► Data

The cookieless future that wasn't

Google retired ten Privacy Sandbox ad APIs and kept third-party cookies in Chrome. The real pressure on first-party data investment now comes from regulation and platform walled gardens, not Chrome.

Editorial diagrammatic illustration: a layered data-pipeline diagram with several branching paths leading to terminated dead-ends, and a single tall central pillar with a brand-orange circle at its apex, on cream paper background.

► Bottom line up front

On October 17, 2025, Google's VP of Privacy Sandbox formally retired ten technologies, including the Topics API, Protected Audience API (formerly FLEDGE), and Attribution Reporting API (ARA), citing low adoption across the industry. Third-party cookies remain in Chrome. The "cookieless future" framing that drove consulting conversations from 2021 to 2024 has arrived in inverted form: Chrome keeps cookies, but the privacy-preserving replacements were shelved. The practical implication is that the case for first-party data infrastructure was never really about Chrome. It was always about Meta and TikTok walled gardens, regulator enforcement in Singapore, Australia, and the EU, and Safari/Firefox users who block third-party cookies regardless. Those pressures are unchanged. Source: privacysandbox.google.com.

Two decisions, 14 months apart: what Google actually did

The Privacy Sandbox story has two distinct acts, and conflating them is how most marketing teams have misjudged the strategic situation.

Act one, July 22, 2024. Anthony Chavez, VP of Privacy Sandbox, published "A new path for Privacy Sandbox on the web" on blog.google. The post confirmed that Chrome would not deprecate third-party cookies. Instead, Google would introduce a user-facing choice mechanism: a Chrome UI that lets users make an explicit decision about cross-site tracking. The plan to remove cookies by a fixed deadline was abandoned. Regulators, publishers, and ad-tech vendors had all pushed back hard on the original timeline; Google cited the feedback as a driver of the reversal. At that point, Privacy Sandbox APIs were still live and nominally still on the roadmap.

Act two, October 17, 2025. Chavez published a second post: "Update on Plans for Privacy Sandbox Technologies." This one retired the APIs. Ten technologies were put on the deprecation list, with an explicit reference to "low levels of adoption" as the reason. The post acknowledged that with cookies staying, the urgency to adopt Privacy Sandbox alternatives had evaporated and the ecosystem had not built on them at meaningful scale.

The sequence tells a coherent story. Topics API, Protected Audience, and Attribution Reporting all required the ad-tech ecosystem to rebuild significant infrastructure. With third-party cookies staying in Chrome, that rebuild had no forcing function. Google's own statement names the result: "low levels of adoption." When adoption is low and the original motivation (cookie removal) is gone, retiring the APIs is the logical outcome.

What remains live in the Privacy Sandbox are the technologies that solve different problems. CHIPS (Cookies Having Independent Partitioned State) partitions first-party cookies to third-party contexts, improving security without breaking cross-site flows. FedCM (Federated Credential Management) handles federated login without exposing user identity to the identity provider. Private State Tokens address fraud and abuse signals without cross-site tracking. These three continue because they have genuine adoption and solve problems that exist regardless of the cookie-deprecation debate.

The ten APIs being retired, and the three that stay

The October 2025 announcement listed the retirements explicitly. For any team that invested engineering time or vendor integrations in Privacy Sandbox APIs, the table below is the complete reference.

Privacy Sandbox API status, per October 17, 2025 announcement (source: privacysandbox.google.com)
API / Technology Status What it was for
Topics API (Chrome + Android) Retiring Interest-based targeting without cross-site user profiles
Protected Audience API (Chrome + Android, formerly FLEDGE) Retiring On-device remarketing auctions without server-side user data
Attribution Reporting API (Chrome + Android) Retiring Privacy-preserving ad attribution using aggregated, noisy reports
Private Aggregation (including Shared Storage) Retiring Aggregate measurement across sites with differential-privacy noise
Related Website Sets (including requestStorageAccessFor) Retiring Cross-site cookie access within first-party-owned domain sets
IP Protection Retiring Proxy routing to prevent IP-based cross-site tracking
On-Device Personalization Retiring Local ML-based content personalisation without server-side data
Protected App Signals (Android) Retiring Privacy-preserving app install and engagement signals for Android advertising
SelectURL Retiring Privacy-preserving content selection from a pre-defined URL set
SDK Runtime (Android) Retiring Isolated runtime for ad SDKs on Android to reduce data access
CHIPS (Cookies Having Independent Partitioned State) Continuing Partitioned cookies for secure cross-site embedding without cross-site tracking
FedCM (Federated Credential Management) Continuing Federated login without exposing user identity to identity providers
Private State Tokens Continuing Anti-fraud and abuse signals without cross-site tracking

Three patterns emerge from this list. First, the retiring APIs are all ad-tech focused: targeting, attribution, remarketing, measurement. The continuing APIs are infrastructure-focused: login, fraud prevention, secure cookie partitioning. Google is walking away from the ad-tech APIs and keeping the web-platform utilities.

Second, Android is in scope for several of the retirements. Teams running app campaigns that integrated Protected App Signals or SDK Runtime need to verify with their mobile measurement partner (MMP) and demand-side platform (DSP) what that means for attribution models. The web-only framing that dominated cookieless coverage in 2021-2024 missed the mobile-app dimension.

Third, Google's October post noted it will "continue to engage" on an interoperable attribution standard through the W3C Private Advertising Technology Community Group. Attribution Reporting API is retired, but the underlying problem of privacy-preserving cross-site attribution is still on the standards agenda. This is relevant to any team planning 3-5 year measurement infrastructure. The standard may arrive; build your stack to accommodate it when it does, but do not wait for it.

The real measurement problem was never Chrome

Chrome kept third-party cookies. Safari and Firefox still block them. Safari holds roughly 25-29 percent of global browser share depending on the measurement source, with higher concentration on mobile in markets like Singapore and Australia where iPhone penetration exceeds 50 percent in some demographics. Firefox adds 3-4 percent. A practical share between 28 and 33 percent of users have been operating in a cookie-limited environment since Safari's Intelligent Tracking Prevention (ITP) launched in 2017. That figure predates the entire Privacy Sandbox debate.

The walled garden problem is older and larger still. Meta's Conversions API (CAPI) exists because Meta's own pixel, running inside Facebook's ad attribution system, was never fully reliant on Chrome third-party cookies. Meta's signal loss problem accelerated with iOS 14.5 in April 2021, when Apple's App Tracking Transparency (ATT) framework required explicit opt-in for identifier-level tracking across apps. Meta reported a USD 10 billion revenue impact in 2022 from iOS ATT. That damage came from Apple, not from Chrome. Building CAPI infrastructure, matching hashed customer data with Meta's graph, and setting up server-side event matching are all responses to Apple and Meta's measurement architecture, not to Google's cookie decisions.

TikTok's Events API has the same architecture logic as CAPI. Google's own Enhanced Conversions and server-side Google Tag are also responses to signal quality erosion, driven partly by browser restrictions and partly by ad-blocking software. Our analytics and insights practice treats server-side tagging as baseline infrastructure regardless of browser policy, precisely because the signal erosion is multi-vector. No single browser decision reverses that.

The first-party data argument rests on three pillars that the cookie reprieve does not touch. One: consent-based collection. In markets where GDPR, PDPA, or the Australian Privacy Act apply, explicit user consent is required before tracking cookies are set. A third-party cookie dropped without consent is a legal problem regardless of Chrome's technical capability. Two: walled garden matching. Meta, TikTok, Google, and LinkedIn all offer better audience matching, better lookalike quality, and better event match scoring when you supply consented first-party signals. This is a performance argument, not a compliance argument. Three: signal durability. Regulation tightens over time, browsers make their own decisions, and users install ad blockers (penetration exceeds 40 percent in some markets). A first-party data foundation is insulated from all three.

The Chrome cookie decision did not change any of these three arguments. If anything, the October 2025 API retirement reinforces the third pillar: the industry tried to build privacy-preserving ad-tech alternatives, failed to adopt them at scale, and the infrastructure investment requirement still exists but must now be solved through first-party data and server-side measurement rather than browser-native APIs. For a deeper view of the measurement stack that survives both scenarios, see our post on cookieless MMM and Bayesian incrementality for APAC marketers.

What privacy law actually requires across your markets

The regulatory picture differs meaningfully by market. For any team operating across Singapore, Australia, the United States, and Canada (leapbuzz's five-market footprint, plus Malaysia), the following table is the practical orientation.

Privacy regulation: marketing-relevant requirements by market, mid-2026
Market Primary law Consent basis for tracking cookies Enforcement posture (mid-2026)
Singapore Personal Data Protection Act (PDPA) Deemed consent with notification (lower bar), or express consent. PDPC advisory guidelines on marketing data apply. PDPC enforcement actions in financial services and retail. Advisory guidelines updated; server-side measurement flagged as a privacy-positive approach.
Australia Privacy Act 1988 (as amended) Consent or legitimate interest with disclosure; tracking pixels treated as collection of personal information. OAIC published Meta-Pixel-class tracking findings in 2026. Active enforcement. Statutory tort for serious privacy invasions now in force. Board-level risk.
EU / EEA GDPR + ePrivacy Directive Explicit opt-in for non-essential cookies. Consent Management Platform (CMP) with granular categories required. High enforcement density. DPA fines in the hundreds of millions of euros for large platforms. Applies to any site with EU visitors.
United States State-level patchwork (CPRA, Colorado CPA, Virginia CDPA, others) Opt-out right for sale/sharing of personal data; no federal opt-in requirement. Threshold-based (number of residents served). Enforcement active in California (CPPA). FTC enforcement under Section 5 for deceptive tracking practices.
Canada PIPEDA (federal); Bill C-27 pending Meaningful consent required for collection and use of personal information. OPC guidance on tracking and consent applies. OPC enforcement capacity growing. Bill C-27 would substantially increase fines and rights if enacted.
Malaysia Personal Data Protection Act 2010 (PDPA MY) Consent required for processing personal data for marketing purposes. Enforcement less active than SG/AU, but statutory requirements apply to any data collected from Malaysian users.

The practical conclusion: every market in leapbuzz's five-market footprint requires either explicit consent or disclosed legitimate interest before tracking cookies are set for marketing purposes. Chrome's technical decision to keep cookies does not override any of these. A site that drops third-party tracking cookies without consent is non-compliant in the EU, AU, and SG regardless of Chrome's stance. The PDPC's advisory guidelines on use of personal data in marketing cover tracking pixels, audience matching, and retargeting directly.

For teams that have not yet implemented a consent management platform (CMP), the OAIC's 2026 findings on tracking pixels are a useful urgency signal for the AU market. The finding confirmed that embedding third-party tracking pixels without adequate disclosure and consent mechanisms constitutes a breach of Australian Privacy Principle 1 (APP 1), which requires transparent handling of personal information. For a practical walkthrough of CMP implementation aligned to strictly necessary consent categories, our post on Freshpaint and CMP strictly necessary consent covers the boundary conditions in detail.

Server-side tagging addresses the consent-execution problem as well as the signal problem. When tag firing is controlled server-side, the CMP consent state can be enforced at the server layer before any event is forwarded to a third-party platform. Browser-side tags, by contrast, rely on the CMP blocking script executing before the tracking pixel fires, which is technically fragile. Our analytics and insights service covers server-side architecture as part of every measurement engagement, not as an optional add-on.

One practical framing for AU-market clients: the OAIC's 2026 enforcement posture treats website analytics and ad pixels under the same regulatory lens as direct marketing lists. "We don't sell data" is not a defence for a tracking pixel that passes user-identifiable information to a third-party platform without disclosure. The regulatory definition of "collection" includes passive technical collection through pixels and tags.

What to do now: a decision flowchart

The decision depends on where your stack currently sits relative to two variables: Privacy Sandbox API exposure, and cookie-dependency combined with regulatory market mix. The flowchart below routes to one of four postures. All advice is generic; apply your own audit before acting on any branch.

Privacy Sandbox wind-down: what to do now A decision flowchart with three yes/no questions routing to four recommended postures based on Privacy Sandbox API investment, third-party cookie dependency, and regulatory market exposure. YES NO NO YES YES NO START Your current data posture Did your team invest in Privacy Sandbox APIs? (Topics, Protected Audience, Attribution Reporting) ACTION A Audit integration spend. APIs are retiring. Redirect to 1PD + SST. Do campaigns rely on third-party cookies? for measurement or targeting ACTION B Ahead of the curve. Maintain 1PD stack. Audit consent governance annually. Do you serve EU, AU, or SG users? (stricter consent enforcement) ACTION C CMP + server-side tagging not optional. Regulatory risk is live. ACTION D Build server-side tagging now while the window is open.

A note on the flowchart postures. Action A (Privacy Sandbox API investors) requires an honest audit of what was built and what it cost. Most vendors who integrated Topics or Protected Audience early are already redirecting that engineering capacity; confirm with your DSP or measurement vendor before assuming your integration is dead code.

Action C (cookie-reliant, regulated-market exposure) is where the regulatory risk is most concentrated. The Australian OAIC's 2026 tracking-pixel investigation findings, the PDPC's enforcement pattern in Singapore, and GDPR's strict consent requirements in the EU all converge on the same conclusion: a third-party tracking cookie without a valid consent mechanism is a liability regardless of Chrome's technical posture. The CMP is not optional in these markets, and server-side tagging is the correct architecture for enforcing the CMP decision at the event layer. See our AI strategy service for how we approach measurement stack architecture as part of broader data strategy engagements.

For teams who have already built first-party data infrastructure (Action B), the October 2025 retirements are largely validation rather than a call to action. The Privacy Sandbox road was always uncertain. Teams that invested in consented data collection, CRM matching, server-side event pipelines, and CAPI integrations are in a defensible position regardless of what Google does with Chrome.

For a broader view of how to structure measurement that does not depend on any single browser decision, our post on first-party data strategy covers the foundational architecture decisions from customer data platform selection to consent-compliant collection mechanics.

Questions, answered

Is Google removing third-party cookies from Chrome?

No. On July 22, 2024, Google's VP of Privacy Sandbox Anthony Chavez announced that Chrome would maintain third-party cookies and instead introduce a user-facing choice mechanism, replacing the earlier plan to deprecate cookies outright. Cookies remain in Chrome as of mid-2026.

What changed in October 2025 is that Google retired the Privacy Sandbox ad-tech APIs that were built as cookie alternatives. The two decisions are related but separate: cookies stay, and the replacements were shelved. Source: privacysandbox.google.com/blog/privacy-sandbox-update (July 2024) and privacysandbox.google.com (October 2025).

Which Privacy Sandbox APIs are being retired?

On October 17, 2025, Google announced the retirement of: Attribution Reporting API (Chrome and Android), IP Protection, On-Device Personalization, Private Aggregation (including Shared Storage), Protected Audience API (Chrome and Android, formerly FLEDGE), Protected App Signals, Related Website Sets (including requestStorageAccessFor and Related Website Partition), SelectURL, SDK Runtime, and Topics API (Chrome and Android).

The APIs that continue are CHIPS (Cookies Having Independent Partitioned State), FedCM (Federated Credential Management), and Private State Tokens. The complete official list is at developer.chrome.com/en/docs/privacy-sandbox/status/.

What is the Topics API and why did Google retire it?

Topics API was designed to let Chrome infer broad interest categories from a user's browsing history and share those categories with advertisers, replacing the cross-site tracking that third-party cookies enable for audience targeting. Google retired it in October 2025 citing "low levels of adoption."

The low adoption was predictable: with cookies remaining in Chrome, advertisers had little incentive to migrate to a less granular system. Safari and Firefox never implemented Topics. Without cross-browser adoption, Topics could not function as an industry standard, and without industry adoption, it could not offer meaningful reach.

What is the Protected Audience API (formerly FLEDGE)?

Protected Audience (formerly called FLEDGE) was a Privacy Sandbox API designed to run remarketing and custom-audience auctions inside the browser, without sharing user identity with any server. The auction logic ran locally on the device, so no cross-site user data left the browser.

Google retired it in October 2025, also citing low adoption. The technical concept was sound, but the implementation required advertisers and demand-side platforms to rewrite substantial portions of their bidding infrastructure. Without the pressure of imminent cookie removal, that investment did not happen at scale.

What is Attribution Reporting API and what replaces it?

Attribution Reporting API (ARA) was designed to let browsers report ad click and view attributions to advertisers using aggregated, noisy reports rather than user-level click IDs. It was the Privacy Sandbox replacement for URL-level click tracking across sites.

Google retired it in October 2025 and noted it would continue engaging with the W3C Private Advertising Technology Working Group on an interoperable attribution web standard. Until a replacement standard ships, advertisers relying on cross-site attribution must continue using click IDs (gclid, fbclid, etc.) with consented first-party data collection and server-side measurement. Marketing mix modelling (MMM) and incrementality testing remain the most reliable measurement methods that do not depend on user-level attribution at all.

Does keeping cookies in Chrome mean I can stop investing in first-party data?

No. Chrome cookies are a technical reprieve, not a strategic one. Three pressures remain regardless of Chrome's decision.

First, Meta, TikTok, Amazon, and most scaled ad platforms have built walled gardens that restrict cookie-based cross-site tracking in their own environments regardless of Chrome. Conversion API (CAPI) and server-side tagging are required to maintain signal quality inside those platforms. Second, regulators in the EU (GDPR), Australia (Privacy Act and OAIC enforcement), Singapore (PDPA), and Canadian provinces require explicit consent before cookies are set for tracking purposes. Third-party cookies with consent are legal; third-party cookies without consent are not. Third, iOS Safari and Firefox remain relevant in your user base and block third-party cookies at the browser level regardless of Google's decision.

What should I do with Privacy Sandbox integrations I already built?

Audit the build cost and opportunity cost before doing anything. If your team invested in Topics API or Protected Audience API integration inside a demand-side platform or ad server, confirm with your vendor how they are handling the retirement. Most vendors who built early-stage integrations are already redirecting that engineering capacity toward server-side measurement and first-party data pipelines.

The functional capabilities you wanted (audience targeting without cookies, privacy-preserving attribution) are still available through first-party data activation, Conversion API integrations, and media mix modelling. The path changed; the destination is similar.

How do privacy regulations differ across Singapore, Australia, the United States, and Canada?

Singapore's Personal Data Protection Act (PDPA) requires consent for collection, use, and disclosure of personal data. The PDPC's advisory guidelines on use of personal data for marketing purposes apply directly to tracking pixels, retargeting, and audience matching.

Australia's Privacy Act (as amended) and the OAIC's enforcement posture treat tracking pixels as a collection of personal information requiring consent or a disclosed legitimate interest basis. In 2026, the OAIC published findings from a Meta-Pixel-class tracking investigation confirming enforcement will continue.

In the United States, there is no federal privacy law for marketing data; state laws (California's CPRA, Colorado, Virginia, others) apply depending on user residence and thresholds. Canada's PIPEDA requires meaningful consent for collection and use of personal information; Bill C-27 would strengthen this if passed.

Any marketing stack that touches EU, AU, or SG users cannot rely on cookies-by-default. Consent management platform (CMP) configuration is not optional in these markets, regardless of Chrome's cookie policy.

► Next step

Build the measurement stack that survives the next browser decision.

20 minutes with us covers where your current stack is exposed, which consent and server-side investments are worth prioritising in your market mix, and what a defensible first-party data architecture looks like for your business.

Talk to leapbuzz