Internet Advertising Is About to Change. Here's What Consumers Need to Know.

The third-party cookies that have tracked internet users for years are going away. Is that a good thing?

A browser with several click arrows, behind the browser a maze of dots (cookies) some falling into hands Illustration: Franziska Barczyk

The internet as you know it today is changing significantly behind the scenes. As a result, you may be subject to less hidden monitoring of your activities from unseen companies you have never heard of. But companies you do know, such as Google and Facebook, could consolidate their dominance even more.

To best navigate these changes and ensure more privacy, it helps to understand the transformation taking place.

Driving this change is a tech industry move away from intrusive tracking by default via third-party cookies, tiny text files that websites put on your computer that assign you a unique user ID. Browsers have long allowed third-party cookies, which enable advertisers to follow you around in order to target messaging.

“The bottom line is that user expectations for privacy have changed,” says David Temkin, Google’s director of product management, ads privacy, and user trust.

“It’s that tracking—which is tied to the profiles that are being created—that the advertising industry is moving away from right now,” he continues. “When people hear about it, and they just look at it and they feel ‘Well, what is this? I feel like I’m being tracked or even stalked as I go from site to site to site.’”

Despite Temkin’s declarations on privacy, some experts expect these browser changes to give tech giants, such as Google (and its parent company Alphabet) and Facebook (and its newly named parent company Meta), even more dominance over the online advertising market.

More on Privacy

After it eliminates third-party cookies, Google would like your browser to store details about your interests and allow targeted ads rather than letting outsiders build marketing dossiers about you. In other words, a bicycle manufacturer may show you ads because your browser—rather than an outside advertising technology firm or data broker—suggests that you visited some of the same websites as others interested in athletics and bicycles. That approach would put the browser at the center of the advertising equation, and Google, not coincidentally, makes Chrome, the world’s most popular browser.

Google calls this system Federated Learning Cohorts (FLoC), part of what the company terms a “privacy sandbox.”

“I definitely am skeptical about the Google privacy sandbox proposals,” says Justin Brookman, Consumer Reports’ director of privacy and technology policy, “because it sounds like they just want to re-create targeted advertising but at the browser level, and maybe then box other companies out.”

“Still, it could have a positive result in that fewer companies would have access to your internet behavior,” he says. “That’s good from a privacy perspective.”

What Has Changed So Far?

For more than a quarter-century, advertising technology companies have tracked what we do on the internet to target their messaging, fueling, for example, those persistent messages that follow you around after you look up something, such as a pair of pants. Popular browsers are now saying “no more.” 

Apple, which earns most of its money by selling iPhones and computers, started requiring user permission before allowing third-party cookies in its iOS 14.5 update in April. “This is a significant improvement for privacy,” an engineer involved in Apple’s related efforts, John Wilander, wrote in March 2020. Firefox and Safari have also started blocking such tracking automatically. 

Google, which became one of the world’s richest companies through advertising, is joining the bandwagon. According to web analytics firm Statcounter, Google announced in January that by 2022 it would phase out cookies in its Chrome browser, which dominates two-thirds of the browser market. Last summer it delayed its timetable until 2023.

“We want to give people ample time to get familiar with the technologies to integrate them and to have a smooth transition from third-party cookies,” Google’s Temkin says. “Some of our peers in big tech are kind of like, ‘Oh, accidentally, I just kicked over the life support; bummer.’ That’s not what we want to do.”

Much smaller rivals such as Brave have already made privacy a core component of their browsers. Learn more about Brave’s privacy features.

How Do Cookies Allow Outsiders to See What You Are Doing on the Internet?

Invented in 1994, cookies can enhance the user experience by, for example, allowing sites to remember who you are without requiring a log-in every time. Such uses are first-party cookies because you have a direct customer relationship with the site. 

Yet many websites contain additional ads and outside content, such as social media links, that enable other companies to place third-party cookies on your computer to monitor what you do on the internet. (Consumer Reports uses cookies for on-site functionality, analytics, marketing, and social media interaction.)

“There are profiles of me that are being collected by multiple advertising-related technology companies,” says Temkin, who leads Google’s efforts to boost privacy while still making money from ads. “They’re not visible to me. They are all collected based on this identifier of a third-party cookie.”

“It’s all in the service of ‘We want to deliver you a particular individual advertisement based on what we believe your interests are,’” he says. “Your interests are inferred from your behavior, particularly what sites you’re going to on the web and a variety of other factors.”

Cookies and other tracking technology have proliferated considerably since the mid-1990s, and most web browsers have allowed them by default. Users could tinker with various settings to try to block them, but many haven’t bothered.

Why Didn’t Browsers Block Cookies Long Ago?

Browser company officials say they didn’t block third-party cookies by default initially for two main reasons. One is that without cookies, some sites didn’t work properly. The second reason is that web developers didn’t want to unplug the economic engine behind the web.

“The internet is funded by advertising and entails a huge amount of targeting and tracking,” says Eric Rescorla, chief technology officer of Mozilla’s Firefox team. “There is active debate about how much of that targeting is necessary to have the advertising work successfully.”

Lou Montulli, who invented cookies in 1994 while working for Netscape, has watched the debates since the beginning. “If we were completely hostile to advertising,” he says, “then there would be no revenue model for the web, or at least there would be a diminished revenue model for the web.”

Why Are Companies Changing Things Now?

In recent years, the public has shown more resistance to the internet’s constant tracking. In a nationally representative Consumer Reports February 2020 survey (PDF) survey of 5,085 adult U.S. residents, 96 percent agreed that more should be done to ensure that companies protect consumer privacy and 74 percent were at least moderately concerned about the privacy of their personal data.

“There are some companies that are sincerely pushing products that improve your privacy,” says Pete Snyder, senior privacy researcher and director of privacy at the browser company Brave. “Those are coming from a mixture of incentives of ethics and market differentiation and strategic placement against Google and that sort of thing.” 

Government and media investigations have further highlighted privacy abuses. For example, in 2019 Facebook agreed to pay the Federal Trade Commission a whopping $5 billion—by far the agency’s largest fine ever—for not allowing users the promised ability to control the privacy of their data, such as by sharing data with third-party apps. 

Companies have also had to rethink their privacy practices amid legislation such as European Union rules that require them to get consent before using all but “strictly necessary” cookies (such as when you put items into a website shopping cart). Then there’s the California Consumer Privacy Act, which gives Californians certain data protections.

How Will These Changes Affect Big Tech Companies?

Few experts expect that big tech companies will become any less omnipotent because of the changes. In fact, the end of third-party cookies could strengthen their businesses.

“If your browser got rid of third-party cookies, then your visits to typical sites that show ads, whether it’s a news site, a blog, or whatever, those sites lose some of the ability to place and measure their ads,” says Don Marti, vice president of ecosystem innovation at the advertising service company CafeMedia. “But a big platform site like Facebook or YouTube actually does not depend on a third-party cookie; they depend on having the user logged in to that environment.”

“The terrible scenario is what happens if the independent content sites break but Facebook and YouTube don’t?” he says.

Jimmy Secretan, vice president of ads and premium services at Brave, says this about Google: “Even with the elimination of third-party cookies, their revenue stream will likely be fine.”

Google’s proposed alternative to third-party cookies, FLoC, is designed to target ads without so many outside companies storing information about you. Your browser might communicate that “this person is one of a cohort of people who looks at steak recipes, or classic rock, or real estate, or fitness,” and allow in related ads. But sites themselves wouldn’t be able to leave cookies in your browser that allow others to see which sites you’ve visited. 

A major antitrust lawsuit filed by Texas and other states over Google’s dominance in the online advertising market also expects the search giant’s position of power will not change in a world without third-party cookies. “Google’s entire business model is to collect comprehensive data about every user in the service of brokering targeted ad sales. It then uses privacy concerns as an excuse to advantage itself over its competitors,” the lawsuit alleges. 

“The planned elimination of third-party cookies from Google’s dominant browser, Chrome, is also justified on privacy grounds, but the effect is to increase information asymmetries between Google and its competitors.”

Asked about the case, Temkin at Google said: “Look, a company this large is getting a lot of attention, and our practices are under a great deal of scrutiny. And we obviously need to adapt and respect what’s going on there.”

Apple has made a very public embrace of privacy as a differentiator, but experts say the company still collects plenty of user data. “It’s like Apple trying to claim that their platform is privacy,” says Montulli, the inventor of cookies. “Well, they have their own advertising IDs; all they’ve done is shifted from using cookies. What they actually did was create their own advertising ID that’s embedded in the phone, and created their own advertising network.”

Apple’s Wilander, the security and privacy engineer working on the Safari browser changes, and company spokespeople declined to answer questions.

Will Ads Stop Following You Around?

“Probably every consumer has noticed that when they go to a shopping cart, and start shopping for something and don’t buy it, sometimes they start seeing those ads all over the place,” says Ari Paparo, who works for a division of Comcast that bought the advertising firm Beeswax, where he had served as CEO. “The so-called ads-that-follow-me around will decline, because those are really based on cookie technologies.”

Why have such ads existed for so long? “The reality is that they’re so effective compared to other ads that the benefits to the advertiser outweigh the waste,” Paparo says.

Montulli calls such ads fairly primitive because they only really know you looked up a product, such as a bicycle. “If that bike company participates in an ad network, then the ad network would know that you visited a bike store at some point, and then the ad network will start serving you ads about bikes,” he explains. “But the ad network has no idea whether you end up buying a bike or not.”

Will You Have to Pay to Visit Your Favorite Websites?

With less precisely targeted advertising, many sites now offering free content may make less money in the future. Instead, they may have to charge for their content, much as Netflix requires a subscription to access its video content, some experts say.

“The days of being able to just visit websites and read news and information without logging in is probably going to decline,” Paparo says. “It used to be that only the very premium sites like the New York Times or the Financial Times were able to sustain a requirement that people logged in.”

“Over the past several years we’ve seen a pretty solid increase in the number of sites that require a log-in or give you a limited number of articles for free before they require it,” he adds. 

Some European websites, such as the one for the leading German newsmagazine Der Spiegel, preview what may become more common in the U.S: To see content, you must first agree to tracking and ads or pay for a subscription. Requiring you to log in so you stay longer in their realm may make websites more valuable to advertisers.

What Should You Do Now?

Because Google’s Chrome will still allow third-party cookies by default until 2023, privacy experts suggest that you may want to change your Chrome privacy settings. CR shows you how to use Google privacy settings, and Google provides its own explanation

Critics of Google’s proposed FLoC system include the Electronic Frontier Foundation. “The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process,” writes EFF’s Bennett Cyphers. “It may also exacerbate many of the worst nonprivacy problems with behavioral ads, including discrimination and predatory targeting.”

The privacy company DuckDuckGo has developed a new browser extension to counter the technology, as detailed in our article on DuckDuckGo’s solution to a Google privacy controversy.

Under the current and future systems, Google will still be able to follow your activities if you’re signed in to its services. Don Marti at CafeMedia outlines steps you can take for greater privacy while using YouTube in this blog posting

Other browsers allow users to change their settings to boost privacy further, including Microsoft’s Edge and Firefox. Apple describes how to limit its own ad targeting. Large popular websites such as Facebook can still learn a great deal about you from what you put on their sites. And if you sign on to other sites using Facebook, that gives Facebook additional insights into your web activities. Find out how to use Facebook’s privacy settings.

Could Companies Use Other Surveillance Tech Instead?

Although Google is hoping companies will embrace its FLoC system to target ads, other companies prefer an alternative approach, which asks internet users for unique information, such as an email address. 

Should emails become the identifier that advertisers use to track people, you might consider using a service that creates different email addresses for different companies. I have long used Abine’s Blur service, and other possibilities include AnonAddy and ManyMe. Apple offers Hide My Email service. All of these services relay incoming messages to your main email address.

Beyond third-party cookies, a controversial technique called fingerprinting could enable outsiders to follow you online. With fingerprinting, companies record details such as your computer’s model type, operating system, time zone, screen resolution, fonts, language, memory, and other distinguishing characteristics so that they can follow you over time.

“Fingerprinting is kind of frowned upon because the consumer can’t really opt out of it,” says tech executive Ari Paparo. “Most advertisers don’t like that idea—but also, regulators and other folks who keep an eye on the industry.”

You can test to see how unique your browser is by going to the Electronic Frontier Foundation’s Cover Your Tracks site. Using the EFF tool, I tried out a series of browsers and found that only Brave offered randomized protections against fingerprinting. Google’s Chrome—the most widely used browser—offered the least protection.

Correction: A previous version of this article misspelled the name of David Temkin, Google’s product management, ads privacy and trust, in some instances.

Headshot of CRO freelance writer Adam Tanner

Adam Tanner

Adam Tanner is a Consumer Reports contributing editor. He is also the author of “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records” and an associate at Harvard's Institute for Quantitative Social Science.