Let’s sort out the cookie chaos: where Chrome is headed, what Privacy Sandbox is, and what marketers should do
Introduction: from myths to practice
If you’ve been living with the feeling that Chrome will cut off third-party cookies tomorrow and the advertising market will be turned upside down, breathe easy. The scenario of a complete shutdown will not happen anytime soon: Google has moved to a user choice model and is betting on Privacy Sandbox and additional protections in Incognito. That’s what we’re going to talk about without panic or drama. And, keeping with our pragmatic approach, let’s be clear: today, in the ADV Advantage blog post, we’re not retelling press releases, but translating them into the operational language of performance teams. At the same time, we will briefly go over the history of cookies, explain why privacy has become a central issue, and provide a practical course of action for marketers.
Cookies: a brief history without nostalgia
Cookies appeared in the mid-1990s as an undramatic solution to an everyday problem: remembering the user’s state between page views. This is how first-party cookies for authorisation, shopping cart storage, and personal settings were born. Later, third-party cookies appeared, allowing third-party domains to write markers within built-in elements: banners, pixels, widgets. This mechanism gave birth to modern targeted advertising.
The enchantment did not last forever. When it became clear that third-party cookies were forming detailed cross-site profiles, regulators, browsers, and part of the industry began to set limits. Safari took the most high-profile step: in 2020, WebKit enabled default blocking of third-party cookies for all users. Firefox went in a similar direction back in 2019, introducing default blocking of third-party tracking cookies, and later ‘Total Cookie Protection,’ which isolates cookies within a single site. Microsoft Edge didn’t go as far, but introduced Tracking Prevention levels; the default is Balanced mode, which blocks known trackers and reduces personalisation while maintaining acceptable website compatibility.
Opportunities vs. risks: why the old world will not return
Third-party cookies gave the industry three things: large-scale remarketing coverage, cross-site frequency control, and relatively simple web attribution. But these same mechanisms became a source of conflict: there was little transparency, user control was weak, and vulnerabilities such as browser fingerprinting and data combination made privacy conditional. Regulatory waves such as GDPR/CCPA raised the bar for consent and accountability, and browser teams began looking for alternatives to ‘ubiquitous’ trackers.
And here’s an important point: user privacy does not equal the ‘death’ of targeted advertising. The issue is not about banning all targeting, but about how to minimise third-party observation and limit data transfer between domains. That is why big players are looking for mechanisms that preserve the economics of the open web but make it less intrusive and more secure.
Chrome timeline: from plans to ‘get rid of cookies’ to a ‘user choice’ approach
Chrome’s initial plan seemed straightforward: testing phases and complete shutdown of third-party cookies after settling issues with the British regulator CMA. In early 2024, Chrome did indeed restrict third-party cookies for about 1% of users as part of the ‘Tracking Protection’ experiment to test the impact and readiness of the industry.
In July 2024, Google announced a new approach: instead of a hard deprecation of cookies, the company will focus on ‘elevating user choice’ — a user-friendly option to manage third-party cookies, plus further development of Privacy Sandbox. This is essentially a departure from the complete shutdown scenario. In 2025, after consultations and tests under the supervision of the CMA, Google confirmed that there would be no complete shutdown, nor would there be a separate ‘mass’ prompt; users would manage settings in the standard Chrome settings. At the same time, the team continues to invest in Sandbox and strengthen protections in Incognito.
This is an important turning point for the market: Chrome is leaving third-party cookies available, but is moving the ecosystem towards alternatives and more conscious user choice, rather than a one-off ‘kill switch’.
Privacy Sandbox: why do we need it if cookies remain?
Privacy Sandbox is a set of APIs designed to reduce cross-site tracking while enabling advertising use cases: interest targeting, remarketing, and measurement. In a nutshell:
- Topics API simplifies ‘interests’ without personal browsing history by transmitting aggregated topic signals through the browser.
- Protected Audience API is an evolution of FLEDGE for remarketing: the auction takes place on the user’s device, without transferring lists outside.
- Attribution Reporting API offers measurement without third-party cookies, aggregating and limiting the detail of events.
In 2025, Google says outright: the role of Sandbox may shift, but investment continues — and new browser-level protections are emerging. Some APIs, notably Protected Audience, are moving towards general availability in Chrome, prompting testing by platforms and large advertisers.
How other browsers work: contrasting strategies
The ecosystem is heterogeneous. Safari has already made the ‘tough’ choice: third-party cookies are in the trash, and ITP even limits the lifecycle of some first-party cookies. Firefox with ETP and Total Cookie Protection blocks cross-site cookies by default and isolates storage, making profiling difficult. Microsoft Edge keeps ‘Balanced’ as the default and gives businesses policies for centralised management, including complete blocking of third-party cookies in Strict mode or group policies.
Against this backdrop, Chrome is the most ‘migration-friendly’: it maintains web compatibility, but at the same time introduces alternatives and gradually strengthens protections. This explains why Chrome has found itself in the spotlight of regulators: any sudden change affects one-third to two-thirds of the market.
Incognito: what really protects and what has changed
Historically, Chrome Incognito blocked third-party cookies by default — this is part of the promised ‘less visibility’ of the session. However, legal battles over data collection in private sessions forced Google not only to clarify its communication, but also to agree to delete historical incident data arrays. In 2024, the company reached an agreement in a high-profile case involving Incognito, which reinforced public demand for transparency. There’s more: in April 2025, Google publicly announced that it would strengthen protections in Incognito and plans to launch ‘IP Protection’ in Q3 2025 to further complicate cross-site linking via IP.
The broader context also remains tense: a recent jury verdict in the US ordered Google to pay $425 million in a privacy case, highlighting the cost of mistakes in interpreting tracking settings. This isn’t about Incognito directly, but the trend is clear: ‘privacy by default’ is becoming an expectation rather than an option.
Why you can’t just ‘live as you lived’
From a business perspective, simply returning to 2015 is impossible for three reasons. The first is asymmetry. Some audiences already live in a world without third-party cookies (Safari/Firefox), some in a world of limited visibility (Edge, various extensions), and some in Chrome with user choice and future protections. The second is legal risks. Even if technology allows it, regulatory requirements for consent, transparency, and data processing purposes remain and are being strengthened. The third is technical drift. The gradual strengthening of protections in browsers, the emergence of IP Protection, and formats such as on-device auctions are changing the logic of tools without returning to old models.
The consequence for performance teams is simple: the ‘all on cookies’ model is changing from a basic one to a secondary one. It is being replaced by hybrid strategies: first-party data, server integrations, aggregated reports, and experiments with incrementality.
How this affects targeting and remarketing
Remarketing based on third-party cookies is becoming less and less reliable in terms of audiences and browsers. Privacy Sandbox offers Protected Audience API as an option for remarketing without mass cross-site tracking: lists are generated from websites, and ad selection takes place on the user’s device. For interest targeting, Topics API provides ‘light’ signals without personal browsing history. Is this a magic replacement? No. It is another compromise that is already moving towards production and should be tested where a critical share of the Chrome audience is present.
The key change in thinking is the preference for first-party strategies: logins, loyalty, email/phone as hashed identifiers, CRM segments, conversions confirmed on the backend. In other words, ‘less external noise, more of your own proven signals.’
Attribution and measurement: the end of last-click as a monopoly
Even if third-party cookies remained unrestricted, marketing would still move towards models where aggregated reports, MMM, lift experiments, and data-driven attribution come to the fore. Sandbox offerings such as Attribution Reporting attempt to provide the minimum necessary for optimisation without identifying users by browsers and domains. Coupled with holdout experiments, this allows you to answer the question ‘how much did advertising add’ rather than just ‘who got the last click’.
In practice, this means: compare reports from different sources, use longer windows, analyse cohort LTV, not just ROAS on day zero. And most importantly, embed measurement into the testing process, rather than adding it as an afterthought after ‘scale’.
What to do for performance teams in the Chrome world without a ‘kill switch’
- Build your first-party data. Systematise logins, form segments in CRM, and synchronise them with advertising systems in hashed form.
- Switch to server integrations. For the web, use server-side tag management and conversion transfer from the backend; for mobile, use SDK updates and postbacks.
- Test the Sandbox API in Chrome. Capture remarketing through Protected Audience and measurement through Attribution Reporting in your pilots.
- Reconfigure attribution. Align windows and models between tools; add regular lift tests and MMM as a cross-check.
- Revise user consent. Transparent consent banners and granular approaches reduce legal risks and increase trust.
- Plan cross-browser strategies. Consider Safari/Firefox as separate realities and Edge as a compromise mode.
This is the only numbered ‘six’ that is really worth hanging on the team wall and checking once per sprint.
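A sketch of the "synchronise in hashed form" and "revise user consent" steps above, added here as an example and not taken from any platform's documentation. It assumes the receiving platform expects SHA-256 over a trimmed, lower-cased email and a digits-only phone number with country code; the `consent` field name and the CRM rows are constructed for illustration, so check the exact normalisation rules of each platform before use.

```python
import hashlib
import re

# Constructed CRM rows (not real people); "consent" is a hypothetical field name.
CRM_ROWS = [
    {"email": "  Anna.Kovalenko@Example.com ", "phone": "+380 (44) 123-45-67", "consent": True},
    {"email": "anna.kovalenko@example.com", "phone": "", "consent": True},  # duplicate email
    {"email": "no-consent@example.org", "phone": "+1 202 555 0100", "consent": False},
    {"email": "not-an-email", "phone": "12345", "consent": True},  # both invalid
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalize_email(raw: str):
    """Trim and lower-case so the same address always hashes identically."""
    email = raw.strip().lower()
    return email if EMAIL_RE.match(email) else None


def normalize_phone(raw: str):
    """Keep digits only and require an explicit country code ('+' prefix)."""
    raw = raw.strip()
    if not raw.startswith("+"):
        return None
    digits = re.sub(r"\D", "", raw)
    return "+" + digits if 8 <= len(digits) <= 15 else None


def build_upload(rows):
    """Return de-duplicated hashed identifiers for consenting users only."""
    seen, out = set(), []
    for row in rows:
        if not row.get("consent"):
            continue  # never export identifiers without recorded consent
        for kind, norm in (("email", normalize_email), ("phone", normalize_phone)):
            value = norm(row.get(kind, ""))
            if value is None:
                continue  # malformed input would only produce an unmatched hash
            digest = sha256_hex(value)
            if digest not in seen:
                seen.add(digest)
                out.append({"type": kind, "sha256": digest})
    return out


if __name__ == "__main__":
    for item in build_upload(CRM_ROWS):
        print(item)
```

An unsalted SHA-256 of an email or phone number is pseudonymous, not anonymous: anyone holding the same address can recompute the digest, so the hashed list still needs the access controls and retention limits applied to the raw CRM data.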
How this affects Google Ads, Meta, and other platforms
In Google Ads, Enhanced Conversions, server-side conversions, and modelling tools are becoming more important. For web remarketing, it is worth combining first-party lists with Chrome-oriented Protected Audience tests, especially if Chrome has a high share in your mix. The trend is similar in Meta: prioritise Pixel+CAPI, quality identifiers and CRM segments, and consider web remarketing as a hybrid combination of site signals and platform tools.
Outside of Google and Meta, pay attention to different browser audience profiles: for example, in Safari, remarketing on third-party cookies will not work technically, so pull in a share of logins and UGC creatives that will convert anonymous traffic into known traffic.
Risks to consider
First, information noise. You will continue to see dramatic headlines about ‘the end of cookies.’ But the reality today is that Chrome keeps third-party cookies under user control and is developing alternatives. Second, inconsistent compatibility. Some websites still break when cookies are completely blocked, which is why Chrome has given grace periods and warned developers via DevTools. Third, legal risks. Court rulings and agreements around privacy will continue to affect the product and policies, and this is not something that can be ‘waited out.’
Conclusion: cookies are alive, but not immortal
Chrome is not turning off third-party cookies completely and does not plan to pull the plug all at once. Instead, the browser is moving evolutionarily: more choice for the user, gradual strengthening of protections (particularly in Incognito, where third-party cookies are already blocked by default and IP Protection is planned), investment in Privacy Sandbox, and encouraging the market to adopt alternative measurement and targeting models.
For marketers, this means the end of an era when plans were built ‘around cookies and only cookies.’ Privacy is not a temporary trend, but a new rule of the game. The winners will be those who can create a hybrid: strong first-party data, server-side signal aggregation, regular experiments with incrementality, and a willingness to use new APIs where appropriate. Think today: what three things will you change in your stack this quarter so that in a year’s time you won’t be living in ‘fire brigade’ mode? If you need a ‘quick action map’ for your stack, the ADV Advantage team will be happy to put one together with you, translating browser policies into the language of KPIs and agile experiments.