Google has delayed the deprecation of third-party cookies in Chrome for the second time, pushing the timeline from late 2022 to the second half of 2023. The announcement, made through a Chromium blog post this week, cites the need for additional time to complete Privacy Sandbox API testing and to ensure the ecosystem is ready for the transition.

This is the second delay since the original January 2020 announcement established a two-year timeline. The first delay, in January 2021, pushed the date from late 2021 to late 2022. The second delay pushes it back by another year. We are now three and a half years from the original announcement with a transition that has not yet started.

The official framing — collaboration, ecosystem readiness, responsible transition — is consistent with how Google communicates all Privacy Sandbox decisions. The contextual framing — announced one month after the UK Competition and Markets Authority published its interim report on the Privacy Sandbox’s anticompetitive potential — is harder to read charitably.

Timeline: What Google Promised vs. Delivered

A timeline review is instructive.

January 2020: Google announces cookie deprecation “within two years” — implying late 2021. Privacy Sandbox proposals are published for W3C comment. The industry is given two years to build alternatives.

August 2020: FLoC is announced with origin trials expected for early 2021.

January 2021: First delay. Cookie deprecation pushed to “late 2022.” Rationale: the ecosystem needs more time. FLoC origin trials begin in Q1 2021.

March 2021: Google announces it will not use or build alternate cross-site identifiers, separating itself from UID2 and the broader identity ecosystem.

June 2021: Second delay. Cookie deprecation pushed to “H2 2023.” Rationale: Privacy Sandbox APIs need more testing; CMA investigation underway.

What the Privacy Sandbox APIs have delivered in eighteen months since the original announcement: FLoC origin trials at limited scale, with a specification that has been significantly criticized by the IAB Tech Lab, the Electronic Frontier Foundation, and the CMA. The Conversion Measurement API in early experimental state. Trust Tokens in limited testing.

What the independent adtech ecosystem has built in the same period: UID2 launched without independent governance. LiveRamp ATS with meaningful but incomplete publisher adoption. Contextual targeting infrastructure upgraded across multiple vendors. No universal replacement for the cookie’s cross-site targeting and attribution functions.

The CMA Investigation and Its Timing

The UK Competition and Markets Authority opened a formal investigation into the Privacy Sandbox in January 2021, following concerns raised by the ad tech industry that Google’s cookie deprecation approach was designed to disadvantage competitors. The CMA’s interim report, published in May 2021, found:

  • The Privacy Sandbox proposals, as currently designed, could entrench Google’s market position in online advertising markets.
  • The proposals could reduce competition in the buying and selling of online advertising.
  • Some aspects of the proposals could harm publishers by reducing the value of their inventory.

The CMA report is not a finding of wrongdoing — it is a preliminary assessment — but it establishes that a major competition regulator has found credible anticompetitive concerns in exactly the proposals that Google says it needs more time to develop.

The second delay announcement comes one month after this report. Google is now working with the CMA under a formal commitment to consult on Privacy Sandbox decisions. The Commitments Google offered include consulting with the CMA before deprecating cookies, providing the CMA with test data from Privacy Sandbox origin trials, and establishing industry advisory groups.

Whether the delay is primarily about genuine ecosystem readiness or about managing regulatory risk by demonstrating responsiveness to the CMA, the effect is the same: cookies continue for another 18 months, Privacy Sandbox APIs remain in development, and the independent adtech ecosystem continues operating in an environment of announced but unrealized disruption.

What the Delay Means for Industry Planning

The second delay is neither good news nor bad news for independent adtech companies — it is a signal that the timeline is not reliable as a planning anchor and that the transition, when it comes, will likely be sudden rather than gradual.

Each delay reduces the credibility of the next announced date. Companies that stopped investing in post-cookie infrastructure after the first delay and are stopping again after the second are accumulating technical debt. The right response is to treat the cookie deprecation timeline as “unknown but finite” rather than planning against a specific date.

What to continue building: First-party data collection and activation infrastructure. Contextual targeting capabilities. Publisher authentication programs. Identity framework integrations with UID2 and ATS. Privacy Sandbox API compatibility work, particularly for the Conversion Measurement API, which is further along than FLoC.

What to defer: Production deployment of Privacy Sandbox API-dependent campaign workflows. Any campaign strategy that assumes FLoC cohort signals will be available at scale in the near term — FLoC’s fate is uncertain given the IAB Tech Lab and EFF critiques.

What to watch: The CMA consultation process. The DOJ adtech antitrust investigation, which names AdX, DFP, and Google Ads in claims about vertical market foreclosure. The development of PAAPI (Protected Audience API), which is Google’s renamed and revised version of TURTLEDOVE, as it progresses through the W3C process.

The Regulatory Risk Horizon

The CMA investigation is the most concrete regulatory risk to the current Privacy Sandbox approach. If the CMA concludes that the Privacy Sandbox, as implemented, would harm competition in UK advertising markets, it has powers to require behavioral remedies — changes to how the APIs work, interoperability requirements, or, in extreme cases, structural remedies affecting Google’s advertising business in the UK.

Google’s commitments to the CMA create formal obligations that constrain its ability to deploy Privacy Sandbox changes unilaterally. The independent adtech industry that has been arguing its case through W3C comment threads now has a regulatory forum — the CMA consultation process — where its structural arguments can produce binding outcomes rather than just influencing specification language.

This is the substantive outcome of the delay that matters most: the regulatory engagement it reflects and the binding commitments it enables.


FAQ

Is H2 2023 the real cookie deprecation date now?

It is the current announced date, and it has less credibility than the original January 2020 announcement given that Google has now delayed twice. Most industry analysts are planning for a 2024 or later effective date while building post-cookie infrastructure as though the deadline were real. The CMA consultation commitment may actually create more enforcement for the timeline than Google’s voluntary statements — regulatory deadlines tend to hold better than self-imposed ones.

What is the CMA investigation and how does it affect Privacy Sandbox development?

The UK Competition and Markets Authority opened a formal investigation into whether Google’s Privacy Sandbox cookie deprecation plans could harm competition in online advertising markets. As a result, Google offered formal Commitments to the CMA that include consulting with the CMA before deprecating cookies, providing test data and results from Privacy Sandbox origin trials, and engaging with an industry advisory group. These commitments are legally binding in the UK. If Google violates them, the CMA can impose financial penalties. This gives the CMA meaningful influence over Privacy Sandbox timeline and design.

What happened to FLoC specifically — is it still moving forward?

FLoC origin trials ran in Q1-Q2 2021 on a limited population of Chrome users. The IAB Tech Lab published a comprehensive critique in April 2021 arguing that FLoC cohort IDs can be used for fingerprinting, that the cohort design provides insufficient audience resolution for most advertising use cases, and that the governance of cohort assignment is opaque. The EFF and academic privacy researchers raised fingerprinting concerns independently. Google has not formally abandoned FLoC but has renamed the underlying proposal to Protected Audience API (PAAPI) and is revising the design. Whether PAAPI addresses the technical critiques is still being evaluated.

Should publishers accelerate or slow down authentication investment given the delay?

Authentication investment should continue at the pace appropriate to the publisher’s own audience and business model — independent of the cookie delay. Publishers with registered user bases and the ability to implement authentication flows have a direct path to identity-enriched programmatic inventory that commands premium CPMs in non-Google channels today, not in 2023. The delay extends the window but does not eliminate the opportunity cost of building authentication infrastructure late.