If your website uses third-party cookies, it’s time to act as their removal is getting closer. Chrome plans to disable third-party cookies for 1% of users starting in the first quarter of 2024 to facilitate testing, then moving to 100% of users starting in the third quarter of 2024. The move to 100% of users requires resolving competition issues that still exist in the UK Competition and Markets Authority (CMA).
The goal of the Privacy Sandbox is to reduce cross-site tracking while enabling features that ensure online content and services remain freely accessible to everyone. The challenge is to reject and remove third-party cookies, as they enable essential functions such as login, fraud protection, advertising and generally the ability to embed rich third-party content into your websites. At the same time, they are also the main factors for cross-site monitoring.
In its latest major milestone, Google has introduced a set of APIs that offer an alternative to the current privacy-focused status quo for use cases such as identity, advertising, and privacy detection. Fraud. With these alternatives, Google can now begin phasing out third-party cookies.
In this cookie countdown article, we’ll walk you through the timeline and immediate steps you can take to ensure your sites are ready.
1% removal of third-party cookies and testing facilitated by Chrome
On Privacysandbox.com’s timeline, you can see two milestones in Chrome’s supported testing modes approaching in the fourth quarter of 2023 and the first quarter of 2024. These tests are primarily intended for organizations testing the Privacy Sandbox relevance and measurement APIs. However, as part of these tests, Google disables third-party cookies for 1% of Chrome Stable users.
This means that starting in early 2024, you can expect to see an increased proportion of Chrome users with third-party cookies disabled on your site, even if you don’t actively participate in Chrome-supported testing. This testing period will last until the third quarter of 2024. At this time, following consultation with the CMA and subject to the resolution of any competition concerns, Google plans to begin disabling third-party cookies for all Chrome users.
Prepare for the phase-out of third-party cookies
Google has broken down the process into several key steps, detailed below, to ensure you are ready to run your website without third-party cookies:
1. Check the use of third-party cookies
Third-party cookies can be identified by their SameSite=None value. You should look in your code for cases where you have set the SameSite attribute with this value. If you’ve already made changes to add SameSite=None to your cookies in 2020, these changes might be a good place to start.
The Chrome DevTools network window displays cookies set and sent during requests. In the application area you can see the “Cookies” section under “Storage”. You can view the cookies stored for each website you access when the page loads. You can sort by the “SameSite” column to group all “None” cookies.
In Chrome 118, the DevTools Issues tab shows the current issue: “Cookies sent in cross-site context will be blocked in future Chrome versions.” of Chrome). The issue lists potentially affected cookies for the current page.
If you notice that third-party cookies are being set, you should check with those providers to see whether they plan to phase out third-party cookies. For example, you may need to update the version of a library you use, change a configuration option in the service, or do nothing if the third party manages the required changes itself.
2. Break test
You can start Chrome with the –test Third-Party-Cookie-Phaseout command-line option or, starting with Chrome 118, enable chrome://flags/#test Third-Party-Cookie-Phaseout. This allows Chrome to block third-party cookies and ensure that new features and mitigations are enabled to best simulate the post-exit state.
You can also try browsing with third-party cookies blocked via chrome://settings/cookies. However, note that the flag ensures that new features are also enabled. Blocking third-party cookies is a good approach to detecting problems, but does not necessarily confirm their solution.
If you maintain an active test suite for your websites, you should run two runs side by side: one with Chrome with the usual settings and the other with the same version of Chrome launched with the third-party –test -cookie option -exit. Any test failure in the second pass, but not the first, is a good candidate for investigating third-party cookie dependencies.
Once you have identified the problematic cookies and understand their use cases, you can go through the options below to select the required solution.
3. Use cookies partitioned with CHIPS
If your third-party cookie is used in a 1:1 integrated context with the first-party site, you may consider using the Partitioned attribute as part of Independent Partitioning State Cookies (CHIPS) to enable cross-site access with a separate To enable cookie used per location.
To implement CHIPS, add the Partitioned attribute to your Set-Cookie header:
By setting the Partitioned attribute, the site chooses to store the cookie in a separate cookie jar, partitioned by the top-level site. In the example above, the cookie comes from store-finder.site, which hosts a map of stores that allows the user to save their favorite store. If brand-a.site integrates store-finder.site using CHIPS, the fav_store cookie value is 123. If brand-b.site then also integrates store-finder.site, it creates its own partitioned instance of fav_store. set and sent cookie, for example with the value 456.
This means that integrated services can still store state, but do not have shared cross-site storage that would enable cross-site tracking.
Possible use cases : Third-party chat modules, third-party map modules, third-party payment modules, CDN subresource load balancing, headless CMS providers, sandbox domains to provide trusted non-user content, third-party CDNs that use cookies for access control, third-party API calls , which require cookies upon request, embedded ads with status separate from the publisher.
4. Use Apparent Website Sets (RWS)
If your third-party cookie is only used on a small number of related websites, you may consider using Related Site Sets (RWS) to enable cross-site access to that cookie in the context of those defined websites.
To implement RWS, you need to define and submit the site group for the whole. To ensure that websites are connected in a meaningful way, the applicable set policy requires grouping these websites by: related websites that have a visible relationship to each other (e.g., a company’s product offering variants), service domains (e.g. API , CDN). ) or country-specific domains (e.g. *.uk, *.jp).
Sites can use the Storage Access API to request access to cross-site cookies using the requestStorageAccess() function or to delegate access using the requestStorageAccessFor() function. When sites are part of the same set, the browser automatically grants access and cross-site cookies are available.
This means that groups of related websites can still use cross-site cookies in a limited context, but it is unlikely that third-party cookies will be exchanged between unrelated websites in a way that would enable cross-site tracking.
Possible use cases: Application-specific domains, brand-specific domains, country-specific domains, sandbox domains for serving untrusted user content, service domains for APIs, CDN.
5. Migrate to the appropriate web APIs
CHIPS and RWS enable certain types of cross-site cookie access while maintaining user privacy. However, other use cases for third-party cookies should be transitioned to privacy-focused alternatives.
The Privacy Sandbox offers a set of APIs specifically designed for specific use cases that do not require the use of third-party cookies:
- Federated Credential Management (FedCM) Enables fdrs identity services, which allows users to sign in to websites and services.
- Private government tokens Helps fight fraud and spam by changing boundaries and non-identifying information between websites.
- subjects enables interest-based advertising and content personalization.
- Protected audience enables remarketing and custom audiences.
- Attribution reports allows you to measure ad impressions and conversions.
Additionally, Chrome supports the Storage Access API (SAA) for use in user-interacted iframes. SAA is already supported by Edge, Firefox and Safari. Google believes this strikes a good balance between maintaining user privacy and enabling essential cross-site functionality with the benefit of cross-browser compatibility.
Note that the Storage Access API presents users with a browser permission request. To provide an optimal user experience, Google only prompts the user if the website calling requestStorageAccess() has interacted with the embedded page and has already visited the third-party website in a higher-level context. If the request is accepted, access to cross-site cookies for this website is permitted for 30 days. Possible use cases include authenticated cross-site embeds such as social media comment widgets, payment providers, and subscription video services.
If you still have use cases for third-party cookies that are not covered by these options, you should report the issue to Google and see if there are alternative implementations that do not rely on features that may enable cross-site tracking .
Preserve important user experiences
Cross-site cookies have been an essential part of the Internet for over a quarter of a century. This makes any change, especially a radical change, a complex process that requires a coordinated and step-by-step approach. While additional cookie attributes and new privacy-focused APIs represent most use cases, there are certain scenarios where Google wants to ensure that these cookies do not impact the user experience. website (see
These are primarily authentication or payment flows where a top-level website opens a pop-up or redirects to a third-party website for an operation and then returns to the top-level website, either on the way back or On the way back a cookie is used The integrated context. Google intends to provide a temporary set of heuristics to identify these scenarios and allow third-party cookies for a limited duration, giving websites a longer window to implement the necessary changes.
Next Step: Google will publish a letter of intent with more details on the blink-dev mailing list later this month and we will continue to update the documentation here.
Source: Google
And you ?
What do you think about deleting third-party cookies?
See also:
According to Twilio, 81% of companies still use third-party cookies, while 85% of consumers want brands to only use first-party data
Why is Google’s approach to replacing third-party cookies for advertising purposes attracting regulators’ attention? Some elements of the answers
The number of third-party cookies on websites in Europe fell significantly after the GDPR came into force