Over the last few years, third-party cookies have found their way into the minds of many web owners and internet users more than ever. Before the GDPR, cookies set by another domain were not scrutinized this way. Advertisers and third-party providers got away with collecting personal data and monitoring user online activities without any consequence. We will cover third-party cookies in detail and how the privacy acts regulate them. We will also discuss what you need to do for the compliant use of such cookies.
(Free 14-day trial. Cancel anytime)
What are third-party cookies?
To understand what third-party cookies are, we must first get to know the differences between first-party and third-party cookies.
First-party vs third-party cookies
First-party cookies are usually generated and placed on the user’s device by the website that the user is visiting. Such cookies are often used for facilitating user experience and some core functionalities of the site. For e.g. first-party cookies can identify returning visitors so that they do not have to use the username and password to log in on successive visits. They are usually harmless since they do not “spy” on the users. Some analytics tools use first-party cookies to gather analytics data. These, however, may sometimes require deliberation.
Third-party cookies are generated and placed on the user’s device by a different website other than the one the user is visiting. Third-party cookies are created when a user visits a website that includes elements from other sites, such as third-party images or ads. If a server hosting one of these elements responds to the request by setting a cookie, that cookie is stored on the user’s browser.
E.g. If the user plays an embedded YouTube video on a website, the YouTube server will set cookies on their device. These cookies track user preferences and suggest similar videos when they visit YouTube.
How are third-party cookies created?
It’s important to note that loading the third-party script and storing the cookies must be contingent on the user’s consent. If the user declines to use such cookies, the website must block the script.
How do third-party cookies work?
Have you ever wondered how those pesky ads seem to follow you around the internet? The answer lies in third-party cookies. Let’s say you’re shopping for sunglasses online. As you browse different websites, the e-commerce site you visited stores a cookie on your browser. This cookie tracks your online behavior and collects data about your interests. Later, when you’re reading a news website, you may see ads for the sunglasses you were looking at earlier. This is because third-party cookies are used to place targeted ads based on your browsing history. Watch this example video:
Here is an illustration of how third-party cookies work:
Let’s explore another scenario where third-party cookies are utilized. When a live chat service is installed on a website, it may store cookies on the user’s browser to activate the application. Additionally, social media plugins installed on websites may utilize third-party cookies to enable users to sign in or share website content on social platforms. These examples demonstrate the usefulness of third-party cookies in enhancing user experience and functionality across various applications.
What are the pros and cons of using third-party cookies?
Here are the pros and cons of third-party cookies:
- Personalized advertising: They can enable advertisers to personalize ads based on a user’s browsing history, interests, and demographics, making ads more relevant to the user.
- Better user experience: Theys can help websites remember user preferences and login information, which can improve the user experience.
- Analytics: They can help website owners understand how users are interacting with their site, which can help them to improve its performance.
- Privacy concerns: Third-party cookies can collect a significant amount of personal information about a user, such as their browsing habits, which can be used to create detailed profiles of users.
- Security risks: They can also be used for malicious purposes, such as tracking users to steal their personal information or to deliver malware.
- Lack of transparency: Many users are not aware that third-party cookies are being used to track their activity across the web.
Are third-party cookies bad?
While third-party cookies are not inherently bad. As we’ve mentioned earlier, their use for tracking and targeted advertising has caused them to be viewed negatively by users concerned with privacy. Their absence does not typically affect a website’s core functionality, leading some to question their necessity. However, from a marketer’s perspective, these cookies are incredibly useful, allowing for personalized advertising and user tracking. Additionally, some websites rely on these cookies for essential services, meaning that their removal could cause a site to break. Ultimately, the debate around third-party cookies comes down to their application and the control users will have over its usage.
Should I block all third-party cookies?
To block or remove third-party cookies, it is easy, as all major web browsers provide this option.
Whether or not you should block or remove third-party cookies depends on how you feel about being tracked by external sources. If you are comfortable with your browsing activity being monitored and receiving personalized advertisements, or if you don’t mind websites collecting your data for analytics, then you don’t need to block them. In fact, some of these cookies can be useful in providing a better internet experience. However, if you are privacy-conscious and dislike the idea of being tracked, you should consider blocking (or removing) such cookies.
How to enable third party cookies?
Enabling cookies on your web browser is easy.
To enable cookies in Google Chrome, open the Menu list from the top-right corner and select:
Settings > Privacy and security > Cookies and other site data > Allow all cookies
Firefox blocks third-party cookies by default. However, if you want to enable third-party cookies for specific sites in Firefox, click the shield icon on the address bar and turn off the Enhanced Tracking Protection is ON for this site toggle switch for the website. Or, you can go to the menu list from the top-right corner and select:
Settings > Privacy & Security > Choose Custom protection mode > uncheck Cookies checkbox to request Firefox to not block cookie scripts.
In Safari, you can allow all cookies and cross-site tracking which will enable third-party cookies.
Safari > Preferences > Privacy > uncheck Website tracking and Cookies and website data
To enable third-party cookies on iPhone:
Settings > Safari > PRIVACY & SECURITY > disable Block All Cookies and Prevent Cross-Site Tracking.
How to check for third-party cookies?
Checking for third-party cookies on a website is the same as checking for any cookies. You can either do it manually using your browser settings or use a free online cookie checker tool.
For checking manually, the methods slightly vary in different browsers.
If you use Chrome, press Ctrl + Shift + I and select: Application > Storage > Cookies
Check the domain of the cookie list. If the domain is different from the website you are currently visiting or managing, then you can confirm that they are third-party cookies.
Similarly for Firefox and Safari, you can open the developer console (inspect element) and check for cookies.
For detailed instructions, click here.
Online cookie checkers are much better and faster than the traditional browser method. Other than that, you will get a detailed scan report with a list of all cookies set by the website.
What do GDPR and CPRA say about third-party cookies?
While GDPR and CPRA do not provide a detailed discussion of cookie regulation, they do include cookie identifiers in their definition of personal data (or personal information) that is subject to the law. Data collected by cookies can be categorized as personal data if they can be used to identify the user, making third-party cookies subject to GDPR and CPRA regulations.
Under GDPR, websites cannot store third-party cookies without the user’s consent. If a user denies consent, the website must block the cookie and cannot load the cookie script before receiving consent. To obtain GDPR cookie consent, websites must follow certain legal practices, including
- informing users about third-party cookies in plain language
- providing clear choices to accept or decline all cookies
- allowing users to give consent to cookies by categories
- letting users withdraw cookie consent at any time and blocking the cookie script immediately upon withdrawal
On the other hand, CPRA does not require websites to get consent for cookies but mandates that websites offer an opt-out option for users. The website must provide a “Do Not Sell or Share My Personal Information” link to opt-out of cookies that sell personal information. CCPA also requires websites to include a privacy or cookie notice to inform users in detail about third-party cookies and their purpose.
Block third-party cookies automatically
Auto-block third-party cookies before obtaining consent and manage compliance easily and for free!Try free cokie consent
Free 14-day trialCancel anytime
Are third-party cookies being phased out?
In January 2020, Google announced that it will be phasing out support for third-party cookies in Chrome by 2022. They stated, “Users are demanding greater privacy–including transparency, choice and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”
Google Chrome is not the first internet browser to do this. Earlier, Apple’s Safari and Mozilla Firefox also phased out support for third-party cookies. The third-party cookie ban is part of Google’s larger scheme to enhance privacy as it followed after the launch of its new initiative known as Privacy Sandbox on August 22, 2019. Privacy Sandbox sets new standards for privacy on the web and introduces five browser APIs to protect user privacy and make content open and accessible at the same time, without the use of third-party cookies. These APIs will help the websites with ad selection (without cross-site tracking), conversion measurement, and fraud prevention, while still maintaining the anonymity of the users. Privacy Sandbox proposes tracking a group of people rather than an individual. This mechanism is called Federated Federated Learning of Cohorts (FLoC).
Google’s decision to eliminate third-party cookies received a mixed reaction. While this was a welcome step to protect user privacy, it will adversely affect the ad tech companies, especially the smaller ones. According to Statcounter, the global market share of Chrome is about 66% in October 2022.
Source: StatCounter Global Stats – Browser Market Share
While this may affect other ad tech firms, Google will continue to track users using its advanced technologies.
What happens to consent banners after Chrome’s phase-out?
After Google’s decision to phase out third-party cookies, one question that remains is what will happen to cookie consent banners. The answer to this question depends on whether or not third-party cookies are the only type of cookies that collect personal data.
However, it’s important to note that the future of the cookie consent banner will remain intact even if third-party cookies are eliminated. Google is only phasing out cookies generated by domains other than the one the user is visiting. If your website generates cookies that collect personal data, you must still obtain user consent. Some websites may have their own analytics system that uses first-party cookies to collect user data. Unless the data is statistical aggregate data, you must obtain user consent to place cookies on their devices.
Unless the cookie is “strictly necessary,” you may still need consent to use it. Regardless of what cookies your website uses, it’s essential to inform users about them. A cookie banner is an effective solution for this. You still have more than a year before Google Chrome completely phases out third-party cookies, so you have time to use them carefully and according to data privacy regulations. You can also look for alternative options that ensure safe and best privacy practices.
Therefore, it’s clear that cookie consent banners are here to stay for a long time.
Frequently asked questions
Are third-party cookies legal?
Third-party cookies are legal if used with user consent. However, without the user’s permission, websites should not store such cookies on user devices, as laws like GDPR prohibit such practices.
Should I accept third-party cookies?
Accepting third-party cookies means allowing other websites, which you may not have even visited, to collect your data or monitor your browsing activity. However, blocking some websites may cause some of their services to break, as a lot of them rely on third-party providers. Nonetheless, blocking third-party cookies is a preferred practice for privacy reasons.
What happens if I block third-party cookies?
Blocking third-party cookies will prevent websites from placing any cookies related to a third-party server on your device. This means they cannot track your online activity to deliver their services, like advertisements. It also means that some services may remain inactive or broken, or even break some parts of the website.
How do I know if my cookies are third-party?
To check if your cookies are from a third party, use the browser’s developer console, where you can check the domain that sets the cookies. If it is not the same as your website domain, then it is a third-party cookie. Alternatively, you can use an online cookie scanner to scan and identify the cookies. The scanner will crawl through the website, activate all cookies, and then categorize them based on their properties, so you can know which cookies are third-party.
Does Google use third-party cookies?
Will Google Analytics work without third party cookies?
Yes, Google Analytics will work without third-party cookies. In 2020, Google announced that the “new Google Analytics” will use machine learning to gather analytics and analyze customers’ journeys. The privacy-centric design will make it adaptable to work with or without cookies.