Publishers cry foul over W3C crusade to rid web of third-party cookies Movement for an Open Web (MOW), an advocacy group that supports web publishers, has filed a complaint with the UK's Competition and Markets Authority (CMA) challenging the World Wide Web Consortium's (W3C) call to eliminate third-party cookies. The term "cookies" refers to HTTP cookies, data sent by a server to a web user's …
For what it's worth I've met two of the current 11 members of the TAG, and I have a lot of time for both of them. Both very fine engineers as well as being able to negotiate the politics and bureaucracy of the W3C, which is no mean feat. Both definitely strong on privacy. That's why I voted for them in the last TAG election, and I'd happily vote for them again.
My employer is moving to a new security platform, and one of its recommendations was that we should disable 3rd party cookies in Chrome.
I created a suitable GPO, a test OU, and have applied it to myself. It's been almost two weeks, and everything still seems to work.
I really was expecting it to cause issues with something. My biggest fear was that authentication via Entra ID or Okta would fail on one of our systems. But everything seems to be fine so far!
I'm sure we'll have to put some exceptions in at some point, but I'm really impressed at how uneventful it's been.
So, with the greatest of respect to the publishers... get stuffed.
I've had third-party cookies and persistent cookies turned off for as long as I can recall.
The only problems I've had are with a small number of sites that implement different regional variations using a cookie rather than different URLs: these may sometimes detect the absence of a cookie on the homepage and then attempt to set it appropriately and redirect back to the homepage expecting the cookie then to be present - and so on until the browser complains about a redirection loop.
Compared with the things that break using adblockers, it's been negligible.
My view on this is that if sites break because they're overly intrusive or badly-designed, then they break. Other content is available.
I use Firefox where cookie settings are very easy to access (unlike Chrome, where they hide the setting). I normally browse with cookies turned off altogether and only turn cookies on temporarily in order to log in on sites like The Register so I can comment.
Nearly all web sites work just fine with cookies turned off.
A few get stuck in a redirection loop due to poorly written server side software and eventually time out in a self-imposed mini-DDOS. For those sites I usually just close the tab and don't bother with them, as there are always other sites that have what I'm looking for.
The main incentive to have cookies turned on is actually the idiotic "cookie warning" banners and pop-ups which some web sites have. They make life difficult on some web sites and I can see that some people would rather give in and be tracked than have to deal with them all the time. In most cases they are just banners across the bottom so I ignore them and don't even really see them anymore.
So, you really don't need cookies very often provided you use a browser which lets you turn them off and on quickly and easily.
I have Firefox delete all cookies upon program closure, I get the "benefits" of cookies on sites that need them (purchasing, etc) and then tell them to "Stuff off" when they try to use them for tracking afterwards. I do that with all my browsers, mobile and desktop.
exactly, if i visit a website & they use functional cookies, then fine but if i visit a website & im hammered with cookies from their 1564 "partners" then fuck them! even Sky has 100s of "partners" that their cookie warning tells you about.
its ridiculous and the sooner than the term "data broker" doesn't exist anymore ye better
The excellent people at noyb have had some success in reminding specific sites (even Google) that there should be a simple one-click “Allow only essential cookies” option, rather than these evil “dark pattern” obstacle courses that too many sites use, in order to properly comply with the law.
That's because your choice is stored in a cookie. If you're like me, they disappear on a very regular basis.
On a similar topic:
He contends that 3PCs are not inherently intrusive and that unwelcome tracking arises from bad actors abusing the system.
Ok, give me a list, and if it doesn't include google-analytics.com and adobedc.net, then its severly incomplete.
And which is explicitly prohibited by EU rules on cookie consent. IIRC it is required that the process to opt out should be no more difficult/onerous/convoluted than the process to opt in. So having an "accept all" button without also having a "reject all" button is illegal - but when's that ever bothered any of the tech giants ?
We had a "Do Not Track" header. This has largely been abandoned because outfits decided since there's no actual legislation supporting it, they'll just ignore it. Now we have a "Don't Sell My Data" header and I'm sure the scum will ignore it also.
The following is taken from the Kids Web Services privacy policy. That's the outfit doing age verification for Bluesky (and others) in the UK. They had an opportunity to do the right thing, and they chose this:
"Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. There is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals."
So these third party cookie supporters can take the toilet brush of their choice and shove it right up there...
The purpose of do-not-track is not for the site to actively take any action. The purpose is to provide legal cover for the client to implement content-blocking features that are triggered by ignoring the header.
By pre-emptively withdrawing consent for tracking, there is no case to answer by the ad-block author.
There's this thing called TV. Many years ago, the clever TV chaps worked out how to make money from advertisements, whilst knowing NOTHING about the people watching.
By relying on putting relevant adverts between the programmes, and paying for customer surveys, and paying a sample of people who agree to be tracked, they could gather statistics accurate enough to do the job, whilst not having any details on individuals not involved directly in their surveys/tv-channel tracking.
They even survived the many "ad-blockers" that involved channel surfing, or popping to the kitchen to make a cuppa.
Now, granted, it's quite likely that if they had the ability to track when they started out, they would have, but it turns out, it wasn't necessary.
I'd have a lot to say on this topic, but I'll limit myself to this: killing tracking does not mean killing advertising. At the beginning of the Internet, there was no tracking, and people still managed to sustain websites with ad money.
Internet ad revenue has gone up immensely since then, but, and this is critical, almost all of that increase has gone to Google, Meta, and a handful of other brokers. Almost none of it has gone to content creators, and the share is still going down (see the controversy over AI results), to the point where sustaining quality content is getting difficult even as Internet ad expenditure has never been higher.
If you kill tracking for real, then the big data brokers suddenly have no unbeatable scale advantage over smaller ad firms, which means that suddenly you have competition in the ad space, which means that content providers can now choose who to sell eyeballs to, which means that they can now shop for a bigger slice of the pie.
So, the answer to your question is: they can keep going with ad revenue from non-tracking ads.
Oh, and yes, they can also charge subscriptions. If the content is good enough, I'd pay them. I already do, for some services.
Third party cookies are only possible when you load the third party content that's included on the website you visit. When you visit example.org, their page includes something from evilcorp.com. It might be a banner ad, a single pixel, or a script, such as from gargle-analytics. That's the only way third party cookies can get onto your computer.
However, the cookie is not everything for these third parties. They already know, because you loaded the banner ad, your IP address, the date and time, the site you visited, and any extra information that that site chose to give up.
Suppose you watch Priest porn and your preferred porn purveyor includes a browser fingerprinting script from evilcorp, the URL could be evilcorp.com/track.js?cat=priest. Now evilcorp knows that, too. All without needing a single cookie.
So when publishers cry, boohoo, they're crocodile tears. The advertisers will still pay to have their content included by the sites they wish to advertise on, and for evil corporations starting with the letters G, and F, they want their content on every website. Without them getting their content everywhere, their tracking cookies have no value.
So they don't need cookies. The cookies just take ambiguity off the table. It lets them differentiate between mommy's browsing and little Petunia's.
The only way to avoid being tracked is to not load that third party content in the first place. Browse add-ons like NoScript help here. That's what really worries the big G's and F's. That's why Google invented manifest v3: to destroy NoScript and equivalent.
Hey: I'd like you to run this program for me. I'm not going to tell you what it does, and I'm not even going to ask for your permission, I'm just going to send it to you so that you can run it on your phone. That's exactly what almost everybody permits when they run third party scripts. Stupid everybody. That's what NoScript prevents.
Run NoScript unless you're happy running my unknown program without even being asked. Which means ditching Chrome and anything else that's switched to manifest v3. Firefox is the one you should be using.
Perhaps we should ban inline 3rd party url's?
I'm not being facetious - a lot of sites would need to change the way they do things, but it could still work.
However, ultimately, there's nothing you can do technically to stop evil corp distributing their log files do to ask and sundry.
It's interesting to remember that the whole concept of the WWW is that sites have 3rd party URLs. That's basically what it's for. Though, they're not used in the manner originally envisaged by TBL. He thought that people would host pages and link to other people's pages. Instead, we have comparatively few hosts, commercial interests, advertising, etc.
A search engine wouldn't work without 3rd party URLs unless the search engine had privileged access to the innards of the web browser that an ordinary web page didn't enjoy. To do that, the search engine company would have to persuade you to run their web browser... Oh, yeah.
Google would absolutely love to be the sole means by which you can navigate from one web domain to another web domain. They'd know everything then...
The original sin of the cookie law was attempting to prevent a bad behavior by outlawing a specific technique. They should have outlawed the bad behavior directly. Declare that everything my browser sends to you, as well as the fact that it has sent something to you, is personal information under the GDPR, and that's it. Now it doesn't matter how you shift data to evilcorp.com; it's all illegal unless you get informed opt-in. The next step would be to actually enforce it, but one thing at a time.
Why yes, I would love to have my data shared with thousands of your 'affiliates' who 'need' it to 'provide' some absolutely 'excellent services' and whatnot. Just tell me, what is in it for me? Oh, increased digital footprint and conceding that what algorithms feed me is what I will consume for all eternity? Jolly good, always wanted to be made into a marketing foie gras.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
