third-party cookies

Guide to Third-party Cookies

Last updated on November 22, 2021|Published on September 20, 2021

Over the last few years, third-party cookies have found their way into the minds of many web owners and internet users more than ever. Before the GDPR, cookies set by another domain were not scrutinized this way. Advertisers and third-party providers got away with collecting personal data and monitoring user online activity without any consequence. We will cover third-party cookies in detail and how the privacy acts regulate them. We will also discuss what you need to do for the compliant use of such cookies.

What are third-party cookies?

To understand what third-party cookies are, we must first get to know the differences between first-party and third-party cookies. 

What is the difference between first and third-party cookies?

First-party cookies are usually generated and placed on the user’s device by the website that the user is visiting. Such cookies are often used for facilitating user experience and some core functionalities of the site. For e.g. first-party cookies can identify a returning visitor so that they do not have to use the username and password to log in on successive visits. They are usually harmless since they do not “spy” on the users. Some analytics tools use first-party cookies to gather analytics data. These, however, may sometimes require deliberation.

Third-party cookies are generated and placed on the user’s device by a different website other than the one the user is visiting. Most third-party cookies are used for analytical or marketing purposes. 

What are examples of third-party cookies?

You are searching for a new smartphone. You browse through many options on a few e-commerce websites before deciding to purchase it later. After a few days, you are reading a news website when you see advertisement popups about the same shoes you were browsing a few days ago. The reason is that the e-commerce website stored a cookie on your browser, which tracked your online behavior and used the data to place advertisements related to your interest. Such cookies are called third party cookies.

third-party cookies retargeting
How a website uses third-party cookies to place targeted ads

Another example is the cookies stored by a live chat service installed on a website on the browser to activate the application. Third-party cookies are also used by social media plugins installed on websites to allow users to sign in or share the website content on the social platform.

How does a third-party cookie work?

When a user loads a website, it sends a request to its third-party provider to activate a service. As a reply, it sends back the required script along with the cookies, and stores them on the user’s web browser.

Of course, the loading of the third-party script and storing the cookies must be subject to the user’s consent. If they decline the use of such cookies, the website must block the script.

Are third-party cookies bad?

Third-party cookies are not bad, per se. It is its application that gives it a negative press. They are often seen as privacy intruders because of how they are used for tracking and targeted advertisements. Since the absence of these cookies does not usually affect the core functionality of the website, users deem them unnecessary. 

However, if we try to answer the same question from the perspective of a marketer, third-party cookies are the most useful. They enable tracking users and placing personalized advertisements that benefit their business. 

Some websites use these cookies for their services and without them, the sites may break. 

Should I block all third-party cookies?

To block or remove third-party cookies or not depends on how, as a user, you feel about being tracked by an external source. If you are okay with your browning activity being monitored and receiving personalized advertisements or websites collecting your data for analytics, then you do not need to block third-party cookies. In fact, some of these are very useful to give you a better internet experience. But, if you are privacy-conscious and do not like the idea of being tracked, you should consider blocking (or removing) such cookies. 

Blocking or removing third-party cookies from your browser is easy, as all major web browsers provide this option.

If you use Google Chrome, select Settings from the top right corner menu and select: Privacy and security > Cookies and other site data > Block third-party cookies

To remove cookies in Chrome: Cookies and other site data > See all cookies and site data > Remove all > Clear all

Firefox and Safari hs built-in default blockers that stop third-party cookies. However, you can remove or block all cookies.  

In Firefox, go to Options from the top right corner menu and select: Privacy & Security > Cookie and Site Data > Clear Data or Delete cookies and site data when Firefox is closed

In Safar: Preferences > Privacy

How to check for third-party cookies?

Checking for third-party cookies on a website is the same as checking for any cookies. You can either do it manually using your browser settings or use a free online cookie checker tool. 

For checking manually, the methods slightly vary in different browsers.

 If you use Chrome, press Ctrl + Shift + I and select: Application > Storage > Cookies

Check the domain of the cookie list and you will be able to identify the third-party cookies set by the website.

Similarly for Firefox and Safari, you can open the developer console (inspect element) and check for cookies.

For detailed instructions, click here.

Online cookie checkers are much better and faster than the traditional browser method. Other than that, you will get a detailed scan report with a list of all cookies set by the website.

(No email required)

What does GDPR and CCPA say about third-party cookies?

GDPR and CCPA do not discuss the cookie regulation in detail. However, their definition for personal data (or personal information) that are subject to the law, includes cookie identifiers. Data collected by cookies are categorized as personal data if they can be used to identify the user. Both the laws have rules and regulations for elements that track users. Therefore, third-party cookies are subject to GDPR and CCPA.

As per GDPR, a website cannot store third-party cookies without the consent of its users. If the user denies consent, then the site must block it. In fact, it cannot load the cookie script before receiving consent. For a GDPR cookie consent, you must follow certain practices for it to be legal:

  • Inform users about third-party cookies, who sets them and why, in simple and plain language.
  • Give them a clear choice to accept or decline all cookies
  • Allow them to give consent to cookies by categories.
  • Let users withdraw cookie consent any time, and if they do, block the cookie script immediately.
  • Inform users how to manage cookies in the privacy/cookie policy.

The CCPA does not require websites to get consent for cookies. But, it must let users opt-out of it. Therefore, for CCPA compliance,  the website must provide an opt-out option, preferably a Do Not Sell My Personal Information link to opt-out of cookies that sell personal information. Like GDPR, it also requires you to add a privacy or cookie notice to inform users in detail about the cookies set by third-party services and their purpose. 

The death of third-party cookies

In January 2020, Google announced that it will be phasing out support for third-party cookies in Chrome by 2022. They stated, “Users are demanding greater privacy–including transparency, choice and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”

Google Chrome is not the first internet browser to do this. Earlier, Apple’s Safari and Mozilla Firefox also phased out support for third-party cookies. The third-party cookie ban is part of Google’s larger scheme to enhance privacy as it followed after the launch of its new initiative known as Privacy Sandbox on August 22, 2019. Privacy Sandbox sets new standards for privacy on the web and introduces five browser APIs to protect user privacy and make content open and accessible at the same time, without the use of third-party cookies. These APIs will help the websites for ad selection (without cross-site tracking), conversion measurement, and fraud prevention, while still maintaining the anonymity of the users. Privacy Sandbox proposes tracking a group of people rather than an individual. This mechanism is called Federated Federated Learning of Cohorts (FLoC).

Recently, Google announced that it is delaying the phase-out until 2023. They have pinned the reason behind this decision to allow time for “public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.”

This should not be a surprise since the UK’s  Competition and Markets Authority (CMA) opened an investigation into the Privacy Sandbox in January. So, to comply with the regulators and explore more privacy approaches, Chrome will phase out third-party cookies starting mid-2023 till late 2023. 

Google’s decision to eliminate third-party cookies received a mixed reaction. While this was a welcome step to protect user privacy, it will adversely affect the ad tech companies, especially the smaller ones. According to Statcounter, the global market share of Chrome is about 67% in August 2021. 

Source: StatCounter Global Stats – Browser Market Share

While this may affect other ad tech firms, Google will continue to track users using its advanced technologies.

What will happen to cookie banners after third-party cookies?

One of the burning questions that remain after Google’s decision is: what’s next with cookie consent banners if there are no third-party cookies? The answer depends on whether third-party cookies are the only type of cookies that collect the personal data of users.

The future of the cookie consent banner remains intact even if the third-party cookies are out of the picture. It is crucial to note that Google is not phasing out all cookies. Cookies that fall outside the third-party category will still be used. Browsers are only going to eliminate cookies generated by a different domain than the one the user is visiting. That means if there are cookies generated by your website that will collect personal data, you still have to get informed user consent. Some websites may use their own analytics system that uses first-party cookies to collect user data. Unless it’s statistical aggregate data, you need the users’ consent to place them on their device. 

Unless the cookie is “strictly necessary,” you may still need consent to use it.

The fact remains that whatever cookies your website generates or uses, you need to inform users about it.  A cookie banner is perfect for it. Moreover, you still have time before Google Chrome completely phases out third-party cookies. That is, more than a year to use those cookies with care and per the data privacy regulations. Also, to look for alternatives that ensure safe and best privacy practices. 

Cookie consent banners are here to stay for a long time. 

CookieYes for blocking third-party cookies

CookieYes is a cookie consent management solution for websites that need to comply with data privacy laws like GDPR, ePrivacy Directive, CCPA, and CNIL. It provides cookie consent banner templates and other features that make sure your website stays compliant with the privacy laws. 

One of the primary features of CookieYes is that it scans your website and identifies the third-party cookies and then automatically blocks those scripts (recognized from the database) until the user gives consent. This way your website will not violate cookie guidelines and ensure safe use of cookies.

Other features include:

  • Full control over the behavior, content and look of the consent banner.
  • Supports all major CMS and custom-coded websites.
  • Allows granular cookie consent option for users.
  • Auto-scans websites for cookies.
  • Auto-translation of the banner to 30 languages. 
  • Logs user consent for cookies.
  • Privacy policy and cookie policy generator that quickly generates privacy policy page.
  • Geo-targeted display of the consent banner.

More than 1 million websites trust and use our solutions, and it is a testament to our commitment and user-friendly solution. 

To make your website cookie-compliant, sign up for a free 14-day trial. 

Frequently asked questions

How do I enable 3rd party cookies?

Enabling cookies on your web browser is easy.

To enable cookies in Google Chrome, open the Menu list from the top-right corner and select:

Settings > Privacy and security > Cookies and other site data > Allow all cookies

Firefox and Safari block third-party cookies by default. 

However, if you want to allow such cookies for specific sites in Firefox, click the shield icon on the address bar and turn off the Enhanced Tracking Protection is ON for this site toggle switch for the website.

Or, you can go to the menu list from the top-right corner and select:

Settings > Privacy & Security > Choose Custom protection mode > uncheck Cookies checkbox to request Firefox to not block cookie scripts.

Are third-party cookies legal?

Third-party cookies are legal if used with user consent. Without the user permission, a website should not store such cookies on user devices, as the laws like GDPR prohibit such practices.

Should I accept third-party cookies?

Accepting third-party cookies means allowing other websites (that you probably have not even visited) to collect your data or monitor your browsing activity. However, blocking some websites to break as a lot of their services rely on third-party providers. But, for privacy reasons, blocking third-party cookies is a preferred practice. 

What happens if I block third-party cookies?

Blocking third-party cookies will stop the websites from pacing any cookies related to a third-party server on your device. This means that they cannot track your online activity to deliver their services like advertisements. It also means that some services may remain inactive or broken or even break some part of the website.

How do I know if my cookies are third-party?

To check if your cookies are third party, use the browser’s developer console, or an online cookie scanner to scan and identify the cookies. The scanner will crawl through the website, activate all cookies and then categorize them based on their properties. This way you can know which cookies are third party.

Does Google use third-party cookies?

Google uses cookies to “remember your preferred language, to make the ads you see more relevant to you, to count how many visitors we receive to a page, to help you sign up for our services, to protect your data, and to remember your ad settings.” However, the cookies set by Google for its services such as Analytics are categorized as the third party by privacy laws. 

As discussed earlier, it is planning to ban all third-party cookies from Chrome from 2023. 

Learn more about how Google uses cookies.

Will Google Analytics work without third party cookies?

With Google’s decision to ban third-party cookies from Chrome, we may be looking at cookie-less tracking by websites. Browsers like Firefox and Safari block third-party cookies by default. What is amusing here is that Google Analytics cookies are considered the third party per privacy regulations. So, no wonder this is quite a confusing thought of many website owners. However, in 2020, Google announced that  “the new Google Analytics” will use machine learning to gather analytics and analyze customers’ journeys. The privacy-centric design will make it adapt to work with or without cookies.

Therefore, yes, Google Analytics will work without third-party cookies. 

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.