Skip to main content
Support

Browse by category

All categories
← All posts
AnalysisJun 12, 2026 · 8 min read

The slow death of third-party cookies — what it actually changes

Chrome never killed third-party cookies, and the replacement died first. A clear-eyed look at the messy phase-out and what really changed.

By Khine1,511 wordsExtractable lead
The slow death of third-party cookies — what it actually changes — hero illustration

For about five years, “the death of the third-party cookie” was one of the most confidently repeated predictions in the advertising and web-standards world. Conference talks were built around it. Vendors sold migration plans against it. And it was, in the end, mostly wrong — or at least wrong in the shape everyone expected. The cookie did not die on schedule. Its designated successor died first. What actually happened is messier and, I think, more interesting than the clean obituary we were promised.

This is worth getting right, because the simple version — “third-party cookies are gone now” — is repeated often enough that people make decisions on it. They aren’t gone. In the browser that matters most for the ad economy, they’re still on by default. So let me try to lay out what really occurred, what these cookies did, what (if anything) is replacing them, and who that leaves better or worse off.

A cookie is just a small piece of data a site stores in your browser and reads back later. A first-party cookie belongs to the site in your address bar — it remembers you’re logged in, keeps your cart, holds your language preference. Almost nobody objects to these, and nothing in this story removes them.

A third-party cookie is set by some other domain whose code is embedded in the page you’re viewing — an ad network, an analytics script, a social widget. Because that same third party is embedded across thousands of unrelated sites, it can recognise the same browser everywhere it appears and stitch together a profile: you read about hiking boots here, mortgages there, a medical condition somewhere else. That cross-site linkage was the engine of behavioural advertising. It is also precisely the capability privacy advocates spent a decade objecting to. The third-party cookie was never load-bearing for the web working — it was load-bearing for the web being watched.

Safari and Firefox already did the thing

Here is the part the Chrome drama tends to overshadow: in the two browsers that weren’t built by an advertising company, third-party cookies were quietly killed years ago, and the web did not collapse.

Apple’s Safari shipped Intelligent Tracking Prevention in 2017 and, by March 2020, moved to full third-party cookie blocking by default — WebKit’s own post framed it as removing any lingering sense that “a little bit of cross-site tracking is allowed.” Mozilla got there slightly earlier in spirit: Firefox turned on Enhanced Tracking Protection by default in September 2019, blocking known third-party tracking cookies out of the box, and later tightened it further with Total Cookie Protection.

So for a meaningful slice of users — particularly on iPhones, where every browser rides Safari’s engine — the third-party cookie has effectively been dead since around 2020. Sites adapted. Login flows that leaned on cross-site cookies broke and were re-engineered. The lesson available to anyone paying attention was that you can remove this thing; you just have to mean it.

Chrome’s long, repeatedly broken promise

Chrome is roughly two-thirds of the global browser market, and it is owned by Google, whose revenue is overwhelmingly advertising. That single fact explains nearly everything about why Chrome’s timeline went the way it did.

Google announced in January 2020 that Chrome would phase out third-party cookies “within two years.” Then the date moved. It slipped to 2023. Then to the second half of 2024. Then Google began a limited experiment, disabling the cookies for one percent of Chrome users in early 2024 while testing its replacement. Then, in April 2024, it punted again, citing unresolved feedback from regulators and industry.

The decisive turn came on 22 July 2024, when Google announced it would not automatically deprecate third-party cookies after all. Instead it proposed a new user-choice prompt — let people decide for themselves. Less than a year later, on 22 April 2025, even that retreated: Google said it would not ship a standalone prompt, and third-party cookies would simply remain enabled by default, managed through Chrome’s existing settings.

Why the reversals? The honest answer is a collision of incentives. Google’s own tests reportedly showed publisher programmatic revenue dropping sharply when cookies were removed without a fully adopted replacement. Regulators complicated the other side: the UK’s Competition and Markets Authority had been supervising the project precisely because a company that dominates both browsers and ad-tech removing a rival tracking method, while building its own alternative, raises obvious competition questions. Google was, in a real sense, stuck between antitrust scrutiny and ad-revenue math — and it blinked.

The replacement died before the thing it was replacing

The plan was never just “delete cookies.” It was “delete cookies and replace them with the Privacy Sandbox” — a set of browser APIs meant to deliver coarse interest-based ads and conversion measurement without exposing individual browsing histories. Topics inferred a handful of broad interest categories on your device. Protected Audience handled remarketing. Attribution Reporting measured conversions in aggregate.

Adoption was thin. The ad industry found the APIs hard to use and weaker than what they replaced; privacy researchers argued Topics still leaked more than advertised. Caught in the middle, the Sandbox never reached escape velocity. On 17 October 2025, Google’s Anthony Chavez announced the wind-down: Topics, Protected Audience, Attribution Reporting and most of the rest would be retired, explicitly citing “low levels of adoption.” A few narrow pieces survive — CHIPS, FedCM, Private State Tokens — but the grand cookie-replacement project, roughly six years in, was shelved. Around the same time the CMA stepped back from its oversight, the regulatory pressure having lost its object. Trade press summed it up bluntly: the plug was pulled.

So the state of play as of this writing: third-party cookies are still alive in Chrome, the official thing meant to replace them is being dismantled, and the only browsers where the cookie is genuinely gone are the ones that acted unilaterally years ago.

What actually replaces them, in practice

The vacuum did not stay empty. With no clean browser-level successor, tracking simply migrated to ground that’s harder to see and harder to block.

First-party data is the big, legitimate winner. Sites that can get you to log in — retailers, publishers with accounts, anything with a newsletter — own a durable first-party relationship that no cookie policy touches. This is genuinely more privacy-respecting in one sense (you have a relationship with that site) and concentrates data in fewer, larger hands in another.

Server-side tracking moves the collection off your browser and onto the site’s own servers, often re-sharing it with ad partners through back-end connections. It’s more resilient to browser blocking precisely because the browser sees less of it.

Fingerprinting is the uncomfortable one. Instead of storing an identifier, trackers infer one from the unique combination of your screen size, fonts, GPU, timezone and dozens of other signals. It needs no cookie and no consent dialog, which is exactly why both Apple and Mozilla treat it as the next adversary — and why a world that “got rid of cookies” but embraced fingerprinting would arguably be worse for privacy, not better.

Who wins, who loses

The clearest losers are mid-sized independent ad-tech firms and publishers who depended on the open programmatic market that third-party cookies fed. Their targeting got worse on Safari and Firefox years ago; their reprieve on Chrome is real but feels provisional, and the promised standardised alternative never arrived.

The winners are the large platforms with first-party scale and logged-in users — the same companies, broadly, that were already winning. A privacy shift that pushes the industry toward first-party data and walled gardens tends to entrench incumbents, which is the quiet irony of the whole saga.

And then there’s a category that barely shows up in the analysis because it was never exposed to the question: tools that don’t track across sites at all. A calculator that runs entirely in your browser, a PDF editor that processes files locally and sends nothing to a server, has no third-party cookie to lose and no replacement to scramble for. Building that way was once treated as a constraint. It turned out to be the position least disturbed by five years of upheaval — not because of clever foresight, but because there was simply nothing to migrate.

The honest takeaway

If you want one sentence: third-party cookies are dying, slowly and unevenly, and the tidy 2024 funeral never happened. They’re blocked by default in Safari and Firefox, still on in Chrome, and the official replacement has been abandoned. The underlying tracking didn’t stop; it moved somewhere quieter.

The useful instinct isn’t to track which API is up or down this quarter. It’s to notice that “we removed the cookies” and “we stopped tracking people” were never the same claim — and to be a little suspicious of anyone who treats them as interchangeable. The cookie was always a symptom. The appetite for cross-site identity is the thing, and that is in no hurry to die.

References

  1. Full Third-Party Cookie Blocking and More — WebKit (accessed 2026-05-29)
  2. Today’s Firefox Blocks Third-Party Tracking Cookies and Cryptomining by Default — The Mozilla Blog (accessed 2026-05-29)
  3. A new path for Privacy Sandbox on the web — Google / Privacy Sandbox (accessed 2026-05-29)
  4. Update on Plans for Privacy Sandbox Technologies — Google / Privacy Sandbox (accessed 2026-05-29)
  5. Google Pulls The Plug On Topics, PAAPI And Other Major Privacy Sandbox APIs (As The CMA Says ‘Cheerio’) — AdExchanger (accessed 2026-05-29)
  6. Google ends third-party cookie phaseout plans — IAPP (accessed 2026-05-29)