Google has announced another delay to its long-promised plan to eliminate third-party cookies in Chrome, framing the decision as a reflection of its commitment to giving users more control over tracking technologies rather than enforcing a complete shutdown.
This marks the second major reversal of its original Privacy Sandbox timeline, first unveiled in 2019.
In an update published yesterday, Anthony Chavez, VP of Privacy Sandbox, cited the evolving regulatory landscape and varied feedback from developers, advertisers, and global regulators as core reasons for the shift. Rather than pushing out a new prompt or forcing cookie changes, Google will continue offering users choices through existing Privacy and Security settings in Chrome.
The decision reflects the ongoing difficulty of balancing privacy improvements with the economic realities of the ad-supported web. Industry stakeholders have expressed concerns about disruption, while privacy advocates continue to criticize Google for lagging behind competitors like Safari and Firefox, which have blocked third-party cookies by default for years.
Despite this change in direction, Google will continue to invest in the Privacy Sandbox APIs and seek new ways to strengthen tracking protections, especially in Chrome’s Incognito mode.
While the cookie deprecation has been pushed back, Google is moving forward with another privacy enhancement: IP Protection, a feature first announced in 2023. The company now plans to roll it out in Chrome’s Incognito mode sometime in Q3 2025, starting with desktop and Android platforms.
IP Protection is designed to limit the use of IP addresses for cross-site tracking by masking a user’s original IP when they visit certain domains in a third-party context. These domains, which appear on a curated Masked Domain List (MDL), include advertising, marketing, and analytics services known for tracking users across sites.
To achieve this, Chrome will route third-party traffic through a two-hop proxy system — with the first proxy operated by Google and the second by an external CDN. This architecture ensures that no single proxy has visibility into both the user’s identity and destination, preserving anonymity while maintaining necessary functionality like geo-targeting and anti-fraud measures.
IP Protection retains coarse geolocation accuracy by assigning IP addresses that reflect the user’s general region. The feature uses RSA blind signatures, short-lived authentication tokens, and rate limits to prevent abuse of the proxy network. Additionally, websites will have access to probabilistic revealed tokens, which offer a limited and delayed mechanism for fraud detection.
The feature will only be active in Incognito mode for users signed into Chrome with a Google account. Enterprise-managed browsers will have it disabled by default, and availability will start in select regions before expanding more broadly.
Leave a Reply