De-Deprecated: Cookies Live to Crumble Another Way
This blog originally appeared in abridged form in the July 23 issue of Lucid Privacy Bulletin.
Five years, hundreds of ad industry engineering hours and millions of dollars spent testing Google Privacy Sandbox – all for nought? Perhaps not, but Google’s announcement that they will not be nixing third-party cookies (3PCs) after all creates new uncertainties.
New path, same woods
In their blog, the Privacy Sandbox team has proposed an "updated approach" where the Sandbox's APIs will live alongside a new user choice "experience" for controlling 3PCs.
- Anthony Chavez, VP, Privacy Sandbox: “We are proposing an updated approach that elevates user choice. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.”
It's possible that Google will offer an option like Apple's App Tracking Transparency (ATT). But will the choice be global (i.e. at the browser level) or per website visited? Opt-in or opt-out? And if opt-in, will the request be one-time or regularly refreshed? Specific to each purpose (e.g. measurement vs personalization)? With prominent Accept All/Reject All buttons as seen on nearly every European (and some US) site?
True to Google fashion, the details of what the experience will look like exactly and what it will do are left to everyone's imagination. But European regulators may well steer Google in a particular direction.
Conditions for GDPR-grade consent
Leading European regulators appear committed to an experience where consent requests are granular, explicit and time-bound. According to CNIL France, the head of the EDPB Cookies Taskforce:
- Consent is a free, specific, unequivocal and informed expression of will. The validity of consent is therefore linked in particular to the quality of the information received.
- Until the person has given their consent, cookies cannot be placed or read on their device.
- [Consent] must be required each time a new purpose requiring consent is added to the purposes initially planned.
- [Requests] must allow Internet users to be fully informed, particularly regarding the different purposes of cookies and the identity of those responsible for the processing.
- Circa 2018: "...the period of validity of the consent to the deposit of Cookies be increased to a maximum of 13 months. At the end of this period, the consent will have to be collected again. As a result, cookies must have a limited lifespan of thirteen months after their first deposit in the terminal equipment of the user (following the expression of consent)"
- Furthermore, the CNIL recommends that this choice be made on each of the sites or applications concerned by navigation tracking.
- Solutions for users to withdraw their consent must be made available to the user. They must be accessible at all times.
CNIL's guidance concerns data retention too. Device storage duration should be limited to what is necessary, for example 13 months, and data collected should be retained for a maximum period of 25 months.
Google's not Apple
Google is an advertising business first. Google also offers a robust consent management capability, Google Consent Mode, that mandates support for IAB Europe’s hyper-granular Transparency and Consent Framework (TCF). (Google also supports IAB’s Global Privacy Platform and US opt-out signals.)
While delegating 3PC deprecation to users is a clever way to inoculate the Sandbox from anticompetitive claims (at least on this front), Chrome's mysterious new privacy "experience" still needs to pass muster with the UK's Competition and Markets Authority (CMA) and Information Commissioner (ICO). Would they approve a 'GTT'? It's too early to tell. But the CMA has called for public comments on Google's proposal, including on the "potential issues/risks of centralised/browser-based controls."
Wait, what about the users?
In his 2021 blogs, Lucid’s Ben Isaacson discusses Apple's ATT being a contextless experience that swings too far away from the “level of control [in modern cookie preference centers] that most website visitors may never utilize.”
Google could present "information alongside existing preference dashboards", and support publishers/advertisers with customizing an "'explainer' prompt, site-specific content, or even a dedicated email message to educate" users as part of a new streamlined experience.
Along similar lines, mobile industry analyst Eric Seufert calls Apple’s ATT consent prompt a “foreboding and intimidating” experience that the CMA agrees “may not maximise user comprehension and thus limit the extent to which ATT empowers users to make effective choices about their data.”
Can Google strike a balance? They arguably can, and under the gaze of regulators and industry stakeholders they will need to take pains to look as open and neutral as possible.
And while the Chrome team has not offered any details yet, the current privacy experience looks like this:
Ironically, even if the CMA and ICO are fine with Chrome's current prompting and settings presentation (perhaps not), as Ben also notes, third-party CMPs will not appreciate being disintermediated as their new experience. (Cue Anything You Can Do, I Can Do Better.)
Zooming out
Whatever Google does next, they are aiming to keep their Q2 2025 timetable. And while much remains to be seen, three things are clear: (1) the Sandbox will now have to compete with 3PCs, alternative IDs, etc. on its own merits, (2) the UK CMA and ICO, as well as the adtech industry, will have a chance to weigh in, and (3) Chrome will not remain the last bastion of 3PCs for long. Whether in the name of browser parity or user choice, these identity signals will dwindle away. This makes innovation in privacy-protective advertising more important than ever.