At first glance, it sounded like an accommodating change. In reality, it's far from clear whether it truly gives privacy groups anything. First, giving up the 2038 date was easy, given that it's highly likely the Google cookie of today (or of a few years ago) will be entirely irrelevant to the Web user of 2038.
Much more importantly, though, is the practical impact today. That 2-year clock doesn't start ticking until the individual's last visit to Google. If they search for anything or follow a link from anywhere that happens to land on Google, the clock starts up again. The user doesn't have to visit Google once a week or once a month. If they visit just once within two years, they're back to square one.
Peter Fleischer, Google's privacy counsel (guess that's like being the environmentalist advocate reporting to James Watt or perhaps being the Public Librarian Delegate to Amazon.com), pointed out that users should always remove their own cookies themselves. "We were mindful of the fact that users can always go to their browsers to change their cookie management settings, e.g. to delete all cookies, delete specific cookies, or accept certain types of cookies (like first-party cookies) but reject others (like third-party cookies)," Fleischer said in a Google blog post.
Of course, very few consumers bother to deal with cookie cleanup.
Also, in the world of privacy problems and Google, the expiration of a cookie is a minor matter. Any cookie data older than two years is probably worthless to an advertiser anyway?another reason this wasn't an especially generous concession?and there are many more significant privacy threats.