The Cookie That Never Died: What Six Years of Privacy Promises Actually Produced

The funeral for the third-party cookie has been scheduled and cancelled so many times that the ad industry stopped planning for it. Google announced cookie deprecation in January 2020, targeting 2022. Then 2023. Then 2024. In July 2024, Google reversed course entirely — instead of deprecating cookies, Chrome would show users a choice prompt. By April 2025, even the prompt was abandoned. Cookies remain live in Chrome under standard privacy settings, exactly where they were in 2019.

On October 17, 2025, Google retired the Privacy Sandbox initiative — the umbrella project that was supposed to build the privacy-preserving advertising infrastructure that would make cookie deprecation viable. The Topics API, Protected Audience API, Attribution Reporting API, and eight other technologies were shut down. Six years of industry preparation, hundreds of millions of dollars in development, and multiple rounds of regulatory scrutiny concluded with the status quo intact.

Why Privacy Sandbox failed

The technical reasons were secondary to the economic ones. The IAB Tech Lab, after a six-month analysis, concluded that Privacy Sandbox "introduces significant hurdles for the digital ad economy." Criteo's modelling found publishers could lose up to 60% of Chrome advertising revenue in a world where Privacy Sandbox was the only targeting mechanism. Index Exchange found CPM rates fell 33% in implementation tests. Publisher uptake of the Topics API, which was supposed to replace interest-based targeting, never crossed the thresholds needed for revenue neutrality.

The UK's Competition and Markets Authority, which had placed Google's Privacy Sandbox commitments under a legally binding consent order in 2022, simultaneously released Google from those obligations in October 2025 — despite all 15 public consultation respondents opposing the release. The CMA's stated reason was that cookie deprecation was no longer on the table, so the commitments designed to constrain how Google used that power had no remaining purpose.

Advertisers and publishers had spent years building Privacy Sandbox integration, training teams on the new APIs, and explaining the transition to clients. The industry response to the shutdown ranged from relief to exhaustion to concern about what happens next. Google retains enormous control over how advertising works in Chrome — more control, arguably, than it had before the Privacy Sandbox saga began, because the scrutiny that produced the CMA consent order has now been discharged.

The Apple comparison that explains everything

While Chrome's cookie saga was playing out in slow motion, Apple did something straightforward: it asked users whether they wanted to be tracked, and it enforced the answer. App Tracking Transparency, launched in April 2021, requires apps to show a prompt before accessing the device's advertising identifier. In the United States, the tracking rate dropped from 72.6% to 17.9% — a 54.7 percentage point decline. The global ATT opt-in rate as of mid-2025 is approximately 35%, meaning roughly two-thirds of iOS users deny tracking when asked directly.

Meta estimated $13 billion in lost advertising revenue by 2022 from ATT alone. Conversion-optimised ads saw a 37% reduction in click-through rates. Apps that fail to get above a 30% opt-in rate lose an estimated 58% of advertising revenue. The ad industry adapted — through Meta's Conversions API, Apple's SKAdNetwork, modelled conversions, and first-party data strategies — but the adaptation was to a genuinely changed environment, not to a change that kept being postponed.

The contrast is instructive. Apple shipped privacy enforcement because Apple sells devices and software, not advertising. Its incentives aligned with user privacy. Google's Privacy Sandbox tried to solve a conflict between user privacy and the advertising business model that funds Chrome's development, and ultimately that conflict was not resolvable in a way that satisfied both parties.

What the industry built instead

The six years of cookie-deprecation preparation were not wasted. They accelerated the development of alternatives that are now deployed at scale, even though the crisis that was supposed to force adoption never materialised.

Data clean rooms — secure environments where advertisers and publishers can run queries across combined datasets without either party seeing the other's raw user records — are now normalised infrastructure. The market reached $3.2 billion in 2025 and is growing at over 20% annually. Google, AWS, LiveRamp, and Snowflake hold the majority of the market. In May 2026, Publicis acquired LiveRamp for $2.167 billion — the largest agency holding company acquisition in the data infrastructure space — signalling that clean room capability is now a strategic asset at the holding-company level. WPP acquired InfoSum in 2024.

Universal identity solutions have made meaningful but uneven progress. The Trade Desk's Unified ID 2.0, built on hashed email addresses with user consent, now covers approximately 75% of the third-party data ecosystem on the Trade Desk platform according to the company's own figures. LiveRamp's RampID is available across a network of over 1,000 partners covering 2.9 billion monthly active mobile devices. The caveats are real: a major CTV publisher spent three months generating cryptographically broken UID2 tokens without the Trade Desk flagging the errors, and after fixing them saw no measurable change in advertising revenue — suggesting that buyers were not yet relying on UID2s in practice despite theoretical adoption figures.

Server-side tracking has become a standard tool for recovering measurement signal. By sending conversion data directly from a brand's server to advertising platforms rather than relying on browser pixels, advertisers recover an average of 34 to 37% more attributed conversions. With ad blocker usage now at 1.77 billion users globally, client-side pixels alone measure somewhere between 60% and 80% of actual activity.

What was lost, and what changed

Third-party cookies enabled deterministic cross-site tracking: the same user clicking a social ad, browsing a product page, and returning through search could have their entire path logged and attributed. That chain is now broken outside walled gardens — not because of Chrome policy, but because Safari and Firefox deprecated third-party cookies years ago and account for a substantial share of browsing. Chrome's retention of cookies matters primarily in the programmatic ecosystem targeting Chrome users specifically.

Frequency capping across publishers — preventing one user from seeing the same ad forty times across different websites — is now largely guesswork outside logged-in environments. Multi-touch attribution across the open web has collapsed into probabilistic models or been abandoned in favour of incrementality testing and marketing mix modelling. Niche B2B advertisers, who relied on cross-site intent signals to reach specific professional audiences, have been hit hardest. Broad consumer advertisers with large first-party data assets have adapted more successfully.

The open web programmatic ecosystem absorbed the damage that the walled gardens avoided entirely. Google Search, YouTube, Meta's platforms, and Amazon's retail media all operate inside first-party authenticated environments. Their targeting capabilities were never dependent on third-party cookies and are unaffected by the entire saga. The consolidation of advertising spend into these platforms, visible in revenue figures since 2021, is at least partly an effect of the uncertainty the cookie deprecation saga created — brands moved investment toward surfaces where the signals were reliable, and those surfaces all happen to be owned by the three companies with the largest first-party data assets on earth.

Where it goes from here

With Privacy Sandbox retired, the W3C's Private Advertising Technology Working Group is now the venue where browser makers, advertisers, and privacy advocates will negotiate the next attempt at privacy-preserving ad measurement. The group is building on differential privacy principles — mathematical noise added to aggregate measurement reports to prevent individual identification — which Apple has already deployed in SKAdNetwork and ATT measurement.

The working assumption is that the path Apple forced on mobile advertising will eventually arrive on the web, through either regulation or competitive pressure, even if Google could not engineer it voluntarily. The EU's Digital Markets Act and ePrivacy Regulation are both still active regulatory fronts. The advertising industry is building first-party data infrastructure, clean room capability, and server-side measurement not because the cookie is dying this year, but because the trajectory of its eventual decline has not changed — only the timeline.