There’s more to life than cookies, but a triple chocolate cookie is a great place to start
The long-running debate on cookie withdrawal from Chrome is moving towards its peace conference after Google’s u-turns this past year.
As with all battles, the terms coming out of the peace conference are pivotal.
This important chapter will do much to set the terms of individual-level identifiers in data-rich systems.
Comment submissions are open until July 4th. Will it be independence day for the cookie? Or independence day for Google? That depends on the quality of the evidence submitted now.
What just happened?
On Tuesday April 22nd, Google announced that it would shelve its plan to deprecate so-called third-party cookies as part of the Google Chrome Privacy Sandbox.
Then, on June 13th, the UK Competition and Markets Authority published a proposal to release the Chrome Commitments on the basis that the cookie would be kept after all. (It remains to be seen whether the CMA will agree with the proposal.)
The result is significant, and not only for cookies, because it sets a clear precedent against withdrawing valuable data unless there is objective analysis of both privacy risks and consumer welfare impacts.
Here, that had been lacking, because neither Google’s asserted privacy improvements nor the consumer welfare impacts had been established on objective evidence.
What prompted the u-turn on cookies?
Dnes & Felver PLLC played an important role in helping to bring evidence to the debate. Please see our blog posts and press coverage summarizing key chapters:
- August 2023: Good cookies and bad cookies: What’s next for online match keys?
- July 2024: 3 Ways Forward for 3rd Party Cookies.
- February 2025: Stephen Dnes was quoted as the last word on the cookie prompt debate by AdExchanger: The latest on Chrome’s Cookie Choice Prompt: It’s gonna be global.
The firm drew on its in-house expertise in the economics and market research so pivotal to antitrust cases to develop an ultimately winning strategy.
The essence of this strategy was to move the case towards a much sharper focus on what web consumers want. The inconvenient truth for the Sandbox proposals was that most consumers do not mind allowing advertising optimization for free content. Sensitive data is hardly ever engaged, and when it is, there are more tailored measures to improve signals on sensitivity, rather than curtailing non-sensitive data.
A simple example is incognito mode.
Better signals would address the approximately 20% of consumers concerned about rich data use, while not curtailing value for the 2/3 who are happy to for rich data use to fund content.
This proved to be an inescapable argument for the Sandbox. It was not possible to show why consumers benefited from the proposed global data diminution, rather than an improvement in risk-based signals and stronger private browsing modes.
The direction of travel changed markedly upon Dnes & Felver’s involvement. This inflection point was noticed by others. For instance, Alan Chapell’s Monopoly Report with Garrett McGrath of Magnite identified a sudden change in the CMA’s tone and lines of questioning from January 2024 (27 November 2024).
Something had changed in the Sandbox analysis: it was now based on consumer welfare, and the unanswerable question was why content funding should be harmed when most consumers are happy.
All of a sudden, the CMA stopped signing off on the Google reports.
Why no cookie prompt?
The CMA apparently demanded that Google retain at least a portion of data rich traffic for those users happy to accept personalisation.
However, no neutral prompt could ultimately be agreed; much less one that could apply on a global basis.
Further, many happy consumers ought not to be prompted at all: excessive pop ups undermine the user experience.
As survey evidence shows users happy with syncing of preferences across devices, if there were to be any personalisation prompt it would surely have to apply fairly, and not only to competing traffic.
So, any prompting regime removing data would have to apply to Google as well.
This created another unanswerable argument – this time, against prompting bias. This addressed the well-known issue with biased prompts common to the Sandbox and other data diminution initiatives, notably Apple ATT.
A simple visual comparison of owned-and-operated vs Sandbox prompts and demonstrated substantial anti-consumer prompting discrimination. The answer in Google’s latest quarterly report was remarkably weak: that the same data protection rules apply to all prompting systems – which is hardly the point.
The real question is why the prompts were different for Google and for others, whereas the Commitments required non-discrimination in feature diminution.
These very pointed observations from the CMA seemed to prompt a rethink by Google: would insisting on increased data integration in the open web necessarily be such a good idea? Might it accentuate arguments that competition is weak in the long tail? Could data diminution à la Sandbox even be an own goal that would primarily help Apple, and not Google?
So, it was not only the CMA that came to see the matter differently – the new strategy seemed to influence Google too. That helped to create a landing zone.
Ultimately, a precedent was set against the loss of rich data absent objective analysis of risk and consumer benefits:
- Shortly thereafter, the CMA’s analysis of benefits from Apple’s ATT in the Mobile Browsers case also became more sceptical.
- In March, the French competition authority fined Apple for bias in its ATT prompts.
- And this April, Google accepted that it would keep the third-party cookie after all.
On June 13th, the CMA published an important report on the history of testing the Sandbox. The essential problem was that value continued to diminish. The so-called Privacy Enhancing Technologies (PETs) in the Sandbox simply were not up to the task of replacing the cookie. This contravened expectations from the 2019-20 CMA Market Study, which had expected the performance gap to close.
So ultimately, the position is driven by the fact that competitive content funding still needs access to decentralized data sources such as the ability to write information to local storage as with the third-party cookie.
It remains to be seen whether this is truly a “tombstone” to the case – but either way, it is a clear warning shot to any firm considering the impairment of a rich data system from which consumers derive value. This would be important for any future Apple ATT-like prompting system, or any possible restrictions to the Google Android MAID identifier.
Joshua Koran, an advertising technology expert, stated: “People’s privacy rights are important. Mere pretextual privacy improvement claims are not helpful to identifying nor implementing effective solutions to genuine privacy concerns. Recent clarifications from both the UK Information Commissioner’s Office and the European Commission have emphasized the importance of mitigating risks related to the context in which personal data is used, instead of where it is stored or processed—such as adopting appropriate deidentification measures.”