Streaming Learning Center Where Streaming Professionals Learn to Excel
Related Articles
Google just kicked the can down the road—again—on killing third-party cookies in Chrome. While much of the advertising world rejoiced at the announcement, privacy professionals and legal teams should be sweating. This isn’t a free pass. It’s a stay of execution.
Specifically, in a statement released on April 22, 2025, Anthony Chavez, Vice President of the Privacy Sandbox initiative, stated:
“we’ve made the decision to maintain our current approach to offering users third-party cookie choice in Chrome, and will not be rolling out a new standalone prompt for third-party cookies. Users can continue to choose the best option for themselves in Chrome’s Privacy and Security Settings.”
This marks a reversal from Google’s earlier promise to disable third-party cookies by default in Chrome, following the lead of Firefox and Safari, which made that move years ago. Safari, through Intelligent Tracking Prevention, has blocked third-party cookies by default since 2017. Firefox did the same in 2019 with Enhanced Tracking Protection.
What Google is now saying is that third-party cookies will remain active by default, and it’s up to users to manually turn them off in Chrome’s settings. So, Chrome remains the only major browser that still allows advertisers to track users across sites unless the user explicitly opts out—something most people never do.
What’s critical to remember is that just because you can track users with third-party cookies in Chrome doesn’t make it legal. If you look at Google’s decision as a free pass, you could find yourself in violation of privacy laws like the CPRA or GDPR—exposing your company to fines, lawsuits, and serious reputational damage. Google may have left the door open, but it’s your responsibility to make sure walking through it doesn’t break the law.
Third-Party Cookies and Privacy Laws
Third-party cookies may be enabled by default in Chrome for now, but their legal status hasn’t changed. Under California’s Consumer Privacy Rights Act (CPRA), using third-party cookies to track users across sites and serve targeted ads may still qualify as selling or sharing personal information. That means you could be collecting data illegally, even if the browser allows it.
A quick legal primer: The CPRA applies not just to California-based companies, but to any business—worldwide—that collects personal data from California residents. If your business makes over $25 million annually, processes data from 100,000+ users, or earns half your revenue from selling or sharing user data, you’re covered. That includes storefronts that sell globally but don’t explicitly exclude California customers.
And it’s not just a U.S. problem. Under the EU’s General Data Protection Regulation (GDPR), consent is required before dropping non-essential cookies (like those used for advertising). That consent must be informed, freely given, and specific, which rules out the sneaky, pre-ticked boxes and hard-to-find opt-outs still common across many sites. Tracking someone without proper consent can get you fined, no matter where your servers are.
If you’re an advertiser still using third-party cookies, talk to your attorney (great article on the CPRA here). Review whether your cookie-based ad practices count as data sharing or selling under CPRA, and whether your site’s cookie banners and opt-outs comply with GDPR.
If you’re a consumer, your best move is to block third-party cookies in Chrome’s settings. It won’t solve everything, but it’s a meaningful first step toward limiting cross-site surveillance.
Just because Google left the door open for third-party cookies doesn’t mean you should walk through it blind.
