For about five years, “the death of the third-party cookie” was one of the
most confidently repeated predictions in the advertising and web-standards
world. Conference talks were built around it. Vendors sold migration plans
against it. And it was, in the end, mostly wrong — or at least wrong in the
shape everyone expected. The cookie did not die on schedule. Its
designated successor died first. What actually happened is messier and, I
think, more interesting than the clean obituary we were promised.
This is worth getting right, because the simple version — “third-party
cookies are gone now” — is repeated often enough that people make decisions
on it. They aren’t gone. In the browser that matters most for the ad
economy, they’re still on by default. So let me try to lay out what really
occurred, what these cookies did, what (if anything) is replacing them, and
who that leaves better or worse off.
What a third-party cookie actually did
A cookie is just a small piece of data a site stores in your browser and
reads back later. A first-party cookie belongs to the site in your
address bar — it remembers you’re logged in, keeps your cart, holds your
language preference. Almost nobody objects to these, and nothing in this
story removes them.
A third-party cookie is set by some other domain whose code is embedded
in the page you’re viewing — an ad network, an analytics script, a social
widget. Because that same third party is embedded across thousands of
unrelated sites, it can recognise the same browser everywhere it appears
and stitch together a profile: you read about hiking boots here, mortgages
there, a medical condition somewhere else. That cross-site linkage was the
engine of behavioural advertising. It is also precisely the capability
privacy advocates spent a decade objecting to. The third-party cookie was
never load-bearing for the web working — it was load-bearing for the web
being watched.
Safari and Firefox already did the thing
Here is the part the Chrome drama tends to overshadow: in the two
browsers that weren’t built by an advertising company, third-party cookies
were quietly killed years ago, and the web did not collapse.
Apple’s Safari shipped Intelligent Tracking Prevention in 2017 and, by
March 2020, moved to full third-party cookie blocking by default —
WebKit’s own post framed it as removing any lingering sense that “a little
bit of cross-site tracking is allowed.” Mozilla got there slightly earlier
in spirit: Firefox turned on Enhanced Tracking Protection by default in
September 2019, blocking known third-party tracking cookies out of the box,
and later tightened it further with Total Cookie Protection.
So for a meaningful slice of users — particularly on iPhones, where every
browser rides Safari’s engine — the third-party cookie has effectively been
dead since around 2020. Sites adapted. Login flows that leaned on
cross-site cookies broke and were re-engineered. The lesson available to
anyone paying attention was that you can remove this thing; you just have
to mean it.
Chrome’s long, repeatedly broken promise
Chrome is roughly two-thirds of the global browser market, and it is owned
by Google, whose revenue is overwhelmingly advertising. That single fact
explains nearly everything about why Chrome’s timeline went the way it did.
Google announced in January 2020 that Chrome would phase out third-party
cookies “within two years.” Then the date moved. It slipped to 2023. Then
to the second half of 2024. Then Google began a limited experiment,
disabling the cookies for one percent of Chrome users in early 2024 while
testing its replacement. Then, in April 2024, it punted again, citing
unresolved feedback from regulators and industry.
The decisive turn came on 22 July 2024, when Google announced it would
not automatically deprecate third-party cookies after all. Instead it
proposed a new user-choice prompt — let people decide for themselves. Less
than a year later, on 22 April 2025, even that retreated: Google said
it would not ship a standalone prompt, and third-party cookies would simply
remain enabled by default, managed through Chrome’s existing settings.
Why the reversals? The honest answer is a collision of incentives. Google’s
own tests reportedly showed publisher programmatic revenue dropping
sharply when cookies were removed without a fully adopted replacement.
Regulators complicated the other side: the UK’s Competition and Markets
Authority had been supervising the project precisely because a company that
dominates both browsers and ad-tech removing a rival tracking method, while
building its own alternative, raises obvious competition questions. Google
was, in a real sense, stuck between antitrust scrutiny and ad-revenue
math — and it blinked.
The replacement died before the thing it was replacing
The plan was never just “delete cookies.” It was “delete cookies and
replace them with the Privacy Sandbox” — a set of browser APIs meant to
deliver coarse interest-based ads and conversion measurement without
exposing individual browsing histories. Topics inferred a handful of broad
interest categories on your device. Protected Audience handled
remarketing. Attribution Reporting measured conversions in aggregate.
Adoption was thin. The ad industry found the APIs hard to use and weaker
than what they replaced; privacy researchers argued Topics still leaked
more than advertised. Caught in the middle, the Sandbox never reached
escape velocity. On 17 October 2025, Google’s Anthony Chavez announced
the wind-down: Topics, Protected Audience, Attribution Reporting and most
of the rest would be retired, explicitly citing “low levels of adoption.”
A few narrow pieces survive — CHIPS, FedCM, Private State Tokens — but the
grand cookie-replacement project, roughly six years in, was shelved. Around
the same time the CMA stepped back from its oversight, the regulatory
pressure having lost its object. Trade press summed it up bluntly: the plug
was pulled.
So the state of play as of this writing: third-party cookies are still
alive in Chrome, the official thing meant to replace them is being
dismantled, and the only browsers where the cookie is genuinely gone are
the ones that acted unilaterally years ago.
What actually replaces them, in practice
The vacuum did not stay empty. With no clean browser-level successor,
tracking simply migrated to ground that’s harder to see and harder to
block.
First-party data is the big, legitimate winner. Sites that can get you
to log in — retailers, publishers with accounts, anything with a newsletter
— own a durable first-party relationship that no cookie policy touches.
This is genuinely more privacy-respecting in one sense (you have a
relationship with that site) and concentrates data in fewer, larger hands
in another.
Server-side tracking moves the collection off your browser and onto the
site’s own servers, often re-sharing it with ad partners through back-end
connections. It’s more resilient to browser blocking precisely because the
browser sees less of it.
Fingerprinting is the uncomfortable one. Instead of storing an
identifier, trackers infer one from the unique combination of your screen
size, fonts, GPU, timezone and dozens of other signals. It needs no cookie
and no consent dialog, which is exactly why both Apple and Mozilla treat it
as the next adversary — and why a world that “got rid of cookies” but
embraced fingerprinting would arguably be worse for privacy, not better.
Who wins, who loses
The clearest losers are mid-sized independent ad-tech firms and publishers
who depended on the open programmatic market that third-party cookies fed.
Their targeting got worse on Safari and Firefox years ago; their reprieve
on Chrome is real but feels provisional, and the promised standardised
alternative never arrived.
The winners are the large platforms with first-party scale and logged-in
users — the same companies, broadly, that were already winning. A privacy
shift that pushes the industry toward first-party data and walled gardens
tends to entrench incumbents, which is the quiet irony of the whole saga.
And then there’s a category that barely shows up in the analysis because it
was never exposed to the question: tools that don’t track across sites at
all. A calculator that runs entirely in your browser, a PDF editor that
processes files locally and sends nothing to a server, has no third-party
cookie to lose and no replacement to scramble for. Building that way was
once treated as a constraint. It turned out to be the position least
disturbed by five years of upheaval — not because of clever foresight, but
because there was simply nothing to migrate.
The honest takeaway
If you want one sentence: third-party cookies are dying, slowly and
unevenly, and the tidy 2024 funeral never happened. They’re blocked by
default in Safari and Firefox, still on in Chrome, and the official
replacement has been abandoned. The underlying tracking didn’t stop; it
moved somewhere quieter.
The useful instinct isn’t to track which API is up or down this quarter.
It’s to notice that “we removed the cookies” and “we stopped tracking
people” were never the same claim — and to be a little suspicious of anyone
who treats them as interchangeable. The cookie was always a symptom. The
appetite for cross-site identity is the thing, and that is in no hurry to
die.