Third-Party Cookie Deprecation in 2026: The Publisher Playbook for Cookieless Monetization, Consent, and Addressability

For a decade, the third-party cookie was the invisible rail that carried programmatic advertising. In 2026, it is finally being dismantled — not in the single dramatic switch-off that was promised, but in a messy, uneven transition involving browser-level changes, regulatory pressure, and a new generation of consent-driven addressability tools. For publishers, the question is no longer whether to prepare, but how fast. The revenue gap between publishers that adapt and those that do not is already measurable, and it widens every quarter. This playbook walks through what has actually changed in browsers and regulation, what is working as a replacement, and how to configure a consent and identity stack that preserves addressability without breaking compliance.

What Actually Happened to Third-Party Cookies

The full story is more complicated than the headlines suggest. The 2026 landscape is a patchwork, and every publisher configuration has to map to the browser share of its own audience.

Safari — Gone Since 2020

Apple's Intelligent Tracking Prevention has blocked third-party cookies on Safari since 2020 and has since tightened into one of the most aggressive anti-tracking postures of any mainstream browser. Safari is already a fully cookieless environment for cross-site tracking, and any addressability on Safari traffic runs through first-party identity, contextual targeting, or SKAdNetwork-style attribution.

Firefox — Blocked by Default Since 2019

Firefox's Enhanced Tracking Protection has blocked known third-party tracking cookies by default since 2019. The share of Firefox traffic that carries usable third-party cookie identity is effectively zero for most publishers.

Chrome — The 2026 Inflection Point

Chrome, the last holdout with meaningful third-party cookie coverage, is the browser where most of the change is happening in 2026. After years of delays, Google shifted to a user-choice model: users can continue to allow third-party cookies, but the browser nudges toward stricter settings and the Privacy Sandbox APIs are now the recommended mechanism for most ad tech use cases. In practice, this means third-party cookie availability on Chrome is shrinking steadily rather than disappearing overnight, and every publisher is running some mix of cookied and cookieless traffic within the same browser.

Edge and Others

Edge follows Chromium but layers on its own tracking prevention. Brave and other privacy-first browsers have been cookieless by default for years. The long tail of mobile in-app environments — where there are no cookies at all — has always been addressed through advertising identifiers (IDFA, GAID) that are themselves now largely opt-in.

The Privacy Sandbox in Practice

Privacy Sandbox is not a single replacement for the third-party cookie. It is a collection of APIs, each addressing one slice of the old use case.

Topics API

The Topics API lets the browser observe a user's browsing across sites, classify it into a limited set of interest topics, and expose those topics to advertisers. It replaces broad behavioral targeting without letting any single advertiser reconstruct a user profile. Topics is available and in real use in 2026, but the accuracy is lower than cookie-based behavioral targeting and most publishers combine it with other signals rather than relying on it alone.

Protected Audience API

Protected Audience — the evolution of what was originally called FLEDGE — handles remarketing. It runs ad auctions inside the browser so an advertiser can reach users who previously visited their site without those users being identified across sites. Adoption is uneven, with demand-side platforms at different stages of integration.

Attribution Reporting API

Attribution Reporting replaces cookie-based conversion tracking. It delivers event-level and summary reports with enough delay and noise to prevent user-level reconstruction. The trade-off is lower-fidelity attribution; publishers measuring performance need to recalibrate their dashboards and expectations.

What Publishers Should Configure

Most publishers in 2026 are running Topics and Protected Audience alongside their existing SSPs, letting the wrapper handle the routing. This does not require a rebuild of the ad stack — it requires configuration at the SSP and header-bidding level, and a CMP that correctly passes consent signals into the Sandbox APIs.

The Rise of First-Party Identity

The most consistent winner in the cookieless transition has been authenticated first-party identity. Publishers with registration walls, newsletter subscribers, or logged-in experiences have a structural advantage in the new environment.

Email-Based Identity Graphs

Hashed email, sometimes wrapped in a standardized identifier like UID2 or RampID, is the backbone of cross-site identity in the post-cookie world. The user authenticates once, the email is hashed locally, and the hashed identifier flows into bid requests as a user signal. Crucially, this only works for users who are logged in — and only where the publisher has valid consent to share the identifier for advertising.

Consent is the Gating Factor

An email-based identity signal without GDPR or CCPA consent is worse than no signal at all — it is a compliance liability. CMPs must explicitly gate identity signals behind the same purposes that govern third-party cookies: typically TCF purposes 1, 3, 4, and 7, plus any vendor-specific permissions for the identity provider itself.
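The gating described in the two paragraphs above, as an added example that is not code from any CMP or identity provider: the email is hashed only after the TCF consent data shows purposes 1, 3, 4 and 7 plus the identity vendor, and the function fails closed otherwise. It covers the TCF case only. Assumptions: the vendor ID `9999`, the `publisher.example` source, the shape of the returned signal, and the trim-and-lowercase normalisation are all hypothetical; the `tcData` fields follow the TCF v2 CMP API.

```javascript
// Added example: consent-gated hashed-email signal (not a vendor SDK).
// Node's crypto is used so the block runs offline; the lookup below works
// whether the file is loaded as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

const REQUIRED_PURPOSES = [1, 3, 4, 7]; // TCF purposes named in the article
const ID_VENDOR_ID = 9999;              // hypothetical ID of the identity provider

// Assumed normalisation: trim and lowercase. Identity providers publish their own rules.
function hashEmail(email) {
  const normalised = email.trim().toLowerCase();
  return nodeCrypto.createHash("sha256").update(normalised, "utf8").digest("hex");
}

// Evaluates a TCF v2 tcData object and returns { allowed, reason }.
function identityConsent(tcData) {
  // "cmpuishown" means the banner is still open: no decision has been made yet.
  if (!tcData || !["tcloaded", "useractioncomplete"].includes(tcData.eventStatus)) {
    return { allowed: false, reason: "no final consent signal" };
  }
  const purposes = (tcData.purpose && tcData.purpose.consents) || {};
  const missing = REQUIRED_PURPOSES.filter((p) => purposes[p] !== true);
  if (missing.length > 0) {
    return { allowed: false, reason: `purposes not consented: ${missing.join(",")}` };
  }
  const vendors = (tcData.vendor && tcData.vendor.consents) || {};
  if (vendors[ID_VENDOR_ID] !== true) {
    return { allowed: false, reason: "identity vendor not consented" };
  }
  return { allowed: true, reason: "ok" };
}

// Returns the user signal for a bid request, or null when consent is missing.
// The email is never hashed, stored or forwarded on the null path.
function buildIdentitySignal(email, tcData) {
  if (!email || !identityConsent(tcData).allowed) return null;
  return { source: "publisher.example", hashedEmail: hashEmail(email) };
}

// Constructed sample consent objects.
const consented = {
  eventStatus: "useractioncomplete",
  purpose: { consents: { 1: true, 3: true, 4: true, 7: true } },
  vendor: { consents: { 9999: true } },
};
const noPurpose4 = { ...consented, purpose: { consents: { 1: true, 3: true, 4: false, 7: true } } };
```

Logging the `reason` field next to the consent rate shows which purpose or vendor toggle is suppressing the identity signal.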

Logged-In Rate Is the New North Star

For publishers that monetize through advertising, the percentage of traffic that is logged in is now a revenue metric. Publishers are investing in soft-wall registration, newsletter capture, and reader loyalty programs not for editorial reasons but because logged-in traffic carries a meaningful CPM premium against anonymous traffic in a cookieless environment.

Seller-Defined Audiences

The IAB's Seller-Defined Audiences (SDA) specification lets publishers define and signal their own audience segments directly into bid requests, using a shared taxonomy. The publisher decides — based on its own first-party data — that a given user belongs to segments like Automotive Enthusiasts or Parents of Young Children, and that signal flows to every buyer without a cookie needing to cross any boundary.

Why SDA Matters

SDA converts a publisher's first-party editorial and behavioral data into programmatic value without exposing user-level data to the broader ecosystem. It is well-suited to publishers with strong editorial verticals and an existing analytics or DMP capability, and it is one of the few cookieless strategies that reward quality content directly.

Consent and SDA

SDA segments are still based on processing personal data and must flow through the CMP. The CMP should signal the relevant TCF purposes and any custom purposes the publisher has declared for its own audience-building activity.

Contextual Targeting — Quietly Resurgent

Contextual targeting — matching ads to page content rather than user history — has gone from being considered obsolete in 2018 to being a core strategy in 2026. Modern contextual vendors use natural-language models to understand page semantics at a depth that simple keyword matching never achieved, and contextual inventory routinely matches or outperforms cookie-based targeting on brand-safety-sensitive advertisers.

The Consent Advantage

Contextual targeting does not require user consent under most privacy regimes because it does not process personal data. For publishers with low consent rates or heavy EU and California traffic, contextual yield is often the highest-margin portion of the stack.

The Consent Configuration That Actually Works in 2026

A cookieless-ready consent stack in 2026 has several things that would have been unusual just two years ago.

Revenue Expectations and Reality

Early studies of the cookieless transition predicted catastrophic publisher revenue losses. The 2026 reality is more nuanced. Publishers that adapted their stacks — with strong first-party identity, SDA adoption, consent-aware Privacy Sandbox integration, and contextual as a floor — are reporting roughly flat yield against the cookie era, sometimes higher on consented, logged-in traffic. Publishers that did nothing and hoped to ride out the transition are seeing 20 to 40 percent declines in programmatic CPMs on Chrome traffic, which compound as cookie availability continues to shrink.

The Revenue Gap

The revenue gap between adapted and unadapted publishers is now the largest single source of programmatic variance in 2026. Closing it is not a matter of a single integration — it is a sequence of CMP, identity, SDA, and contextual decisions that reinforce each other.

A 90-Day Action Plan

The Outlook

Third-party cookies will not be missed once the transition is complete. The mature cookieless stack — consent-aware, first-party identity rich, seller-defined, and contextually intelligent — is arguably better for users, better for brands, and, for publishers that invest in it, better for revenue. The publishers who win in 2026 are the ones who stopped treating cookie deprecation as a compliance threat and started treating it as an addressability rebuild. The cookie era is ending. The monetization era that replaces it is not cookieless — it is consent-led.
