📅 June 14, 2026 · ⏱️ 10 min read

Chrome Third-Party Cookies in 2026: They Survived. Privacy Sandbox Didn't.

A short and honest tour of where things actually stand. The cookie deprecation that never happened, the replacement that did happen but then died, and the small handful of APIs you should actually plan around.

The TL;DR if you only read this part. Chrome's third-party cookies are still on by default in 2026 — Google reversed the forced deprecation in July 2024. Then in October 2025, Google retired most of Privacy Sandbox itself — Topics, Protected Audience, Attribution Reporting, and most of the other APIs that were supposed to replace cookies. CHIPS, FedCM, and Private State Tokens are still alive. Cookies still work, but their reliability is steadily declining for everyone — Safari, Firefox, and ad-blocked Chrome traffic all chip away at them. Don't build new things on Topics or PAAPI.

How we got here

The five-year story in three acts:

Act 1 (2019–2024): The deprecation that took forever

Google announced in January 2020 that Chrome would stop supporting third-party cookies "within two years". The deadline slipped. Then slipped again. Then slipped again. Then slipped again. Meanwhile Privacy Sandbox APIs — Topics, Protected Audience (FLEDGE), Attribution Reporting — were proposed as cookieless replacements, with the implicit promise that they'd give advertisers enough signal to keep the web ad economy running.

Act 2 (July 2024): The reversal

Google announced it would no longer force-deprecate third-party cookies. Instead, Chrome would surface a new user choice: users could pick whether to allow or block third-party cookies through Chrome's Privacy & security settings. The framing was that Privacy Sandbox APIs would coexist with cookies as additional tools, not as replacements. In hindsight: a tell.

Act 3 (October 2025): The Sandbox itself shut down

On 17 October 2025, Anthony Chavez (VP of Privacy Sandbox at Google) published a blog post retiring most of the Privacy Sandbox APIs. The cited reason: low adoption by the ecosystem. The unstated context: the UK's Competition and Markets Authority had been investigating Privacy Sandbox for years on antitrust grounds; advertisers had complained that the APIs effectively concentrated more measurement and targeting power with Google; and the APIs were complex to integrate with little measurable upside.

The 17 October announcement marked the end of years of standards work. Several of the retired APIs had already been shipped to Chrome stable.

What's retired, what's still alive

API / feature	Status	What it did
Topics API	retired	Browser-derived interest categories for interest-based ads.
Protected Audience API (PAAPI)	retired	On-device auctions for remarketing, formerly FLEDGE.
Attribution Reporting API	retired	Privacy-preserving conversion measurement.
IP Protection	retired	Proxying third-party requests to mask user IPs.
Private Aggregation	retired	Aggregate-only measurement for ads.
Related Website Sets	retired	Letting a single owner declare related sites that could share cross-site state.
On-Device Personalization	retired	Android on-device personalisation primitives.
Protected App Signals	retired	App-derived signals for in-app ads.
CHIPS (Cookies Having Independent Partitioned State)	alive	Per-top-level-site partitioned third-party cookies. Lets embedded widgets keep state without cross-site tracking. Mark with `Partitioned` attribute.
FedCM (Federated Credential Management)	alive	Browser-mediated federated sign-in (Google, Apple, etc.) without third-party cookies. Actively maintained.
Private State Tokens	alive	Anti-fraud / anti-bot signals issued by one site and redeemed by another, without revealing identity.
Third-party cookies	alive (but degrading)	On by default in Chrome. Off by default in Safari and Firefox. Increasingly blocked by extensions and enterprise policies.

What "cookies still work" actually means

Don't confuse "the deprecation didn't happen" with "nothing's changed". Third-party cookies are quietly degrading even where they're technically still allowed:

Safari blocks third-party cookies entirely. Has done since 2020.
Firefox blocks third-party cookies entirely by default since 2022.
Chrome on iOS uses WebKit, so behaves like Safari.
Ad blockers remove the third-party requests altogether before cookies even matter.
Enterprise managed Chrome often blocks third-party cookies via policy.
Chrome users who toggle the setting (the choice surfaced in 2024) tend to skew toward blocking.

Empirically, "third-party cookies set on a Chrome user" is reachable for roughly 40–60% of US web traffic in 2026, depending on industry. The number was closer to 70–80% in 2023.

What to do, by job

If you operate a website with embedded widgets (chat, video, comments)

Add the Partitioned attribute to any third-party cookies your embeds set. With CHIPS, the cookie is stored in a partition keyed to the top-level site, so the widget keeps state without being a tracking vector.
Use FedCM instead of third-party cookies for embedded sign-in flows. The 2025–26 maturation made it production-ready.
Assume third-party cookies will be blocked for a meaningful share of users. The widget needs to degrade gracefully — read-only mode, in-iframe login prompt, etc.

If you build ad-tech or measurement

Stop investing in Topics or PAAPI integrations. They were shipped, then retired. Anything built on them will need to be replaced anyway.
Server-side conversion APIs (Conversions API, Enhanced Conversions, etc.) are now the de facto measurement path. They use first-party data hashed and uploaded server-to-server.
Contextual targeting is back. It's not novel — it's pre-cookie advertising — but it works in the absence of stable cross-site identifiers.
Modeled conversions and incrementality testing have become standard, partly to handle the measurement gap.
First-party data matters more than ever. The website you own, the email list you own, the loyalty programme you own.

If you build an authentication or identity product

Adopt FedCM as the supported path for browser-mediated federated sign-in. It's the only piece of the original Privacy Sandbox vision that has both shipped and stuck.
Passkeys have moved into the mainstream over 2024–2026 and are the most concrete replacement for "log in with password + remember-me cookie". They live on the authenticator, not in a cookie. If you want to try one in your browser, our Passkey Tester registers and verifies a real WebAuthn credential in-page.
OAuth/OIDC redirect flows still work — they don't depend on third-party cookies.

If you build for privacy-conscious users

The "fingerprint" story matters more as cookies decline. Our Browser Fingerprint tool shows what your browser leaks without any cookies set.
IPs are still the silent identifier. Use What's My IP and DNS Leak Test to see what's exposed even on a fresh profile.
Permissions matter. Many APIs that don't need cookies still expose identifying info. Audit with the Browser Permissions Inspector.

The big-picture lesson

Privacy Sandbox didn't fail because the engineering was bad. It failed because trying to replace cookies with browser-managed primitives — while also keeping the browser vendor's own ad business healthy — was a position no one trusted. Regulators distrusted it. Advertisers distrusted it. The open-web standards community distrusted it. The result, in 2026, is messier than either the cookie absolutists or the Privacy Sandbox optimists predicted in 2020.

For builders, the message is: don't bet on third-party cookies, don't bet on Privacy Sandbox API replacements either, and bet instead on the boring stuff — first-party data, server-side measurement, partitioned cookies for legitimate cross-site state, FedCM and passkeys for identity, and contextual signals for ads.

Useful primary sources

Privacy Sandbox: Update on Plans for Privacy Sandbox Technologies (Oct 2025) — Google's own retirement announcement.
Privacy Sandbox — Wikipedia
CHIPS documentation — partitioned third-party cookies.
FedCM API — MDN