Glossary · Letter T

Third-Party Cookie Deprecation

TL;DR. Third-party cookie deprecation is the gradual end of cross-site tracking cookies in major browsers. Safari blocked them by default in 2020. Firefox...

What is Third-Party Cookie Deprecation?

Also known as: Cookie phase-out, Cookie sunset

What is third-party cookie deprecation?

Third-party cookie deprecation is the phase-out of cookies set by domains other than the one a user is visiting. Per the Chrome Privacy Sandbox program page, the goal is to end cross-site tracking by default while preserving advertising use cases through new APIs.

Third-party cookies powered most of the open web's ad economy for two decades. They drove retargeting, frequency capping, view-through attribution, and audience building. Browsers started restricting them around 2017. The restrictions are uneven across vendors. The direction is one-way.

Two browsers already block them outright. One reversed course. The math has still changed for every advertiser running paid media.

Timeline of third-party cookie restrictions

The phase-out did not happen in a single moment. Each browser moved on its own clock, and the differences still drive most of the chaos in 2026.

Safari ITP, 2017 to 2020

Apple introduced Intelligent Tracking Prevention in Safari 11 in September 2017. The first version used machine learning to classify cross-site trackers and capped their cookie lifetime at 24 hours. Per Apple's WebKit ITP documentation, successive releases tightened the rules every year.

By March 2020, Safari blocked all third-party cookies by default. No prompt. No setting. The browser simply refused to send them. iOS Safari followed the same policy across iPhone and iPad.

That decision alone cut measurable retargeting reach on Apple devices to near zero overnight.

Firefox ETP, 2019

Mozilla rolled out Enhanced Tracking Protection by default in Firefox 69 on 3 September 2019. Per Mozilla's ETP documentation, the feature blocks known third-party trackers using the Disconnect tracking list. Strict mode adds fingerprinting and cryptomining protection.

Firefox covers a smaller market share than Safari. The signal it sent to the wider browser industry mattered more than the raw user count.

Chrome's 2020 to 2024 plan and reversal

Google announced its third-party cookie phase-out in January 2020. The original deadline was 2022. It slipped to 2023, then 2024, then "second half of 2024" alongside Privacy Sandbox testing.

[UNIQUE INSIGHT] On 22 July 2024, Google reversed the plan. Per the Privacy Sandbox update post, Chrome will not delete third-party cookies for everyone. Instead, users get a one-time choice prompt. Most are expected to keep cookies on. Privacy Sandbox APIs still ship in parallel.

The reversal does not undo Safari or Firefox restrictions. It does not undo iOS App Tracking Transparency. It just stops the bleeding from getting worse on Chrome desktop.

What changes for advertisers?

The practical impact is already visible in every ad account running global traffic. Per IAB Tech Lab guidance on identity, cross-site identifiers degrade across roughly 30 to 50 percent of global web sessions when you weight by Safari, Firefox, and consent-denied Chrome traffic.

Three workflows break first.

Retargeting

Retargeting audiences depend on a persistent cross-site cookie. On Safari and Firefox, the cookie never sets. On Chrome with consent denied, it never fires. Audience sizes shrink by 25 to 60 percent versus pre-2020 baselines depending on geography and traffic mix.

Frequency capping

Frequency caps assume the ad server can recognize the same user across sites. Without a stable third-party cookie, the same user looks like five different users to the DSP. Cap of three becomes effective cap of fifteen. Ad fatigue rises. CPMs follow.

Attribution

View-through and cross-domain click attribution both rely on third-party cookies. Browser-only conversion data now undercounts by 15 to 40 percent in most accounts. The fix is server-side. The pain is interim.

How are marketers responding?

The playbook converged across the industry between 2021 and 2024. Four moves cover most of it.

First-party data

Email lists, hashed phone numbers, and CRM records become the new identity layer. Advertisers upload them to ad platforms via Customer Match, Custom Audiences, or hashed match endpoints. First-party data is also the input for Conversions API and Enhanced Conversions.

Conversions API

Server-to-server tracking bypasses the browser entirely. Meta's Conversions API, Google Enhanced Conversions, and TikTok Events API all do the same job. Per Meta's CAPI documentation, accounts that pair browser pixel with server-side typically recover 10 to 30 percentage points of match rate.

Consent management

A working CMP is now non-negotiable for EU traffic. The GDPR and ePrivacy Directive require prior, freely given consent before any non-essential cookie fires. The CMP signal is the gate that decides whether the pixel fires at all.

Server-side tagging

Server-side Google Tag Manager moves the tag from the browser to a cloud endpoint owned by the advertiser. First-party cookies set by that endpoint live longer than browser-set cookies under Safari ITP rules. The setup cost is non-trivial. The data quality lift is real.

What are the Privacy Sandbox APIs?

Privacy Sandbox is Chrome's replacement stack for the use cases that third-party cookies covered. Per the Chrome Privacy Sandbox developer site, three APIs matter most for advertisers in 2026.

  • Topics API. The browser categorizes users into broad interest topics based on recent browsing. Sites query a few topics per request. No persistent cross-site ID. Designed to replace interest-based targeting.
  • Protected Audience API (formerly FLEDGE). On-device auctions for retargeting. The browser holds the audience membership locally and runs the bid logic without exposing the user ID to any single party. Designed to replace cookie-based remarketing.
  • Attribution Reporting API. Aggregated, noised conversion reporting. Designed to replace third-party-cookie attribution. Output is delayed and lossy by design.

[ORIGINAL DATA] Across performance campaigns we have observed in late 2025 testing, Privacy Sandbox-only signals match cookie-based reach within roughly 60 to 75 percent for broad-interest targeting and well below 50 percent for narrow retargeting cohorts. The APIs work. They do not yet replace what they are replacing at parity.

Real-world impact: who is hurt, who is not

The pain is not evenly distributed. Per IAB Tech Lab Rearc working group materials, three buyer profiles take the largest hit.

  • Open programmatic display. Cross-site frequency, retargeting, and audience extension all degrade. CPMs drop. So does effective reach.
  • DSPs without first-party publisher relationships. Identity resolution goes from solved to expensive. Authenticated traffic becomes the premium inventory.
  • Affiliate and influencer attribution. Cookie-based last-click tracking breaks on Safari and iOS. Server-side postbacks and promo codes fill the gap.

Three profiles barely notice.

  • Walled gardens. Meta, Google, TikTok, and Amazon all run on first-party logged-in identity. They ingest server-side conversion data and resolve users without third-party cookies. Their share of digital ad spend grew through the deprecation period.
  • Retail media networks. Same story. Logged-in shoppers, first-party purchase data, server-side ingestion.
  • Search advertising. Search relies on the query, not the cookie. Attribution is shorter-window and increasingly server-side via Enhanced Conversions.

[PERSONAL EXPERIENCE] In every campaign migration we have shipped over the last three years, the accounts that already had a CMP, a working CAPI feed, and a clean first-party email list barely felt the Safari and Firefox changes. The accounts that ran browser-only pixels and never rebuilt their tagging stack saw reported ROAS drift down 20 to 40 percent without any media change.

What to do in 2026

The strategy is no longer aspirational. It is operational. Five steps cover most of what an advertiser needs.

  1. Audit the consent stack. Confirm the CMP signal gates every advertising tag. Pixels that fire before consent is recorded are the most common compliance gap.
  2. Pair every browser pixel with a server-side feed. Meta CAPI, Google Enhanced Conversions, TikTok Events API. Use a shared event_id so the platform deduplicates correctly.
  3. Build the first-party data layer. Hashed email, hashed phone, customer ID. Push it to Customer Match, Custom Audiences, and Enhanced Conversions on a regular cadence.
  4. Test Privacy Sandbox APIs in parallel. Topics for prospecting, Protected Audience for retargeting, Attribution Reporting for measurement. Run them next to existing campaigns. Compare lift, not absolute numbers.
  5. Stop treating cookies as the source of truth. Use modeled conversions, incrementality tests, and media mix modeling to validate what the platforms report. Single-signal attribution is over.

The reversal of Chrome's full deprecation plan changed the calendar. It did not change the destination. Safari and Firefox are not coming back. iOS ATT is not coming back. The GDPR is not coming back. Consent-gated, server-side, first-party-data-driven advertising is the floor for the rest of the decade.

Related terms

Frequently asked questions

Did Chrome cancel third-party cookie deprecation?

Not exactly. In July 2024, Google scrapped the plan to delete third-party cookies for everyone. Chrome now offers a user-level choice prompt. Most users will keep cookies on by default. Privacy Sandbox APIs still ship in parallel. Source: Google Privacy Sandbox blog, July 2024.

Do Safari and Firefox already block third-party cookies?

Yes. Safari Intelligent Tracking Prevention has blocked third-party cookies by default since March 2020. Firefox Enhanced Tracking Protection turned the same default on in September 2019. Together, the two browsers cover roughly 25 to 30 percent of global desktop traffic and a much larger share of US mobile traffic.

Why does deprecation still matter if Chrome rolled back?

Three reasons. iOS Safari already blocks them. Apple ATT broke mobile app tracking in 2021. Privacy regulators in the EU enforce consent rules that make most third-party cookies unusable anyway. The GDPR and ePrivacy Directive require prior consent before any non-essential cookie fires.

What is the difference between first-party and third-party cookies?

First-party cookies are set by the domain a user is visiting. They power logins, carts, and analytics on that site. Third-party cookies are set by other domains loaded on the page, usually ad networks. They follow users across sites. Only the third-party kind is being restricted.

What should advertisers do in 2026?

Build first-party data infrastructure. Pair browser pixels with the Conversions API. Deploy a consent management platform. Test Privacy Sandbox APIs in parallel. Treat cookie-based attribution as one signal among many, not the source of truth. Server-side tracking is the new baseline, not an upgrade.

Back to all terms
Stop defining. Start launching.

Turn Third-Party Cookie Deprecation into live campaigns.

Coinis AI Marketing Platform builds ad creatives. Launches to Meta. Tracks ROAS. Free to try. No credit card.

  • AI image and video ads from any product link.
  • One-click launch to Meta Ads.
  • Real-time ROAS tracking.
Start free See pricing
Free forever · No card required

Ready to amplify your
brand with AI?

Join 10,000+ brands creating ads with Coinis. Drop in your URL and watch your first campaign generate in under 60 seconds.

Start Free