3 Ways Forward for 3rd Party Cookies
Cookiepocalypse shelved?
Is it morning again for the third-party cookie?
With the news overnight that Google will not remove the Third-Party Cookie from Chrome, it’s a good time to think about what comes next.
If the result seems surprising, it need not be. The fundamental point is that Google failed to consider consumers. Two important studies from the IAB and CMA both show that 64-69% of users are happy to trade data for free service [1] [2]. A smaller minority (19%) have concerns.
The issue is to cater to both groups. The Sandbox would have harmed the majority who want the free service, instead of carving out a more tailored pathway to cater differently to the different groups.
This failure to focus on the consumer caused the Sandbox to fail.
What Google forgot: 64-69% of users are happy to trade data for service
For example, Google had tried to justify the key competitive restraint known as Related Website Sets based on how many vendors people can keep in mind – playing to familiarity bias. That’s entirely the wrong question. The true question is consumer welfare in relation to data use. And if Google had the evidence that consumers benefit from data restriction, it would have emerged by now. The CMA was right to push back hard.
So, centralisation into the Googleplex has been rejected – at least for now. But what comes next?
Cookies don’t get better with age
Who really wants cookies from 1997? Not me. The original technical standard is quite stale. Maybe it’s time for a fresh batch.
And with the rejection of the original Google Privacy Sandbox, the kitchen is open for competing vendors to bring a variety of approaches to market.
Since you ask, my favourite cookie is the snickerdoodle
What hasn’t been asked?
The most important thing in the cookie debate is what hasn’t been said. What are the real, underlying problems with cookies?
Some fresh thinking about how to address the underlying risks of harm would be to define the perceived harms more specifically. There are three essential issues the next generation of competing systems will need to address:
Sensitive data. Harms can arise from sensitive data. Significantly, sensitive data harms do not depend on linking data to identity. Sensitive data points raise concerns even without a link to identity. They are essentially about improper use of sensitive information. The safest thing with sensitive data is to render it non-sensitive when possible (e.g., replacing precise latitude and longitude with a named point-of-interest) or circumscribe its uses when not possible (e.g., medical records).
Reidentification. This is the difference between User 1 searching for a hotel room, and a spouse finding out about an affair by relinking User 1’s search to identity. (“HARRY!!!”). The information is not sensitive, but when it is linked to a specific individual’s identity, it becomes so. For this category, prohibiting the linking of identity to the information is the right safeguard.
Unwanted personalisation. Some consumers love personalisation. Others hate it. This is the true category for consumer choice, because preferences vary. Whereas all consumers look to regulators to protect them from sensitive data abuse, and from unauthorised identity linking. So here is the true focus for choice – the others are general regulatory issues calling for effective general safeguards. And this was at the heart of Google’s error in the original Sandbox: it failed to provide a data rich option for the majority of consumers who want it.
Curiously, none of the “privacy preserving” technologies of recent years map to these concerns of online harms. Neither Apple’s ATT and ITP, nor Google’s Chrome (Desktop) nor (Mobile) Privacy Sandbox do. What they do instead is to say that some data – that handled by others – should become a bit fuzzier. On this approach:
Boilerplate contracts are said to be fine so long as they are called first party. Despite the well-known issues with “boilerplate” standard form contracts, the approach elided consumer consent with consumer protection. These are different things.
More data would move into central repositories even when that isn’t consumer friendly. The approach exempts vertically and horizontally integrated large organizations’ use of the data, with their “first party” exemptions. So instead of focusing on prohibiting any of the above true harms, the approach merely centralized more data handling into fewer hands. This exempted massive data collection and processing across contexts, such as with Apple’s attribution (SKAN) and Google’s attribution (attribution APIs) without any meaningful consumer welfare analysis.
So instead of grappling with a reasonable level of evidence-based consumer protection, new life was given to an old fallacy: consent=OK. But all boilerplate contracts – whether harmful or helpful – are first party. So, it is hardly surprising that a consumer regulator was unconvinced by this reliance on a fictional consent. Indeed, the classic article on boilerplate contracts is entitled A Non-fiction Approach. [3]
A non-fiction approach to consumer protection is exactly what is needed, and it is where the debate will now move.
Avoiding a traffic jam on the information superhighway
The original proposals had risked turning the information superhighway into a traffic jam. The additional value of signals beyond the context of an advertisement is consistently estimated at 30-60% marginal value. You can get a lot of cookies for that. We’re talking one of those big birthday ones. For everybody.
Another yummy cookie
And it isn’t just the money. As the UK ICO recently pointed out in relation to Google’s Privacy Sandbox, making things a bit fuzzier does not map to the underlying concerns:
There’s no guarantee that sensitive data will not arise from the use of context or even Topics cross-correlations, for instance, nor that identity linking would not happen beyond consumer control using those APIs, such as the push from Google and others to use identity-linked match keys for interoperable exchanges of online data (see Customer Match). The ICO was right not to treat the Sandbox as a magic wand, when really they were given a stick with some promises of “fauxcus pocus”.
As for consumer-friendly transparency, it’s hard to see how Google can make this claim while not mentioning any of its identity-linked handling in the UX for Chrome (Desktop) Privacy Sandbox. Google seemed to be saying that what happened server side should remain hidden from user’s view, while any real-time exchanges of data that involve client software should be blocked by default even if actually safer and more private.
Privacy doesn’t mean selling it so long as you get $5 for it
As the ICO reminded us in 2021, there is nothing wrong with using Personal Data provided that it is transparent. But nothing in the Sandbox really ensures transparency. Really it is about withdrawing real-time interoperable match keys from others. This drives volume into larger, first party systems.
It will be said that this is pro-consumer but that is so only in the most Pyrrhic sense. Did you know, for instance, that Apple’s chief privacy protection on iTunes is that they won’t sell data… unless they get $5 for it?
It’s true.
“To protect your privacy, targeted ads are delivered only if more than 5,000 people meet the targeting criteria. The information used to determine which ads are relevant to you is tied to random identifiers and not to your Apple ID.”
The quick reader of the sentence will think that they are safe in a cohort of a minimum of 5,000. But focus is needed on the verb: delivered. This is not saying that a minimum of 5,000 data points must exist before an insight is generated — and no wonder, as that is much more obfuscation than would be useful.
It is simply a commercial rule on minimum order size. At a $1 CPM, this minimum equates to just $5. Moreover, given that Apple’s statement doesn’t link “random identifiers” in the second sentence to “people” in the first sentence, it is possible they could deliver ads to just a single match key without violating the statement!
Apple’s rule still allows advertising to:
5,001 ill people
5,001 people who just searched for a gambling addiction
5,001 people who are near an abortion clinic
Other protections may well forbid that, but the main one described to the consumer is that there must be 5,000 sales or we’re not interested.
The key point here is that all boilerplate contracts are first party. And the ones we have do not show anything like a reasonable level of transparency to the consumer.
In light of the evidence, it would be helpful if the debate could move on from arguing that there is any meaningful consumer protection from a first-party relationship. There are consumer protection issues, but they are not solved there.
Otherwise, there is an ugly future in which OS and browser vendors tie user IDs to their systems, and define privacy as selling it for at least $5.
The $0.002 firewall
Google had attempted to justify the restrictions on the grounds that all parties would lose browsing history data, including Google. This was quite clever as it played to a lacuna in European competition policy: the love of the guild-inspired “level playing field” rather than checking true economic effects.
A recent study revealed the true economic effects. Laub, Miller and Skiera (2024) quantified the differences by putting relative numbers on the value of user IDs and browsing history. [5]
The study provided a devastating result. The marginal value of a match key in the study is approximately $0.20 CPM (1000 impressions). But if you have a match key ID — like Login with Google — then the additional marginal value of browsing history is just $0.002 CPM. So, the essential characteristic of the Google Privacy Sandbox Commitments is that Google had agreed to do 100x the harm to rivals that it would have done to itself.
It is just as well the study was updated in April 2024 or this might not have been spotted in time. Thank goodness the Frankfurt academics checked what was really buried in the Sandbox sand.
In essence, Google’s Commitments are not worth one brass farthing (to Google).
Once this had become clear Google’s favoured approach of equal blindness as to browsing history – but with the loss of IDs only for others – became untenable.
What that would have meant for mobile browsers
It was also striking that Google is not allowing consumers choice over browser extensions and data handling in Chrome (Mobile) and YouTube. So, there was an acute risk that accepting the “level playing field” firewall of removing data equally would then box in the analysis on extensions in the Mobile Browsers Investigation.
Cue an excellent Claude Rains impression: I’m shocked, shocked that browser data has been firewalled. Pity that doesn’t allow any extensions in Android.
Moving the debate forward
The real question here which few are addressing — with the notable exception of the CMA in the Mobile Browsers case — is that there are multiple consumer groups.
The fresh market research by Verian in the Mobile Browsers case [4] provides a great landing zone which would move the debate forward. The research identified four consumer segments. Some love identity-linked data across devices. Others hate it. A large group just consume the content and don’t mind. Another large group say they would switch only if they find issues.
So, in the data driven future, some see The Jetsons and others see Minority Report. The issue is how to cater to the different preferences. Oddly, no one has been asking what kind of cookies people want:
The relaxed majority. I like to eat free cookies. We can even put an exceptionally robust number on this. We noted the two separate studies by the IAB [1] and CMA [2] above. They find that this is a substantial majority (64-69%). Yes, you read that right: two independent studies within 5% of each other. In the IAB study, 80% further state they wouldn’t want to pay for free service, and just 1% express a priority concern about “tracking”. So, moving the frontier of data inwards just harms this group.
The concerned minority. When it comes to cookies, I prefer raisins to chocolate. 19% in the IAB study state concerns about Personal Data handling. And it is their right to be cautious. The essence of privacy is that they get to keep their data secret and don’t need to tell us why. These consumers face a market failure, much more so than a market power issue, in that the interoperable data results in a pooling equilibrium whereas their preference is for a separating one. For these consumers, it will be a blend of innovation and regulation that helps them to keep their identity and any information linked to it siloed to each organization they interact with.
Not deserving a bullet, however, is the bootleggers’ and baptists’ coalition uniting a motley crew of luddites and special interest groups who wish to see selected data (often from their rivals) diminish in general. The giveaway is advocacy for a first party future, without calibrating that sweeping remark to any mitigation of risk. For these consumers, nothing will do except to make everyone a fruitarian when it comes to cookies — just for different reasons. For some, the reason is to focus on selling their ad inventory direct to marketers. For others, it’s a meddlesome preference. Either way, it’s unprincipled. And those wanting triple chocolate cookies can’t have one — for no clear reason. “Go on, have some fruit. It’s better for you anyway.”
Rejecting the corporatist settlement
It’s very good news that the CMA case has gotten ahead of a parallel EU Commission investigation. There were already signs that corporatist lobbying was warming up in Brussels.
That would have taken the form of a twist on the fruitarian account. Industrial policy in data – the argument that the regulator should get data “just right” – would displace competition policy. This turned up right on time in the form of the Meta decision under the EU’s new Digital Markets Act. The decision restricts data-driven advertising for no stated consumer evidence. Thus, all three of Demsetz’ Nirvana Fallacies (no, not the band) [6] are present:
Free lunch. The fact that the majority want to trade their data is conspicuous by its absence.
People might be different. It may be that people trade their data for service — but really they shouldn’t.
Greener grass. Just let me change things. The grass will get greener. I promise.
The curious thing is that there is already the data for an evidence-based approach, rather than the politics. The issue is crystal clear, and it is to address two different preferences as to Personal Data.
Data privacy – A consumer welfare approach
Focus on this evidence is what is needed. Consumer analysis reveals the excessive breadth of ATT, ITP and the Sandbox. The issue is not to take away cookies but to allow the different consumer preferences from the surveys to shine through. What would that fresh batch of cookies look like?
Sensitive data tagging by publishers. Publishers are best placed to tag for sensitivity. Recipients would know to handle the sensitive information with enhanced mitigations relative to innocuous information. For example, sensitive websites would trigger an automatic incognito mode. This is the least cost avoidance of the sensitive data issue and it stops consumers having to deal with what is essentially a content publisher issue. Moreover, publishers should already differentiate sensitive content under the GDPR (Art 9). If this sounds utopian, consider the existing brand-safety classification systems that already warn recipients of sensitive content. The tech is more than doable.
Personal Data flag. That would provide transparency over the currently latent issue of Personal Data, de-identified data, and paywall combo deals hidden across the web. If a consumer is worried about Personal Data then a major mitigation is to use de-identified data instead, in line with the US and German Google settlements which apply consent only to identity-linked data but otherwise apply disclosures. This is also at the heart of CCPA (reasonable risk of re-identification); ditto the UK’s proposed Data Protection Bill before it timed out with the election. What is so nice about this is that it clarifies whether Personal Data is being used to operate and monetize the digital property being visited and allows more meaningful choices about it. The ability to reset such a match key or temporarily experience the same property with a different match key (e.g., incognito mode) provides even greater choice.
Personalisation on/off. Some like “other consumers also looked at…” based on their search and shopping experience – and if so, what’s the harm in recommendations whether performed in-house by a large vertically-integrated company or by “third party” (aka “B2B”) supply chain vendors to serve such properties’ offerings? Some consumers don’t want personalization—regardless of the entity powering it. So the key is to allow user control over whether personalisation is on or off. That way, those who want to have enriched experiences using data can do so — but those who don’t want to aren’t forced to.
What would all this blue sky thinking look like, I hear you cry? Well, that’s the beauty of it. There isn’t one answer.
Browser vendors, including extension vendors, could use the tags to compete over addressing true privacy harms, while avoiding the dark patterns many current interfaces rely upon to intentionally hide from the public the disagreeable exemptions for their own business-to-business data handling called out above. That would map to the different consumer preferences. The beauty of consumer-facing competition in the UX is that the vegan cookie eater can have a vegan cookie (de-identified; not sensitive; not personalised) but those wanting a triple chocolate cookie can still get it.
Really, all that the Apple and Google solutions do is to take away the triple chocolate cookie without even offering a real vegan one. It’s just a sawdust filled snack: it may fill a void but it doesn’t satisfy anyone. After all the delays, the Sandbox approach to disintermediating rival businesses has seen better days. No one seems to really want that design. Perhaps not even Google at this point.
Consumer protection isn’t the same thing as consumer consent
The key here is to keep coming back to evidence-based consumer protection. There is great significance in the observation of the CMA in Appendix J to the Mobile Ecosystems Market Study that vendors such as app developers benefit from data/free trades just as much as consumers do. When Audiomack could say to consumers that data drives free service, 64% said yes – until Apple blocked this via its ATT prompt. [2] And the ICO has been canny in not commenting specifically on anything except to say that transparency, choice and fairness must be observed and “first party” exemptions must be rejected out of hand. [7]
In this the CMA and ICO are considerably more open minded than their EU counterparts: it seems that the UK bodies still see a role for trading data for service, provided that it is transparent. There does not seem to be much appetite to go down the EU Meta decision pathway. From this perspective, it would be better not to regulate except to address clearly defined market failure. Whereas all too often EU law insists on creating a framework, even where there is no clear consumer harm.
The alleged beefing up of GDPR via ATT, ITP and the Sandboxes are cases in point, and the risk here is that Apple and Google effectively put the GDPR on steroids but only in relation to others. With recognition of the costs of the GDPR mounting, that aspiration is a little out of vogue. [8] A sharp focus on consumer harm and proportionate regulation avoids this error.
So for all the talk about changes to competition law it really all comes back to a simple tale about consumer welfare. The network effects issue is there, but the underlying problem is not (chiefly) a scale barrier to entry – it’s a market failure creating a pooling equilibrium which is good for most users, but departs from the consumer preferences of some users. The focus should be on fixing that, and not fudging enough data from only smaller rivals to Big Tech until everyone forgets about it.
What to watch
It will be critical to get consumer interfaces right, including transparency as to the role of data in providing free content to those happy with the transaction – while also catering to the minority who prefer different approaches to funding content.
At the very least, consumer protection requires clear and consistent disclosure of equivalent use cases. By contrast, ATT/ITP and the Sandboxes differentiate based on channel of access with baroque restrictions for browser-based data, and no commensurate restriction elsewhere – such as owned and operated apps like YouTube. It’s very good news that the CMA did not allow that double standard to stand.
So those who asked, how long until cookies go away were really asking the wrong question. The priority question is how to fix the three underlying issues. That is the real way forward for third party cookies.
The only thing worse than a stale cookie is a stale debate about a stale cookie. It’s a curious thought, but perhaps all the ICO has been saying all these years is that when it comes to cookies, they want a fresh batch.
Acknowledgement:
I am grateful to Joshua Koran for comments on an earlier draft of this Substack, but all errors and omissions are mine alone.
Disclaimer:
I have been engaged as an expert consultant by parties in data competition matters at times over the past few years. The above posting is general commentary, and no comments are made in my academic capacity.
References:
[1] IAB, The Free and Open Ad-Supported Internet: Consumers, Content, and Assessing the Data Value Exchange (29 January 2024)
[2] CMA Mobile Ecosystems Market Study (now Mobile Browsers and Cloud Gaming Investigation), Appendix J, para. 109
[3] JJA Burke, “Contract as Commodity: A Nonfiction Approach,” 24 Seton Hall Legis. J. 285 (1999-2000)
[4] Verian Group, Presentation of key qualitative research findings (CMA Mobile Browsers and Cloud Gaming Investigation, 27 Jun 2024)
[5] R Laub, K Miller and B Skiera, The Economic Value of User Tracking for Publishers (Apr 2024) pp.29-30
[6] H Demsetz, Information and Efficiency: Another Viewpoint 12(1) Journal of Law & Economics 1-12 (1969)
[7] UK CMA and ICO, Joint statement on competition and data protection law (2021)
[8] G Johnson, Lessons from the GDPR and Beyond, NBER Working Paper 30705 (2022)
Image credits:
Snickerdoodle – C Shebley, Creative Commons 2.0.
Birthday cookie – Public domain.
Chocolate cookies — American Heritage Chocolate, Unsplash.