What comes after the cookie data monster?

A new digital advertising era will phase-out third-party cookies that track users' online behaviour. EUrologus compiled what under the EU’s data protection umbrella European internet users can expect in the near-future.

Published On: March 4th, 2024

© Shutterstock

It is commonly known that the real business behind Google’s display of search results, responsible for generating $1.6 billion in revenue last year alone, lies in the ads that are placed alongside them. The search behemoth owns Double Click, the dominant market player ad bidding system that operates to ensure that all advertisements shown to consumers’ eyes online are well-targeted and placed under less than 200 milliseconds.

The shift from third-party cookies

It would be naive to assume that the world’s largest digital company would willingly give up the gigantic data stack that guarantees the lion’s share of its advertising revenue in targeted consumers. Up until recently, Google tried to give the impression that the best way to keep track of ever-changing user interests and consumption patterns is through cookies.

What do internet cookies do?

One of the innovations of the programmer Lou Montulli, developer of one of the first internet browsers software, Lynx, in 1991 was the introduction of the internet cookie. Cookies were originally thought to be a fundamental part of the way the web works, as essential as Wi-Fi, HTML, or electricity, and all they do is recognise a computer as it moves between web pages. Consequently, they were needed for critical things like logging into a website or shopping in an online store. In fact, cookies are small text files that are stored on your computer and the information they contain is set and accessed by the servers of the websites you visit. The problem is that the same cookies can also be used to track people and used for things like collecting data for targeted advertising and creating advertising profiles. For the latter, users have limited control over the data that is recorded and shared about them. Users have no oversight of the companies that process their data and how they are tracked on the internet. These concerns have led to their gradual erosion since the EU in 20211 first articulated its privacy concerns about cookies.

Also according to the wider industry’s claims, this is an effective way to target digital advertising – display ads like banners, SEM ads, retargeting dynamic ads, mobile ads, and textual advertisements placed along with search results.

The key development causing excitement around cookies is that Google, the crown holder of the most popular web browser, i.e. Chrome, despite being expected to be among the last to do so, promises to phase out the use of third-party cookies completely by the end of 2024.

Furthermore, it wants to lead the way ahead by claiming to take better care of users’ personal data in the future. Google’s move to phase out cookies comes years after the launch of the privacy-centric Brave browser, which blocked cookies by default. Likewise, they have also long been phased out by Mozilla’s Firefox, Apple’s Safari, and Microsoft’s Chromium-based Edge browser (see interactive chart on browser market share in the EU27).

Alternatives to cookies

For users, the real question is therefore not when the cookies will disappear from the digital data collection arena, but which new “industry standard” will replace them.

Google, of course, has its own preferred answer, which several of the legal experts EUrologus consulted have warned is misleadingly dubbed as the Privacy Sandbox initiative. Google’s ambition is that Privacy Sandbox enables tracking between websites and applications while helping to ensure that online content and services can operate efficiently.

In a veiled message by the digital giant, it is designed to position the current digital advertising giants for the post-cookie era. Its creators promise to involve publishers, media companies, developers, and advertisers in the development of the Privacy Sandbox to create a new industry standard that both protects users’ privacy rights and enables the digital advertising market to function. Google does not hide its displeasure over the diminishing acceptance of cookies, nor do others in the advertising industry, including Meta, which operates Facebook and is the second on-market global stakeholder.

In Google’s words, “in recent years, some browsers and platforms have taken steps to limit or remove existing mechanisms, such as third-party cookies, without effective alternatives. This can negatively impact critical ecosystem functions and put users’ private data at greater risk”. The latter refers to website functions that do not work if cookies are not accepted or blocked, shamelessly avoiding the mention of advertising targeting as the holy grail.

In an interview with EUrologus, Kris Shrishak, a digital rights expert at the Irish Council for Civil Liberties, believes that the truth lies elsewhere, contrary to Google’s arguments. According to him, while the Privacy Sandbox – which is currently under development – will indeed better protect the data of users who visit one of the world’s one million most visited websites from their browser, the latter will be far from true if they visit less popular sites. In fact, the Privacy Sandbox uses machine learning to find out under which niche interest categories and tags the system should put the user. This in turn can give an undue amount of data about internet users to ad-targeting systems.

In addition to Privacy Sandbox, a competing solution is under development by Meta and Mozilla, the company behind Firefox, called Interoperable Private Attribution (IPA). However, experts who spoke to EUrologus say that since IPA is also backed by a major player in the digital advertising market, caution should be exercised about the true intent of the initiative when it comes to protecting private data online.

How is the phase-out seen from Brussels?

Experts at EPICenter.work, a vocal defender of digital rights in Europe, warn that cookies are just one way of recognising users’ behaviour on websites and of tracking their use of different services. Another method is the so-called “digital fingerprinting”, where information such as window size, installed fonts, and battery charge, is combined with a unique identifier to ensure anonymity. There are also attempts to integrate the functionality to evaluate website visits into the browser itself.

Shrishak stresses that contrary to popular belief, it is not the EU’s data protection regulation, commonly known as the GDPR, that primarily regulates cookies, although it does have relevant passages. The processing of personal data is primarily governed by the ePrivacy Directive, which is currently being updated in negotiations between the Council and the European Parliament.

This will be complemented by important additions from the Digital Markets Act (DMA) and the Digital Services Act (DSA), which entered into force last year.

Separately and specifically, the phasing out of cookies has also reached the level of interest of EU policymakers in the spring of 2023, leading to the formation of EU working groups to discuss the legal, business, and data protection aspects of the issue.

The European Commission has announced a voluntary scheme to increase the number of websites in the EU that phase out cookies. According to EU institutional sources consulted by EUrologus, the latter is likely to lead to the creation of a post-cookie targeting and advertising regulation in the near future.

According to an in-depth analysis by IAB Europe, which represents digital advertising market players at the EU level, the three main factors contributing to the end of the cookie are, overall, the following. The legal environment in the EU (with privacy at its core), which is very much moving in this direction; browser developments; and, thirdly, the widespread use of ad-blocking software (ad blockers).

Simply put, the use of ad-blocking solutions (and thus the banning of cookies) has reached a critical level among users, which is beginning to hamper the effective operation of advertising systems, targeting, and ads bidding.

Therefore, it is highly predictable that Google, despite renaming and becoming the industry standard for “1st party cookies,” will not even remotely let go of the data collection that enables targeting ads served alongside search results.

Stay up to date with our newsletter!