01What a Cookie Is — First, Get the Words Right

Before the discussion, let's be precise about the words. A cookie (= a small piece of data a website stores in a visitor's browser) comes in two broad kinds. If you blur this distinction and say "cookies are going away," the conversation goes crossways.

In other words, "the end of cookies" is, strictly speaking, the end of cross-site tracking. The convenience that stays within a single site remains; the mechanism by which another company shadows you from behind stops working — read it that way, and the rest of the discussion falls into order.

02How It Came to This — The Privacy Sandbox Current

The shrinking of third-party cookies is not one company's whim but the accumulated result of social pressure and the responses of browser makers. Safari (Apple) and Firefox (Mozilla) blocked third-party cookies by default at an early stage. Chrome (Google), which holds a large market share, has advanced its own work toward a phased removal and has published its framework of alternatives as the Privacy Sandbox (= a collective name for Google's set of technologies that try to make advertising work without identifying individuals).

The idea behind the Privacy Sandbox is to "make only the bare minimum of advertising work, without chasing individuals." Rather than letting ad companies hold individual-level behavioral histories, it aims to handle only classifications of interest inside the browser, or to aggregate results in a form that does not reveal any individual. The technical details and timing remain fluid and have shifted back and forth. So what matters here is not memorizing a particular feature name, but the fact that an irreversible current — "rebuild advertising on the premise of not tracking individuals" — has now set in.

Behind this current sits the law. Japan's Act on the Protection of Personal Information puts a brake on acquiring personal data, or providing it to third parties, in ways the person would not anticipate. Europe's GDPR (= the EU General Data Protection Regulation, General Data Protection Regulation, in force since 2018) strictly restricts tracking without consent and sets high fines for violations. Tracking is not ending because the technology changed. Society decided "please don't follow me without permission," and the technology is adjusting to that.

03First-Party Data — Trust You Received Yourself

When tracking can no longer be used, what comes to the center in its place is first-party data (= data a company received directly, with the other party's consent). Not behavioral histories bought from another company, but information the person handed over willingly through your own site, app, or inquiries. This becomes the foundation of marketing from here on.

First-party data is strong not only in terms of accuracy or volume. It is because the data itself is proof of a relationship of trust with the other party. Information someone gives thinking "I'm willing to tell this company" carries a different weight than a history collected without permission. Precisely for that reason, the side that receives it is required to handle it in a way that does not betray that trust.

Source 01

Membership / Login Data

"gave their name"

Attributes and interests the person handed over deliberately through registration or login. Not obtained by shadowing someone, but information the other party offered themselves.

Source 02

Inquiries / Document Requests

"came to ask"

A record of contacts made seeking product information or materials. The locus of interest is clear, and it becomes a clue to what should be delivered next.

Source 03

Behavior on Your Own Site

"chose to read"

Which articles were read on your own site, and what was compared. Because it is behavior within your own garden and does not span sites, it does not amount to tracking.

Source 04

Surveys / Consent Collection

"chose to tell"

Information collected with the person's consent after clearly stating the purpose. Because you tell them up front what it is for, it is unlikely to damage trust later.

What the four share is that the other party is handing it over "of their own will." Where tracking meant "collecting without their noticing," first-party means "entrusting with knowledge." This difference is not merely a difference of means; it is a difference in the very ethics on which marketing stands.

04The Return to Context — Not "Who," But "What Are They Reading Now"

The other center is contextual advertising (= a technique that places ads to match the content of the page currently displayed). To someone reading an explainer on diabetes, you show information in keeping with the context of that article. This requires no need to pin down "who" the reader is. What it looks at is the content of the page, not the person.

Contextual advertising is an old technique that existed before cookies. It was once set aside because "tracking-based advertising is more accurate." But as tracking became unusable, and generative AI became able to read the meaning of text deeply at the same time, this old technique has returned in a new form. AI precisely understands a page's subject, tone, and surrounding context, and adds only information that truly fits — advertising designed by "what context to stay close to" rather than "whom to chase."

Tracking type (third-party cookie)Context type (contextual)
Follows "who is this person" across sitesLooks only at "what is this page about"
Premised on accumulating individual behavioral historyWorks by content match, without identifying individuals
Heavy burden of consent and legal regulationLight burden, since it handles no personal data
Always haunted by concern over privacy harmEasier to gain the recipient's acceptance, since it "fits the context they are reading"

The context type has an advantage pharma cannot overlook. Medical and health information can touch a reader's medical history, the information that must be handled most carefully of all. Tracking always carries the danger of "chasing people by disease name" in this sensitive area. With the context type, you can provide information in keeping with the article's content without knowing who the person is. Not having to hold sensitive information translates directly into lower risk.

05Data Clean Rooms — Match Without Mixing

Once first-party data is at the center, situations arise where you want to "compare your own data against another company's data without revealing individuals." What is used here is a data clean room (= data clean room, an isolated mechanism where several parties bring data together, never showing each other the raw data, and can extract only aggregate results).

The name is imposing, but the idea is simple. Two companies each deposit their data in the same locked room. Matching happens only inside the room, and what comes out is only an aggregate result such as "how many people overlapped." The raw data itself is passed neither to the other party nor to yourself. It is a mechanism for obtaining only the answer you need, without exchanging information that can identify individuals.

That said, there is a caution behind the convenience. A clean room is a mechanism for "not revealing individuals," not an indulgence for "doing anything you like." Even in aggregate, an individual can be inferred if the count is extremely small. Matching that exceeds the scope of purpose or consent can become a use the person did not anticipate, even if you never see the raw data. What the mechanism protects is technical separation; the legitimacy of the purpose is guaranteed by people — not mistaking this order is what matters.

06Consent Management — The Checkpoint Called CMP

In a world without tracking, accurately recording "how far the person consented" and staying within that scope carries heavier meaning than ever. What carries this is the CMP (= Consent Management Platform, a consent management platform, a mechanism that handles the acquisition, recording, and withdrawal of visitor consent in one place). Think of it as the recording-and-control mechanism behind the "Do you consent to the use of cookies?" prompt that appears when you open a site.

The role of a CMP is not merely to display a consent button. It carries out the plain but indispensable work below.

What is essential here is that consent is not "done once you take it." Consent is a promise that continues within the relationship. If uses increase, ask again. If consent is withdrawn, stop promptly. A CMP is the checkpoint for keeping that promise, not a tool for slipping past the law.

07Practice in Pharma — Within Sensitive Information and Regulation

Let's bring all of this to the ground of pharmaceutical marketing. Pharma is a field where the shift to a world without tracking carries heavier meaning than other industries, because the information it handles — health and medical history — is the kind that demands the greatest care.

First, confirm the regulatory footing precisely. Advertising for medicines sits under the Pharmaceutical and Medical Device Act, and not mistaking the articles is a premise of trust. The prohibition of exaggerated advertising is Article 66, the prohibition of advertising pre-approval drugs is Article 68, and the provision of information for proper use is Article 68-2 — these three do not move even when the way data is collected changes. Furthermore, information-provision activity toward healthcare professionals sits under the Sales Information Provision Activity Guideline (= HanteiG, the Guideline on Sales Information Provision Activities for Prescription Drugs, notice of the Director-General of the Pharmaceutical Safety and Environmental Health Bureau, MHLW, 2018), and advertising expression is judged against the Standards for Fair Advertising of Drugs (= a yardstick set out as a notice from the Director of the Compliance and Narcotics Division, Pharmaceutical Safety and Environmental Health Bureau, MHLW).

On that basis, the practice of a world without tracking is built as follows.

Practice 01

Put the context type at the core

Deliver disease-awareness and healthcare-professional information along the context of the article, without tracking the reader. Make a design that avoids holding medical history — a piece of sensitive information — the basic form first.

Practice 02

Take consent carefully

In information provision to members, state the purpose clearly and obtain consent in a form that can be withdrawn. The trust of healthcare professionals and patients becomes, directly, the quality of the data.

Practice 03

Design not to handle special-care data

Medical history is special-care-required personal information, for which the Act on the Protection of Personal Information demands especially careful handling. Make "not collecting, not holding" the first move for risk avoidance.

Practice 04

Build regulatory checks into the process

Even with first-party, put what you send out through the review of the Pharmaceutical Act and HanteiG. Even if the data is your own, the yardstick for expression does not loosen at all.

A world without tracking is also a tailwind for pharma: Pharma has long been an industry that held strong ethical hesitation about handling medical history — a piece of sensitive information — through tracking. The abolition of third-party cookies is also a turning point where the institutional framework takes over that hesitation. Once "not chasing" becomes the standard, a design that holds no sensitive information is no longer a competitive disadvantage. Rather than competing on the precision of chasing individuals, you compete on the accuracy of fit to context and the depth of a relationship supported by consent — and this meshes directly with the essence of medicine as a good built on trust.

08Connections to Other Chapters on This Site

As the closing installment of the series, this piece connects to each of the earlier chapters as follows. Read together, the whole picture of a world without tracking rises into view.

In Closing

The end of third-party cookies is not a story of advertising technology growing one generation older. It is the event of society rejecting the very premise of "following without noticing." What the Act on the Protection of Personal Information and the GDPR showed is an order in which the person's will comes before accuracy or efficiency. Technology is being rebuilt to fit that order.

Two things come to the center in place of tracking. One is first-party data the person entrusted with knowledge and consent — itself proof of trust, and something that collapses in an instant if betrayed. The other is contextual advertising that stays close to context rather than to people — a design that responds precisely to the story being read now, without pinning anyone down. For pharma, this shift is at once a burden and a tailwind. A world where "not holding" the heaviest information of all — medical history — becomes standard meshes, at a deep level, with the essence of medicine as a good built on trust. The era of competing on the precision of tracking is over. From here, we rebuild marketing on the depth of a relationship supported by consent and on fidelity to context. From the next installment we enter a new series — AI Programming — beginning with the foundations of code generation.

Key Points — Three to Take Away
  1. "The end of cookies" is, strictly, the end of cross-site tracking. First-party cookies, such as those that keep you logged in, remain; the third-party cookies by which other companies chase individuals across sites stop working. Technology did not force the change — technology is adjusting to society's will, "please don't chase me without permission," as expressed in the Act on the Protection of Personal Information and the GDPR.
  2. The centers that replace tracking are two. First-party data (data the person entrusted directly with consent, as proof of trust) and contextual advertising (the old-yet-new technique of matching to a page's context rather than to the person). Because generative AI can now read the meaning of text precisely, the context type has returned at a practical level.
  3. In pharma, a world without tracking can be a tailwind. Because a design that "does not hold" medical history — special-care-required personal information — becomes standardized, the institutional framework takes over the hesitation about handling sensitive information. But the Pharmaceutical Act (exaggeration Article 66, unapproved Article 68, information provision Article 68-2) and HanteiG and the Standards for Fair Advertising do not loosen at all, even if the data is your own. Keeping the promise through consent management (CMP) is the premise.