Google just announced another delay to full third-party cookie deprecation. The company is now signaling the timeline shifts into 2025, citing ongoing engagement with the UK’s Competition and Markets Authority. The industry’s reaction has ranged from exhaustion to relief, but the most important thing to understand about this delay is what it reveals about who actually controls the cookie’s fate — and what they’re actually worried about.

The answer is the CMA, and the concern isn’t privacy.

The CMA’s Role Is Not What Most People Think

The UK Competition and Markets Authority entered a formal engagement with Google in early 2021, when Google committed to providing advance notice before deprecating third-party cookies and to work collaboratively with the CMA before doing so. That commitment, known as the CMA’s Privacy Sandbox undertakings, gave a competition regulator formal authority over what is ostensibly a privacy initiative.

This is an unusual and important arrangement. The CMA’s mandate is competition law, not data protection — that’s the ICO’s territory. What the CMA saw in Privacy Sandbox was not a privacy measure but a potential competition intervention with structural consequences for the UK digital advertising market.

The concern, clearly articulated in the CMA’s published reports, is this: third-party cookies are bad for privacy but relatively neutral for competition. They’re available to everyone — Google, The Trade Desk, Xandr, independent ad tech companies, publishers, measurement vendors. Privacy Sandbox, as originally designed, would replace open-access cookie infrastructure with APIs controlled by Google, operating inside Chrome, with rules set by Google.

The CMA’s analysts asked a direct question: would this shift make Google’s advertising products relatively more powerful than they were with cookies? The answer, based on their assessment of the Privacy Sandbox API designs, was potentially yes.

The Specific Technical Arguments

The CMA’s most recent Privacy Sandbox review gets into specific technical concerns that are worth understanding, because they explain why the undertakings haven’t been resolved despite years of negotiation.

The Protected Audience API (formerly FLEDGE), which handles retargeting in a cookieless environment, runs auctions inside the browser. This “on-device” architecture is positioned as privacy-preserving — advertiser audience data never leaves the user’s browser. But the CMA has raised questions about whether this architecture disadvantages DSPs that don’t have a browser presence. Google’s own DV360 has a Chrome-native advantage that independent DSPs don’t have. The question of whether that advantage produces a competition concern is what the undertakings process is trying to resolve.

The Attribution Reporting API, which replaces conversion pixel tracking, aggregates conversion data and adds noise before reporting. The privacy benefits are real. The CMA’s concern is whether the aggregation and noise parameters, which Google sets, could be designed to advantage Google’s own measurement products over third-party measurement vendors. If Google controls the signal quality of attribution reporting in Chrome, that’s a structurally powerful position.

The Topics API, which replaced FLoC as the interest-based targeting replacement, generates topic assignments from browsing history inside the browser and exposes limited signals to publishers and ad tech. The CMA’s question is whether the taxonomy, the signal quality, and the access model are designed in ways that benefit Google’s contextual ad products — which map directly to the Topics taxonomy — over competing targeting systems.

Why “Just Keep Cookies” Isn’t the CMA’s Answer

It would be a misreading of the CMA’s position to conclude that they want cookies to stay indefinitely. The undertakings process is not a proxy for cookie preservation — it’s a requirement that any replacement for cookies not entrench Google’s market power beyond what cookies already represented.

This is a meaningful distinction. The CMA is asking Google to demonstrate that Privacy Sandbox APIs would leave the competitive landscape for ad tech at least as open as it was with cookies. That means third-party access to targeting, measurement, and attribution signals in Chrome that is genuinely comparable to what the ecosystem has with cookies today.

Google has made modifications to the Privacy Sandbox designs in response to CMA concerns. The Privacy Sandbox timeline and CMA correspondence is publicly documented and makes for dense reading. The short version: progress has been made on interoperability commitments and API access rules, but the CMA has not yet signed off that the full replacement package meets competition requirements.

Until they do, Google has committed not to deprecate. That commitment is why the cookie is still alive today, and why the latest delay is a direct consequence of CMA review velocity, not Google’s privacy engineering schedule.

What the DOJ Is Watching

The CMA is not the only competition authority watching Privacy Sandbox. The US Department of Justice, which filed its adtech antitrust suit against Google in January 2023, has made related arguments about Google’s incentive to design Privacy Sandbox in ways that benefit its own ad stack.

The DOJ trial is expected to proceed this year, and the intersection of Privacy Sandbox and the antitrust case creates an unusual dynamic. If the DOJ prevails and seeks structural remedies — potentially requiring Google to divest AdX or DFP — the question of who controls Chrome’s advertising APIs becomes even more pointed. A divested Google ad exchange operating alongside a Google-controlled browser privacy infrastructure is a different competitive scenario than one where Google owns the whole stack.

The European Commission is watching too. The Digital Markets Act designates Google’s core platform services as gatekeeper services, and the Commission’s enforcement teams have raised questions about whether Chrome and Google Search, as platform services, could be used to advantage Google’s advertising products through Privacy Sandbox API design.

The CMA’s undertakings process has, deliberately or not, given every major competition authority leverage over the pace of cookie deprecation. That’s why the delay announced this month is likely not the last one.

Implications for the Industry

For the ad tech industry, the honest implication of the CMA situation is that “when will cookies go away” is the wrong question. The right question is “what is the eventual architecture, and who controls it.”

If Privacy Sandbox proceeds with strong interoperability commitments validated by the CMA, the post-cookie environment will be genuinely open — different in mechanics from cookies but not structurally advantageous to any single player. That outcome is good for independent ad tech.

If Google and the CMA fail to reach satisfactory commitments, the scenarios range from long-delayed deprecation (bad for everyone building alternative infrastructure) to a negotiated outcome that modifies Chrome privacy architecture more substantially than Google currently contemplates.

Publishers should not be building identity and authentication programs primarily to hedge against cookie loss. They should be building them because they generate direct revenue through CPM premiums and because regulatory pressure on commercial data intermediaries is increasing regardless of what happens in Chrome. The CMA drama is a distraction from that fundamental.

FAQ

Q: What exactly are the CMA’s “Privacy Sandbox undertakings” and are they legally binding? The undertakings are a formal commitment Google made to the CMA in February 2022, giving the CMA consultation rights and a de facto veto over cookie deprecation timing. Google agreed not to deprecate third-party cookies without first satisfying the CMA that Privacy Sandbox wouldn’t harm competition. The commitments are legally binding under UK competition law.

Q: Does the CMA’s engagement mean the UK will have a different cookie policy than the EU or US? The CMA’s authority is specific to Chrome browser changes and their competition implications in the UK. The CMA is not setting cookie policy for publishers — that’s the ICO under UK GDPR. In practice, Chrome is a global browser, and any CMA-negotiated changes to Privacy Sandbox architecture affect global deployment, giving the CMA outsized influence relative to its jurisdictional scope.

Q: If Privacy Sandbox is ultimately rejected by the CMA, what happens to third-party cookies? If no CMA-satisfactory cookie replacement is agreed, Google’s options are: keep cookies indefinitely (which conflicts with their privacy commitments), deploy Privacy Sandbox anyway (which violates their undertakings and risks CMA enforcement action), or negotiate a modified architecture. The most likely outcome of a prolonged standoff is extended delays rather than a clean rejection.

Q: Should adtech companies stop investing in Privacy Sandbox integration given the uncertainty? No. Privacy Sandbox integration — particularly for Protected Audience and Attribution Reporting — provides real value for testing and cookieless traffic management today. Safari and Firefox represent 30%+ of traffic without any Privacy Sandbox alternative, and those users benefit from any cookieless bidding infrastructure an adtech company builds. The CMA delay extends the runway but doesn’t change the direction.