It’s Time for Privacy Pros to Make a Strategic Shift
The importance of effective data privacy can no longer be ignored.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Published: November 18, 2024
If you’re feeling out of the loop about Chrome’s personal data collection, you’re not the only one. Google had announced that it would be deprecating third-party cookies. Then it delayed the deprecation. Then they called the whole thing off. Meanwhile, Google is promoting a third-party cookie alternative known as the Privacy Sandbox.
That brings us to today: Businesses are still wondering what Google’s actions mean for their privacy programs. Since Google is no longer deprecating third-party cookies, does it mean for businesses that collect personal information from Chrome users? And what is the future of third-party cookies?
For many businesses, third-party cookies are already a thing of the past. Some moved away from collecting third-party cookies in response to Google’s now-defunct plans to sunset them in Chrome. Other browsers, like Mozilla Firefox and Safari from Apple, already block third-party cookies by default. (We dive deeper into what third-party cookies are and why they can be problematic in How Cookies Work and How to Conduct a Cookie Audit.)
But third-party cookies aren’t inherently evil; they just require closer collaboration between marketing and privacy teams to deploy them in a compliant way that respects consumer rights. Plenty of businesses can benefit from third-party cookies without running afoul of data privacy regulations, and these cookies can exist for consumers without compromising their privacy.
But third-party cookies are by no means essential for advertisers hoping to target Chrome users. Google is still investing in its third-party cookie alternative, the Privacy Sandbox, which could be a viable approach to targeted advertising in the future.
Google’s Privacy Sandbox is intended to reduce tracking of consumer behaviors across websites and apps (i.e., the core criticism behind third-party cookies), while still giving businesses a way to target their advertisements to consumers. The essential problem that the Privacy Sandbox is meant to solve is targeting advertisements to a consumer without excessively tracking that consumer.
The Privacy Sandbox proposes to accomplish this through a series of APIs, namely:
There’s a slew of additional APIs involved in the Privacy Sandbox but are the three major ones to be familiar with.
Since the Privacy Sandbox is still in development, a random subset of users visiting a participating website are presented with a pop-up that gives them the option of opting in or out of the Privacy Sandbox's APIs and tracking. Currently, businesses interested in deploying the Privacy Sandbox can still enroll in the program. Even with the reversal of Google’s cookie deprecation, Google has promised it intends to ramp up development efforts on the project.
In theory, the Privacy Sandbox sounds great! Why wouldn’t it be able to replace third-party cookies? Turns out, it’s not quite that easy. To understand why, we need to explore the events leading up to Google’s cookie deprecation reversal.
In 2019, Google promised it would phase out the use of third-party cookies in Chrome by 2022. However, both regulators and advertisers alike argued that the Privacy Sandbox was an inadequate replacement for third-party cookies.
Regulators construed the Privacy Sandbox as anti-competitive and still liable to privacy violations, while industry players asserted that it failed to support common advertising use cases, such as robust reporting and brand protection.
For example, researchers discovered that the Privacy Sandbox’s Topics API was an effective means of browser fingerprinting. In essence, browser fingerprinting is a method of tracking an individual device (and its associated user) without relying on third-party cookies; instead, websites can simply analyze browser and device configuration data, package that up into a profile (or “fingerprint”).
With this fingerprint, they can track user behavior and preferences across sites and send that data to whichever third party asks for it—just like you can with third-party cookies. A study from the University of Wisconsin-Madison discovered that analyzing just three topics associated with a user was sufficient to uniquely identify that user 60% of the time.
As time went on and these criticisms persisted, Google announced it was delaying cookie deprecation to 2025.
By the time July 2024 rolled around, it had become clear that the Privacy Sandbox was a long way away from meeting industry and regulatory stakeholders’ requirements. At that time, Google announced it would scrap its planned phaseout of third-party cookies in a blog post.
So, how to proceed? Third-party cookies? Privacy Sandbox? Neither? Obviously, it’s complicated. In fact, the complexity of the Privacy Sandbox for users and businesses was another big reason why Google decided to reverse its decision on the third-party cookie phaseout.
Many consumers, businesses, and privacy professionals have a decent understanding of third-party cookies and what they mean for privacy. That doesn’t mean everyone understands third-party cookies or the precise way they impact privacy, but they are much more widely understood than the Privacy Sandbox. Whether they use the Privacy Sandbox, third-party cookies, or neither, how should marketers and privacy professionals handle consent management for Chrome users?
If your organization is enrolled in the Privacy Sandbox program or considering it, err on the side of caution. The Privacy Sandbox is a work in progress, and it’s something of a novelty in the context of data privacy regulations. Even though Privacy Sandbox’s APIs secures most user data within the browser itself rather than circulating it among different websites, it’s still arguably tracking users as they navigate the web.
That’s what data privacy advocacy group, noyb (or “none of your business”) contends. Noyb recently filed a complaint to this effect, additionally claiming that the Privacy Sandbox’s pop-up banner deceptively presented itself as a privacy-enabling tool rather than another kind of tracker.
Given the gray area here, following data privacy best practices is a good idea. If your website uses the Privacy Sandbox, the French data protection authority CNIL suggests you:
To accomplish this, the CNIL recommends that websites update the consent collection banners to indicate that they are using this new tracking method as well as any other tracking methods they use. If you use a consent management platform for your banners, you’ll likely be able to update the language on your banner to include this information. Naturally, this would be in addition to the pop-up served by Google’s Privacy Sandbox, given the complaint filed against it for deceptive design.
There are benefits to using third-party cookies rather than the Privacy Sandbox. The technology has been around for longer, and there are solutions and best practices to ensure you’re using it compliantly.
As with the Privacy Sandbox, you’ll want to ensure you’re collecting the right kind of consent and providing the right kind of notice based on your governing law. Our What Is Cookie Compliance blog provides an overview of what the major laws require.
You’re not off the hook—in most cases, you still need to collect and manage consent from consumers visiting your website.
There’s no business on the planet that can operate without collecting some information from its consumers; data privacy regulations still protect that information. Your website likely still collects personal information through first-party cookies or zero-party data. Data privacy regulations require you to notify consumers about this collection, secure their consent, honor subject rights requests, and meet all other obligations imposed on businesses.
The good news is that providers like Osano can help you make sense of the different ways you process personal information and stay compliant, no matter what technologies and approaches you use—third-party cookies, first-party cookies, zero-party data, or emerging data collection techniques like the Privacy Sandbox.
Understandable. You can find more answers in the Ultimate Guide to Consent & Preference Management—it dives into everything, including:
Also understandable. You can talk to a human being instead. Request a demo of Osano, and we’ll take time to answer your consent management questions.
As more and more data privacy laws come online, it's clear that managing consent is crucial. In this comprehensive guide, we'll explore every aspect of consumer choice management, including cookie consent, universal opt-out mechanisms, compliance requirements, and more
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.