A leading internet standards body has slammed Google for deciding once again to leave in place support for third-party cookies in its Chrome browser — even though the privacy-invading tracking technology “is not good for the Web” and can harm users.
Google’s announcement last week that it still isn’t dropping support for third-party cookies came “out of the blue” and “undermines a lot of the work we’ve done together to make the Web work without third-party cookies,” Hadley Berman, of the Worldwide Web Consortium (W3C), wrote in a blog post Monday. (The post was titled: “Third-party cookies have got to go.”)
The W3C agrees with the updated RFC definition of cookies, which acknowledges they have “inherent privacy issues.” Moreover, the RFC strongly recommends that “user agents adopt a policy for third-party cookies that is as restrictive as compatibility constraints permit.”
While third-party cookies — which are set by a website other than the one a user is visiting through embedded content such as ads, social media widgets, or tracking pixels — can be helpful when used for authentication across multiple sites, they also enable hidden data collection about users’ internet activity, Berman said.
There also are other hazards lurking in “the tracking and subsequent data collection and brokerage” that third-party cookies support, including “micro-targeting of political messages” that harm society at large, she wrote.
Google’s ‘user’s choice’ approach to cookies
Rather than end support for third-party cookies, Google instead decided to update Chrome’s cross-site tracking protection policy, unveiled last December, with an option in the settings of Chrome’s Privacy Sandbox, a set of privacy-preserving APIs. The option allows users to choose whether they want to experience web browsing within the Privacy Sandbox setting or continue to have traditional cross-site cookies activated.
Chrome users can also use the “Enhanced Ad Privacy” feature Google rolled out last year as part of Chrome version 115; it allows for interest-based advertising without tracking individual users across websites, the company said.
The W3C has been working with Google’s Privacy Sandbox team for several years on third-party cookie policies with “substantial progress,” Berman noted. The recent change in direction by Google represents a major step back in that effort, she said.
“The unfortunate climb-down will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies,” Berman wrote. “We fear it will have an overall detrimental impact on the cause of improving privacy on the web.”
That said, the W3C hopes Google “reverses this decision and re-commits to a path towards removal of third-party cookies,” she added.
Google did not immediately respond to requests for comment Tuesday.
Google’s lack of privacy leadership
Privacy experts acknowledged that while third-party cookies do present privacy concerns, there are numerous stakeholders to consider.
“Google has repeatedly attempted to replace cookies…aiming to balance user privacy with the needs of advertisers,” said Jason Soroko, senior vice president of product at Sectigo, a provider of certificate lifecycle management. “However, these efforts have struggled due to resistance from privacy advocates, regulatory hurdles, and technical challenges.”
That likely contributed to Google’s decision to delay pulling its support for cookies, he said, citing the “complex interplay between innovation, privacy concerns, and regulatory frameworks.”
More disappointing is that the company “still seemingly has no clear plan to implement greater privacy and safety controls against tracking,” said one privacy expert, who doesn’t believe Google is doing enough.
Google “has long boasted about the innovation happening in its Privacy Sandbox initiative, but that has yet to publicly bear fruit,” said Gal Ringel, Cofounder and CEO at Mine, a global data privacy-management firm.
Moreover, given Google’s role as “the single most influential organization on the internet today,” the company’s failure “to take a true stand on privacy sets a bad precedent on the issue at a critical time when the US is trying to pass more legislation to address the problem,” he added.