Historic 3PC deprecation
Third-party cookies — and Google’s plan to phase them out on Chrome — are getting plenty of attention right now, but 3PC deprecation actually started over ten years ago with Firefox.
Mozilla’s Firefox started limiting 3PCs beginning in 2013. Firefox’s tracking protection features automatically disable 3PCs to prevent websites from following your activity. It’s important to note that some websites require 3PCs to work correctly, and Firefox users have the ability to enable 3PCs for sites they choose.
Apple followed Firefox’s cookie-blocking footsteps with Safari in 2017.
Safari’s default setting only accepts cookies and website data from the sites that users visit (i.e., first-party cookies). The goal is to prevent advertisers from storing data on users’ devices. Users can always change their cookie storage options in Safari to always accept or block all cookies, but most users leave the default settings as-is.
Google has announced that, as part of its Privacy Sandbox project, it will begin phasing out 3PCs on Chrome in 2024. The company will propose new cookie functionality and purpose-built APIs to support legitimate cases of cross-site tracking while protecting user privacy.
This will be an ongoing process, starting with 1% of users in Q1 to facilitate testing, and disabling 3PCs for the remaining 99% of users by the end of 2024.
History of app tracking
In the past, third-party app tracking was industry commonplace and the default.
When app tracking is enabled, apps can track users’ activity across other apps and websites. You could click on an ad in your Solitaire app and the Solitaire app would know that you visited the website linked to the ad — and potentially what actions you took there.
Eventually, basic privacy protections were put in place that allowed users to disable app tracking. Users could manually comb through their settings to disable tracking, but they 1) had to know they needed to do this and 2) had to figure out how to do so.
Then, in 2020, Apple’s new iOS 14 caused major disruption in the industry.
For the first time, users logging into an app were asked if they wanted to allow the app to track them. They were prompted to choose yes or no, and iOS would update permissions based on their response. Apple dubbed this new feature “App Tracking Transparency.”
As of April 2022, the opt-in rate for app tracking (following the iOS 14.5 update) was only 25%, meaning 75% of users opted out.
Since mobile activity makes up roughly 50% of all online traffic, Apple’s opt-in privacy feature made a significant impact on data tracking, retargeting, and attribution.
Privacy laws: past, present, and future
Cookies and data tracking are examples of how technology often develops faster than legislation can keep up. While cookies are useful for businesses and advertisers, both consumers and governing bodies have historically have had privacy and usage concerns about them.
These are the most significant privacy laws currently impacting cookie tracking:
The ePrivacy Directive. Introduced in 2002 and amended in 2009, this regulation protects electronic communications within the EU and has become known as the “cookie law.” This legislation requires websites to gain prior consent from visitors to store or retrieve information on their devices, in addition to informing users about cookies they use.
GDPR. Another piece of EU legislation, the GDPR is the most comprehensive set of data protection and security laws ever passed by a governing body (though it only mentions cookies directly once). Introduced in 2018, the GDPR states that, when used to identify internet users, cookies qualify as personal data and are therefore subject to GDPR policies. These policies require websites inform users about the collection of their personal data, do not collect more personal data than needed, and securely store and maintain personal data, to name a few.
The California Consumer Privacy Act (CCPA). Introduced in 2018, this law guarantees online privacy rights to California residents and applies to companies conducting business in the state of California. CCPA states that users must be able to opt-out of cookie tracking and request data deletion, and that businesses may not discriminate against users who choose not to share their personal data.
Currently, there are no U.S. federal laws about cooking tracking. However, digital privacy has been a significant concern for many years and several bills aimed at protecting consumer privacy have been proposed at the federal level. This includes the bipartisan American Data Privacy and Protection Act, which would require user consent to data tracking.
The term “walled gardens” refers to an online environment that controls a user’s access to its content and services. Users can gain access to some content, but not all of it. This means the walled garden creator has full control of all content and the data tied to it.
Facebook, now Meta, has also historically been a walled garden. If advertisers wanted to use key features of Facebook’s ad system (like retargeting or ad attribution), they needed to use Facebook’s infrastructure, including its third-party tracking code. The same is largely true for most social media networks (e.g., TikTok, Snapchat, Pinterest, etc).
These walled-garden platforms often have vast amounts of zero-party (information that users voluntarily and deliberately share with a site) and first-party data (information that is collected from users based on their interactions with a site), allowing advertisers to build, activate (the act of serving ads), and measure well-defined, in-platform only audiences.