Third-party cookies (3PCs) live to see another day—but they’re still not here to stay.

Major browsers have been phasing out third-party cookies for a lot longer than you may think: Safari lost third-party cookies in 2017, Firefox in 2019. Since then, roughly 50% of the internet has been without third-party cookies. So, what’s going on right now? A lot, actually.

Everything changed in 2024 as Google announced they are not unilaterally getting rid of third-party cookies on Chrome after years of back-and-forth. Instead, they are going to invite users to make an “informed choice that applies across their web browsing” (meaning they will likely ask users to opt-in to tracking).

Digital advertisers have long used third-party cookies as an easy way to target, pace, measure and personalize their campaigns, so Google’s announcement may feel like momentary relief for brands—but it really doesn’t change anything. While information about the pivot is limited, third-party cookie deprecation is still happening—and may well accelerate with this new change. Here’s why: If Google makes the very likely (and more regulatory-friendly) decision to ask Chrome users to actively opt-in to third-party cookies, advertisers can expect to see significant signal loss. When given the choice, most users will not agree to tracking – as we’ve seen happen with Apple’s proactive privacy choices.

Epsilon saw the flaws in third-party cookies long ago, and Google’s latest moves doesn’t change our opinion. Marketers should continue to invest in tools and tactics that don’t rely on third-party cookies, and we’re here to lead them through the changing industry by connecting brands with their consumers in ways that don’t rely on them. Plain and simple. 

Here, we’ll explore what are third-party cookies, why they were going away in the first place (and why that’s changed), and how advertisers continue to deliver relevant, effective messaging with or without third-party cookies.

What are third-party cookies?

Websites use cookies to remember a user’s actions and preferences, so they aren’t asked to perform a task again and again. As a result, they help provide a better, more personalized user experience.

Third-party cookies are created and placed by someone other than the owner of the website you’re visiting to track consumers across the internet. Some common uses include cross-site tracking, retargeting and ad serving. Third-party cookies are also regularly used for person-level measurement, as they can identify when a transaction or another conversion type (page visit, log-in, etc.) occurs.

First-party cookies, on the other hand, are generated by the host domain. They are specific to the host domain, do not transfer across other sites, and help provide a better user experience. These cookies enable the browser to remember important user info, such as what items you add to shopping carts, your username and passwords, and language preferences.

For an example, let’s say you visit a website called learn.com. Any cookies put on this website by learn.com would be first-party cookies. Any cookies put on learn.com by any other site, like a social media site or an advertiser, would be third-party cookies.

Why are third-party cookies used?

Cross-site tracking: the practice of collecting browsing data from numerous sources (websites) that details your activity and provides behavioral insights.

Retargeting: the effort of reigniting engagement or conversion by delivering visual or text ads to previous visitors based on the products and services in which they’ve shown interest.

Ad serving: making decisions regarding the ads that appear on a website, deciding when to serve these ads, and collecting data (and reporting said data, including impressions and clicks) in an effort to educate advertisers on consumer insights and ad performance.

Personalization: data collected by third-party cookies helps marketers learn a user’s browsing behaviors and preferences, which enables brands to more effectively tailor ads to the consumer.

Measurement: many use third-party cookies to measure the effectiveness of their marketing campaigns. Analytics provided help marketers attribute specific conversions to specific ads.

Why were third-party cookies going away, and now they’re not? 

Remember, we’ve all been operating with limits on third-party cookies for a while—Safari, Firefox and Edge all opted to get rid of third-party cookies in the past five years, meaning a large portion of web activity in the U.S. has actually been on browsers that don’t accept them. Chrome is just the last holdout among major browsers.  

Google was planning to impose full deprecation in 2025, but after many delays due to regulatory and industry pressure it’s not surprising that they are modifying their approach. And it’s no secret Google’s moves will personally benefit them, as they claim the pivot is in the name of consumer privacy. But is it really?

How will third-party cookies will still impact digital advertising, even if they aren’t fully going away?

To opt-in or to opt-out, that is the question. Google has not given us any hints as to whether users will actively have to opt-in to third-party cookies on Chrome, but, given that Google’s stated reason for eliminating third-party is to improve user privacy, it is highly likely that users will be asked to opt-in to tracking.

The most comparable previous event is Apple’s rollout of the App Tracking Transparency (ATT) framework in 2021, which required users to opt-in. Only 16% opted-in to tracking initially. Over time that number has increased to 34%, as apps are allowed to renew their opt-in requests (and some users have responded to those requests)—but that won’t apply to Chrome, because the user is making a browser-level decision not an app-specific decision. Given the latter, we expect opt-in rates well under 10% for Chrome.

All that said, although third-party cookies aren’t fully going away, signal loss will still occur—the proof is in Apple's mobile ad IDs (MAIDs).

Here are the aspects of advertising that will be most impacted by signal loss:

Reach: Without third-party cookies advertisers are scrambling for a way to reach their customers and prospects online, often turning to search, owned channels and walled gardens—to their own detriment.

Personalization: Behavioral and browsing data will be limited, making it hard for advertisers who depend on third-party cookies to personalize ads.

Campaign management: Basic capabilities like A/B testing and frequency capping will be challenging for advertisers who depend on third-party cookies.

Performance measurement: Analytics and attribution based on third-party cookies will be much less effective. We anticipate many advertising vendors will not be able to calculate metrics like ROAS anymore, and will turn to the less effective Media Mix Modeling (MMM).

Our research shows that 69% of advertisers think third-party cookie deprecation will have a bigger impact than the GDPR and CCPA, and 70% feel that digital advertising overall will take a step backward.

But despite the understanding of importance and concern, fewer than half (46%) feel “very prepared” for marketing without the third-party cookie.

If third-party cookies are still unreliable, what should marketers use instead?

Despite Google’s announcement, it’s critical that marketers continue to invest in tools and tactics that don’t rely on third-party cookies. They will need to find a new way to identify people online so they can continue to personalize messages, optimize campaigns and measure performance.

To start, marketers should get familiar with the different options for identifiers. When they understand the strengths and weaknesses of the most common identifiers, it will be easier to choose a smart approach to identity. To succeed, partner with an established, people-based identity solution—one that’s future-proofed against the loss of identifiers and built with privacy in mind. Any adtech and measurement partners you work with should have a solid plan that doesn't rely on third-party cookies.

Epsilon’s identity graph, COREid is anchored to deterministic data elements which makes it not only reliable in finding the right consumers, but stable against regulatory shifts. Our data is privacy-centric and pseudonymized before it enters the digital ecosystem, keeping consumer information safe.

What’s Epsilon’s response to this new reality?

For us, it’s business-as-usual.

Epsilon has never needed third-party cookies to connect with consumers. They’re not people-based, not transparent and can’t identify people over time.

We’ve always known that the key to identity is first-party relationships with publishers and brands. That’s why we began building our identity solution in 2007 and started investing in publisher relationships all the way back in 2012. Today, Epsilon has over 17,000 PubLink integrations and a similar number of direct publisher relationships on CORE Private Exchange, our Supply-Side Platform. COREid does not rely on third-party cookies and 98% of our ads are delivered to individuals, not to cookies or devices.

In fact, 33% of the impressions served worldwide by Epsilon Digital go to Apple users who are cookieless today.

The industry agrees that Epsilon leads the way in helping marketers deliver people-based, measurable ads that drive performance without needing third-party cookies.