Original Content

Google to kill cookies with consent

By Eric Benjamin Seufert

Google yesterday announced that it no longer intends to deprecate third-party cookies in its Chrome browser. From its blog post, A new path for Privacy Sandbox on the web (emphasis mine):

Early testing from ad tech companies, including Google, has indicated that the Privacy Sandbox APIs have the potential to achieve these outcomes. And we expect that overall performance using Privacy Sandbox APIs will improve over time as industry adoption increases. At the same time, we recognize this transition requires significant work by many participants and will have an impact on publishers, advertisers, and everyone involved in online advertising … In light of this, we are proposing an updated approach that elevates user choice. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We’re discussing this new path with regulators, and will engage with the industry as we roll this out … As this moves forward, it remains important for developers to have privacy-preserving alternatives. We’ll continue to make the Privacy Sandbox APIs available and invest in them to further improve privacy and utility. We also intend to offer additional privacy controls, so we plan to introduce IP Protection into Chrome’s Incognito mode.

To me, this approach sounds like Apple’s App Tracking Transparency (ATT) privacy framework applied to the web. In other words, Google can sidestep the regulatory scrutiny of deprecating cookies in Chrome by simply passing the burden of accepting cookies to individual consumers. If ATT serves as a clarifying precedent, the overwhelming majority (~85%) of users will not consent to being tracked by cookies.

With ATT, Apple was able to achieve meager opt-in rates, in part, through the foreboding and intimidating wording used in its prompt, as I discuss in “Allow this app to personalize advertising for you?”. The UK’s Competition and Markets Authority (CMA), which is the competition regulator that is investigating Google’s proposed deprecation of cookies in Chrome, published a mobile ecosystems market study in June 2021 that dedicates an entire appendix to ATT. The appendix is critical of the dark patterns utilized for opt-out by Apple in the ATT prompt. From the study (emphasis mine):

In summary, the ATT choice screen provides users with an active choice to opt into sharing their data with third-party app developers. This is a step towards enhancing users’ control over their data. We do, however, have concerns that the current choice architecture of the ATT prompt and preprompt, may not maximise user comprehension and thus limit the extent to which ATT empowers users to make effective choices about their data.

Given the proactive, authoritative role that the CMA plays in Google’s ability to deprecate cookies, its stated sentiment around such dark patterns could signal a challenge to Google’s ability to do the same. At the same time, applying an opt-in prompt gives users more active choice than Chrome’s principal competitors, Safari and Firefox, which block third-party cookies by default. Can the CMA genuinely protest a privacy framework that is less heavy-handed than those used by Safari and Firefox?

Further, as I argue in Why is Google killing cookies?, Google is very obviously motivated to excise the cookie from the open web ecosystem for the benefit of its owned-and-operated channels: its Network business is in a state of systemic decline, YouTube and Search feature higher margins than Network, and Network presents the company’s most acute regulatory liability. The benefits to Google of cookie extinction are manifest: more demand for its higher-margin channels.

As I describe in The open web is whistling past the graveyard, while the purported goals of Google’s Privacy Sandbox — which was designed to replace cookies and which Google will continue to develop — are noble, it simply can’t replicate the economic efficiency of cookie-based identity. Recent testing by Criteo indicates that publishers could lose 60% of their revenue if third-party cookies were deprecated and replaced with functionality from the Privacy Sandbox.

It’s worth noting that Google has revealed very little — almost nothing — about its post-deprecation plans for cookies. But with a consent-based approach, Google can claim that Privacy Sandbox’s relative inefficiency is incidental: that consumers, not publishers or advertisers, have superior claims to privacy choices. This would absolve Google from many of the obligations placed on it by the CMA with cookie deprecation while preserving the benefits to it of a cookie-less web.

Again: little is known about Google’s implementation of a cookie consent prompt in Chrome at this point. But if Google models its consent framework on Apple’s App Tracking Transparency (ATT), the outcome would not be the preservation of cookies. It would be akin to lifting the speed limit on a road but installing speed bumps every few feet. Given broad license by regulators to offer an opt-in framework for denying cookies, Google would almost certainly do so to its benefit. Google could design an opt-in prompt that closely resembles ATT’s, rather than those used by websites in Europe. By doing so, Google would mostly eliminate cookies in Chrome under the aegis of championing consumer choice. A cookie consent approach is cookie deprecation by another name.

Comments: