The industry spent six years preparing for a future that arrived in the worst possible shape: cancelled.
Google launched the Privacy Sandbox in 2019 as the replacement plan for the third-party cookie in Chrome. Ad tech companies rebuilt measurement systems around it. Publishers tested new monetization. Standards bodies argued over its APIs in working groups. Then on 17 October 2025, Google retired most of the project. Ten technologies were discontinued, including the Topics API, the Protected Audience API, and the Attribution Reporting API, the three pieces that were supposed to do the actual work of interest-based targeting, remarketing, and conversion measurement without cookies. Three smaller utilities survived: CHIPS, FedCM, and Private State Tokens.
Here is the strange part. The cookie did not go anywhere. Google had already abandoned its deprecation timeline in July 2024 and scrapped the user-choice prompt in April 2025. So the cookie still works in Chrome, and the replacement APIs the industry built toward are gone. Advertisers were left with neither the clean new system nor a stable old one. We cover the cookie reversal itself in the cookie that did not die. This piece is about the harder question: how you actually resolve identity and target an audience now.
Origin: why a single replacement was always the wrong dream
When the cookie's decline began, the industry wanted one thing. A single privacy-safe universal identifier that would slot into the space the cookie vacated and let everything else keep working. That dream shaped years of roadmaps. It was never realistic.
The reason is that the third-party cookie was never a clean piece of engineering. It was an accident of how browsers handled state in the 1990s, repurposed into a cross-site tracking layer it was never designed to be. It worked because it was everywhere and free, not because it was good. A Google partner, Criteo, tested the Topics API for a year and found it roughly five times less effective than the cookie it was meant to replace. That gap is the whole story. Nothing matches the cookie's combination of reach and zero cost, because nothing else gets that reach for free.
So the cookie's slow failure was never going to produce one heir. It was going to fragment into a set of methods, each strong in one place and weak in others. That fragmentation is not a temporary mess on the way to a tidy solution. It is the solution.
Present: signal loss is real, and the toolkit is a portfolio
Start with the thing that did not change. Even with the cookie alive in Chrome, addressability is genuinely decaying. Safari and Firefox have blocked third-party cookies for years. Apple's app tracking rules cut off most mobile IDs. Comscore's measurement found that 54 percent of mobile impressions and 36 percent of desktop impressions carry no identifier at all, not a cookie and not an alternative ID. Roughly 35 percent of US browsers block third-party cookies by default. ID-free inventory is not the exception anymore. It is most of the open web.
That is why the practitioner question, "did the cookie thing actually happen," has a frustrating answer: the deadline was cancelled, the signal loss was not. So advertisers run a portfolio. Six tools, each doing a different job.
First-party data is the foundation. This is the data you collect directly from your own customers with their consent: logged-in accounts, purchases, email subscribers, app behavior. It does not depend on any browser policy because it never left your systems. Salesforce's tenth State of Marketing report found that customer insight, first-party, and transactional data are the three sources marketers lean on most, named by 84 percent of them, yet only 26 percent said they were completely satisfied with their ability to unify customer data across sources. That gap matters. First-party data is the base every other method builds on, and most companies have collected it without making it usable. We cover building it properly in a separate piece; here the point is that nothing downstream works well if this layer is weak.
Authenticated identifiers turn logged-in emails into a portable signal. This is where Unified ID 2.0 and ID5 sit. Unified ID 2.0, built by The Trade Desk and now run as an open framework, takes a hashed, encrypted email or phone number that a user provided when they logged in and converts it into a token that publishers, DSPs, and advertisers can match on without passing raw personal data around. Users can opt out through a single portal. ID5 does similar work with a graph that connects identifiers across sites.
The honest number here is reach. These IDs only exist where a user has logged in, and most of the web is logged out. ID5's own 2025 State of Digital Identity report found that fewer than 30 percent of publisher users are logged in or registered. LiveRamp advises publishers to aim for at least 30 percent authentication as a realistic target, and an executive quoted by AdExchanger put it plainly: it is unrealistic to expect the whole web to authenticate. Authenticated IDs are deterministic and accurate where they reach. They simply do not reach most impressions. Adoption is real, though. The Trade Desk has publicly claimed that around three quarters of the third-party data ecosystem now carries UID2 in some form, and ID5's survey found a majority of respondents using alternative IDs to address otherwise non-addressable traffic.
Probabilistic and modeled identity fills the gaps the deterministic methods leave. When there is no email and no ID, you can still make an educated guess. Probabilistic matching uses signals like IP address, device type, operating system, and behavior to estimate that two impressions belong to the same person or household. The tradeoff is exactly what it sounds like. Deterministic matching links profiles through a shared real identifier, so it is close to certain where it works; probabilistic matching reaches far more inventory but is an inference, with accuracy that swings with data quality. The mainstream approach now is a layered graph that uses deterministic links where they exist and probabilistic modeling to extend reach, with machine learning doing the matching. This is the part of the post-cookie world that practitioners find uncomfortable. You are targeting and measuring against models, not certainties.
Data clean rooms let two parties collaborate without either handing over raw data. A clean room is a controlled environment where a brand and a publisher, or a brand and a retailer, can match their datasets and get aggregate results without either side seeing the other's personal records. Adoption has climbed: an IAB survey found around 66 percent of organizations using clean rooms in some capacity, with retail media driving much of it. The limits are real too. The same research found 39 percent of users struggle to get actionable insights out of them, and only 48 percent of US retail media networks offer clean room capabilities at all. The category also consolidated hard. LiveRamp acquired Habu, WPP acquired InfoSum, and the cloud platforms moved in, with AWS and Snowflake and Google Cloud offering clean room functionality as a feature. The term is fading into the broader language of data collaboration, but the technique is now standard plumbing. Our data clean rooms explainer goes deeper on when to use one.
Contextual targeting never needed identity, and it is genuinely back. Contextual places an ad based on the content of the page, not the history of the person. It went out of fashion when behavioral targeting promised precision. Now it is returning, and not as a fallback. Comscore's research found 41 percent of marketers name contextual as their primary targeting approach, almost level with first-party data at 40 percent, and 54 percent planned to increase contextual spend. The revival has substance because the technology improved. Modern contextual uses natural language processing and computer vision to read page meaning, sentiment, and imagery, not just keywords. The performance case has caught up with it too: industry research compiled by Eskimi cites GumGum work showing contextual campaigns running at roughly 48 percent lower cost per click than behavioral targeting, and a GumGum survey in which 94 percent of consumers said they prefer ads matched to the content they are reading over ads based on their browsing history. Contextual will not do suppression or frequency capping, the jobs that need to know who someone is. For reaching the right mindset on ID-free inventory, it is the strongest tool in the set.
The walled gardens sit above all of this, and they win from it. Google, Meta, Amazon, and TikTok run on their own logged-in identity. Their users authenticate by default, so these platforms never depended on the third-party cookie for targeting inside their own walls. Every trend above, the rising value of first-party data, the move to authenticated identity, the spread of clean rooms, plays to their advantage, because they have the most logged-in users and the cleanest first-party data on the internet. Signal loss on the open web is, in effect, a transfer of pricing power to the closed platforms.
Future and impact: a managed portfolio, not a fix
The near-term reality is a market that has stopped waiting for rescue. ID5's survey found 91 percent of respondents implementing or testing alternative solutions, and the spread of methods they use, alternative IDs, private marketplaces, clean rooms, publisher IDs, contextual, shows a market integrating several approaches at once rather than betting on one.
Three things follow for anyone making decisions.
First, interoperability is now the constraint. Unified ID 2.0, ID5, RampID, and the rest do not freely translate between each other. MarTech's analysis of identity in 2026 describes a multi-ID ecosystem where marketers must support several frameworks to hold reach. The cost of fragmentation did not disappear with the Sandbox. It moved into the work of stitching identifiers together.
Second, measurement gets harder before it gets easier. When more than half of impressions carry no identifier, deterministic attribution covers a shrinking slice of activity. The honest response is to lean on modeled measurement, marketing mix modeling and incrementality testing, alongside whatever deterministic signal you still have. The post-cookie world is more modeled in measurement, not only in targeting.
Third, the agentic shift raises the stakes on clean, structured data. AI systems are moving into media buying, planning, and optimization, and they perform only as well as the identity and audience data feeding them. An autonomous buying agent that resolves identity against a thin first-party base and a noisy probabilistic graph will make confident, fast, wrong decisions. Companies that built genuine first-party data foundations and disciplined consent will get more from agentic tooling than companies that did not. This is the practical reason the unglamorous work, the data layer, matters more now than the identifier debate. Perform Digital's work on agentic systems for enterprise starts from that premise: the model is only as good as the resolved, consented data underneath it.
The uncomfortable summary is the accurate one. There is no replacement for the third-party cookie. There is a portfolio, and running it is ongoing work, not a project with an end date. First-party data is the foundation. Authenticated IDs are precise but limited to logged-in reach. Probabilistic identity extends coverage at the cost of certainty. Clean rooms enable collaboration within real constraints. Contextual handles the ID-free majority. The walled gardens quietly benefit from all of it. The deterministic era, where a cookie followed nearly everyone for free, is over regardless of what Chrome does. What replaced it is messier, more modeled, and more dependent on data you own and govern yourself.
Council summary
This post argues that the Privacy Sandbox shutdown settled a question the industry kept refusing to face: there is no single heir to the third-party cookie, and there was never going to be one. The honest replacement is a six-part portfolio, first-party data as the foundation, authenticated IDs, probabilistic modeling, clean rooms, contextual, and the walled gardens that quietly profit from all of it, each strong in one place and weak elsewhere. The reader's takeaway is operational rather than reassuring: addressability decay is real even with the cookie alive, the work is now interoperability and modeled measurement rather than picking a winner, and the payoff has shifted to whoever owns and governs the cleanest first-party data. The piece earns its keep by naming the real tools, tracing each figure to a published source, and refusing the tidy-solution framing the category still wants. Council verdict: publishable.
Comments