Chrome users waiting for Google to kill third-party cookies now have to wait even longer. In a Tuesday news update, the company revealed that its plan to start blocking third-party cookies by default won't kick off until early next year, at the earliest.
Even then, the process will depend on whether Google can reach agreements with the UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO). Both of these organizations have a vested interest in the fate of these cookies for privacy reasons and have expressed concerns about Google's plans. Google has also faced pushback from advertisers worried about the financial impact if third-party cookies disappear from the world's most popular browser.
Also: Google's latest project could help protect you against cookie theft
This marks yet another in a series of delays and setbacks in Google's desire to curtail third-party cookies in Chrome. The company originally planned to start blocking third-party cookies in 2022. After that year came and went, Google postponed the process until H2 2024. Nudging the deadline further still, the company then announced that third-party cookies would be deprecated starting in the second half of Q4 2024. Now we have the latest delay, until early 2025.
This seems like a straightforward matter. Advertisers and companies use third-party cookies to track you while you browse the web through a process called cross-site tracking. Cybercriminals can exploit these types of cookies to steal personal information or spread malware. Cutting off support for such cookies would protect the privacy and security of Chrome users.
So, why the constant delays? In short, lots of cooks in the kitchen.
Even Google has complicated things. The company has proposed a Privacy Sandbox that would replace third-party cookies. The sandbox would still send targeted ads to Chrome users, to placate advertisers, but would limit cross-site tracking, to satisfy regulatory bodies.
Also: Google releases two new free resources to help you optimize your AI prompts
Regulators such as the CMA and ICO are not so keen on this proposal. Google's Privacy Sandbox idea is a sticking point for the CMA in particular, which in January 2024 compiled a list of 39 concerns.
The CMA is concerned that Google could continue to benefit from user activity data while limiting access to the same data from its competitors, that Google could control the inclusion of competitors in the sandbox (benefiting its own ad services), and that publishers and advertisers might be less able to identify fraudulent activity.
"We welcome Google's announcement clarifying the timing of third-party cookie deprecation," a CMA spokesperson told . "This will allow time to assess the results of industry tests and resolve remaining issues. Under the commitments, Google has agreed to resolve our remaining competition concerns before going ahead with third-party cookie deprecation. Working closely with the ICO, we expect to conclude this process by the end of 2024."
Advertisers and industry groups are of course worried about losing third-party cookie access in a browser with such dominant market share. Advertisers depend on third-party cookies to gather a host of details about internet users for the purpose of sending them targeted ads. For that reason, they see such cookies as vital for conducting successful ad campaigns.
"Google's ambitious plan to retire third-party cookies in Chrome is facing roadblocks on multiple fronts," Sarah Jones, Cyber Threat Intelligence Research Analyst at security provider Critical Start, told .
"Achieving a solution that satisfies the often conflicting needs of various stakeholders proves to be a complex challenge," Jones said. "Advertisers who rely on these cookies for targeted advertising, publishers who depend on ad revenue, and developers who need to implement the new solutions all have valid concerns. Balancing these needs alongside user privacy expectations and navigating the regulatory landscape set by authorities like the CMA further complicates the process."
To move forward, Google needs to get buy-in and consensus from all these disparate entities.
"We recognize that there are ongoing challenges related to reconciling divergent feedback from the industry, regulators, and developers, and will continue to engage closely with the entire ecosystem," Google said in its news release.
"It's also critical that the CMA has sufficient time to review all evidence including results from industry tests, which the CMA has asked market participants to provide by the end of June. Given both of these significant considerations, we will not complete third-party cookie deprecation during the second half of Q4."
Also: How to stop Google from selling your browser history for ad targeting
Though third-party cookies are not blocked by default in Chrome, you can easily disable them yourself. In Chrome, go to Settings and select "Privacy and security." Click the setting for third-party cookies and check "Block third-party cookies."
This isn't the first time that Google has tried to resolve the concerns and conflicts over third-party cookies.
"Their first try, Federated Learning of Cohorts (FLoC), was a flop, criticized for privacy issues, leading to its replacement by the Topics API," Jason Soroko, Senior VP of Product at Lifecycle Management firm Sectigo, told .
"Regulatory pressures, including privacy laws and antitrust issues, are causing further headaches, complicating any new tech rollouts," Soroko said. "Additionally, creating something that doesn't just boost Google's ad dominance while respecting privacy is a legal and ethical minefield. The need to satisfy all parties--publishers, advertisers, and regulators--means Google keeps hitting walls and facing delays."
Though Google has struggled with this issue, other companies have already cut off support for third-party cookies. In 2019, Mozilla's Firefox started to automatically block all such cookies. The Standard and default mode of protection in Firefox specifically blocks cross-site cookies in all windows. In 2020, Apple completed its process to block all third-party cookies in Safari. By default, Safari prevents cross-site tracking on both mobile and desktop.
Google is still eliciting feedback on its Privacy Sandbox proposal, inviting anyone to share their thoughts. Until all the regulatory parties and other groups are satisfied, third-party cookies in Chrome are likely to stay on by default.