Google Walks Back Cookie Privacy Protections

By Raphaël Mimoun, public interest technologist and founder of Horizontal

In January 2020, Google announced it would phase-out third-party cookies from its web browser, Chrome. Privacy advocates, who had for years denounced the invasive nature of third-party cookies, welcomed the announcement. Five years later, in April 2025, Google reversed course: third-party cookies will remain in Chrome for the foreseeable future. The reversal cements the surveillance-capitalist nature of Google’s business model and sheds any pretense of prioritizing user privacy. Billions of Chrome users will continue to have their online activities tracked, recorded, and sold without their consent—not just by Google but also by countless companies and data brokers.  

What Cookies Are and Why They Matter

A cookie is a small file that websites store in our web browser when we visit them. They help these websites remember information about us: for example, websites use cookies to save our login details so we don’t have to enter our password every single time; shopping sites use cookies to remember what we add to our shopping cart. Many websites also use cookies to learn how we use their services—which page we visit, how long we spend on the website—so they can improve their user experience or the services they offer. The cookies installed by websites to remember our account information or preferences are called first-party cookies. While they may be invasive at times, first-party cookies play an important role in making the web usable.

Third-party cookies, on the other hand, are used to track and surveil users in worrying ways. Unlike first-party cookies, third-party cookies aren’t created by the websites we visit; they’re created by other services or companies whose technology the websites we visit rely on. These cookies are used to follow users beyond the website that installs them in our browser, and across other websites. For example, if you visit an online kitchenware store, a third-party cookie may be installed by an advertiser in your browser. From there, this cookie will record the other websites you visit—a second kitchenware store and a recipe blog. This information will then be used by the advertiser to show you ads in Instagram, Google Search, or YouTube. 

But third-party cookies do not stop at shopping websites: all of our searches and activities are recorded. Looking up information about a health condition you have? Seeking a divorce lawyer? Searching for an abortion clinic? All of this will be recorded. Data brokers, the companies that buy, collect, and aggregate data about us into detailed profiles, then sell this information. Our most intimate data becomes accessible with few restrictions or regulations, whether to health insurers who may use health data to discriminate against customers, or to evangelical groups targeting pregnant women with anti-abortion campaigns. Even law enforcement agencies buy data they are not allowed to collect themselves from these brokers.

Google Chooses Advertisers 

In this landscape of complex and poorly-regulated tracking technologies, Google plays a central role. Over two-thirds of the world’s internet users rely on Chrome. Any changes to the browser's policies on third-party cookies directly impacts the privacy of billions of internet users.

In January 2020, when Google announced its decision to phase out third-party cookies, it cited the ever-increasing user demands for privacy and transparency. At the same time, Google presented new technologies to provide advertisers with more privacy-friendly ways to serve ads to users. These technologies—carrying technical names like called Privacy Sandbox or Federated Learning of Cohorts (FLoC)—aimed to preserve individual internet users’ privacy while still giving advertisers the ability to target them with ads relevant to them. 

Other internet browsers like Mozilla’s Firefox had already banned third-party cookies, without needing to look for a fallback solution to satisfy advertisers. But unlike these other browsers, Google isn’t just a technology company; it is also the world’s largest advertising platform. Google serves billions of ads on Google Search or YouTube every single day. This dual role as both a technology company and a seller of ad spaces meant that Google was unwilling to alienate those who make it such a profitable company: advertisers. Seeking to satisfy both privacy-hungry users and data-hungry advertisers, Google’s approach ended up offering the worst of both worlds. Privacy advocates found that Privacy Sandbox and FLoC still breached users' privacy and, ironically, advertisers also found those technologies inadequate for their needs. 

In the end, after five years of searching for a middle ground, Google announced that it was shelving the project altogether: Chrome will continue to allow third-party cookies for the foreseeable future. Google explained that there were “divergent perspectives” on the question of third-party cookies. Ultimately, Google was not able to reconcile the need to protect user privacy with the goal of accommodating advertisers’ ability to target users. Between users and advertisers, Google chose advertisers.   

The decision leaves billions of Chrome users vulnerable to tracking by advertisers and data brokers. The most popular internet browser on earth will remain a tool of corporate surveillance, and the systematic tracking of users will remain the norm in our web ecosystem. 

Browser Privacy: A Regulatory Blind Spot

Browsers are central to how the internet functions, and regulators have taken notice. Chrome has faced antitrust lawsuits by both the European Union and the US government. But while these cases focus on anti-competitive practices, the privacy risks inherent to browsers remain under the radar. The EU’s GDPR has dealt with third party cookies at the website level, requiring each website to get user consent before installing cookies on a user’s browser. The requirement has had questionable results: most users accept cookies without fully understanding their implications, and consent pop-ups have made browsing the internet noticeably less smooth. 

Other approaches to bring privacy to the masses have proven far more successful: in 2021, Apple started asking users each time they install a new app on an iPhone or iPad, whether to let the app track them. Studies showed that a whopping 96% of users opted against tracking. This experience showed that when users are given a simple and understandable choice to stop tracking, they overwhelmingly reject it. Regulators could require browsers like Chrome to follow a similar path and let users decide whether to allow third-party cookies at all. 

Privacy-First Browsers You Can Use Today 

Until regulators step up to force dominant browsers like Chrome to protect user privacy, users still have the option to ditch Chrome for other browsers. Firefox, for example, is a longtime favorite among privacy advocates and it has everything one expects from an internet browser plus privacy by default. The DuckDuckGo browser, made by privacy-friendly search engine DuckDuckGo, is a minimalist option with few features (no extensions, for example) but strong protection against invasive trackers. And for adventurous users, the Brave browser offers the most robust privacy protections of all, though some features such as cryptocurrency rewards and built-in AI tools may get in the way of a simple user experience, but users can disable these in the browser's settings. 

Ramma Shahid Featured in Women in PR 40 Over 40 Power List

Our brilliant PR and Communications Lead, Ramma Shahid, has been named one of the 40 Over 40 Women in PR!

Ramma leads strategic communications focused on inclusion, behavior change, and real-world impact. As host of the Women in Transport podcast, she spotlights key issues like menopause, disability, and racial equity. She co-leads leadership programs, facilitates #IAmRemarkable sessions, and serves on the Met Police’s Scrutiny Panel on Violence Against Women and Girls. With a background in psychology, Ramma creates messaging that helps people feel seen, heard, and safe.

👏 Congratulations Ramma! 👏

From the Group Chat 👥 💬

This week in our Signal community, we got talking about:

Cloudflare has been making some interesting moves lately. Most notably, they launched Pay per Crawl, a private beta marketplace that lets website owners charge AI companies micropayments for scraping their content. The move comes as concern grows over companies like OpenAI and Anthropic collecting massive amounts of data without offering meaningful referrals or compensation. Cloudflare also announced the upcoming launch of Containers, a new feature that allows developers to run complex, stateful workloads alongside Workers without relying on traditional orchestration tools.

Other approaches to managing and monetizing AI bot traffic are emerging as well—like the Fastly + TollBit integration, which lets publishers detect AI bots and redirect them to a custom paywall where access is granted only if the bot presents a valid token or pays.

This Week's Links

Internet Governance

• Europe must stop treating digital sovereignty as negotiable and take bold action to break up Big Tech monopolies, enforce its digital laws, and build independent tech infrastructure to regain control of its digital future write Robin Berjon and Cori Crider. https://www.politico.eu/article/digital-sovereignty-us-brussels-belgium-trade-talks-tech 
• A new poll shows that majorities in France Germany and Spain want the EU to enforce its digital laws on Big Tech even if it risks straining relations with Donald Trump. https://peoplevsbig.tech/large-majority-of-french-german-and-spanish-public-back-tough-eu-stance-on-big-tech-despite-risk-to-trump-relations 
• The US Senate voted to pass an amendment to the budget bill removing the proposed 10-year moratorium on the enforcement of state laws on artificial intelligence. https://www.techpolicy.press/us-senate-drops-proposed-moratorium-on-state-ai-laws-in-budget-vote 
• Denmark is phasing out Microsoft software in favor of open-source alternatives like LibreOffice and Linux as part of a national strategy for digital sovereignty. https://www.zdnet.com/article/why-denmark-is-dumping-microsoft-office-and-windows-for-libreoffice-and-linux 
• China’s online censorship regime, often oversimplified as the “Great Firewall,” is actually a far more complex and adaptive system that authors Jessica Batke and Laura Edelson call “The Locknet.” https://locknet.chinafile.com/the-locknet/intro  
• Michelle Thorne of the Green Web Foundation warns that the EU’s proposed Cloud and AI Act could derail climate goals—unless AI development is kept within planetary boundaries. https://www.thegreenwebfoundation.org/news/tell-the-eu-keep-ai-within-planetary-boundaries 
• In the era of Trump 2.0, tariffs have become a powerful bargaining chip, with the vast American market leveraged to pressure trading partners, like Europe, into removing long-standing tariff and non-tariff barriers. In a follow-up to her piece in IX, Burcu Kilic asks: between tariffs and tech, what will Europe choose? https://botpopuli.net/between-tariffs-and-tech-what-will-europe-choose 
• Iran shutdown Internet access “to prevent the enemy’s misuse,” according to its Ministry of Communications. How this shutdown was observed from the Tor network. https://acuarelataller.org/en/traces-of-irans-internet-shutdown-in-tor-network-activity 
  • After the total shutdown ended on June 25, Iran's internet access was technically restored, but heavy network restrictions remain in place. More in this ongoing thread tracking censorship workarounds and ISP behavior. https://github.com/net4people/bbs/issues/489 
• As conflicts and crises increasingly threaten global internet infrastructure, the UN’s 2025 Best Practice Forum on Cybersecurity is working to define how the multistakeholder internet community can better protect core resources and ensure civilian access online. https://intgovforum.org/en/content/bpf-cybersecurity 
• How much investment would it take to build a competitive, independent browser, in the context of all this talk on digital sovereignty? Asks Tara Tarakiyee. https://tarakiyee.com/digital-sovereignty-in-practice-web-browsers-as-a-reality-check 
• Governments around the world are increasingly exerting control over the technology that people depend on to access the free and open internet, according to a new report co-authored by the European University Institute and Freedom House. https://globalgovernanceprogramme.eui.eu/gifi/eui-freedom-house-report-on-anti-censorship-tools-and-end-to-end-encryption 
• At IGF 2025: this panel from the Global Internet Standards Testing Community discusses internet.nl which can help countries and organizations assess and improve their digital infrastructure. https://www.youtube.com/watch?v=o7yIxdqWxx0 
• Notes and papers from the 7th annual PrivaCI Symposium—the first to take place in Europe—hosted by Vrije Universiteit Brussel and the Brussels Privacy Hub in Belgium. https://privaci.info/symposium/2025/symposium_report.html 

Digital Rights

• CDT’s report “Moderating Quechua Content on Social Media” examines how automated and human content moderation systems handle posts in Quechua, an indigenous and low-resource language spoken by 9–10 million people in South America. https://cdt.org/insights/moderating-quechua-content-on-social-media 
• Access Now and a coalition of human rights organizations are demanding accountability from Paragon Solutions US, Inc. following Citizen Lab's confirmation that its Graphite spyware was used to surveil journalists and civil society actors in Italy. https://www.accessnow.org/press-release/paragon-must-answer-for-spyware-use-against-civil-society 

Technology for Society

• Measurement Lab (M-Lab) has published the Internet Quality Barometer (IQB) Framework, a new method for assessing internet quality beyond traditional speed tests. https://www.measurementlab.net/blog/iqb 
• As the EU advances its 'twin transition' agenda, Carsten Horn and Ulrike Felt find the supposed harmony between digital and green goals rests on fragile, tech-driven optimism rather than ecological reality. https://www.tandfonline.com/doi/full/10.1080/1523908X.2025.2515225 
• Online child safety is reimagined as a proactive, rights-based challenge that centers kids’ agency, well-being, and meaningful participation in the digital world in a new report by Sandra Cortesi and Urs Gasser. https://tumthinktank.de/en/project/frontiers-in-digital-child-safety 
• AI is being weaponized by centralized, reactionary forces to dismantle democratic institutions under the guise of efficiency, often through opaque, unaccountable uses of automation and data centralization argues Dan McQuillan. https://berlinergazette.de/resisting-the-techno-fascist-takeover-are-we-ready-for-decomputing
• Social networks were built on short posts designed for speed and scale. But what if the next era of the web was built for something deeper? John O’Nolan and Matthias Pfefferle rediscover the magic of the blogosphere. https://www.youtube.com/watch?app=desktop&list=PLtZ3QXAltC7xfzOlf0dOM3cWEwvp75YUn&v=VO99ok3glZU 
• As machine learning becomes more influential across disciplines and public life, the quality of its research communication matters more than ever—but a growing number of papers, as Zachary C. Lipton and Jacob Steinhardt argue, obscure rather than illuminate, undermining both academic progress and public trust. https://arxiv.org/abs/1807.03341 
• Tech for Palestine launched UpScrolled, an Instagram alternative for those who want to avoid shadowbanning, suppression, and censorship. https://updates.techforpalestine.org/upscrolled-is-live-the-instagram-alternative-thats-actually-on-your-side 
  • If you’re looking for a federated Instagram alternative, you can also try Pixelfed https://pixelfed.org 

Privacy and Security

• After revelations that Yandex used localhost DNS rebinding to track users, David from ADAMnetworks revisits how DNS Rebind Protection, when properly configured, can block such privacy-invasive techniques and has already shielded millions of endpoints by default. https://support.adamnet.works/t/dns-rebind-protection-revisited/1435 
• In Nature’s latest podcast: An analysis reveals that 90% of computer vision studies involve imaging humans, raising concerns about hidden links between AI research and surveillance. https://www.nature.com/articles/d41586-025-02004-z
• Switzerland, long seen as a privacy haven, is now considering a major surveillance law revision that critics, including Proton, say would threaten online anonymity and digital rights. https://www.techradar.com/vpn/vpn-privacy-security/a-war-against-online-anonymity-why-switzerland-wants-to-change-its-surveillance-law-and-whats-at-stake
• US agencies have issued a cybersecurity advisory warning that Iranian-affiliated hackers may target American companies and critical infrastructure, particularly those connected to Israeli defense firms. https://www.reuters.com/sustainability/boards-policy-regulation/iran-linked-hackers-may-target-us-firms-critical-infrastructure-us-government-2025-06-30 

Upcoming Events

• The Tech People Want Online Summit Hosted by Open Knowledge Foundation. Mallory's pannel "Tech For Society" is at 2:00pm CEST. July 8-9. Online. https://okfn.org/en/events/the-tech-people-want-online-summit 
• Webinar: Land Defenders Share Their Experiences with Holistic Security and Documenting Digital Attacks July 17, 1:00pm UTC. Online. https://limes.digitaldefenders.org/883125 

Careers and Funding Opportunities

United States

• Tanium: AI Security Engineer. Emeryville, CA. https://www.tanium.com/careers/6863607 
• Meta: Engineering Manager, Generative AI Safety. Menlo Park, CA. https://www.metacareers.com/jobs/741372948232066 
• Stanford University:  Technology Ethics & Policy Rising Scholars Program Research Associate. Stanford, CA. https://careersearch.stanford.edu/jobs/technology-ethics-policy-rising-scholars-program-research-associate-28543
• Salesforce: Responsible AI Data Scientist - AI Red Teamer. San Francisco or Palo Alto, CA. Seattle or Bellevue, WA. https://careers.salesforce.com/en/jobs/jr291587/responsible-ai-data-scientist-ai-red-teamer 
• OneTrust: Head of Privacy & AI Governance. Atlanta, GA.  https://www.onetrust.com/careers/head-privacy-ai-governance-6793801
• AIG: AI Governance Manager. Atlanta, GA. https://aig.wd1.myworkdayjobs.com/en-US/aig/job/AI-Regulatory-Manager_JR2502340
• SAIC: AI Policy Engineer. Bethesda, MD. https://jobs.saic.com/jobs/16194857-ai-policy-engineer 
• Princeton University: Associate Professional Specialist. Princeton, NJ. https://puwebp.princeton.edu/AcadHire/apply/application.xhtml?listingId=39082
• The Atlantic: Vice President, Engineering. Washington, DC or New York, NY. https://atlanticmedia.wd1.myworkdayjobs.com/en-US/Careers/job/Washington-DC---The-Wharf/Vice-President--Engineering_R627
• Los Alamos National Laboratory: AI Security Engineer. Los Alamos, NM. https://lanl.jobs/search/jobdetails/ai-security-engineer-cybersecurity-technical-staff-2-3/f88d71f7-42ac-460e-a471-0633a3f361da 
• NYC Health + Hospitals: Senior Director - Data & AI Governance. New York, NY. https://www.linkedin.com/jobs/view/4247484526 
• Pepsico: Responsible AI Enablement Manager. Purchase, NY or Plano, TX. https://www.pepsicojobs.com/main/jobs/364289 
• Comcast Cybersecurity: Network Research Engineer, Post-Quantum Cryptography. Philadelphia, PA. https://comcast.wd5.myworkdayjobs.com/en-US/Comcast_Careers/job/Comcast-Cybersecurity--Network-Research-Engineer--Post-Quantum-Cryptography_R412654 
• The University of Pennsylvania: Engagement and Policy Manager - Penn Center for Media, Technology, and Democracy. Philadelphia, PA. https://wd1.myworkdaysite.com/en-US/recruiting/upenn/careers-at-penn/job/Amy-Gutmann-Hall/Engagement-and-Policy-Manager---Penn-Center-for-Media--Technology--and-Democracy_JR00107517 
• RealPage:  Director, AI Risk and Governance. Remote US. https://recruiting2.ultipro.com/REA1005REALP/JobBoard/9e84575d-6c12-4726-8828-5c68a1bdb792/OpportunityDetail?opportunityId=fe3467ea-6246-4903-a511-4d06be22329b 

Global

• Thomson Reuters: Senior Analyst, Data & AI Ethics - Research. Toronto, Canada. https://careers.thomsonreuters.com/us/en/job/JREQ192155/Senior-Analyst-Data-AI-Ethics-Research 
• LawZero: AI Safety Research Lead. Montreal, Canada. https://job-boards.greenhouse.io/lawzero/jobs/4002902009 
• Lego: Senior Child Rights and Safety Manager. Billund, Denmark or London, United Kingdom. https://www.lego.com/en-us/careers/job/senior-child-rights-and-safety-manager-cc863d060b7b100188bcaf99272d0000
• Ericsson: Senior AI Security Technology Specialist. Jorvas, Finland or Stockholm, Sweden. https://jobs.ericsson.com/careers?jobPipeline=careersite&page=1&query=ai%20security&start=0&pid=563121765230627&sort_by=solr
• Randstad Global. Budapest, Hungary.
  • AI ethics specialist. https://randstadgroepnl.wd3.myworkdayjobs.com/en-US/Werken-bij-Randstad-NV/job/AI-ethics-specialist_R-32391-1
  • Legal specialist/responsible AI program manager. ​​https://www.randstad.com/jobs/legal-specialist-responsible-ai-program-manager_hungary_45404027 
• Schneider Electric: Principal, Responsible AI Operationalisation Officer. Bangalore, India. https://www.se.com/ww/en/about-us/careers/job-details/principal--responsible-ai-operationalisation-officer/008XAF
• University of Cambridge: Research Assistant in AI policy and design practice (Part Time, Fixed Term). Cambridge, UK. https://www.jobs.cam.ac.uk/job/51725/ 
• American Express:  Responsible AI Technical Governance Manager (EU AI Act). London, UK. https://aexp.eightfold.ai/careers/job/29562184-responsible-ai-technical-governance-manager-eu-ai-act--london-london-united-kingdom
• TechSkills: Account Manager. Remote UK. https://careers.techuk.org/en/postings/1111adf0-9ae7-41c3-a9c5-566d2422012e 
• Wikimedia: Senior Trust & Safety Policy Manager. Remote. https://job-boards.greenhouse.io/wikimedia/jobs/6923247?gh_src=nyskvt7v1us

What did we miss? Please send us a reply or write to editor@exchangepoint.tech.