Over the last few years, third-party cookies have found their way into the minds of many web owners and internet users more than ever. Before the GDPR, cookies set by another domain were not scrutinized this way. Advertisers and third-party providers got away with collecting personal data and monitoring user online activities without any consequence. We will cover third-party cookies in detail and how the privacy acts regulate them. We will also discuss what you need to do for the compliant use of such cookies.

CookieYes helps you stay compliant with GDPR by automatically blocking third-party cookies on your website until visitors give their consent to use them.

(Free 14-day trial. Cancel anytime)

What are third-party cookies?

To understand what third-party cookies are, we must first get to know the differences between first-party and third-party cookies. 

First-party vs third-party cookies

First-party cookies are usually generated and placed on the user’s device by the website that the user is visiting. Such cookies are often used for facilitating user experience and some core functionalities of the site. For e.g. first-party cookies can identify returning visitors so that they do not have to use the username and password to log in on successive visits. They are usually harmless since they do not “spy” on the users. Some analytics tools use first-party cookies to gather analytics data. These, however, may sometimes require deliberation.

Third-party cookies are generated and placed on the user’s device by a different website other than the one the user is visiting. Third-party cookies are created when a user visits a website that includes elements from other sites, such as third-party images or ads. If a server hosting one of these elements responds to the request by setting a cookie, that cookie is stored on the user’s browser.

E.g. If the user plays an embedded YouTube video on a website, the YouTube server will set cookies on their device. These cookies track user preferences and suggest similar videos when they visit YouTube.

How are third-party cookies created?

Third-party cookies are created when any website requests scripts or resources from another domain. For example, a user visits the website www.website.com which uses an integrated analytics tool to measure its audience. The website requests scripts and resources from the analytics tool company, e.g. www.example.com (a third party) to activate it. The service provider responds by sending a JavaScript file as a response.

The JavaScript file from the third-party service may look like this:

<script src="https://example.com/js/analytics.js"></script>

This JS file stores cookies in the user’s browser so that the analytics tool can track them.

Of course, the loading of the third-party script and storing of the cookies must be subject to the user’s consent. If they decline the use of such cookies, the website must block the script.

How do third-party cookies work?

You are searching for a new pair of sunglasses. You browse through many options on a few e-commerce websites before deciding to purchase it later. Later, you are reading a news website when you see advertisement popups about sunglasses you were browsing a few moments ago. The reason is that the e-commerce website stored a cookie on your browser, which tracked your online behavior and used the data to place advertisements related to your interest. Watch this example video:

Here is an illustration of how third-party cookies work:

How third-party cookies are used for retargeting
How a website uses third-party cookies to place targeted ads

Another example is the cookies stored by a live chat service installed on a website on the browser to activate the application. Third-party cookies are also used by social media plugins installed on websites to allow users to sign in or share the website content on the social platform.

Are third-party cookies bad?

Third-party cookies are not bad, per se. It is its application that gives it a negative press. They are often seen as privacy intruders because of how they are used for tracking and targeted advertisements. Since the absence of these cookies does not usually affect the core functionality of the website, users deem them unnecessary. 

However, if we try to answer the same question from the perspective of a marketer, third-party cookies are the most useful. They enable tracking users and placing personalized advertisements that benefit their business. 

Some websites use these cookies for their services and without them, the sites may break. 

Should I block all third-party cookies?

Blocking or removing third-party cookies from your browser is easy, as all major web browsers provide this option.

To block or remove third-party cookies or not depends on how, as a user, you feel about being tracked by an external source. If you are okay with your browsing activity being monitored and receiving personalized advertisements or websites collecting your data for analytics, then you do not need to block them. In fact, some of these are very useful to give you a better internet experience. But, if you are privacy-conscious and do not like the idea of being tracked, you should consider blocking (or removing) such cookies. 

If you use Google Chrome…

To block cookies: select Settings from the top right corner menu and select: Privacy and security > Cookies and other site data > Block third-party cookies.

To remove cookies: Cookies and other site data > See all cookies and site data > Remove all > Clear all.

Firefox and Safari have built-in default blockers that stop third-party cookies. However, you can remove or block all cookies.  

If you use Firefox…

Go to Options from the top right corner menu and select: Privacy & Security > Cookie and Site Data > Clear Data or Delete cookies and site data when Firefox is closed.

If you use Safari…

Go to Preferences > Privacy > check Prevent cross-site tracking and Block all cookies. To remove cookies, select Manage website data under Cookies and website data and click Remove.

How to enable third party cookies?

Enabling cookies on your web browser is easy.

To enable cookies in Google Chrome, open the Menu list from the top-right corner and select:

Settings > Privacy and security > Cookies and other site data > Allow all cookies

Firefox blocks third-party cookies by default. However, if you want to enable third-party cookies for specific sites in Firefox, click the shield icon on the address bar and turn off the Enhanced Tracking Protection is ON for this site toggle switch for the website. Or, you can go to the menu list from the top-right corner and select:

Settings > Privacy & Security > Choose Custom protection mode > uncheck Cookies checkbox to request Firefox to not block cookie scripts.

In Safari, you can allow all cookies and cross-site tracking which will enable third-party cookies.

Safari > Preferences > Privacy > uncheck Website tracking and Cookies and website data

To enable third-party cookies on iPhone:

Settings > Safari  > PRIVACY & SECURITY > disable Block All Cookies and Prevent Cross-Site Tracking.

How to check for third-party cookies?

Checking for third-party cookies on a website is the same as checking for any cookies. You can either do it manually using your browser settings or use a free online cookie checker tool. 

For checking manually, the methods slightly vary in different browsers.

 If you use Chrome, press Ctrl + Shift + I and select: Application > Storage > Cookies

Check the domain of the cookie list. If the domain is different from the website you are currently visiting or managing, then you can confirm that they are third-party cookies.

Similarly for Firefox and Safari, you can open the developer console (inspect element) and check for cookies.

For detailed instructions, click here.

Online cookie checkers are much better and faster than the traditional browser method. Other than that, you will get a detailed scan report with a list of all cookies set by the website.

What do GDPR and CCPA say about third-party cookies?

GDPR and CCPA do not discuss cookie regulation in detail. However, their definition of personal data (or personal information) that are subject to the law, includes cookie identifiers. Data collected by cookies are categorized as personal data if they can be used to identify the user. Both laws have rules and regulations for elements that track users. Therefore, third-party cookies are subject to GDPR and CCPA.

As per GDPR, a website cannot store third-party cookies without the consent of its users. If the user denies consent, then the site must block it. In fact, it cannot load the cookie script before receiving consent. For a GDPR cookie consent, you must follow certain practices for it to be legal:

  • Inform users about third-party cookies, who sets them, and why, in simple and plain language.
  • Give them a clear choice to accept or decline all cookies
  • Allow them to give consent to cookies by categories.
  • Let users withdraw cookie consent at any time, and if they do, block the cookie script immediately.
  • Inform users how to manage cookies in the privacy/cookie policy.

The CCPA does not require websites to get consent for cookies. But, it must let users opt out of it. Therefore, for CCPA compliance,  the website must provide an opt-out option, preferably a Do Not Sell My Personal Information link to opt out of cookies that sell personal information. Like GDPR, it also requires you to add a privacy or cookie notice to inform users in detail about the cookies set by third-party services and their purpose. 

Block third-party cookies automatically

Auto-block third-party cookies before obtaining consent and manage compliance easily and for free!

Try free cokie consent

Free 14-day trialCancel anytime

Are third-party cookies being phased out?

In January 2020, Google announced that it will be phasing out support for third-party cookies in Chrome by 2022. They stated, “Users are demanding greater privacy–including transparency, choice and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”

Google Chrome is not the first internet browser to do this. Earlier, Apple’s Safari and Mozilla Firefox also phased out support for third-party cookies. The third-party cookie ban is part of Google’s larger scheme to enhance privacy as it followed after the launch of its new initiative known as Privacy Sandbox on August 22, 2019. Privacy Sandbox sets new standards for privacy on the web and introduces five browser APIs to protect user privacy and make content open and accessible at the same time, without the use of third-party cookies. These APIs will help the websites with ad selection (without cross-site tracking), conversion measurement, and fraud prevention, while still maintaining the anonymity of the users. Privacy Sandbox proposes tracking a group of people rather than an individual. This mechanism is called Federated Federated Learning of Cohorts (FLoC).

Recently, Google announced that it is delaying the phase-out to the second half of 2024 as they are expanding the testing windows for the Privacy Sandbox APIs.

Google blog announcing delay of Chrome's third-party cookie phase-out
Image source

Google’s decision to eliminate third-party cookies received a mixed reaction. While this was a welcome step to protect user privacy, it will adversely affect the ad tech companies, especially the smaller ones. According to Statcounter, the global market share of Chrome is about 66% in October 2022. 

Source: StatCounter Global Stats – Browser Market Share

While this may affect other ad tech firms, Google will continue to track users using its advanced technologies.

What happens to consent banners after Chrome’s phase-out?

One of the burning questions that remain after Google’s decision is: what’s next with cookie consent banners if there are no third-party cookies? The answer depends on whether third-party cookies are the only type of cookies that collect the personal data of users.

The future of the cookie consent banner remains intact even if the third-party cookies are out of the picture. It is crucial to note that Google is not phasing out all cookies. Cookies that fall outside the third-party category will still be used. Browsers are only going to eliminate cookies generated by a different domain than the one the user is visiting. That means if there are cookies generated by your website that will collect personal data, you still have to get informed user consent. Some websites may use their own analytics system that uses first-party cookies to collect user data. Unless it’s statistical aggregate data, you need the users’ consent to place them on their devices. 

That is, unless the cookie is “strictly necessary,” you may still need consent to use it.

The fact remains that whatever cookies your website generates or uses, you need to inform users about it.  A cookie banner is a solution for it. Moreover, you still have time before Google Chrome completely phases out third-party cookies. That is, more than a year to use those cookies with care and per the data privacy regulations. Also, to look for alternatives that ensure safe and best privacy practices. 

Cookie consent banners are here to stay for a long time. 

Frequently asked questions

Are third-party cookies legal?

Third-party cookies are legal if used with user consent. Without the user’s permission, a website should not store such cookies on user devices, as the laws like GDPR prohibit such practices.

Should I accept third-party cookies?

Accepting third-party cookies means allowing other websites (that you probably have not even visited) to collect your data or monitor your browsing activity. However, blocking some websites to break as a lot of their services rely on third-party providers. But, for privacy reasons, blocking third-party cookies is a preferred practice. 

What happens if I block third-party cookies?

Blocking third-party cookies will stop the websites from pacing any cookies related to a third-party server on your device. This means that they cannot track your online activity to deliver their services like advertisements. It also means that some services may remain inactive or broken or even break some part of the website.

How do I know if my cookies are third-party?

To check if your cookies are from a third party, use the browser’s developer console, where you can check the domain that sets the cookies. If it is not the same as your website domain, then it is a third-party cookie.

Alternatively, you can use an online cookie scanner to scan and identify the cookies. The scanner will crawl through the website, activate all cookies, and then categorize them based on their properties. This way you can know which cookies are third-party.

Does Google use third-party cookies?

Google uses cookies to “remember your preferred language, to make the ads you see more relevant to you, to count how many visitors we receive to a page, to help you sign up for our services, to protect your data, and to remember your ad settings.” However, the cookies set by Google for its services such as Analytics are categorized as the third party by privacy laws. 

As discussed earlier, it is planning to ban all third-party cookies from Chrome from 2023. 

Learn more about how Google uses cookies.

Will Google Analytics work without third party cookies?

Yes, Google Analytics will work without third-party cookies. In 2020, Google announced that  “the new Google Analytics” will use machine learning to gather analytics and analyze customers’ journeys. The privacy-centric design will make it adapt to work with or without cookies.