TinyFish | Echoes

The Persistent State

The Cookie That Couldn't Be Killed

By Rina Takahashi— February 25, 2026

Feature image for article: The Cookie That Couldn't Be Killed

In 1994, a Netscape engineer needed websites to remember shopping carts. He made three small design choices: cookies would set silently, persist across sessions, and be readable across sites. Practical, almost obvious. Those same three properties turned out to be the exact foundation that behavioral advertising would later require at scale. By the time anyone tried to undo them, the cookie was load-bearing for an industry worth hundreds of billions of dollars. Google spent five years trying. The story of what happened is also the story of why it couldn't.

The Persistent State

The Cookie That Couldn't Be Killed

By Rina Takahashi— February 25, 2026

In 1994, a Netscape engineer needed websites to remember shopping carts. He made three small design choices: cookies would set silently, persist across sessions, and be readable across sites. Practical, almost obvious. Those same three properties turned out to be the exact foundation that behavioral advertising would later require at scale. By the time anyone tried to undo them, the cookie was load-bearing for an industry worth hundreds of billions of dollars. Google spent five years trying. The story of what happened is also the story of why it couldn't.

The Replacement Nobody Wanted

Google's Privacy Sandbox Asked an Industry to Volunteer for Worse Outcomes. The Industry Declined.

Google spent six years engineering a replacement for third-party cookies. The Privacy Sandbox moved ad targeting onto the device through Topics API, Protected Audience, and Attribution Reporting. Technically functional. Also, by every independent measure, significantly less capable than what it replaced.

Criteo's testing showed publisher revenue dropping 60%. Index Exchange measured CPMs falling by a third. Latency doubled. And the whole time, third-party cookies kept working fine in Chrome's 70% of the browser market.

By October 2025, Google began retiring the major APIs. The only survivors, CHIPS and FedCM, solved problems without asking anyone to sacrifice performance. Everything that required the ad industry to trade revenue for privacy died waiting for volunteers who never showed up.

The Replacement Nobody Wanted

Google's Privacy Sandbox Asked an Industry to Volunteer for Worse Outcomes. The Industry Declined.

Google spent six years engineering a replacement for third-party cookies. The Privacy Sandbox moved ad targeting onto the device through Topics API, Protected Audience, and Attribution Reporting. Technically functional. Also, by every independent measure, significantly less capable than what it replaced.

Criteo's testing showed publisher revenue dropping 60%. Index Exchange measured CPMs falling by a third. Latency doubled. And the whole time, third-party cookies kept working fine in Chrome's 70% of the browser market.

By October 2025, Google began retiring the major APIs. The only survivors, CHIPS and FedCM, solved problems without asking anyone to sacrifice performance. Everything that required the ad industry to trade revenue for privacy died waiting for volunteers who never showed up.

TAKE NOTE

Market consolidation: Criteo's CMA testing showed Google Ad Manager's share jumping from 23% to 83% under Privacy Sandbox, confirming fears of concentration

Repeated rejection: FLoC was abandoned in 2021 after browser-wide refusal; its successor Topics API met structurally identical resistance from the same players

Contractual erasure: IAB Tech Lab warned that embedding an ad server inside Chrome eliminated the contractual relationships governing programmatic advertising entirely

Missing pressure: Chrome's market share held steady throughout, so privacy concerns never became a forcing function that could override economic inertia

Split reality: Safari and Firefox already block third-party cookies by default, meaning the cookieless web exists everywhere except the dominant browser

The Shopping Cart Fix

We Solved a Shopping Cart Problem — A Fictional Interview About the Birth of the Cookie

The Shopping Cart Fix

We Solved a Shopping Cart Problem — A Fictional Interview About the Birth of the Cookie

Compounding Consequences

The Consent Layer That Can't Keep Up

A session-state mechanism from 1994 sits beneath a $900 million compliance industry. Cookie consent banners interrupt every site visit in Europe, powered by platforms that largely fail at what they promise. Each regulatory layer was built to manage the consequences of the one before it. The regulation meant to finally clean up the whole structure was recently withdrawn. What remains is a stack of workarounds, still compounding.

Compounding Consequences

The Split Web

The same mechanism also fractured the web along a seam most people never notice. Safari and Firefox block third-party cookies by default. Chrome does not. Which privacy architecture governs your browsing depends on which browser icon you tap. Advertisers now maintain parallel infrastructure for both regimes. The split exists because the original cookie was never replaced. Half the web removed it. The other half kept going.

Compounding Consequences

The Consent Layer That Can't Keep Up

A session-state mechanism from 1994 sits beneath a $900 million compliance industry. Cookie consent banners interrupt every site visit in Europe, powered by platforms that largely fail at what they promise. Each regulatory layer was built to manage the consequences of the one before it. The regulation meant to finally clean up the whole structure was recently withdrawn. What remains is a stack of workarounds, still compounding.

Compounding Consequences

The Split Web

The same mechanism also fractured the web along a seam most people never notice. Safari and Firefox block third-party cookies by default. Chrome does not. Which privacy architecture governs your browsing depends on which browser icon you tap. Advertisers now maintain parallel infrastructure for both regimes. The split exists because the original cookie was never replaced. Half the web removed it. The other half kept going.

Compounding Consequences

The Consent Layer That Can't Keep Up

A session-state mechanism from 1994 sits beneath a $900 million compliance industry. Cookie consent banners interrupt every site visit in Europe, powered by platforms that largely fail at what they promise. Each regulatory layer was built to manage the consequences of the one before it. The regulation meant to finally clean up the whole structure was recently withdrawn. What remains is a stack of workarounds, still compounding.

Compounding Consequences

The Split Web

The same mechanism also fractured the web along a seam most people never notice. Safari and Firefox block third-party cookies by default. Chrome does not. Which privacy architecture governs your browsing depends on which browser icon you tap. Advertisers now maintain parallel infrastructure for both regimes. The split exists because the original cookie was never replaced. Half the web removed it. The other half kept going.

Further Threads