to controlled privacy that could very well emerge as the driving force behind this user-centric approach.
“Three years ago,” Digital Day explains: “(Apple) introduced what you might call a polite gatekeeper for every app on a person’s phone. Before letting an app follow that person to other apps or sites, the gatekeeper asks, ‘Is it OK for this app to keep tabs on what you’re doing elsewhere?’ The user can say yes or no. While Google hasn’t explicitly said it will do the same thing, it has hinted that it will do something similar. It said it would introduce a “new experience in Chrome” that would allow users to make informed choices about their web browsing, which they can adjust at any time.”
This is, of course, Apple’s App Tracking Transparency, which caused a seismic shock to Meta’s tracking business model and changed the game for smartphone privacy.
The risk is that Google could succeed in creating the imbalance in access to data that was at the heart of regulatory resistance to the Privacy Sandbox, simply by this other means. “How this prompt works remains to be seen, but it is clear that Chrome is moving toward a consent-based privacy model. This change means that advertising on the web is starting to mirror advertising in mobile apps, where Google and Apple already use consent-based prompts to manage privacy settings.”
Digital Day An anonymous advertising executive expressed this concern: “Privacy is the scapegoat here, the one that (Google and Apple) are using to create advantages for their own stack. Google still accesses all of their data at the transactional level, both operate login frameworks that heavily favor large platforms, and both have massive amounts of login data on top of that.”
The battleground for all of this is obviously mobile devices and artificial intelligence. Google has been reluctantly following Apple’s lead on privacy for several years. Just look at how much more locked down Android is now than it used to be. But where Apple’s control is broadly acceptable to privacy analysts, Google’s will be viewed very differently.
The main problem with Google’s Privacy Sandbox is the tech giant’s dual role: on the one hand, it plays the role of chief guardian of its users’ privacy, and on the other, it plays the role of chief beneficiary of the monetization of all that data. In mobile at least, Google (like Apple on iOS) is sitting on a vast pool of data and single sign-ons and unified accounts that fill in a lot of gaps. This is an obvious concern.
In this Apple-Google feud that has been going on and on throughout this Chrome cookie story, there is a new twist. The register, who just launched an interesting response to Apple’s claim that Google’s latest Privacy Sandbox offering, its Topics API, would finally enable digital fingerprinting.
Disagreeing with the original research paper that Apple is relying on, “Google Topics engineer Josh Karlin opened a GitHub issue last week questioning the research methodology. “I took a quick look at your code after seeing some rather surprising results in the associated paper, and it’s important to highlight an issue I encountered because it significantly impacts the simulation results (and thus the paper).” Fixing this bug… reduces the re-identification rate from about 57% to about 3%.”
But the horse has now bolted, and it is the Privacy Sandbox rather than tracking cookies that appears to have collapsed.