Over the last few years, third-party cookies have found their way into the minds of many web owners and internet users more than ever. Before the GDPR, cookies set by another domain were not scrutinized this way. Advertisers and third-party providers got away with collecting personal data and monitoring user online activities without any consequence. We will cover third-party cookies in detail and how the privacy acts regulate them. We will also discuss what you need to do for the compliant use of such cookies.
What are third-party cookies?
To understand what third-party cookies are, we must first get to know the differences between first-party and third-party cookies.
First-party vs third-party cookies
First-party cookies are usually generated and placed on the user’s device by the website that the user is visiting. Such cookies are often used for facilitating user experience and some core functionalities of the site. For e.g. first-party cookies can identify returning visitors so that they do not have to use the username and password to log in on successive visits. They are usually harmless since they do not “spy” on the users. Some analytics tools use first-party cookies to gather analytics data. These, however, may sometimes require deliberation.
Third-party cookies are generated and placed on the user’s device by a different website other than the one the user is visiting. Third-party cookies are created when a user visits a website that includes elements from other sites, such as third-party images or ads. If a server hosting one of these elements responds to the request by setting a cookie, that cookie is stored on the user’s browser.
E.g. If the user plays an embedded YouTube video on a website, the YouTube server will set cookies on their device. These cookies track user preferences and suggest similar videos when they visit YouTube.
What are examples of third-party cookies?
You are searching for a new pair of sunglasses. You browse through many options on a few e-commerce websites before deciding to purchase it later. Later, you are reading a news website when you see advertisement popups about sunglasses you were browsing a few moments ago. The reason is that the e-commerce website stored a cookie on your browser, which tracked your online behavior and used the data to place advertisements related to your interest. Watch this example video:
Another example is the cookies stored by a live chat service installed on a website on the browser to activate the application. Third-party cookies are also used by social media plugins installed on websites to allow users to sign in or share the website content on the social platform.
How does a third-party cookie work?
When a user loads a website, it sends a request to its third-party provider to activate a service. As a reply, it sends back the required script along with the cookies, and stores them on the user’s web browser.
Of course, the loading of the third-party script and storing the cookies must be subject to the user’s consent. If they decline the use of such cookies, the website must block the script.
Are third-party cookies bad?
Third-party cookies are not bad, per se. It is its application that gives it a negative press. They are often seen as privacy intruders because of how they are used for tracking and targeted advertisements. Since the absence of these cookies does not usually affect the core functionality of the website, users deem them unnecessary.
However, if we try to answer the same question from the perspective of a marketer, third-party cookies are the most useful. They enable tracking users and placing personalized advertisements that benefit their business.
Some websites use these cookies for their services and without them, the sites may break.
Should I block all third-party cookies?
Blocking or removing third-party cookies from your browser is easy, as all major web browsers provide this option.
To block or remove third-party cookies or not depends on how, as a user, you feel about being tracked by an external source. If you are okay with your browsing activity being monitored and receiving personalized advertisements or websites collecting your data for analytics, then you do not need to block them. In fact, some of these are very useful to give you a better internet experience. But, if you are privacy-conscious and do not like the idea of being tracked, you should consider blocking (or removing) such cookies.
If you use Google Chrome, select Settings from the top right corner menu and select: Privacy and security > Cookies and other site data > Block third-party cookies.
To remove cookies in Chrome: Cookies and other site data > See all cookies and site data > Remove all > Clear all.
Firefox and Safari hs built-in default blockers that stop third-party cookies. However, you can remove or block all cookies.
In Firefox, go to Options from the top right corner menu and select: Privacy & Security > Cookie and Site Data > Clear Data or Delete cookies and site data when Firefox is closed.
To block cookies in Safari: Preferences > Privacy > check Prevent cross-site tracking and Block all cookies. To remove cookies, select Manage website data under Cookies and website data and click Remove.
How to enable third party cookies?
Enabling cookies on your web browser is easy.
To enable cookies in Google Chrome, open the Menu list from the top-right corner and select:
Settings > Privacy and security > Cookies and other site data > Allow all cookies
Firefox blocks third-party cookies by default. However, if you want to enable third-party cookies for specific sites in Firefox, click the shield icon on the address bar and turn off the Enhanced Tracking Protection is ON for this site toggle switch for the website. Or, you can go to the menu list from the top-right corner and select:
Settings > Privacy & Security > Choose Custom protection mode > uncheck Cookies checkbox to request Firefox to not block cookie scripts.
In Safari, you can allow all cookies and cross-site tracking which will enable third-party cookies.
Safari > Preferences > Privacy > uncheck Website tracking and Cookies and website data
To enable third-party cookies on iPhone:
Settings > Safari > PRIVACY & SECURITY > disbale Block All Cookies and Prevent Cross-Site Tracking.
How to check for third-party cookies?
Checking for third-party cookies on a website is the same as checking for any cookies. You can either do it manually using your browser settings or use a free online cookie checker tool.
For checking manually, the methods slightly vary in different browsers.
If you use Chrome, press Ctrl + Shift + I and select: Application > Storage > Cookies
Check the domain of the cookie list. If the domain is different from the website you are currently visiting or managing, then you can confirm that they are third-party cookies.
Similarly for Firefox and Safari, you can open the developer console (inspect element) and check for cookies.
For detailed instructions, click here.
Online cookie checkers are much better and faster than the traditional browser method. Other than that, you will get a detailed scan report with a list of all cookies set by the website.
(No email required)
What does GDPR and CCPA say about third-party cookies?
GDPR and CCPA do not discuss the cookie regulation in detail. However, their definition for personal data (or personal information) that are subject to the law, includes cookie identifiers. Data collected by cookies are categorized as personal data if they can be used to identify the user. Both the laws have rules and regulations for elements that track users. Therefore, third-party cookies are subject to GDPR and CCPA.
As per GDPR, a website cannot store third-party cookies without the consent of its users. If the user denies consent, then the site must block it. In fact, it cannot load the cookie script before receiving consent. For a GDPR cookie consent, you must follow certain practices for it to be legal:
- Inform users about third-party cookies, who sets them and why, in simple and plain language.
- Give them a clear choice to accept or decline all cookies
- Allow them to give consent to cookies by categories.
- Let users withdraw cookie consent any time, and if they do, block the cookie script immediately.
The CCPA does not require websites to get consent for cookies. But, it must let users opt-out of it. Therefore, for CCPA compliance, the website must provide an opt-out option, preferably a Do Not Sell My Personal Information link to opt-out of cookies that sell personal information. Like GDPR, it also requires you to add a privacy or cookie notice to inform users in detail about the cookies set by third-party services and their purpose.
Block third-party cookies automatically
Auto-block third-party cookies before obtaining consent and manage compliance easily and for free!Free Cookie Consent
Free foreverNo credit card required
Google’s third-party cookies phase out
In January 2020, Google announced that it will be phasing out support for third-party cookies in Chrome by 2022. They stated, “Users are demanding greater privacy–including transparency, choice and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”
Google Chrome is not the first internet browser to do this. Earlier, Apple’s Safari and Mozilla Firefox also phased out support for third-party cookies. The third-party cookie ban is part of Google’s larger scheme to enhance privacy as it followed after the launch of its new initiative known as Privacy Sandbox on August 22, 2019. Privacy Sandbox sets new standards for privacy on the web and introduces five browser APIs to protect user privacy and make content open and accessible at the same time, without the use of third-party cookies. These APIs will help the websites for ad selection (without cross-site tracking), conversion measurement, and fraud prevention, while still maintaining the anonymity of the users. Privacy Sandbox proposes tracking a group of people rather than an individual. This mechanism is called Federated Federated Learning of Cohorts (FLoC).
Recently, Google announced that it is delaying the phase-out until 2023. They have pinned the reason behind this decision to allow time for “public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.”
This should not be a surprise since the UK’s Competition and Markets Authority (CMA) opened an investigation into the Privacy Sandbox in January. So, to comply with the regulators and explore more privacy approaches, Chrome will phase out third-party cookies starting mid-2023 till late 2023.
Google’s decision to eliminate third-party cookies received a mixed reaction. While this was a welcome step to protect user privacy, it will adversely affect the ad tech companies, especially the smaller ones. According to Statcounter, the global market share of Chrome is about 66% in May 2022.
While this may affect other ad tech firms, Google will continue to track users using its advanced technologies.
What will happen to cookie banners after third-party cookies?
One of the burning questions that remain after Google’s decision is: what’s next with cookie consent banners if there are no third-party cookies? The answer depends on whether third-party cookies are the only type of cookies that collect the personal data of users.
The future of the cookie consent banner remains intact even if the third-party cookies are out of the picture. It is crucial to note that Google is not phasing out all cookies. Cookies that fall outside the third-party category will still be used. Browsers are only going to eliminate cookies generated by a different domain than the one the user is visiting. That means if there are cookies generated by your website that will collect personal data, you still have to get informed user consent. Some websites may use their own analytics system that uses first-party cookies to collect user data. Unless it’s statistical aggregate data, you need the users’ consent to place them on their device.
That is, unless the cookie is “strictly necessary,” you may still need consent to use it.
The fact remains that whatever cookies your website generates or uses, you need to inform users about it. A cookie banner is a solution for it. Moreover, you still have time before Google Chrome completely phases out third-party cookies. That is, more than a year to use those cookies with care and per the data privacy regulations. Also, to look for alternatives that ensure safe and best privacy practices.
Cookie consent banners are here to stay for a long time.
Frequently asked questions
Are third-party cookies legal?
Third-party cookies are legal if used with user consent. Without the user’s permission, a website should not store such cookies on user devices, as the laws like GDPR prohibit such practices.
Should I accept third-party cookies?
Accepting third-party cookies means allowing other websites (that you probably have not even visited) to collect your data or monitor your browsing activity. However, blocking some websites to break as a lot of their services rely on third-party providers. But, for privacy reasons, blocking third-party cookies is a preferred practice.
What happens if I block third-party cookies?
Blocking third-party cookies will stop the websites from pacing any cookies related to a third-party server on your device. This means that they cannot track your online activity to deliver their services like advertisements. It also means that some services may remain inactive or broken or even break some part of the website.
How do I know if my cookies are third-party?
To check if your cookies are from a third party, use the browser’s developer console, where you can check the domain that sets the cookies. If it is not the same as your website domain, then it is a third-party cookie.
Alternatively, you can use an online cookie scanner to scan and identify the cookies. The scanner will crawl through the website, activate all cookies, and then categorize them based on their properties. This way you can know which cookies are third-party.
Does Google use third-party cookies?
As discussed earlier, it is planning to ban all third-party cookies from Chrome from 2023.
Will Google Analytics work without third party cookies?
Yes, Google Analytics will work without third-party cookies. In 2020, Google announced that “the new Google Analytics” will use machine learning to gather analytics and analyze customers’ journeys. The privacy-centric design will make it adapt to work with or without cookies.