In the summer of 1994, a 23-year-old engineer at Netscape named Lou Montulli was working on a mundane problem: shopping carts. The web had no memory. Every page load treated the visitor as a stranger. You could browse shoes, click "add to cart," and find them gone by the next page. Talking to a website, Montulli later wrote, was like talking to someone with Alzheimer's disease.

The obvious fix, a universal browser identifier, kept surfacing in discussions. Montulli rejected it. A universal ID would let sites compare notes and track browsing history across the entire web. So he designed something more constrained: a small piece of data that a server could set and a browser would send back on return visits. Session state for a stateless protocol.

Three properties made cookies practical. They set silently, because the interaction needed to feel seamless. They persisted across browser sessions, because a shopping cart that forgot itself when you closed the window wasn't useful. And third-party content could read them across sites, because that's how the web's linking model already worked. Small, reasonable choices for a real problem. Exactly the properties that a tracking economy would eventually run on.

By February 1997, the IETF working group drafting the formal cookie specification had already identified third-party cookies as a "considerable privacy threat." RFC 2109 specified that third-party cookies should be disallowed or disabled by default. But advertising networks were already using them in production. And the co-author of that standard, David Kristol, observed the bind plainly: browser makers earned their revenue from websites paying for server software. Those websites wanted third-party advertising. The advertising networks pushed back so hard that restrictions on third-party cookies were stripped from the working standard entirely.

Protections were restored in a revised specification published in 2000. Every major browser accepted third-party cookies by default.

Over the next two decades, the money followed itself. Cookies spread quietly across the web, readable by dozens and sometimes hundreds of third-party domains per site. As of 2019, they were present on over 80% of websites, and programmatic advertising built on cookie-based tracking accounted for 78% of US display and video ad spending.

Google's own internal testing that year showed what removing cookies would cost: an average 52% revenue loss for affected publishers. News sites lost 62%.

In January 2020, Google announced it would deprecate third-party cookies in Chrome within two years. Google held 67% of the browser market. It also operated the advertising infrastructure that would lose billions if deprecation succeeded. The company was, in effect, proposing to demolish a foundation while standing on it.

The deadline moved to late 2023. Then to late 2024. In January 2024, Google managed to disable cookies for 1% of Chrome users. The UK's Competition and Markets Authority flagged 39 concerns and ordered a pause. Google's own Privacy Sandbox testing showed programmatic revenue dropping 20% for Ad Manager publishers even with the replacement tools running, and 34% without them. Each delay had the same shape: a deadline approached, the replacement technologies couldn't match what cookies provided, and the constituency that would need to adopt the alternative was the constituency that would lose the most by doing so.

In July 2024, Google abandoned deprecation entirely in favor of letting users choose. April 2025, even the choice prompt was gone. October, most of the Privacy Sandbox APIs built to replace cookies were retired, citing low adoption.

Five years. Four deadlines. Zero cookies removed. In Chrome today, third-party cookies remain on by default. The toggle to disable them is in Settings, under Privacy and Security. It has been there, more or less, since Netscape added it in 1997.