Google annual developer conference, Google IO, was held in Mountain View last week. Amongst the headlines of hardware releases and software product changes was an announcement of privacy changes to Chrome that could have a very significant impact for web publishers and digital advertising as a whole.
The changes planned for Chrome are similar to what Safari already does with Intelligent Tracking Prevention. What has been announced for Chrome is not such a “Blunt instrument” as the change that has seen CPMs plummet on Safari traffic, but the potential impact is much larger thanks to Chrome’s dominant market share.
The announcement covered a number of parts, which we have summarised below. For those who would rather see the announcements for themselves you can watch the relevant part of the presentation below.
Over the coming months, Google will require that web developers explicitly state which cookies can work across websites (and therefore potentially be used for tracking). This will be done through the SameSite cookie attribute (read more on SameSite cookies). Those tagged as SameSite will only be accessible when the user is actually browsing the site that set them, so no more clever code to access first-party cookies cross-site.
Once same-site and cross-site cookies can be identified, Chrome is able to offer more control over how these are used. The example cited in the announcement is allowing users to clear all cross-site cookies without having to delete the more useful same-site cookies that remember details like logins. It seems likely that there will also be controls that allow users to disable cross-site cookies, although this has not been explicitly stated.
The option to totally disable cross-site cookies would be a blow to advertisers and the publishers who rely on them. However, the impact of this would largely be governed by how such an option was presented. Most users are hesitant to change their browser settings. So a “block cross-site cookies” option buried deep in settings would have little impact, compared with (for example) a large “block tracking cookies” option presented on installation.
Protections against fingerprinting
Whilst cross-site cookies are not popular with many users, they are at least something that the user has control over. One side-effect of blocking third-party cookies is that browser fingerprinting is seen by some as an alternative approach to user identification. Browser fingerprinting is the process of identifying users by the unique set-up of their device and software. This is generally seen as more of a privacy issue that cookies as it is hard for the user to control.
In order to prevent cookie blocking triggering a rush towards fingerprinting as a solution, Chrome will also include measures to “aggressively block fingerprinting”. Little detail has been given to how this will work, but it is likely to include restricting or blocking access to the user-agent string.
Whilst this approach would improve privacy, it is not without drawbacks. Fingerprinting is widely used in fraud detection/prevention and online security. Such systems could find their functionality compromised as a result.
Ads transparency browser extension
Google have also promised an open-source browser extension that will provide users with more information about the ads on the page they are viewing. This will include information about the adtech companies involved in the delivery of the ad and what trackers, if any, are present.
These announcements might at first seem counter-intuitive. Google is the world’s largest advertising company, so why would it want to block the cookies that online advertising systems use? There are multiple answers to this question. The first is simply that users worry about cross-site cookies. There are valid privacy concerns around them and a growing number of users want to block them. If users are going to be blocking cross-site cookies, then it is far better for Google, its advertisers and its publishers for them to be blocked in a measured manner than in a more aggressive manner that has a broader impact. Those user concerns have also led to growing amounts of privacy legislation around the globe. These changes in Chrome may well also be designed to signal to regulators that Google take the concerns seriously and are taking action.
Strange though it may seem, adding restrictions around how cookies are used might not be the act of Google self-harm that it initially seems to be. Cookies are a surprisingly democratic mechanism available to adtech players of all sizes. Remove them and those looking to serve a targeted, personalised ad need to work with a company who have more information on more users. These plays heavily to the big platforms like Google, Facebook and Amazon.
These Chrome announcements are quite conservative. There will be impact for publishers, and we will be discussing those here on the blog next week. However, the impact of what is currently known is likely to be limited. The concern for many publishers will be whether this round of announcements is the first of many to come.