Third-Party Cookies can work with consent

The problem with Third-Party Cookie tracking is that many websites and vendors do not wait for valid consent before they start tracking personal information. But when they do, and the consent is lawful, it's fine. It really is.

Third-Party Cookies are great tracking tools that provide auditability, transparency, and robustness. However, because of the unregulated and bad-faith use of their capabilities, as well as a well-thought-out anti-competitive bashing campaign, they’re now on the brink of extinction.

Apple and Mozilla, who do not rely on Third-Party Cookie tracking for their advertising revenue, were the first to limit its reach. Google, after carefully merging the Google account with the Chrome experience and designing an Advertising API called the Privacy Sandbox, was supposed to follow in 2024. That won’t be the case.

Third-Party Cookies Could Adapt to Survive

At Axeptio, even though we mostly deal with First-Party Cookies, we think that Third-Party Cookies are a tool worth saving. As long as they are used properly, they can generate value for advertisers, publishers, developers, and end-users.

What they currently lack to function in a privacy-minded world is built-in respect for user consent: a mode that would allow Third-Party Cookies to work only when the user authorizes a given third-party domain to place a Third-Party Cookie on the visited domain.

CMPs to the Rescue

Google has built a basic API called the Consent Mode. This API expects the CMP to communicate consent signals through the dataLayer variable. These signals, only mapped to purposes for now, are then read by Google solutions (Analytics, Ads, etc.), which act accordingly.

The Consent Mode was the first sign of recognition from Google of the major responsibility of CMPs to act as a trusted third party, and of the need to acknowledge compliant consent collection.

Consent Mode is not a Chrome API, and consent is a notion that has been completely left out of the current version of the Privacy Sandbox. We believe there’s no better opportunity than the latest postponement of Third-Party Cookie deprecation to challenge this situation.

Consent at a Browser Level

We propose a very simple, yet effective approach, inspired by existing mechanisms: CSP and CORS. These mechanisms have annoyed the hell out of millions of web developers but have proven very lean and well-enforced. By enabling the first-party domain to declare which resources and which types of resources are allowed to load and execute, they act as the final boss that protects the user and the website from abuse.

Transposing the logic of CSP & CORS into consent terms would take the following steps:

Without any form of consent, Third-Party Cookies would not be able to stick, being marked as pending just as is intended with the Privacy Sandbox.

With a CMP live on the website, the browser will expect an explicit consent signal to tell it what to do. Until the signal is received, no cookie will survive outside the tab context.

The explicit consent signal would contain the following information:

  • Allowed Third-Party Cookie domains
  • Allowed cookie names (optional)
  • Allowed HTTP Methods (for AJAX calls as well)
  • Grant Duration
  • A Canonical URL to the consent proof, stored in the browser history for auditing purposes

This domain-level consent would also help in building browser-level defaults for some Third-Party Cookie domains that a user will want to allow or block. It could even reduce the usage of CNAME cloaking if the browser takes care of DNS resolution, thus improving transparency and trust.

APIs residing in the navigator.consent namespace could allow third-party and first-party CMPs to communicate these consent signals seamlessly, crafting a better experience for the user and the developer.
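
A sketch of the decision a browser would make under this proposal, as an added example that is not Axeptio's code or any existing browser API. The signal shape, its field names and the `decide` function are hypothetical, and an expired grant is assumed to fall back to the pending state.

```javascript
// Constructed sample of the explicit consent signal a CMP would send.
// Field names are hypothetical; the proposal defines no wire format.
const SIGNAL = {
  domains: ['ads.example', 'metrics.example'],  // allowed third-party domains
  cookieNames: { 'ads.example': ['uid'] },      // optional per-domain allow-list
  methods: ['GET', 'POST'],                     // allowed HTTP methods
  grantedAt: Date.parse('2024-06-01T00:00:00Z'),
  durationDays: 180,                            // grant duration
  proofUrl: 'https://cmp.example/proofs/abc123' // canonical URL of the consent proof
};

// Match on a label boundary so "evilads.example" is not treated as "ads.example".
function domainMatches(host, allowed) {
  const h = host.toLowerCase(), a = allowed.toLowerCase();
  return h === a || h.endsWith('.' + a);
}

// Decide what happens to a third-party cookie set by `req`.
//   pending : no valid signal, the cookie does not survive outside the tab
//   persist : covered by a live grant, the proof URL is kept for auditing
//   blocked : a signal exists but does not cover this domain, method or name
function decide(signal, req, now) {
  if (!signal) return { action: 'pending', reason: 'no consent signal' };
  const expires = signal.grantedAt + signal.durationDays * 86400000;
  if (now >= expires) return { action: 'pending', reason: 'grant expired' };
  const domain = signal.domains.find(d => domainMatches(req.host, d));
  if (!domain) return { action: 'blocked', reason: 'domain not allowed' };
  if (!signal.methods.includes(req.method.toUpperCase()))
    return { action: 'blocked', reason: 'method not allowed' };
  const names = signal.cookieNames && signal.cookieNames[domain];
  if (names && !names.includes(req.cookieName))
    return { action: 'blocked', reason: 'cookie name not allowed' };
  return { action: 'persist', reason: 'granted', proofUrl: signal.proofUrl, expires };
}
```
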

A Future-Proof Solution

Recognizing the role of consent at a browser level will also pave the way for privacy-enhancing technologies, such as our consent assistant Taste. Opening the navigator.consent APIs to extensions would result in a much more respectful and enjoyable experience, while providing control for individual preferences.

CEO & Co-founder - Axeptio
