What’s the deal with third party cookies and the Google Privacy Sandbox?

There’s been a decline in the use of third party cookies and Chrome is planning on phasing out support for them entirely in 2024. Third party cookies are currently the primary enabler of web tracking and advertising, so this seems like a win for consumer data privacy and protection. I’m going to go over what third party cookies are, what specifically is being phased out, and what it really means.

Every browser HTTP request expects a response from a server. When a browser issues a request to example.com, example.com can set a cookie by responding with a Set-Cookie response header. The browser stores cookies on disk and saves the cookie under example.com. If you visit example.com again in the future, this cookie will be forwarded back to the server with the same domain.

So what’s this “party” business?

If the cookie domain is the same as the current domain you’re on (in your browser’s address bar), this is a first party cookie. The cookie belongs to the domain. Every other cookie is third party. So whether a cookie is first party or not depends on two things:

  1. The domain of the cookie
  2. The current domain of the page

So from a user perspective, a cookie isn’t first party in an absolute sense. If they go to a different site under a different domain, the same cookie stops being first party. To reiterate, the site you’re currently on determines whether a cookie is first party or third party.

Web pages are loaded via a URL that contains a domain name, but the HTML documents can also contain references / links to resources on other domains. When the browser fetches those resources, the servers behind them can also receive cookies with matching domains (that are different from the current site you’re on!). In other words, visiting a single website causes your browser to transmit that site’s own cookies AND cookies belonging to other websites. Some of those websites are sites like Google, for the purposes of analytics and tracking.

This basic auto storage and transmission behavior of cookies combined with the hyperlinking nature of web sites has been a gold mine for online advertisers. If you’re an advertiser, third party cookie data allows you to learn about visitor behaviors, such as websites they frequently visit and recent purchases. This data is then used to send ads to past visitors or people with similar profiles.

Here’s a scenario:

Say you have an account on Amazon and are researching a rice cooker there. Then, you go to another site later in the day and see an Amazon advertisement for the same exact product. What?! How’s that possible? You’re not on Amazon anymore! Well, if you aren’t on an Amazon-owned site and you’re seeing Amazon related ads, this advertisement was probably triggered by third-party cookie data.

This may seem like magic, but with a basic understanding of cookie behavior it’s a simple mechanism. Let’s continue with the Amazon example. Amazon has an advertising network (similar to Google’s DoubleClick). There are two sides to every advertising network. There are the advertisers that have something to sell (companies selling rice cookers on amazon.com) and want their products to be advertised as widely and cheaply as possible, and there are people that want to make money by showing ads on web properties that they own (they are not the ones making the ad), like a recipe blog or something.

Amazon calls those that want to show ads associates. When a user takes an action on Amazon, this is all being funneled into Amazon’s idea of who you are as a consumer. For example, what you last looked at buying.

Here’s an example of a cookie that’s set by the ad network when you visit Amazon.com:


ad-privacy=0; Domain=.amazon-adsystem.com; Expires=Sun, 01-Oct-2028 14:16:44 GMT; Path=/; Secure; HttpOnly; SameSite=None

This long-lived cookie contains an identifier of who you are according to Amazon, and this cookie data will be forwarded with any request to the Amazon ad network’s domain, .amazon-adsystem.com. When you later visit a recipe site that’s part of the ad network, the page is going to load a third party tracking script (also known as a pixel) from .amazon-adsystem.com. The request for that script carries the cookie that was set, so the ad network can look up the user by ID on the Amazon servers and serve a targeted ad based on the information it has on the user identified by the cookie. Pretty slick, right? What’s even better for advertisers is that these scripts also continue to track your behavior as long as they’re loaded and transmit the data back to the server to build an even richer representation of you as a consumer for re-targeting purposes.

With the end of third party cookies, this basic mechanism is threatened. The recipe site will be restricted to transmitting only first party (its own) cookies. Cookies previously set by an ad network (from a user’s visit to amazon.com properties) will not be transmitted behind the scenes for ad retargeting.
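To make the mechanism concrete, here is an added example (not from the original post and not any browser’s actual code) that models a cookie jar and decides which cookies ride along on a request, before and after third party cookies are blocked. Assumptions: every request is HTTPS, a “site” is the last two labels of the host (real browsers use the Public Suffix List), and recipes.example, pixel.amazon-adsystem.com and the session cookie are made up for illustration.

```javascript
// Simplified model of browser cookie handling (added example, not real browser code).
// Assumptions: all requests are HTTPS; "site" = last two host labels (browsers use the Public Suffix List).
const site = (host) => host.split(".").slice(-2).join(".");

function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // Defaults: host-only cookie; Chrome treats a missing SameSite attribute as Lax.
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: responseHost, hostOnly: true, secure: false, sameSite: "lax" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain") { c.domain = v.replace(/^\./, "").toLowerCase(); c.hostOnly = false; }
    else if (key === "secure") c.secure = true;
    else if (key === "samesite") c.sameSite = v.toLowerCase();
  }
  return c;
}

// Which stored cookies accompany a request made while topLevelHost is in the address bar?
function cookiesSent(jar, requestHost, topLevelHost, blockThirdParty = false) {
  const crossSite = site(requestHost) !== site(topLevelHost);
  return jar.filter((c) => {
    const match = requestHost === c.domain ||
      (!c.hostOnly && requestHost.endsWith("." + c.domain));
    if (!match) return false;
    if (!crossSite) return true;              // first party context: always eligible
    if (blockThirdParty) return false;        // after the phase-out: nothing crosses sites
    return c.sameSite === "none" && c.secure; // today: only SameSite=None; Secure crosses sites
  }).map((c) => ({ name: c.name, party: crossSite ? "third" : "first" }));
}

// Constructed jar: the cookie quoted in the post plus a made-up first party session cookie.
const jar = [
  parseSetCookie("ad-privacy=0; Domain=.amazon-adsystem.com; Expires=Sun, 01-Oct-2028 14:16:44 GMT; Path=/; Secure; HttpOnly; SameSite=None", "amazon-adsystem.com"),
  parseSetCookie("session=abc123; Path=/; Secure; HttpOnly", "recipes.example"),
];

function demo() {
  const adHost = "pixel.amazon-adsystem.com"; // hypothetical subdomain serving the pixel
  return {
    onAdDomain: cookiesSent(jar, adHost, "amazon-adsystem.com"),  // same cookie, first party here
    today: cookiesSent(jar, adHost, "recipes.example"),           // sent as a third party cookie
    phasedOut: cookiesSent(jar, adHost, "recipes.example", true), // no longer sent
    ownSite: cookiesSent(jar, "recipes.example", "recipes.example", true), // unaffected
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

The same ad-privacy cookie is first party on the ad network’s own domain and third party on the recipe site, and SameSite=None; Secure is what lets it cross sites today.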

Yay! No more targeted ads right?

While this looks like a positive direction for data privacy, it’s definitely not the end for third party advertisements. Remember that Google and many tech companies make an ungodly amount of money from their advertising platforms and it’s not in the interest of big tech to kill their golden goose. The current Google-led proposal to replace third party cookies in Chrome is called the Privacy Sandbox initiative. A key aspect of this proposal is that instead of transmitting user data to a centralized ad platform, the data is kept locally on-device and ad auctions (that determine what ads to show) are run based on local data. This doesn’t mean your data is protected or private; they’re just offloading the tracking behavior to the client side. My basic understanding at this moment is that instead of reaching out to a central ad network via a cookie to render an ad, they run local machine learning models on what the device knows about usage behavior to serve ads. There’s concern about whether this is actually privacy-protecting or whether it creates new privacy issues for users and further entrenches Google as an ad monopoly.
