Partitioned cookies, or CHIPS, could be an elegant solution to deprecating third-party cookies. But how do they work? And what problems do they solve?
Why it matters — CHIPS offers the technical integration of third-party cookies but with the privacy protections of site-scoped access to data. This lets first parties work with vendors to manage their first-party data with reduced data leakage risk. But how do they work, and when should we ask for a side of CHIPS?
TripleLift is active in the various W3C (World Wide Web Consortium) working groups. The Improving Web Advertising Working Group, the Privacy Community Group, and the Private Advertising Technologies Working Group (PATCG).
Some are well-known proposals, like FLEDGE and PARAKEET. Still, one that hasn’t received as much attention is the Cookies Having Independent Partitioned State or CHIPS proposal in the Privacy Sandbox.
What is CHIPS?
CHIPS is part of Google Chrome’s efforts to deprecate support for third-party cookies. It’s a middle ground that permits third-party cookies to operate, but not across sites.
Today, third-party cookies permit the owner to see the same cookie ID across different sites the user visits. This lets the third party see that it’s the same user across multiple sites. CHIPS proposes the browser instead isolate the third-party cookies through the first-party scope. From the third-party perspective, their third-party cookies still permit them to identify users within a site. But they can no longer link the users across sites.
Why Permit Some Third-Party Functionality?
The CHIPS proposal outlines three core use cases CHIPS should enable:
- SaaS providers offer as a widget to a publisher that requires identifying different users within the scope of the first party but not across sites.
- Headless Content Management System providers, such as platforms, make it easy to manage blog content as a service. At the same time, let the first party control the actual blog content presentation on their first-party page.
- Sandbox domains serve untrusted user content, such as googleusercontent.com, a domain where Google users can upload content. Therefore, Google wishes to ensure the user-uploaded content can never be accessed by the cookies in the google.com domain.
Limitations and Implementation of CHIPS
To set cookies partitioned to the first party, third parties should add the new “Partitioned” attribute to the cookie. This signals to the browser the third party expects and intends to scope the cookie to the current first-party domain. Chrome proposes all partitioned cookies must be secure, including the Secure attribute and __HOST prefix.
The CHIPS proposal is, on balance, an elegant solution. By continuing to rely on the technical rails of third-party cookies but limiting their scope to single sites, CHIPS threads the needle to help third parties move towards the first-party-scoped contexts for cookies that we expect to see when the Privacy Sandbox is fully implemented for all cross-site channels.