The Cookie Replacement That Never Shipped
For five years the advertising industry planned around one assumption: Google would remove third-party cookies from Chrome and replace them with the Privacy Sandbox, a set of browser APIs that promised interest-based advertising without cross-site tracking. That plan is now dead. On 17 October 2025 Google announced it was retiring most of the Privacy Sandbox technologies, and third-party cookies remain in Chrome with no removal date on the calendar.
If your consent strategy was built on the idea that cookies were about to disappear, it's time to update it. The short version: nothing replaced the cookie, so the legal machinery that governs cookies, consent banners and all, is exactly as load-bearing as it was before. In some ways it's more so.
The Verified Timeline
It helps to see how we got here, because the reversals happened in stages and each one was widely misreported.
- January 2020: Google announces its intention to phase out support for third-party cookies in Chrome, originally targeting a two-year window. The date slipped repeatedly.
- 22 July 2024: Google reverses course. Rather than deprecating third-party cookies, it says it will introduce "a new experience in Chrome that lets people make an informed choice that applies across their web browsing." Cookies stay; users get a choice.
- 22 April 2025: Google drops even the standalone prompt. Its words: "we've made the decision to maintain our current approach to offering users third-party cookie choice in Chrome, and will not be rolling out a new standalone prompt for third-party cookies." Control stays in Chrome's existing privacy settings.
- 17 October 2025: Google retires most of the Privacy Sandbox itself, citing "ecosystem feedback about their expected value and… low levels of adoption."
What Google Actually Retired
The 17 October update names the technologies being phased out across Chrome and Android. These were the pieces meant to power advertising and measurement without third-party cookies:
- Topics API, the interest-based ad targeting signal
- Protected Audience API (formerly FLEDGE), for remarketing and custom audiences
- Attribution Reporting API, for conversion measurement
- Private Aggregation and Shared Storage
- Protected App Signals, On-Device Personalization, and SelectURL
- IP Protection, Related Website Sets, and the Android SDK Runtime
Google also said it is "moving away from the Privacy Sandbox branding" entirely. The initiative, as a named program, is finished.
What Survived
Not everything went. Google kept the pieces that had real adoption and that improve privacy without trying to replace cross-site targeting:
- CHIPS (Cookies Having Independent Partitioned State), which lets a third party set a cookie that is partitioned per top-level site, so it can't be used to track a user across different sites.
- FedCM (Federated Credential Management), which simplifies federated sign-in flows in a privacy-preserving way.
- Private State Tokens, retained to help developers fight fraud and abuse.
These are useful primitives, but none of them is an advertising identifier and none changes your consent obligations. CHIPS in particular is a security and isolation feature, not a lawful basis for tracking.
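To make the isolation point concrete, here is an added example (not from Google or from this article's original text) that models how a `Partitioned` cookie is keyed by top-level site while an ordinary third-party cookie is keyed by host alone. The `CookieJar` class, the `.example` hosts and the cookie names are constructed for illustration, and the model assumes the user has left third-party cookies allowed.

```javascript
// Toy cookie jar, constructed for illustration (not Chrome's implementation).
// Unpartitioned cookies are keyed by cookie host alone; Partitioned (CHIPS)
// cookies are keyed by (top-level site, cookie host).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.has('secure'),
    partitioned: flags.has('partitioned'),
  };
}
class CookieJar {
  constructor() { this.store = new Map(); }
  key(topLevelSite, cookieHost, partitioned) {
    return partitioned ? `${topLevelSite}|${cookieHost}` : `*|${cookieHost}`;
  }

  // Returns false when the cookie is rejected.
  set(topLevelSite, cookieHost, header) {
    const c = parseSetCookie(header);
    if (c.partitioned && !c.secure) return false; // Partitioned requires Secure
    const k = this.key(topLevelSite, cookieHost, c.partitioned);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(c.name, c.value);
    return true;
  }

  // Cookies attached to a request to cookieHost embedded under topLevelSite.
  get(topLevelSite, cookieHost) {
    const out = {};
    for (const p of [false, true]) {
      const m = this.store.get(this.key(topLevelSite, cookieHost, p));
      if (m) for (const [n, v] of m) out[n] = v;
    }
    return out;
  }
}

function demo() {
  const jar = new CookieJar();
  const host = 'widget.example', shop = 'https://shop.example'; // constructed
  jar.set(shop, host, 'legacy_id=abc; Secure; SameSite=None');
  jar.set(shop, host, '__Host-chips_id=xyz; Secure; Path=/; SameSite=None; Partitioned');
  return { underShop: jar.get(shop, host), underNews: jar.get('https://news.example', host),
           rejected: !jar.set(shop, host, 'bad=1; Partitioned') };
}
```

The unpartitioned `legacy_id` is readable under both top-level sites, which is the cross-site behaviour consent rules target; the partitioned cookie is visible only under the site where it was set.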
Why This Makes Consent More Important, Not Less
It's tempting to read "cookies aren't going away" as "nothing changes." The opposite is true for compliance teams. The Privacy Sandbox was, among other things, the industry's hoped-for way to do advertising with less reliance on consent, because the browser would handle interest signals locally. That escape hatch is closed. Advertisers who bet on Topics and Protected Audience now have to fall back to what already worked: consented first-party data and Google's Consent Mode signals.
Meanwhile the third-party cookie, the exact object that the GDPR and the ePrivacy Directive were written to govern, is still in the browser and still being read by ad tech. The user-choice model Google adopted is a Chrome setting, not a lawful basis; it doesn't collect or record consent the way GDPR requires, and it doesn't cover the EEA's legal requirement to obtain prior consent before non-essential cookies are set. Your banner is still the thing that makes cookie use lawful.
What To Do Now
- Stop planning for a cookieless Chrome. There's no deprecation date. Roadmaps built on one should be retired alongside the Sandbox.
- Keep your consent banner tight. Non-essential cookies and tags must still be blocked until the user opts in, with an equal-prominence reject option. See the GDPR cookie compliance checklist.
- Lean on Consent Mode and first-party data. With the Sandbox gone, Google's own advertising products depend on the consent signals you send. Understand what each one controls in the Consent Mode parameters reference.
- Re-read the user-choice framing. Chrome's third-party cookie controls are covered in what Chrome's user-choice model means for consent, and the wider set of identifiers in first-party vs third-party cookies.
A Note on the Topics API Guide
If you previously read our explainer on the Privacy Sandbox and the Topics API, treat it as historical context now. The mechanism it describes was retired in the October 2025 update. The strategic conclusion still holds: durable, compliant measurement comes from consented data you collect yourself, not from a browser API that may be withdrawn.
The One Thing That Didn't Change
Amid the reversals, the legal ground stayed perfectly still. The GDPR and the ePrivacy Directive were never contingent on Google's roadmap. They require prior, informed, freely given consent before non-essential cookies or similar technologies are set, regardless of whether the browser vendor plans to remove those cookies later. The Sandbox's rise and fall changed the advertising technology available; it changed nothing about the legal basis you need to run it.
So if a stakeholder asks whether the shutdown lets you relax your banner, the answer is no. Two years of "cookies are dying" headlines produced a lot of deferred compliance work. With the cookie confirmed to stay, that work is simply due now. Anyone who paused a consent project waiting for the cookieless future should un-pause it.