Cookie deprecation: what actually happened and what to do now
Google didn't kill third-party cookies. Browsers did it anyway. Here's where we actually stand in 2026 and what it means for your tracking.
If you’ve been following the cookie deprecation saga, congratulations on your patience. This story has had more plot twists than a Netflix series, and the ending still isn’t written. But here’s what I can tell you after working through this with clients for four years: the people who waited for clarity got left behind. The people who adapted early are in great shape regardless of what Chrome does next.
Let me lay out what actually happened, where things stand right now, and what you should do about it. No speculation. No panic. Just the situation as it is.
The timeline, because it’s easy to lose track
2020: Google announces Chrome will phase out third-party cookies within two years. The ad industry panics. Safari and Firefox had already blocked them by default, but Chrome is 65% of browser traffic. This was the big one.
2021-2022: Google introduces FLoC (Federated Learning of Cohorts) as a replacement. Privacy advocates hate it. The industry hates it. Google kills FLoC and replaces it with Topics API. The two-year deadline passes. Nothing changes in Chrome.
2023: Google starts testing cookie deprecation with 1% of Chrome users. Announces full deprecation by Q3 2024. The industry starts preparing in earnest.
2024: Google delays again. Then in July, Google announces it won’t deprecate third-party cookies after all. Instead, it’ll give users a choice via a new Privacy Sandbox prompt. Collective whiplash across the industry.
2025: Google quietly refines its approach. The Privacy Sandbox APIs (Topics, Attribution Reporting, Protected Audiences) continue development. Chrome introduces more user controls. Meanwhile, Safari’s Intelligent Tracking Prevention gets stricter. Firefox tightens up too.
2026 (now): Third-party cookies still technically work in Chrome for users who haven’t changed their settings. But the ecosystem has shifted anyway. Most sophisticated advertisers have moved to first-party data strategies. The holdouts are feeling the pain.
Where we actually stand right now
Here’s the thing nobody says clearly enough: it doesn’t matter what Chrome does with third-party cookies anymore. The practical impact already happened.
Safari blocks third-party cookies completely. Has for years. That’s roughly 20% of web traffic in most markets, higher in the US and much higher on mobile. Firefox blocks them too. That’s another 3-5%.
So even in the best case, where Chrome keeps third-party cookies forever, you’ve already lost third-party cookie coverage on a quarter of your traffic. For mobile-heavy businesses, it’s closer to 40%.
Chrome’s Privacy Sandbox is live. Topics API lets advertisers target interest-based cohorts instead of individual users. Attribution Reporting API provides conversion measurement without cross-site tracking. Protected Audiences API (formerly FLEDGE) handles remarketing in a privacy-preserving way. These APIs work. They’re not perfect replacements for what cookies did, but they work.
The practical effect: if you’re still relying on third-party cookies as the backbone of your digital marketing measurement, you’re already working with incomplete data. Not in the future. Right now.
What actually changed for marketers
Let me be specific about what got harder, because the impact isn’t evenly distributed.
Retargeting reach dropped. If you’re running display retargeting through third-party cookie-based platforms, your addressable audience shrank by 20-40% depending on your traffic’s browser mix. You’re paying the same CPMs to reach fewer people. Your frequency is probably higher than you think on Chrome users and zero on Safari users. That’s not a targeting strategy, that’s a blind spot.
Frequency capping broke. Third-party cookies were how ad platforms tracked how many times a user saw your ad across different sites. Without them, frequency capping on Safari and Firefox is essentially guesswork. Users on those browsers either see your ad too many times or not at all. Neither is ideal.
Cross-device attribution has gaps. Deterministic cross-device matching relied heavily on third-party cookies. Google’s own cross-device reporting in Google Ads still works (because they have logged-in users), but independent attribution tools lost significant coverage.
View-through conversions became less reliable. Someone sees your display ad, doesn’t click, later converts on your site. Tracking that connection required a third-party cookie from the ad server. On Safari and Firefox, that connection is gone. Your display campaigns look worse in attribution reports than they actually perform.
Not sure how cookie changes affect your specific setup? I'll review your tracking stack and show you exactly where you have blind spots.
Book a Free Audit →What didn’t change (and this is important)
Amid all the noise, some things remained completely stable. Knowing what still works is just as important as knowing what broke.
First-party cookies still work everywhere. When a user visits your site and you set a cookie on your own domain, that works in every browser. GA4, your CRM tracking, session management, login persistence, all fine. First-party cookies aren’t going anywhere. They’re how the web works.
Server-side tracking is unaffected. If you send data from your server to Google, Meta, or any other platform via their server-side APIs, browser cookie policies don’t matter. The data never touches the browser. This is why server-side tagging through Google Tag Manager’s server container, Meta’s Conversions API, and similar tools became the standard approach. It’s not a workaround. It’s better architecture.
GA4 works fine. GA4 uses first-party cookies. It was designed with this future in mind. Your GA4 data quality didn’t degrade because of cookie deprecation. (It might have degraded for other reasons, but that’s a different article.)
Google Ads conversion tracking works. Google controls both Chrome and Google Ads. They have first-party relationships with logged-in users. Enhanced conversions, consent mode, and the Google tag all use mechanisms that don’t depend on third-party cookies.
Email and CRM-based marketing is untouched. If someone gives you their email address and you market to them through email, that has nothing to do with cookies. Same for SMS, push notifications, and any communication channel based on a direct relationship.
The practical playbook for right now
Stop waiting for a definitive answer on Chrome cookies. It doesn’t matter. Here’s what to do.
1. Implement server-side tagging. If you haven’t already, set up Google Tag Manager’s server-side container. Route your GA4, Google Ads, and Meta tracking through it. This gives you reliable measurement regardless of browser behavior. The setup takes a few days. The hosting costs about $50-100/month for most businesses. There’s no reason not to do this.
2. Turn on Enhanced Conversions. For Google Ads, enable enhanced conversions. This sends hashed first-party data (email, phone) alongside your conversion tags. Google matches it against logged-in users. It recovers a significant chunk of the conversions that would otherwise be lost to cookie restrictions. It takes about thirty minutes to set up.
3. Implement Meta’s Conversions API. Same concept as enhanced conversions but for Meta. Send conversion events server-side in addition to (not instead of) browser-side pixel events. Meta uses both signals for deduplication and optimization. If you’re spending money on Meta ads without CAPI, you’re giving their algorithm less data to work with and getting worse results.
4. Build your first-party data asset. Email lists. Loyalty programs. Account creation. Anything that creates a direct, consensual data relationship with your users. This data is yours. It doesn’t depend on any browser vendor’s privacy decisions. It doesn’t expire. It doesn’t get blocked. Companies that invested in first-party data three years ago are the ones running effective remarketing campaigns today.
5. Use Google’s consent mode v2. This is required in the EEA anyway, but it’s valuable everywhere. Consent mode lets Google model conversions for users who don’t consent to cookies. You don’t lose the data entirely; you get modeled data that fills the gaps. It’s not as precise as observed data, but it’s much better than a blank space in your reports.
6. Accept modeled data. This is the hardest shift for analytics people. We’re used to counting things precisely. In 2026, some of your data will be modeled. Google Ads will model some conversions. GA4 will model some user behavior. Meta will use statistical methods to fill gaps. This is the new normal. The modeled data is directionally accurate. It’s good enough for optimization decisions. If you insist on only using observed data, you’ll be optimizing on an incomplete picture.
Frequently asked questions
Q: Did Google kill third-party cookies in Chrome?
No. In July 2024, Google reversed its decision and announced it would not deprecate third-party cookies. Instead, Chrome introduced Privacy Sandbox APIs and user controls. However, Safari and Firefox have blocked third-party cookies for years, meaning 20-30% of web traffic already operates without them regardless of Chrome’s stance.
Q: Do first-party cookies still work in all browsers?
Yes. First-party cookies set on your own domain work in every browser. GA4, CRM tracking, session management, and login persistence all use first-party cookies and remain unaffected by third-party cookie deprecation. Server-side cookies set via HTTP headers also avoid the ITP restrictions that Safari applies to JavaScript-set cookies.
Q: What should I do to prepare for a cookieless future?
Implement server-side tagging through GTM’s server container, enable Google Ads enhanced conversions, set up Meta’s Conversions API, build first-party data assets (email lists, loyalty programs, account creation), and deploy Consent Mode v2. These steps work regardless of what Chrome does with third-party cookies.
Q: How does cookie deprecation affect retargeting campaigns?
Retargeting reach has already dropped 20-40% because Safari and Firefox block third-party cookies. Frequency capping is broken on those browsers. The solution is to use platform-native alternatives like Google’s Protected Audiences API, Meta’s custom audiences from first-party data, and server-side conversion tracking to feed optimization algorithms.
Stop waiting for resolution
I talk to marketers who are still “waiting to see what happens with cookies” before making changes. That wait has cost them three years of adaptation time.
The old model, where third-party cookies provided universal cross-site tracking, is over. Not because of one policy decision, but because the entire ecosystem moved. Browsers restricted tracking. Regulations required consent. Users became more privacy-aware. Platforms built alternatives.
The companies in the best position right now are the ones that treated 2020’s announcement as a starting gun, not a warning to monitor. They built server-side infrastructure. They invested in first-party data. They learned to work with modeled data and probabilistic attribution.
You can still catch up. Everything on the list above is implementable in weeks, not months. But the gap between prepared and unprepared companies is widening. Every quarter you wait, the companies that adapted earlier are compounding their advantage.
The cookie question was never really about cookies. It was about whether your measurement strategy depends on browser-vendor goodwill or on infrastructure you control. Build the infrastructure. The rest is noise.
Artem Reiter
Web Analytics Consultant
