Chrome Killed Third-Party Cookies. The Advertising Industry Rebuilt Itself Around Something Worse.
Google first announced it would phase out third-party cookies from Chrome in January 2020, with a target date of early 2022. After four years of delays — driven by advertising industry pushback, UK Competition and Markets Authority intervention, and multiple failed iterations of the Privacy Sandbox replacement APIs — Google completed the deprecation in mid-2025. Every Chrome user on the planet now browses without third-party cookies, joining Firefox and Safari users who had been there since 2019 and 2017 respectively.
The long-promised privacy improvement arrived. The advertising industry adapted. And a growing body of research suggests that what replaced third-party cookies is, in aggregate, more invasive — because it is harder to detect and impossible to clear.
What Third-Party Cookies Actually Did
A third-party cookie is set by a domain other than the one you are visiting. You go to a news site; an ad network sets a cookie from its own domain that follows you to other sites that use the same ad network. That cookie enables cross-site tracking: the ad network knows you visited the news site, the shopping site, and the sports site, and can build a profile of your interests to target ads.
The reason cookies were simultaneously ubiquitous and eventually deprecated is that they are technically transparent. Your browser's developer tools show you exactly what cookies are set and by whom. Privacy-focused browser extensions like uBlock Origin could block third-party cookies trivially. Users who knew they existed had tools to stop them. Regulators understood how to write rules about them — GDPR's consent requirements for cookies were imperfect but comprehensible.
Google's Privacy Sandbox: What It Replaced Cookies With
Privacy Sandbox is Google's umbrella for the APIs that replaced third-party cookies. The two most significant:
Topics API classifies your browsing into one of approximately 470 interest categories (sports, finance, cooking, technology) and gives participating advertisers access to three of your recent top topics without revealing which sites you visited. The interest history stays in the browser, not on external servers. Google calls this a privacy improvement — and it is, compared to the granular cross-site tracking that third-party cookies enabled. Critics note that the advertiser still learns something about your interests, the classification is done by Google's models, and there is no opt-out mechanism within Chrome other than turning off the feature entirely.
Protected Audience API (formerly FLEDGE) handles remarketing — the experience of seeing an ad for a product you viewed on one site while browsing another. Under Protected Audience, the retargeting logic runs in a sandboxed environment within the browser rather than on an external ad server. The advertiser can target you based on past site visits without the ad network learning which sites you visited. This is technically elegant. It is also, from a user experience perspective, identical to what cookies provided: you see ads for things you recently looked at.
Privacy Sandbox gives advertisers roughly 80% of what third-party cookies gave them — enough that Google's advertising business remained intact — while technically making user data visible to fewer external parties. Whether this constitutes a meaningful privacy improvement depends on what you thought was the problem with cookies in the first place.
The Fingerprinting Explosion
Browser fingerprinting uses characteristics of your browser configuration — screen resolution, installed fonts, GPU renderer information, audio processing behavior, canvas rendering, time zone, language settings — to generate a quasi-unique identifier for your device. Unlike cookies, fingerprints are not stored on your device, cannot be cleared by the user, and do not require your consent under most current legal frameworks.
Research published by Princeton's Web Transparency and Accountability Project, the Electronic Frontier Foundation, and multiple academic groups in 2024-2025 consistently finds that third-party tracking script usage declined modestly after Chrome's cookie deprecation, while fingerprinting script adoption increased significantly. A 2025 study tracking 100,000 popular websites found fingerprinting scripts on 42% of sites, up from 26% in 2022. Canvas fingerprinting (drawing invisible text in a hidden element and measuring how the GPU renders it) is now present on a majority of major commercial websites.
The mechanisms are increasingly sophisticated. AudioContext fingerprinting processes a small audio signal and measures how the device's audio stack processes it — variations in hardware and software create a detectable signature. WebGL fingerprinting renders a 3D scene and reads the output — GPU variations produce consistent, trackable differences. These techniques work even in private browsing mode, even with most cookie-blocking extensions, and even when the user has opted out of tracking within a website's consent management platform.
Server-Side Tracking: The Infrastructure Shift
Simultaneously with browser-level changes, the advertising industry moved significant tracking infrastructure server-side. Server-side tagging — placing Google Tag Manager, Meta's Conversion API (CAPI), and other tracking tools on a first-party server rather than loading them from a third-party domain — effectively makes browser-level cookie blocking irrelevant. When your analytics server makes the calls, your browser never sees a third-party request to block.
Facebook's CAPI, launched in 2020 in anticipation of iOS tracking restrictions, allows advertisers to send conversion data directly from their servers to Meta — bypassing browser-level privacy controls entirely. Meta's data suggests CAPI recovers 10-15% of conversion tracking that iOS's App Tracking Transparency and ad blockers would otherwise prevent. Google's Enhanced Conversions does the same thing for Google Ads. Both tools use hashed email addresses and phone numbers as identifiers, matching users across sessions in ways that are legal under GDPR (because they rely on data the user voluntarily provided) but invisible to the user and impossible to prevent without never sharing contact information with any website.
What Actually Improved
The post-cookie web is not entirely bad news for privacy. Some things genuinely improved:
The long tail of obscure third-party trackers — small ad networks and data brokers that relied on cookie syncing between publishers to build profiles — has been significantly disrupted. Cookie syncing (two trackers sharing cookie IDs to match user identities across their respective databases) does not work without cookies. This has consolidated the tracking ecosystem around a small number of large players (Google, Meta, a few large CDPs) rather than distributing it across hundreds of smaller brokers. Whether concentrated tracking by three large companies is better than distributed tracking by 300 small companies is a legitimate philosophical question.
First-party data collection and contextual advertising are both genuinely less invasive than behavioral tracking at scale. A publisher who sells ads based on an article's content rather than your browsing history is not building a surveillance profile. Contextual advertising is making a comeback, and several large publishers who invested in editorial quality and direct audience relationships have outperformed expectations in a post-cookie world.
The regulatory environment has also tightened. The UK Information Commissioner's Office published enforcement guidance on fingerprinting in 2024, treating it as personal data processing under UK GDPR and requiring the same consent framework as cookies. The EU's EDPB issued similar guidance. Whether enforcement will be effective at the scale of the web remains to be seen — regulators struggle to keep pace with technical implementation — but the legal landscape no longer treats fingerprinting as a free alternative to cookies.
The Practical Upshot for Users
If you use Firefox with uBlock Origin or Safari's Intelligent Tracking Prevention, your privacy posture improved with the cookie deprecation and remains better than Chrome's. Firefox blocks known fingerprinting scripts. Safari's ITP limits the cross-site data sharing that makes fingerprinting commercially useful. Chrome's Privacy Sandbox protects you from some cross-site tracking while keeping you inside Google's advertising ecosystem.
If you are a website operator who depended on third-party cookies for analytics or attribution, the practical answer by 2026 has been: first-party data platforms, server-side event tracking, and consented email-based matching. The measurement gaps are real but smaller than initially feared. What was lost was primarily the ability to track users who explicitly opted out — a capability that arguably should not have existed in the first place.
The harder question — whether the web is meaningfully more private without cookies than with them — has an uncomfortable answer. For most users on Chrome, in most countries, with default settings, the answer is: marginally, in some ways, while fingerprinting and server-side tracking have expanded to fill the gaps. The deprecation was a genuine and necessary step. It was also only one step.