Google won’t kill third-party cookies after all

This may well be one of the greatest strategic and business U-turns of the century: backtracking on a project more than seven years in the making, and an attempt to reshape an entire web ecosystem and its funding model. Google’s recent decision to halt its plans to phase out third-party cookies in Chrome marks a sobering moment for the future of web privacy. As someone who has tracked—and been involved in—the Privacy Sandbox initiative from its inception (it began during my term on the W3C Technical Architecture Group!), across technical, policy, and standardization dimensions, I can say that this abrupt reversal is more than just disappointing—it’s deeply troubling.

The Privacy Sandbox represented a rare attempt to shift a huge ecosystem of online advertising practices which, and this is no surprise, has been fueled by user data. We're speaking about an ad industry which is valued at over $700bn globally—a figure that continues to grow year by year. The derailment of an initiative to shift the handling of user data is a bad sign for user trust, but also the failure of a multi-year effort by researchers and developers (even if by now most of said researchers have switched domains and/or left academia). Could this be a broader sign of the deterioration of data protection, security and privacy, in line with the promoted views that intellectual property protection, copyright protection, and privacy and data protection are no longer needed in times of AI development, because AI must be developed?

Cynics could add something more. Concerns have been voiced—e.g. among some privacy analysts but also some competing vendors in AdTech—that the Privacy Sandbox may have served, at least in part, as a reputational shield, and/or as a strategic delay, rather than a genuine effort. Such a delay could have imposed costs on competitors and slowed innovation. Of course, I am not saying that or anything of the kind—only noting that such views circulate in parts of the industry. Given how things ultimately played out, it’s understandable that, to some, such narratives now seem like the most straightforward explanation—even if they were speculative at first, the outcome ended up lending them unexpected credibility. Especially striking is how the final announcement—the ‘we’re not doing this’ blog post—was so brief and low-key. Interestingly, in February, Google quietly relaxed protections against browser fingerprinting (https://blog.lukaszolejnik.com/reducing-fingerprinting-risk-of-accept-language-browser-header/)—a practice the Privacy Sandbox was explicitly designed to curtail.

There's another issue. If major actors can selectively disengage from privacy commitments when consensus proves too costly, it raises hard questions about accountability and the real enforceability of data protection principles on the open web.

Let's hope this is not a sign of what's to come with the future GDPR reform.