Expert Note

Third-Party Cookie Restrictions for Chrome: Explanations and Opportunities

Mathieu Lima
Updated: 26 Nov. 2025 · 12 min read

Restrictions, but Not the End of Third-Party Cookies for Chrome

Third-party cookies have played a key role in digital marketing by enabling user tracking across different sites. This technology offers the ability to target users based on their interests or through remarketing campaigns. It is also at the heart of advertising performance measurement and post-view conversion attribution.

Recent years have been marked by the emergence of regulations such as GDPR and ePrivacy, growing user awareness of privacy protection with the use of adblockers, as well as initiatives from major web players such as Apple with Safari and Mozilla with Firefox, emphasizing privacy as a key product argument.

Google is aligning with this market trend by planning to implement restrictions on third-party cookies for Chrome, combined with the use of new technologies and practices that will allow advertisers to continue targeting their audience and effectively measuring their media investment, while limiting privacy risks (source).

This is therefore not entirely the end of third-party cookies on Chrome, but it is likely that some users will choose to "block" third-party cookies with the experience that Google will offer. The impact will be strongly related to how Google presents the choice experience and the performance of alternative technologies like Privacy Sandbox.

This transition mainly represents an opportunity for web giants such as Google and large platforms with a connected environment (for example Meta and Amazon) who are capable of developing alternatives to third-party cookies. However, it poses a major challenge for players dependent on third-party cookies, such as Criteo, who do not have their own advertising inventory.

It should also be noted that major advertising players have already adopted measurement protocols based on first-party cookies, which are not affected by this evolution but remain subject to regulations such as GDPR and restrictions imposed by certain browsers like Safari.

A Similar Approach Implemented by Apple on iOS

With these restrictions on third-party cookies for Chrome, the responsibility for blocking third-party cookies will be delegated to users. This approach is similar to what Apple implemented in 2021 on iOS with the blocking of the IDFA (the advertising identifier on iOS, which is equivalent to third-party cookies). This default blocking of the IDFA is linked to the AppTrackingTransparency (ATT) framework. Apple has made available an alternative technology: SKAdNetwork (SKAN), now called AdAttributionKit (AAK). 👉 Learn more about SKAN and AAK in our expert note dedicated to AdAttributionKit.

The SKAdNetwork APIs allow platforms and advertisers to obtain campaign performance information without needing the IDFA, so that measurement stays within an environment that better protects users' personal data.

Not All Cookies Are Affected by These Restrictions

It is important to review some definitions as the information circulating about the end of (third-party) cookies is imprecise, even erroneous.

Third-Party Cookies

Third-party cookies (also called 3rd-party cookies) store information for services external to the visited site. The information is stored on the user's device, has an expiration date, and is shared between multiple sites, allowing cross-site matching and user identification.

Imagine user A visiting an ecommerce site (example: www.boutiquemode.com) and interacting with products. A media partner such as Criteo creates a third-party cookie associated with the criteo.com domain with an identifier. When user A then navigates to other partner sites, the cookie allows Criteo to recognize user A and www.boutiquemode.com to present them with personalized ads based on their browsing (cart abandonment, product view, customer).

Consider user B visiting a sports news site (example: www.sportnews.com) focused on tennis. A third-party cookie is created by an advertising partner to associate user B's interest in tennis. When user B visits sites in this partner's network, they can be targeted with ads for tennis products.

User C sees an ad on www.sportnews.com for www.boutiquemode.com, which integrates a tracking pixel from an ad-centric platform like Eulerian. The pixel triggers a third-party cookie on the eulerian.com domain. If user C makes a purchase on www.boutiquemode.com later, the platform can attribute the conversion to the previously viewed ad.

First-Party Cookies (Used by Third Parties)

First-party cookies (also called 1st-party cookies) store information belonging to the site publisher or advertisers. The information is stored on the device, has an expiration date, and is limited to the domain of the visited site.

First-party cookies were originally designed to help the site function properly, for example by allowing a user to stay logged into their account during different visits. For years, they have been used by most media platforms and other measurement tools (Meta, Google, etc.) which use these first-party cookies to compensate for the gradual abandonment of third-party cookies by browsers. These 1st-party cookies (serving third parties) are placed on browsers via tags or pixels (Conversion Linker for Google Ads, Meta Pixel for Facebook, etc.).

When user E clicks on a Facebook ad to go to www.boutiquemode.com, the link contains a unique click identifier in the URL parameter (for example: fbc=123) which is captured by the site via a first-party cookie. If user E makes a purchase during this visit or subsequent visits, Meta can attribute this conversion to the initial ad, all without using a third-party cookie.
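The capture step described above, as an added example (not code from the article or from Meta): only the `fbc` parameter name comes from the text; the cookie name, the 7-day lifetime, the consent object and the allowed character set are assumptions. The value arrives in a URL that anyone can craft, so it is validated before being written to a first-party cookie.

```javascript
// Added example. Everything except the 'fbc' parameter name is hypothetical.
const CLICK_PARAM = 'fbc';               // parameter name used in the article's example
const COOKIE_NAME = '_click_id';         // hypothetical first-party cookie name
const MAX_AGE_SECONDS = 7 * 24 * 3600;   // assumed retention: 7 days

// Allowlist for the identifier. The landing URL is untrusted input: a value
// containing ';' or whitespace could otherwise alter the cookie's attributes.
const CLICK_ID_PATTERN = /^[A-Za-z0-9._-]{1,128}$/;

/**
 * Returns the string to assign to document.cookie, or null when nothing
 * should be stored (no consent, malformed URL, missing or invalid value).
 */
function clickIdCookie(landingUrl, consent) {
  // No advertising-storage consent means no cookie is written at all.
  if (!consent || consent.adStorage !== true) return null;

  let url;
  try {
    url = new URL(landingUrl);
  } catch {
    return null; // not a parseable absolute URL
  }

  // searchParams.get() returns the percent-decoded value, or null if absent.
  const value = url.searchParams.get(CLICK_PARAM);
  if (value === null || !CLICK_ID_PATTERN.test(value)) return null;

  // No Domain attribute: the cookie stays bound to the visited host only.
  return [
    `${COOKIE_NAME}=${value}`,
    `Max-Age=${MAX_AGE_SECONDS}`,
    'Path=/',
    'SameSite=Lax',
    'Secure',
  ].join('; ');
}

// Constructed sample, mirroring the article's scenario.
const sampleCookie = clickIdCookie(
  'https://www.boutiquemode.com/?fbc=123',
  { adStorage: true }
);
console.log(sampleCookie);
```

In a page, the returned string would be assigned to `document.cookie` only when it is not `null`.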

Advertising performance measurement (post-click) has relied mainly on first-party cookies for several years now, as have (site-centric) analytics tools.

While restrictions on third-party cookies will not impact 1st-party cookies, there are obviously other market trends that drastically limit the use of first-party cookies used for advertising performance measurement: GDPR, but also browsers like Safari which limit the lifespan of a first-party cookie and remove click identifiers starting from iOS 17 (in the context of Safari, this is referred to as Intelligent Tracking Prevention or ITP).

What Are the Impacts of Third-Party Cookie Restrictions for Chrome?

Digital marketing loses a very effective signal that allowed user tracking between sites BUT it will still be possible to track and target behaviors without this technology:

  • Thanks to the sharing of 1st-party data (for example the user's email address): which allows matching a user between different environments.
  • Through platforms that use fingerprinting or IP address targeting (practices that may involve GDPR breaches and are also increasingly deprecated by browsers).
  • And through the advent of new technologies in browsers and in information analysis (Google Privacy Sandbox for Chrome, conversion modeling, AI, etc.).

But while the market adapts and integrates these changes, there will be impacts.

Remarketing Targeting and Audience Exclusion

Remarketing campaigns rely essentially on third-party cookies: they are therefore directly impacted. Precision and volume should be affected initially: it will be necessary to remain particularly vigilant on these types of campaigns and channels.

At the same time, excluding known users from your acquisition campaigns will be less effective. This could lead to an artificial improvement in performance on these campaigns because they will be able to target your customers more (who are more likely to convert).

Interest-Based Targeting, Programmatic and DMP

Advertising buying via programmatic platforms and the use of classic DMPs (Data Management Platforms) will lose performance and efficiency as long as the new Privacy Sandbox technology driven by Google has not proven itself.

It will be necessary to remain particularly vigilant on programmatic investments to seek to measure campaign performance as much as possible and adapt the investment strategy accordingly.

The market is evolving with the advent of CDPs (Customer Data Platforms) which offer a more customer-centric approach, integrating 1st-party data (for example email address) which are now essential for targeting.

Post-Impression Measurement in Tools and Platforms

Measuring post-impression advertising performance (i.e. was there a conversion after viewing the ad?) is more complicated.

  • Advertising platforms and attribution tools (like Eulerian) that cannot capitalize on 1st-party data (email address) will have to adapt their technology to retrieve information provided for example by the Privacy Sandbox.
  • Media platforms, such as Meta and Google, which can capitalize on 1st-party data (because users are logged into advertising environments), will be able to offer a view on post-impression performance if the advertiser's site activates the sending of user-provided data. We are talking about features like Enhanced Conversions for Google Ads and Advanced Matching for Meta.

If you value this metric (post-impression conversions) in your media management, expect some turbulence.

Google's Privacy Sandbox

A new technology is emerging with the Privacy Sandbox (see our expert note on this subject for more details).

It addresses the same use cases as 3rd-party cookies, but in a stricter environment that frames the use of so-called personal data and offers more control to users. Notably, this technology avoids tracking users individually and instead groups them into cohorts.

The uses are:

1 - Targeting

  • Topics API: allows collecting themes in which users have an interest. Users have control over this collection and can modify/delete categories (https://privacysandbox.com/proposals/topics/).
  • Protected Audience API (PAAPI): allows managing remarketing audiences so that third parties cannot track user browsing behavior across different sites. This API allows auctions directly on the device via the browser, to choose relevant ads from sites the user has previously visited (https://developers.google.com/privacy-sandbox/relevance/protected-audience?hl=en).

2 - Performance Measurement

  • Attribution Reporting API (ARA): allows measuring advertising conversions in a more privacy-respecting way, without using third-party cookies. This API evaluates conversions in different contexts: ad clicks and views, ads in third-party iframes, and ads in a 1st-party context (https://developers.google.com/privacy-sandbox/relevance/attribution-reporting?hl=en).

Remarks

  • It is an approach and mechanism relatively close to what Apple put in place with SKAdNetwork (SKAN) for mobile applications. In the same way, the SKAdNetwork API allows platforms and advertisers to query campaign performance without having to use the IDFA (the advertising identifier on iOS, which is equivalent to third-party cookies), so that measurement stays within an environment that better protects users' personal data.
  • Meta already retrieves signals within the framework of the Attribution Reporting API: the Meta Pixel also sends conversion events to the endpoint /privacy_sandbox/pixel/register/trigger.
  • Google Analytics also already collects signals within the framework of the Attribution Reporting API, with the same type of additional request as Meta, for GA4 key events, using the endpoint /privacy-sandbox/register-conversion.
  • GA4 also collects in every request the pscdl parameter (Privacy Sandbox Cookie Deprecation Label), allowing Google to monitor in GA4 the status of third-party cookie deprecation and the acceptance status of Privacy Sandbox signals for Chrome users.

The Privacy Sandbox is the most advanced technology that should allow platforms and advertisers to continue the majority of use cases (notably targeting and measurement) enabled by third-party cookies for Chrome.

AI and Data Modeling

Players such as Google and Meta are increasingly using AI and advanced statistical models to model conversions and predict user behaviors, even if they do not have all the "observable" data.

Google, for example, introduces the concept of modeling:

  • Conversion modeling in Google Ads and Google Analytics 4 (more details here 👉 https://edgeangel.co/notes/ga4-modelisation-donnees-attribution), which attributes the conversion to the right channel probabilistically, even when signals have been lost.
  • Behavioral modeling in Google Ads and Google Analytics 4 (thanks to the implementation of Consent Mode in its advanced version), which restores data (i.e. user journeys) even when signals have been lost because of regulation and browser evolutions.

This trend is also observed among other players like Meta and Criteo and tends to amplify with restrictions on third-party cookies for Chrome. These technologies allow advertisers to continue addressing relevant marketing campaigns to users and measuring return on investment. However, they also require advertisers to trust "black box" models that will become increasingly complex to understand and challenge.

Strengthening GAFAM Hegemony

All industry initiatives and various regulations (GDPR, ePrivacy, Digital Markets Act, ...) aimed at strengthening user privacy and fighting abusive marketing practices will not change the established order and even less the domination of GAFAM on the sector. Indeed, only large players today have the possibility to:

  • (1) Match advertisers' 1st-party data (for example an email address) with their large user bases, with features like Enhanced Conversions for Google Ads and Advanced Matching for Meta;
  • (2) Invest in statistical models and modeling to compensate for the lack of data;
  • (3) And above all, they are the ones defining the new standards of the web and mobile applications (Privacy Sandbox initiative led by Google, ITP features on Safari and ATT on iOS led by Apple).

What Actions Should Advertisers Take?

Restrictions on third-party cookies for Chrome do not, in themselves, require major changes for advertisers. However, they are part of a market trend where it is necessary to invest resources in data collection and activation, as well as in governance as a whole. There is also a great opportunity for advertisers to be the most efficient in their sector on these data issues to gain or accentuate a competitive advantage.

In our opinion, here are the main areas to address:

1 - The evolution of post-third-party cookie technologies is moving towards personal data protection, placing user consent as the legal basis. Consented data (some players speak of zero-party data: data consented and voluntarily provided by customers) is key for managing digital campaigns. Google has developed features such as Enhanced Conversions (allowing 1st-party data to be sent to Google and thus compensating for the abandonment of third-party cookies on browsers). This feature requires advertisers to provide Google with the consent status of users for each data transmitted, thus placing legal responsibility on the advertisers themselves.

2 - Google offers features like Consent Mode V2 (CoMo v2) in its advanced version, which allows sending data even in the absence of user consent. Google limits the data collected in this case (by obfuscating personal data and not storing browser information, for example with a 1st-party cookie) and uses these signals for modeling. The use of this feature is in a gray area: regulators have not yet ruled on whether it is compliant. Advertisers must therefore evaluate the business and marketing benefits of this type of feature compared to potential legal risks. This decision generally requires consultation between marketing and legal teams, which is not always easy. If this type of feature is activated, it will also be necessary to choose a compatible Consent Management Platform (CMP).

  • Audit your CMP implementation and tag conditioning regularly to ensure they match your data privacy choices and implement a continuous consent optimization process;
  • Decide on advanced features like CoMo v2 in its Advanced version.

This new technology which guarantees user data privacy by design (personal data does not leave the user's browser) and processes aggregated data, could offer a consent exemption framework on media tags.

Indeed, in the absence of personal data, we would fall outside the scope of GDPR. It would remain to be evaluated if this framework allows meeting the exemption criteria related to Article 82 of the Data Protection Act which allows exempting audience measurement tools by respecting certain specifications during configuration.

Constant monitoring by your analytics partners and your legal department on these subjects seems crucial to be able to adapt the consent strategy according to the evolution of rules and uses. This will allow advertisers who are ahead on these subjects to maximize data usage while respecting regulation and their users' privacy.

Capitalizing on Other First-Party Data

First-party data refers to your customers' data, generally email address, phone number, first and last name. This data is available when the user is logged into their account or when they make a purchase or contact request.

It involves sending this data to media platforms (hashed data) with features like Enhanced Conversions for Google Ads, User-provided data feature for GA4 or Advanced Matching for Meta, Snapchat and TikTok. These features allow:

  • Improving campaign performance measurement;
  • Creating audiences for remarketing;
  • Better understanding user interests.

Media platforms, on their side, have data on some of these users because they are on connected environments. It is therefore a signal allowing targeting algorithms to work better, which complements tracking technologies based on cookies (3rd-party and 1st-party). This data therefore becomes key with the abandonment of 3rd-party cookies for Chrome, especially for activating remarketing audiences.

This 1st-party data is worth gold for platforms like Google and Meta, because it enriches their user knowledge and increases the value of audiences sold to advertisers (audiences that could be offered to your competitors 🤔?). Sending this data to another country can also raise sovereignty questions for major French brands.

Learn more about Google features that allow capitalizing on 1st-party data.

How to activate these features?

  • With Google Tag Manager (GTM) Web or other TMS and reworking the dataLayer tagging.
  • GTM Server (sGTM) can also help to enrich data sent to tools without exposing it in the dataLayer. In practice, we will rather favor a dataLayer implementation with hashed data but it is a possibility.
  • Customer Data Platform (CDP) and reverse ETL: these are more powerful tools to synchronize 1st-party data with platforms more deeply, with an architecture using a data warehouse. This type of tool is particularly key for sharing 1st-party audiences.
  • Activate these features with a client-side (and/or server-side) integration for conversions;
  • Activate a flow from your data warehouse to platforms with a reverse ETL for audiences, being careful to only send data for which you have user consent (avoid if possible backoffice/CRM integrations to platforms which will be complicated to maintain, especially on consent management, and which offer less flexibility);
  • For the most mature players, the question of implementing a market CDP (Segment or Rudderstack for example) will make more and more sense.
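One way to prepare hashed user-provided data for the dataLayer, gated on consent, as an added example (not the platforms' own code): the field names, the `adUserData` consent flag and the normalization rules (trimmed lowercase email, `+`-prefixed digits for phone) are assumptions to check against each platform's specification.

```javascript
// Added example. Field names, event name and consent flag are hypothetical.

// SHA-256 as lowercase hex, using Web Crypto (browser) or Node's webcrypto.
async function sha256Hex(text) {
  const subtle = globalThis.crypto?.subtle
    ?? (await import('node:crypto')).webcrypto.subtle;
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Assumed rule: trim and lowercase, so that the same address always yields
// the same digest. Returns null when the input is not email-shaped.
function normalizeEmail(raw) {
  if (typeof raw !== 'string') return null;
  const email = raw.trim().toLowerCase();
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) ? email : null;
}

// Assumed rule: E.164-like, '+' followed by 8 to 15 digits, separators removed.
function normalizePhone(raw) {
  if (typeof raw !== 'string') return null;
  const phone = raw.replace(/[\s().-]/g, '');
  return /^\+[1-9]\d{7,14}$/.test(phone) ? phone : null;
}

/**
 * Builds the object to push to the dataLayer, or null when the user has not
 * consented or no field is usable. Raw values never appear in the result.
 * Hashing here is pseudonymization: the receiving platform matches the digest
 * against its own users, so the consent check still applies.
 */
async function buildUserDataEvent(user, consent) {
  if (!consent || consent.adUserData !== true) return null;

  const fields = {};
  const email = normalizeEmail(user.email);
  const phone = normalizePhone(user.phone);
  if (email) fields.email_sha256 = await sha256Hex(email);
  if (phone) fields.phone_sha256 = await sha256Hex(phone);

  if (Object.keys(fields).length === 0) return null;
  return { event: 'user_data_ready', user_data: fields };
}

// Constructed sample input; in a page the result would go to dataLayer.push().
buildUserDataEvent(
  { email: '  Jane.Doe@Example.COM ', phone: '+33 6 12 34 56 78' },
  { adUserData: true }
).then(evt => console.log(evt));
```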

Optimize Tracking, Especially for New Customer Information

The abandonment of third-party cookies on Google Chrome will impact the ability of algorithms to distinguish acquisition audiences from remarketing audiences in particular.

In other words, platforms could potentially over-deliver to your customers.

To address these challenges, we recommend tracking the acquisition of a new customer as a dedicated event with a reworking of tagging if necessary.

It will be important to monitor your campaign performance based on this indicator and potentially manage some of your campaigns (dedicated to acquisition) on this objective.

This seems mandatory to us for managing marketing, especially since implementation is relatively easy:

  • Track new customers via a dedicated event and import them into media platforms;
  • Monitor performance (also) based on this metric;
  • Eventually manage acquisition campaigns via this event if you have enough volume.

Data-Driven Attribution, Incremental Testing, and Marketing Mix Modeling

Measurement technologies and models are evolving: they are adapting to the market and new standards and regulations. Advertisers must follow these trends to be able to understand and maximize their media investment:

1 - Data-Driven Attribution (DDA)

  • Definition: process of attributing credit (weight) to different touchpoints (channels) for a given conversion, using your data and history.
  • Benefits: fast and easy to scale. Provides real-time insight into performance drivers, fueling better bid automation and optimizations at the campaign, channel, and cross-channel levels (available directly in tools like GA4).

2 - Incremental Testing 🔥

  • Definition: uses controlled and randomized experiments to compare changes in consumer behavior between groups exposed or not to marketing activity while keeping all other factors constant (also available through tools like the Conversion Lift Measurement feature on Google Ads).
  • Benefits: the most rigorous and reliable measurement method to measure the true performance of a specific channel or campaign.

3 - Marketing Mix Modeling (MMM)

  • Definition: highly advanced modeling that uses (sophisticated) statistical models to understand what drives sales and performance. It measures the effectiveness of media investment by taking into account other external factors that impact sales (for example, seasonality, prices, the economy).
  • Benefits: offers a holistic view of all channels, sales, and external factors. It can also provide a longer-term view of the impact of marketing campaigns.
  • DDA (Data-Driven Attribution) is already fairly well adopted by advertisers, and we encourage moving in this direction for players who are still on a last-click vision. DDA remains imperfect: for example, if we consider the DDA provided by GA4, it will mechanically favor Google Ads campaigns which will have more signals and matching keys, notably with the User-provided data feature.
  • The next step for advanced players is to implement incremental testing processes to truly measure campaign performance (post-impression) and adapt budgets accordingly: this is a real opportunity.
  • For the most mature players, it will finally be about moving towards MMM to have an even finer view of campaign performance and interconnections with external events. Note: the entry ticket is much more significant to activate this type of analysis.

Strengthen Collection with Server-Side Tracking (sGTM)

Server-side tracking and tagging (for example with sGTM) is not a direct response to third-party cookie restrictions for Chrome because it does not address the same issues and challenges. However, server-side tracking will allow, in particular, collecting globally more robust signals to maintain and develop your marketing performance.

Google Tag Manager Server-side will allow:

  • Reducing JavaScript resources on the site by capitalizing on a single data stream and offloading requests to the server side;
  • Being more robust in terms of tracking against ad blockers and the policies of certain browsers;
  • Gaining control over data sent to ad platforms by obfuscating parameters but also by enriching data.

sGTM is a top feature to implement that allows gaining data quality and control. Our recent analyses show an incremental gain of about 20% compared to a client-side implementation.

sGTM, in some cases, can also facilitate the activation of 1st-party data provided by the user (for example User-provided data for GA4), without having to expose them in the dataLayer, but sGTM is not a prerequisite here.

Due to lack of knowledge or implementation errors, a certain number of advertisers and agencies activate sGTM to send data to media platforms without user consent. No, sGTM is not a way to bypass user consent and no, sGTM is not a solution to directly mitigate restrictions on third-party cookies for Chrome.

Activating sGTM obviously remains a top recommendation that allows substantial gains in terms of data collection and opens a certain number of server-side use cases to go further (enriching data with sensitive data, margin-based steering, offline conversion tracking, etc.).
