PRIVACY BEAT: Reaction after Google drops a bomb: Within two years Chrome browser likely won’t support third-party cookies

Privacy Beat

Your weekly privacy news update.


Reaction after Google drops a bomb: Within two years Chrome browser likely won’t support third-party cookies; balancing privacy, antitrust and competition

Google Inc. finally dropped a ticking virtual bomb on the advertising and publishing industries this week, posting a discrete blog post declaring that within two years it’s Chrome browser will stop supporting the use of so-called “third-party” cookies.  The move had been anticipated.

The news came in a blog post by Justin Schuh, director of Chrome engineering at Google, entitled: “Building a more private web: A path towards making third party cookies obsolete.” He said Google wants to encourage the creation of open data-exchange standards that replace such cookies for behavioral advertising. He seemed to imply that Google wouldn’t act until, as he put it, “once these approaches have addressed the needs of users, publishers, and advertisers…”

Why is Google acting? Speculation focuses on privacy, competition — and antitrust.

  • “Google is bowing to pressure to shore up privacy standards across its online advertising platforms and freely available web tools, which will affect more than half of all web users,” wrote reporter Ronan Shields at AdWeek, without attribution.

  • “Google doesn’t want to force the death of the cookie too quickly in case it attracts antitrust attention,” Shields quoted “a source inside a major holding group — who requested anonymity for fear of professional retribution” as saying. DigiDay reporter Lara O’Reilly added in her own words: “As is the case for almost every move Google makes, antitrust regulators will be watching closely.” 

  • Google may have felt it had to promise more definitive action about tracking cookies because of moves by browser makers Apple (Safari), Mozilla (Firefox) and Microsoft (Edge), all of which have announced or are implementing moves which restrict tracking seen as privacy-invading. And it may have concluded that its business would be hurt less than that of its cookie-dependent competitors. 

With his call for industry thinking about how to re-invent advertising technology for the web, Google’s Schuh spotlights the work of the World Wide Web Consortium (W3C), a Cambridge, Mass. nonprofit that has been at the center of collaboration on Internet and Web standards for at least 40 years. Google has already proposed some ideas to a web-advertising standards working group, but it has not yet proposed anything.

“This is going to be tough on publishers if they don’t engage in this conversation soon,” said former Google and Guardian UK employee and consultant David Gehring, who tweeted a reaction to the Google announcement. 


Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


CCPA isn’t only new data-privacy law in California: Now “data brokers” have to tell the public what they are doing; meanwhile, more thoughts about ‘sale’ definition

The public will soon know more about the opaque world of data brokers. On or before Jan. 31, any organization which “knowingly collects and sells to third party the personal information of a consumer with whom the business does not have a direct relationship” has to file with a public registry maintained by the California Attorney General.

There are already some who have registered since the list became public on Jan. 13. A similar law took effect in Vermont a year ago, but only 165 data brokers have registered. California estimates many more will file there, in part, according to attorneys Daniel Goldberg and Elliott Siebers, the California registration law has a more expansive definition of both “sale” and “personal information.”

Meanwhile, both a prominent law firm, and the digital ad industry’s Network Advertising Initiative (NAI) have been weighing in with opinions on how the CCPA defines the ‘sale’ of personal data.  Facebook signaled in December it might play legal hardball over the definition of data “sale”.

“Several of the largest players in the digital advertising industry have taken conflicting positions on whether digital advertising is a ‘sale’ under the CCPA,” write attorneys Austin Mooney, Amy Pimentel and Wendy Zhang of the law firm of McDermott Will & Emery. They write that it “remains to be seen” whether some approaches are interpreted to satisfy the law’s requirements.  They argue that clarifying the situation should be among California Attorney General Xavier Becerra’s “highest priorities” in providing CCPA enforcement guidance.

The NAI’s guidance on sale came out in November. In the guidance released under the signature of NAI’s counsel, Tony Ficarrotta, the NAI wrote that the CCPA’s definition of sale “is broader than an everyday meaning, and “includes merely ‘making available, transferring, or otherwise communicating…a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”



A compromising idea: Study state privacy laws and see which could be reasonably preempted and which not; meanwhile, Washington state tries again

A key holdup to gaining bipartisan consensus on U.S. federal online privacy regulation has been a dispute over whether federal law should be written to preempt — override — state laws.  California Democrats, including House Speaker Nancy Pelosi, say they won’t vote to override the California Consumer Privacy Act (CCPA). Senators and congressmen in other states are cautious about having federal law invalidate the work of statehouse colleagues. 

But a blog post by two writers on the International Association of Privacy Professionals takes a more nuanced view. Attorneys Peter Swire and Pollyanna Sanderson write that a solution might be to carefully study state laws, and narrow down the areas of potential conflict. “If the negotiators get to a small subset of issues, then an overall deal becomes more likely,” say the lawyers. “Where there is consensus, have congressional experts in legislative drafting create language to implement the consensus.” Swire is with the law firm of Alston & Bird and Sanderson is policy counsel at the nonprofit Future of Privacy Forum, which is supported by major tech companies, retailers, financial institutions, start-ups, media companies, foundations and others.




Norwegian consumer group’s EU study exposes claim of widespread ad-tech privacy violations on phone apps

The Norwegian Consumer Council (NCC) released this week a compilation of findings from 20 consumer and civil-society organizations in Europe spotlighting the undisclosed sharing of personal data by phone applications and urged authorities to investigate the online advertising industry. (LINK TO THE REPORT)

“Grindr and OkCupid Spread Personal Details, Study Says,” headlined The New York Times story.

 “The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used,” Finn Myrstad, director of digital policy in the NCC, said in a blog post about the research. The post said ad-tech is “systematically breaking the law” and is “out of control.”  It said it was filing complaints against Grindr and five other companies — Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato. 

The study findings were immediately picked up by the U.S.-based Consumer Reports, which particularly cited dating apps and mentioning Grindr, OKCupid, Tinder, and the period-tracking apps Clue and MyDays, which CR’s Thomas Germain wrote, “share intimate data about consumers with dozens of companies involved in the advertising business.”  It said 10 apps were feeding personal information to at least 135 other companies.

“The NCC report shows that a huge surveillance industry has built up around us,” the Electronic Frontier Foundation’s Christoph Schimon blogged in reaction. “Instead, we need a user-oriented tech ecosystem that does not treat user data like a free resource to be exploited.”

MORE: EU consumer groups urge immediate investigation.



Concern grows over Indian government’s plan to partially forbid encryption so as to ‘censor’ content

An editorial in The Washington Post, and concerned comments by a well-known Internet investor are centered on moves by the Indian government to change the way end-to-end encryption works when a user connects with a website. The intention, it is claimed, is to make it easier for the government to track the reading habits of individuals.

The Washington Post editorial was headlined: “India threatens to tear apart any semblance of digital privacy.”  The technology change is to be used by Prime Minister Narendra Modi to “filter unlawful content,” The Post asserted. Said The Post: “Companies for whom end-to-end encryption today isn’t an essential part of their model might comply with India’s law, and sacrifice security. Companies for whom it is essential, such as WhatsApp, will likely fight.”

The news prompted Internet investor Roger McNamee to Tweet: “India threatens to destroy any notion of online privacy. The window to balance social media with democracy and privacy is closing. This is not a drill.”

The Center for Democracy and Technology’s Hannah Quay-de la Vallee wrote that the expected Indian rules would limit the ability of companies operating in India to protect their users from having sensitive communications and conversations exposed. It would do so in order to give the government the ability to trace the source of messages and content.





Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Google plans to consult on death of third-party cookie

“After initial dialogue with the web community, we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years. But we cannot get there alone, and that’s why we need the ecosystem to engage on these proposals. We plan to start the first origin trials by the end of this year, starting with conversion measurement and following with personalization.”

– Justin Schuh, director, Chrome engineering, in a Jan. 14 Google corporate blog post about plans to deprecate third-party cookie support in the Chrome browser within two years.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp