Over the last few years, third-party cookies have found their way into the minds of many web owners and internet users more than ever. Before GDPR, cookies set by another domain were not scrutinized this way. Advertisers and third-party providers got away with collecting personal data and monitoring users’ online activities without any consequence. In this article, we will third-party cookies in detail, why they have become a cause of worry for publishers and advertisers, and finally, the solution to use them without breaking any law.
(Free 14-day trial. Cancel anytime)
What are third-party cookies?
To understand what third-party cookies are, we must first get to know the differences between first-party and third-party cookies.
First-party vs third-party cookies
First-party cookies are usually generated and placed on the user’s device by the website that the user is visiting. Such cookies are often used for facilitating user experience and some core functionalities of the site. For e.g. first-party cookies can identify returning visitors so that they do not have to use the username and password to log in on successive visits. They are usually harmless since they do not “spy” on the users. Some analytics tools use first-party cookies to gather analytics data. These, however, may sometimes require deliberation.
Third-party cookies are generated and placed on the user’s device by a different website other than the one the user is visiting. They are created when a user visits a website that includes elements from other sites, such as third-party images or ads. If a server hosting one of these elements responds to the request by setting a cookie, that cookie is stored on the user’s browser.
E.g. If the user plays an embedded YouTube video on a website, the YouTube server will set cookies on their device. These cookies track user preferences and suggest similar videos when they visit YouTube.
How are third-party cookies created?
This JS file stores cookies in the user’s browser so that the analytics tool can track their activities.
It’s important to note that loading the third-party script and storing the cookies must be contingent on the user’s consent. If the user declines to use such cookies, the website must block the script.
How do third-party cookies work?
Have you ever wondered how ads seem to follow users around the internet? The answer lies in third-party cookies.
Imagine users are browsing a website selling sunglasses and check out some stylish aviators. They don’t buy them yet, but move on to a different website, let’s say a news channel. Suddenly, they start seeing ads for similar aviators and other sunglasses on the news website and various other websites they visit, even though they never searched for them there.
Here’s how third-party cookies made that happen:
- When they visited, the sunglasses website placed a first-party cookie on their device to remember their browsing activity within the site (e.g., viewed aviators).
- The sunglasses website also uses an invisible advertising service, which placed a third-party cookie on user’s device. This cookie doesn’t say “sunglasses website,” but it tracks their general browsing behavior.
- As the user visit other websites across the web, the same advertising service can access the third-party cookie it placed and see the user’s interest in sunglasses (based on the sunglasses website visit).
- The advertising service uses this information to show the users targeted ads for similar aviators and other sunglasses on other websites, even though they never directly searched for them there.
So, the third-party cookie acted like a tracker, connecting the user’s browsing activity across different websites and allowing advertisers to serve targeted ads for sunglasses despite them not actively searching for them.
Here is an illustration of how third-party cookies work:
While third-party cookies are often associated with targeted advertising, they have other roles in enhancing user experience and functionality across various applications. Let’s explore two common examples:
- Live chat for seamless support: Imagine users are browsing a complex website and need quick assistance. They initiate a live chat session. To remember their conversation history and preferences, the chat service might store a third-party cookie on your browser. This cookie isn’t about tracking their browsing habits elsewhere; it simply enables the chat application to function properly, offering a personalized and convenient support experience.
- Social sharing made easy: Suppose the user come across an insightful article on a website and want to share it with their network. With social media plugins embedded on the page, they can seamlessly share it with a click. These plugins often use third-party cookies to streamline the process. The cookie identifies their social media account and streamlines the login process, saving them the time and effort.
What are the pros and cons of using third-party cookies?
Here are the pros and cons of third-party cookies:
- Personalized advertising: They can enable advertisers to personalize ads based on a user’s browsing history, interests, and demographics, making ads more relevant to the user.
- Better user experience: Theys can help websites remember user preferences and login information, which can improve the user experience.
- User analytics: They can help website owners understand how users are interacting with their site, which can help them to improve its performance.
- Privacy concerns: Third-party cookies can collect a significant amount of personal information about a user, such as their browsing habits, which can be used to create detailed profiles of users.
- Security risks: They can also be used for malicious purposes, such as tracking users to steal their personal information or to deliver malware.
- Lack of transparency: Many users are not aware that third-party cookies are being used to track their activity across the web.
Are third-party cookies bad?
While third-party cookies are not inherently bad. Their use for tracking and targeted advertising has caused them to be viewed negatively by users concerned with privacy. Their absence does not typically affect a website’s core functionality, leading some to question their necessity. However, from a marketer’s perspective, these cookies are incredibly useful, allowing for personalized advertising and user tracking. Additionally, some websites rely on these cookies for essential services, meaning that their removal could cause a site to break. Ultimately, the debate around third-party cookies comes down to their application and the control users will have over their usage.
How to check if your website uses third-party cookies?
Checking for third-party cookies on a website is the same as checking for any cookies. You can either do it manually using your browser settings or use a free online cookie checker tool.
For checking manually, the methods slightly vary in different browsers.
If you use Chrome, press Ctrl + Shift + I and select: Application > Storage > Cookies
Check the domain of the cookie list. If the domain is different from the website you are currently visiting or managing, then you can confirm that they are third-party cookies.
Similarly for Firefox and Safari, you can open the developer console (inspect element) and check for cookies.
For detailed instructions, click here.
Online cookie checkers are much better and faster than the traditional browser method. Other than that, you will get a detailed scan report with a list of all cookies set by the website.
What do GDPR and CPRA say about third-party cookies?
While GDPR and CPRA do not provide a detailed discussion of cookie regulation, they do include cookie identifiers in their definition of personal data (or personal information) that is subject to the law. Data collected by cookies can be categorized as personal data if they can be used to identify the user, making third-party cookies subject to GDPR and CPRA regulations.
Under GDPR, websites cannot store third-party cookies without the user’s consent. If a user denies consent, the website must block the cookie and cannot load the cookie script before receiving consent. To obtain GDPR cookie consent, websites must follow certain legal practices, including
- informing users about third-party cookies in plain language
- providing clear choices to accept or decline all cookies
- allowing users to give consent to cookies by categories
- letting users withdraw cookie consent at any time and blocking the cookie script immediately upon withdrawal
On the other hand, CPRA does not require websites to get consent for cookies but mandates that websites offer an opt-out option for users. The website must provide a “Do Not Sell or Share My Personal Information” link to opt-out of cookies that sell personal information. CCPA also requires websites to include a privacy or cookie notice to inform users in detail about third-party cookies and their purpose.
Block third-party cookies automatically
Auto-block third-party cookies before obtaining consent and manage compliance easily and for free!Try free cokie consent
Free 14-day trialCancel anytime
Are third-party cookies being phased out?
In January 2020, Google announced that it will be phasing out support for third-party cookies in Chrome by 2022. They stated, “Users are demanding greater privacy–including transparency, choice and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”
Since then, the tech giant has postponed the implementation twice already, with the latest one being until second half of 2024.
The third-party cookie ban is part of Google’s larger scheme to enhance privacy as it followed after the launch of its new initiative known as Privacy Sandbox on August 22, 2019. Privacy Sandbox sets new standards for privacy on the web and introduces five browser APIs to protect user privacy and make content open and accessible at the same time, without the use of third-party cookies. These APIs will help the websites with ad selection (without cross-site tracking), conversion measurement, and fraud prevention, while still maintaining the anonymity of the users.
Google Chrome is not the first internet browser to do this. Earlier, Apple’s Safari and Mozilla Firefox also phased out support for third-party cookies.
Google’s decision to eliminate third-party cookies received a mixed reaction. While this was a welcome step to protect user privacy, it will adversely affect the ad tech companies, especially the smaller ones. According to Statcounter, the global market share of Chrome is about 66% in October 2022.
While this may affect other ad tech firms, Google will continue to track users using its advanced technologies.
What happens to consent banners after Chrome’s phase-out?
After Google’s decision to phase out third-party cookies, one question that remains is what will happen to cookie consent banners. The answer to this question depends on whether or not third-party cookies are the only type of cookies that collect personal data.
However, it’s important to note that the future of the cookie consent banner will remain intact even if third-party cookies are eliminated. Google is only phasing out cookies generated by domains other than the one the user is visiting. If your website generates cookies that collect personal data, you must still obtain user consent. Some websites may have their own analytics system that uses first-party cookies to collect user data. Unless the data is statistical aggregate data, you must obtain user consent to place cookies on their devices.
Unless the cookie is “strictly necessary,” you may still need consent to use it. Regardless of what cookies your website uses, it’s essential to inform users about them. A cookie banner is an effective solution for this. You still have more than a year before Google Chrome completely phases out third-party cookies, so you have time to use them carefully and according to data privacy regulations. You can also look for alternative options that ensure safe and best privacy practices.
Therefore, it’s clear that cookie consent banners are here to stay for a long time.
What are some alternatives to third-party cookies?
If not third-party cookies, then what? There are many alternatives to third-party cookies, but remiane dunder the shadow of third-party cookies.
Other than Google’s Privacy Sandbox APIs, here are three technologies that publishers and advertisers can use as a replacement to third-party cookies:
First-party data is data that you collect directly from your users, such as email addresses, contact number, demographic information, purchase history, etc. They are collected from website forms, surveys, website or app interaction. This data will give you a better understanding of your users and help you create personalized and targeted marketing campaigns.
Contextual targeting is a type of online advertising that delivers ads based on the content of the webpage that a user is viewing. You can choose keywords or topics that match their ads to relevant sites. E.g. if a user is reading an article about laptops, they might see an ad for a new laptop model.
These ads are more likely to be relevant to the user’s interests, which can make them more effective. Additionally, contextual targeting is a more privacy-friendly alternative to third-party cookies, as it does not require tracking users across websites.
Device fingerprinting is a process of collecting device information and settings information, like IP address, operating system, language, installed plugins, etc to create a “fingerprint.” This fingerprint is used to improve user experience or track user activity. Compared to third-party cookies, digital fingerprinting is muhc more effective and secure.
Frequently asked questions
Is it safe to allow third party cookies?
If you are not comfortable with third-party platforms or services tracking your online movement and monitoring your preferences for purposes like targeted advertising, then you should not allow third-party cookies.
Should I accept third-party cookies?
Accepting third-party cookies means allowing other websites, which you may not have even visited, to collect your data or monitor your browsing activity. However, blocking some websites may cause some of their services to break, as a lot of them rely on third-party providers. Nonetheless, blocking third-party cookies is a preferred practice for privacy reasons.
Should you block all third-party cookies?
Blocking or removing third-party cookies is easy, as all major web browsers provide this option.
As an internet user, whether or not you should block or remove third-party cookies depends on how you feel about being tracked by external sources. If you are comfortable with your browsing activity being monitored and receiving personalized advertisements, or if you don’t mind websites collecting your data for analytics, then you don’t need to block them. In fact, some of these cookies can be useful in providing a better internet experience. However, if you are privacy-conscious and dislike the idea of being tracked, you should consider blocking (or removing) such cookies.
What happens when you block third-party cookies?
Blocking third-party cookies will prevent websites from placing any cookies related to a third-party server on your device. This means they cannot track your online activity to deliver their services, like advertisements. It also means that some services may remain inactive or broken, or even break some parts of the website.
How to enable third-party cookies?
Enabling cookies on your web browser is easy.
To enable cookies in Google Chrome, open the Menu list from the top-right corner and select:
Settings > Privacy and security > Cookies and other site data > Allow all cookies
Firefox blocks third-party cookies by default. However, if you want to enable third-party cookies for specific sites in Firefox, click the shield icon on the address bar and turn off the Enhanced Tracking Protection is ON for this site toggle switch for the website. Or, you can go to the menu list from the top-right corner and select:
Settings > Privacy & Security > Choose Custom protection mode > uncheck Cookies checkbox to request Firefox to not block cookie scripts.
In Safari, you can allow all cookies and cross-site tracking which will enable third-party cookies.
Safari > Preferences > Privacy > uncheck Website tracking and Cookies and website data
To enable third-party cookies on iPhone:
Settings > Safari > PRIVACY & SECURITY > disable Block All Cookies and Prevent Cross-Site Tracking.
How do I know if my cookies are third-party?
To check if your cookies are from a third party, use the browser’s developer console, where you can check the domain that sets the cookies. If it is not the same as your website domain, then it is a third-party cookie. Alternatively, you can use an online cookie scanner to scan and identify the cookies. The scanner will crawl through the website, activate all cookies, and then categorize them based on their properties, so you can know which cookies are third-party.
Does Google use third-party cookies?
Will Google Analytics work without third party cookies?
Yes, Google Analytics will work without third-party cookies. In 2020, Google announced that the “new Google Analytics” will use machine learning to gather analytics and analyze customers’ journeys. The privacy-centric design will make it adaptable to work with or without cookies.