Overview

Executive Summary

Third-party cookies are small text files that have underpinned cross-site behavioral tracking for more than two decades. They are being systematically eliminated, not because the industry chose to move on, but because regulators, browser vendors, and courts decided the privacy tradeoffs were no longer acceptable.

This report is organized around three questions: How did third-party cookies enable the tracking ecosystem that now exists? What specific technical and regulatory forces are dismantling that ecosystem? And what replaces it, both technically and from a user privacy standpoint?

The answers reveal a system whose privacy implications were largely invisible to the users it profiled. A typical web session generates dozens of tracking calls to ad networks, data brokers, and analytics platforms, none of which the user deliberately engaged with. Browsers and operating systems are responding with enforcement mechanisms that make cross-site behavioral profiling technically impossible without user consent.

Key Takeaway

The end of third-party cookies is not primarily a business transition: it is a privacy correction. The technical alternatives that replace them are architecturally different in ways that matter, they move data processing closer to the user, reduce the surface area for data leakage, and make tracking harder to do invisibly. Organizations that understand these architectural differences will make better decisions about compliance, user trust, and long-term data strategy.

Scope & Objectives

This report addresses three objectives:

  1. Explain the technology. Provide a technically accurate account of how third-party cookies enable cross-site tracking, including the HTTP mechanisms, the ad tech stack that uses them, and the specific privacy harms they create.
  2. Document the deprecation. Trace the multi-year process by which browser vendors, mobile operating systems, and regulatory bodies dismantled cookie-based tracking, and clarify what has actually changed as of early 2026.
  3. Assess the replacements. Evaluate the technical alternatives being deployed in the post-cookie environment, their capabilities, their genuine privacy properties, and their limitations.
Part I

How Third-Party Cookies Work — and Why They’re a Privacy Problem

To understand why third-party cookies are being eliminated, you first need to understand what they are, how they function at a protocol level, and what they made possible at scale. The privacy problem is architectural: it was not an accident or an abuse of the system, but a consequence of what the system was designed to do.

A cookie is a small key-value data store set by a server and persisted in the user’s browser. When a server includes a Set-Cookie header in an HTTP response, the browser stores it and returns it in the Cookie header of every subsequent request to that domain. This mechanism was introduced in 1994 by Lou Montulli at Netscape as a way to implement session state in an otherwise stateless HTTP protocol.5

A first-party cookie is set by the domain the user is currently visiting. A third-party cookie is set by a different domain, one whose resources are embedded in the page you’re visiting. That cookie will be sent back to the third party every time you visit any other site that also loads its resources, enabling it to recognize you across unrelated websites.

Technical Detail — SameSite Attribute

The SameSite cookie attribute, introduced in 2016 and strengthened in 2020, was the first major technical countermeasure. Cookies with SameSite=Strict are never sent on cross-site requests. Cookies with SameSite=Lax are sent only on top-level navigations. Cookies with SameSite=None (the legacy default for third-party cookies) are sent in all contexts, but Chrome began requiring these to also carry Secure=true in 2020.6

The Tracking Stack

Third-party cookies became the foundation of a multi-layer data infrastructure. The table below details the major layers of the third-party cookie tracking stack.

Layer Technology What Third-Party Cookies Enabled
Ad Networks & Exchanges Google Ad Manager, OpenX, Xandr Persistent user identifier across publisher inventory for frequency capping, retargeting, and cross-publisher reach measurement
Demand-Side Platforms (DSPs) The Trade Desk, DV360, MediaMath Bidding on impressions based on behavioral audience segments built from cross-site data
Data Management Platforms (DMPs) Salesforce DMP, Oracle BlueKai Aggregating cross-site behavioral data into audience segments sold to advertisers
Analytics Platforms Google Analytics (Universal), Adobe Analytics Cross-domain user journey tracking and attribution without authentication
Tag Managers Google Tag Manager, Tealium Deploying third-party pixel/cookie combinations at scale without engineering involvement
Identity Graphs LiveRamp, Neustar, Experian Linking browser cookie IDs to offline identity data (name, address, purchase history)
Table 1. The major layers of the third-party cookie tracking stack. Source: Digital 520 Analysis.

The real-time bidding (RTB) auction that underlies most programmatic advertising depends on all of these layers functioning together. When a user loads a web page, the publisher’s supply-side platform broadcasts an auction opportunity including the user’s cookie-based ID. The entire system depends on a persistent, shared identifier.7

Studies from Princeton’s Web Transparency and Accountability Project found that a majority of the top 1 million websites load third-party tracking code from Google, Meta, or both. On a typical news or retail site, a user’s browser makes 50–300 third-party requests per page load.1

Privacy Violations by Design

The privacy implications of third-party cookie infrastructure operate on several levels:

  • Cross-site behavioral profiling. An ad network embedded in thousands of publisher sites can observe and record every page a user visits that includes its tracking pixel. Over time this creates a detailed behavioral profile: political interests, health conditions, financial situation — none directly provided by the user.
  • Re-identification of supposedly anonymous data. Cookie-based profiles can be linked to real identity through cookie syncing, in which two ad networks exchange cookie IDs and link their respective behavioral datasets.8
  • Data persistence and breadth. Cookie-based behavioral data persists across sessions and devices, and can be sold to parties the user never interacted with. Data brokers built multi-billion dollar businesses on this supply chain.
  • Lack of meaningful consent. Prior to GDPR, most third-party tracking required no user notification. Post-GDPR consent banners are widely criticized as dark-pattern implementations that make refusal intentionally difficult.9
Technical Note — Cookie Syncing

Cookie syncing is the mechanism by which two independent ad networks share user identifiers. Network A embeds a pixel and sets its cookie ID. Network A calls a redirect URL on Network B, appending its own user ID as a URL parameter. Network B links the two IDs. This process happens silently on millions of page loads and is the technical mechanism that enabled “audience extension” products.

The Regulatory Response

The table below details key privacy regulations and their implications for cookie-based tracking.

Regulation Jurisdiction Key Cookie/Tracking Provisions
ePrivacy Directive (2002, amended 2009) European Union First EU law requiring consent for storing information on a user’s device. Widely unenforced.
GDPR (2018) European Union Requires freely given, specific, informed consent for processing personal data. Applies to cookie-based identifiers. Fines up to 4% of global revenue.
CCPA (2020) California, USA Grants consumers right to opt out of sale of personal information, including behavioral data. Amended by CPRA (2023).
Digital Markets Act (DMA, 2023) European Union Requires “gatekeepers” (Google, Meta, Apple) to obtain separate consent before combining personal data across services.
UK GDPR / Data Protection Act 2018 United Kingdom Post-Brexit equivalent of EU GDPR. ICO specifies cookie-based identifiers constitute personal data requiring valid consent.
Table 2. Key privacy regulations and their implications for cookie-based tracking. Source: Digital 520 Analysis.

The most significant enforcement actions: French CNIL fined Google €150 million and Meta €60 million in January 2022 for making it harder to refuse cookies than to accept them.10

Part II

The Deprecation Timeline

Safari ITP (2017–2020)

Apple’s WebKit team shipped Intelligent Tracking Prevention in Safari in September 2017, using machine learning to classify third-party domains as tracking domains. ITP 2.0 (2018) blocked all third-party cookies from classified domains entirely. ITP 2.1 (2019) added a 7-day cap on all script-writeable first-party storage set via third-party scripts. ITP 2.3 (2019) closed the cross-site link decoration workaround by stripping tracking parameters from URLs. Safari held approximately 20–25% of global browser market share,11 meaning roughly a quarter of web users were no longer trackable via third-party cookies.

Apple ATT (2021)

In April 2021, Apple shipped iOS 14.5 with the App Tracking Transparency framework. ATT requires all iOS apps to explicitly request user permission before accessing the device’s IDFA. Opt-in rates globally settled at approximately 25%,2 meaning three in four users denied permission when asked directly and clearly.

Prior to ATT, the IDFA was available to all apps unless the user manually disabled it, very few did. When Apple changed the default to opt-in with a clear prompt, 75% of users said no. This gap between “default-on” and “genuinely-asked” consent rates is the most important data point in the privacy debate.

Google Privacy Sandbox (2019–2026)

Google announced the Privacy Sandbox initiative in August 2019,12 proposing to replace third-party cookies in Chrome with privacy-preserving APIs. Google originally proposed deprecating third-party cookies by late 2022. The deadline was extended five times. Google then revised its approach: rather than deprecating third-party cookies entirely, Chrome now presents users with a one-time choice, a change driven by pressure from the UK Competition and Markets Authority.13

API / Proposal Purpose Technical Approach Status (2026)
Topics API Interest-based targeting Browser assigns weekly interest topics from a public taxonomy (~350 topics) Shipping in Chrome. Adoption limited.
Protected Audience API Retargeting without cookie syncing Auction runs on-device in an isolated JavaScript worklet Shipping in Chrome. Functionally limited vs. server-side retargeting.
Attribution Reporting API Conversion measurement Browser matches ad impression to conversion and generates a privacy-preserving aggregate report with noise Shipping in Chrome.
Storage Access API Embedded third-party state access Third-party iframes can request access to first-party cookies via a user-prompted dialog Shipping in Chrome, Safari, Firefox.
CHIPS (Partitioned Cookies) Cookies scoped to top-level site Third-party cookies with Partitioned attribute scoped to specific first-party context Shipping in Chrome 114+.
Table 3. Google Privacy Sandbox API overview and deployment status as of early 2026. Source: Google Privacy Sandbox developer documentation.3

Where Things Stand in 2026

  • Safari and Firefox: Third-party cookies blocked by default since 2020 and 2019. Combined ~30–35% of global web traffic.11
  • Chrome: Third-party cookies remain available but users have been presented with a one-time consent choice. Estimates suggest 40–60% of Chrome users will disable third-party cookies when prompted.
  • iOS App Tracking: The IDFA is unavailable for approximately 75% of iOS users.
  • Privacy Sandbox APIs: Deployed in Chrome but adoption is uneven. The APIs do not provide equivalent functionality for all use cases.
Part III

Technical Alternatives

No single technology replaces third-party cookies. The ecosystem is replacing a general-purpose cross-site identifier with a set of purpose-specific, architecturally constrained tools.

Privacy Sandbox APIs

The Privacy Sandbox APIs are browser-native alternatives to specific third-party cookie use cases. Their key architectural innovation is moving processing from servers, where data can be freely collected, to the browser, where it can be restricted and audited.

Technical constraints of the Topics API: Topics are limited to a predefined public taxonomy. A maximum of 3 topics are returned per call. Topic epochs rotate weekly, limiting persistent profile accumulation. The API includes a noise mechanism: 5% of the time, a random topic is returned.

Protected Audience architecture: Interest groups are stored in the browser, not on any server. Bidding functions run in isolated JavaScript worklets with no network access. The auction result is subject to k-anonymity requirements (k=50 in current implementation). On-device auctions are computationally constrained, complex ML-based bidding strategies cannot run in browser worklets.

First-Party Data Infrastructure

The highest-value investment in the post-cookie environment is first-party data collected directly from users through owned channels. Building genuine first-party data infrastructure typically requires:

  • Identity resolution layer. A system linking authenticated users across devices using email-based or phone-based identifiers — deterministic rather than probabilistic.
  • Consent management platform (CMP). A system for recording, storing, and honoring user consent choices in a technically enforceable and legally auditable way.
  • Customer data platform (CDP). A unified database aggregating first-party data from web, app, CRM, and offline sources into persistent customer profiles.
  • Server-side event tracking. Sending conversion and behavioral events directly from the advertiser’s server to ad platforms’ Conversion APIs, bypassing the browser entirely.

Server-Side Tracking

Server-side tracking routes user event data through the advertiser’s own server before forwarding it to advertising and analytics platforms, rather than firing client-side pixels directly from the user’s browser.

Architecture: User takes an action → browser fires an event to the advertiser’s own server-side endpoint (first-party request) → server enriches the event with CRM data and authenticated user ID → server forwards to platform Conversion APIs (Meta CAPI, Google Ads Conversion API, TikTok Events API).

Privacy Consideration

Server-side tracking does not inherently improve user privacy, it moves the tracking infrastructure to a place where users have less visibility. Privacy properties depend entirely on the organization’s data handling practices and consent. Under GDPR, server-side tracking still constitutes processing of personal data if it involves identifiable users.

Contextual Targeting

Contextual targeting serves ads based on the content of the page being viewed rather than the behavioral history of the user. Modern contextual targeting uses NLP models to classify page content across hundreds of topic and sentiment dimensions. From a privacy standpoint, contextual targeting has genuine advantages: it does not build or require user profiles, generates no cross-site tracking data, and requires no consent under GDPR since it does not process personal data.

Identity Solutions

The table below compares major identity solutions for post-cookie environments.

Solution Operator Mechanism Privacy Properties
UID2 The Trade Desk (open-source) Hashed and encrypted email/phone at authentication. Hash shared across participating publishers and DSPs. Global opt-out endpoint. Coverage limited to authenticated environments.
LiveRamp ATS LiveRamp Publisher authenticates user; LiveRamp generates an encrypted RampID for use in ad auctions. No direct cookie dependency. Requires explicit authentication. Data passes through LiveRamp infrastructure.
Google PPID Google Publisher generates an opaque identifier for authenticated users and passes it to Google Ad Manager. ID is opaque to Google. Only usable within Google ecosystem.
ID5 ID5 (independent) Probabilistic and deterministic matching across publisher network. Partially probabilistic. Privacy properties weaker than fully authenticated solutions.
Table 4. Identity solution comparison for post-cookie environments. Source: Digital 520 Analysis; The Trade Desk UID2 documentation.14

Data Clean Rooms

A data clean room is a secure computing environment that allows two parties to analyze overlapping datasets without either party directly accessing the other’s raw data.

Architecture: Advertiser uploads hashed first-party customer list → publisher uploads hashed authenticated audience → clean room executes queries over overlapping dataset in an isolated compute environment → differential privacy techniques add statistical noise → neither party receives the other’s raw data.15

Major implementations: Google Ads Data Hub, Meta Advanced Analytics, Amazon AWS Clean Rooms, Snowflake Secure Data Sharing, InfoSum.

Part IV

Privacy Implications

What Users Actually Gain

  • Reduced cross-site behavioral profiling. Without a shared identifier, ad networks cannot silently observe and link a user’s activity across sites they did not choose to engage with.
  • Profile data stays in the browser. Privacy Sandbox APIs keep user interest data on the device rather than uploading it to servers.
  • Consent becomes more meaningful. ATT’s 25% opt-in rate demonstrates that when consent is genuinely informed and easily exercised, a large majority of users choose to limit tracking.
  • Fewer data brokers in the loop. Browser-level partitioning directly reduces the surface area of data sharing.

What Still Threatens Privacy

  • Browser fingerprinting. A browser can be identified through user agent, screen resolution, installed fonts, canvas rendering behavior — without any cookies. Studies suggest 80–95% of browser instances can be uniquely identified through fingerprinting.16
  • Walled garden consolidation. The decline of open-web third-party cookies strengthens Google, Meta, and Amazon because their tracking infrastructure is first-party within their own ecosystems.
  • Authenticated identity infrastructure. Solutions like UID2 replace cookie-based cross-site tracking with authentication-based cross-site tracking. Privacy outcome depends on consent mechanism quality.
  • Server-side and CNAME workarounds. CNAME cloaking routes third-party tracking through a DNS alias, maintaining significant tracking capability outside browser restrictions.
Digital 520 Perspective

The Privacy Sandbox has been criticized by privacy advocates as a Google-controlled transition designed primarily to protect Google’s advertising business under the appearance of a privacy improvement. Google’s advertising data collection within its authenticated user base is entirely unaffected by Privacy Sandbox. The architectural shift constrains independent ad networks while Google’s data position strengthens.

Tracking Method Requires GDPR Consent? Notes
Third-party cookies (behavioral) Yes — legitimate interest insufficient CNIL, ICO, and most DPAs have ruled that behavioral advertising cannot rely on legitimate interest.
First-party cookies (analytics, session) Depends Strictly necessary cookies exempt. Analytics that build user profiles require consent.
Privacy Sandbox APIs (Topics, Protected Audience) Position unclear Several European DPAs are evaluating whether the APIs constitute processing of personal data.
Server-side tracking with hashed email Yes, if linked to identifiable individual Hashed email is still personal data under GDPR if the individual is otherwise identifiable.
Contextual advertising (no user data) No consent required Processing page content to serve relevant ads does not constitute personal data processing.
Authenticated identity (UID2, ATS) Yes — consent required at point of authentication Authentication event must include informed disclosure.
Table 5. GDPR consent requirements by tracking method. Source: Digital 520 Analysis; CNIL, ICO guidance.
Part V

Practical Guidance

For Engineering and Technical Teams

  1. Audit your cookie inventory using browser DevTools, a privacy scanning tool (OneTrust, Cookiebot), or web application firewall log analysis. Categorize each by purpose: strictly necessary, functional, analytics, or advertising.
  2. Classify and remediate SameSite attributes. Any third-party cookie in a cross-site context must carry SameSite=None; Secure. First-party session and authentication cookies should use SameSite=Strict or SameSite=Lax.
  3. Implement server-side Conversion APIs for each ad platform you use (Google, Meta, TikTok, LinkedIn).
  4. Evaluate and implement Google Privacy Sandbox APIs. Test Topics API integration for Chrome-targeted campaigns. Prototype Protected Audience API integration for retargeting.
  5. Implement CHIPS for functional third-party embeds. If your service is embedded in other sites, migrate third-party cookies to use the Partitioned attribute.
  6. Audit your consent management implementation. Verify your CMP correctly enforces consent choices at the tag/pixel level. If using Google Consent Mode v2, ensure the default state for analytics and advertising tags is ‘denied’ until consent is collected.
Consent Mode v2

Google Consent Mode v2 (required as of March 2024 for EEA traffic) sends behavioral modeling signals to Google even when consent is denied. The CMA and several European DPAs have expressed concerns about whether modeling based on non-consented data is compatible with GDPR. Consult legal counsel before concluding it resolves consent obligations.

For Marketing and Advertising Teams

  1. Audit your current attribution model. Identify what percentage of conversion attribution currently depends on third-party cookies. Multi-touch attribution models relying on cross-site cookie stitching are already broken for Safari and Firefox users.
  2. Invest in authenticated value exchange. Email subscription programs, loyalty accounts, and gated content are the mechanisms by which users voluntarily provide authenticated identity.
  3. Build platform-specific audiences natively. Within walled gardens, first-party customer match lists are more reliable than behavioral targeting built on third-party data.
  4. Test contextual campaign structures. Many marketers find the gap smaller than expected for categories with strong content-intent correlation.

For SMBs and Lean Organizations

Priority Action Why It Matters
1 — Immediate Implement a CMP that blocks all non-essential tracking tags until consent is given Required for GDPR/CCPA compliance. Many platforms (Cookiebot, CookieYes) offer SMB-priced plans.
2 — Near-term Migrate from Universal Analytics to GA4 with consent mode and IP anonymization Universal Analytics has been sunset. GA4 with consent mode is the current standard.
3 — Near-term Implement Meta CAPI and Google Conversion API server-side events Recovers conversion data lost to ITP, iOS ATT, and ad blockers.
4 — Medium-term Build an email list with explicit consent and a clear value proposition Authenticated first-party audience is the most resilient long-term asset.
5 — Medium-term Audit and reduce third-party script load on your site Each third-party script is a potential tracking, security risk, and performance issue.
Table 6. Priority action framework for SMBs and lean organizations. Source: Digital 520 Advisory Practice.

For Publishers and Media Companies

  1. Build first-party registration and login. Even a modest logged-in audience (10–20% of regular readers) significantly improves programmatic CPMs.
  2. Implement a subscription or newsletter strategy. Email as a first-party channel is resilient to all browser and platform changes.
  3. Evaluate direct data partnerships via clean rooms.
  4. Pressure-test your programmatic stack for Sandbox readiness. Work with your SSP to verify Protected Audience API and Topics API integration status.
Conclusion

Conclusion

Third-party cookies were an accident of history: a general-purpose session mechanism repurposed at scale into a cross-site surveillance infrastructure that most users never consented to and many would reject if they understood it. The fact that 75% of iOS users declined ad tracking when asked directly tells you everything about the gap between technical capability and genuine consent.

The deprecation is real, the timeline is messy, and the replacements are imperfect. Privacy Sandbox APIs provide meaningfully better privacy properties than third-party cookies in some dimensions while introducing new concerns in others. Server-side tracking removes user-visible tracking without necessarily reducing underlying data collection. Authenticated identity solutions preserve cross-site targeting but anchor it to consent events that vary widely in quality.

Key Implications
  • Audit your current cookie usage before assuming your tracking infrastructure still works; ITP and Firefox blocking have been degrading data quality for years.
  • Server-side Conversion API implementation is the highest near-term ROI technical investment for most advertising-dependent organizations.
  • Privacy Sandbox APIs are available but adoption is early. Engineering teams should prototype now, not wait for industry consensus.
  • First-party authenticated identity is the only durable long-term alternative. Everything else is a bridge.
  • Contextual advertising offers a structurally clean, consent-free approach that outperforms behavioral targeting in high-intent content categories.
  • Consent must be real, not a design exercise in coercing acceptance. Regulatory enforcement is closing the gap between dark-pattern consent and genuine choice.
Appendix A

Methodology

Digital 520 applies a rigorous, multi-source research methodology. For this report the following sources and methods were employed:

  • Primary technical documentation. Google Privacy Sandbox developer documentation, Apple WebKit ITP technical writeups, W3C specifications for the SameSite cookie attribute, CHIPS, Storage Access API, and Topics API were reviewed in full.
  • Regulatory source review. GDPR text, ePrivacy Directive, CCPA/CPRA text, DMA, and enforcement decisions from CNIL, ICO, and the Irish DPC were reviewed.
  • Academic and industry research. Research on browser fingerprinting (EFF Panopticlick, Princeton WTAP), cookie syncing mechanics, and ATT opt-in rates was reviewed and cited.
  • Practitioner judgment. Digital 520’s advisory experience across privacy engineering, advertising technology, and compliance engagements informs the practical guidance.

Limitations: Browser behavior and Privacy Sandbox API specifications are subject to rapid change. Policy positions from regulatory bodies continue to evolve, particularly regarding Privacy Sandbox APIs and Consent Mode v2.

Appendix B

Glossary

Term Definition
ATT (App Tracking Transparency) Apple’s iOS 14.5+ framework requiring apps to explicitly request user permission before accessing the IDFA. Opt-in rates settled at approximately 25% globally.
CHIPS (Cookies Having Independent Partitioned State) A browser mechanism allowing third-party cookies to be partitioned by top-level site, enabling functional embeds without enabling cross-site tracking.
Clean Room A secure computing environment in which two parties can perform joint data analysis without exposing raw individual-level records to each other.
CMP (Consent Management Platform) Software that presents cookie consent choices to users, records consent signals, and enforces those signals by blocking tracking tags without appropriate consent.
Contextual Advertising Advertising targeted based on the content of the page being viewed. Requires no personal data processing and no GDPR consent.
Cookie Syncing A mechanism by which two ad networks share user identifiers by passing them through pixel redirect chains, enabling cross-network audience matching.
Differential Privacy A mathematical privacy framework that adds calibrated statistical noise to query outputs to prevent reconstruction of individual-level data from aggregate results.
Fingerprinting A technique for identifying a browser or device based on technical characteristics (user agent, screen resolution, fonts, canvas rendering) without using cookies.
GDPR General Data Protection Regulation (EU) 2016/679. Requires a valid lawful basis for processing personal data, including cookie-based identifiers.
IDFA (Identifier for Advertisers) Apple’s device-level advertising identifier, analogous to a third-party cookie for mobile apps. Access requires explicit opt-in under ATT on iOS 14.5+.
ITP (Intelligent Tracking Prevention) Apple’s browser-level tracking protection technology in Safari, using machine learning to classify tracking domains and restrict cross-site cookie access.
Privacy Sandbox Google’s initiative to develop browser-native APIs that provide privacy-preserving alternatives to third-party cookie-based advertising functions in Chrome.
Protected Audience API A Privacy Sandbox API (formerly FLEDGE) enabling on-device retargeting auctions without cross-site cookie syncing.
RTB (Real-Time Bidding) The automated auction mechanism in which digital ad impressions are bought and sold in milliseconds, with DSPs bidding based on user behavioral data.
SameSite Attribute An HTTP cookie attribute controlling whether cookies are sent on cross-site requests. SameSite=None allows cross-site use; SameSite=Lax and SameSite=Strict restrict it.
Topics API A Privacy Sandbox API that provides browsers with interest categories based on local browsing history, without exposing individual site visit history to ad networks.
UID2 (Unified ID 2.0) The Trade Desk’s open-source authenticated identity framework using hashed email addresses to create a persistent cross-site identifier anchored to user authentication events.
Table 7. Glossary of key terms. Source: Digital 520 Analysis.
References

Endnotes

The following references support the data and claims presented in this report. Digital 520 maintains a full citation database for all Insight Reports.

  1. Englehardt, S. & Narayanan, A. “Online Tracking: A 1-million-site Measurement and Analysis.” Princeton Web Transparency and Accountability Project. ACM CCS 2016.
  2. Flurry Analytics / Yahoo. “iOS 14.5 Opt-In Rate: Daily Updates Since Launch.” April 2021 onwards.
  3. Google. “Privacy Sandbox Timeline.” developer.chrome.com/docs/privacy-sandbox. Accessed March 2026.
  4. International Association of Privacy Professionals (IAPP). “Global Privacy Law and DPA Directory.” 2025.
  5. Kristol, D. & Montulli, L. “RFC 2109: HTTP State Management Mechanism.” IETF. February 1997.
  6. West, M. & Goodwin, M. “SameSite Cookies Explained.” web.dev, Google.
  7. Interactive Advertising Bureau (IAB). “OpenRTB API Specification.”
  8. Englehardt, S. & Narayanan, A. (cookie syncing section). ACM CCS 2016.
  9. Forbrukerradet (Norwegian Consumer Council). “Deceived by Design.” June 2018.
  10. Commission Nationale de l’informatique et des libertés (CNIL). “Cookie consent: CNIL fines GOOGLE €150 million and FACEBOOK €60 million.” January 2022.
  11. StatCounter GlobalStats. “Browser Market Share Worldwide.” 2025.
  12. Google. “Building a more private web.” Chromium Blog. August 2019.
  13. UK Competition and Markets Authority. “Investigation into Google’s Privacy Sandbox browser changes.” Final Report. 2022.
  14. The Trade Desk. “Unified ID 2.0.” thetradedesk.com.
  15. International Association of Privacy Professionals (IAPP). “Data Clean Rooms: Privacy and Advertising Technology.” 2023.
  16. Electronic Frontier Foundation. “Browser Fingerprinting: An Introduction and the Challenges Ahead.” eff.org.

Download the Full Report

Access the complete formatted PDF edition of this Digital 520 Insight Report on third-party tracking deprecation.

Download PDF — Third-Party Tracking Report