Cookies remember website configuration, login details and products added to the shopping cart. For years they’ve also been the backbone of online advertising for targeting, retargeting, tracking and attribution. We’ve compiled a list of the most popular web browsers and explain how they handle first-party and third-party cookies.
Cookies are currently the most common method of identifying users online and providing a personalized browsing experience, as they can persist after a user leaves the site. They’ve been responsible for delivering a consistent and personalized user experience, which many of us take for granted today.
However, their days seem numbered due to a growing awareness of privacy issues, laws like the EU’s General Data Protection Regulation (GDPR) and ePrivacy, and ultimately, browsers introducing changes to how cookies are handled.
In order to provide users with more choice and control over online advertising, and possibly to position themselves as more privacy-friendly, browsers have introduced new privacy features over the years.
These vary greatly – some browsers allow users to block third-party cookies, which are the ones typically used for advertising purposes. Others also take aim at first-party cookies, which help deliver a good user experience, but can also be used for online tracking.
We’ve compiled a list of the most popular web browsers and explain how they handle first-party and third-party cookies.
What’s the Difference Between First-Party and Third-Party Cookies?
Before we look at how browsers handle first-party and third-party cookies, we should explain the difference.
First-party cookies: These cookies are set by the domain you are visiting at the time and help deliver a good user experience (remembering your language preferences, for example).
Third-party cookies: These cookies are set by domains other than the one you are visiting and are typically used for online advertising purposes.
To learn more about the difference between first-party and third-party cookies, read our blog post.
Now let’s look at how popular web browsers handle first- and third-party cookies and what it means for AdTech.
AdTech & Programmatic Platform Development
We can help you design and build real-time bidding, and programmatic advertising platforms for all advertising channels — display and native, in-app mobile, video and audio, OTT and CTV, in-game and DOOH.
Google Chrome
Google Chrome is by far the most popular web browser, with an estimated global market share of 62.8%. Its crushing dominance is unthreatened; the closest competitor, Apple’s Safari has a mere 15.8% market share.
Because Chrome is the most popular browser across all devices (including mobile), changes in how it handles cookies will likely have the strongest impact on the AdTech industry.
Chrome offers quite granular privacy settings, but they are hidden deep in the browser’s menus.
First-party cookies
First-party cookies aren’t blocked by default in Chrome, but can be deleted by the user. In this case, both first-party and third-party cookies would be removed.
Third-party cookies
Chrome does not block third-party cookies by default either, but it can be done through the settings menu. Simply go to Settings > Advanced > Site settings > Cookies and set Block third-party cookies to On.
Users can choose to delete cookies, which removes both first-party and third-party cookies. However, in May 2019, Google announced that it would implement a number of changes to give users more control over which cookies are created in the first place.
Once the new features are implemented in Chrome, users will be able to block and delete third-party cookies, while keeping first-party cookies intact.
Then, on the 14th of January, 2020, Google Chrome announced that they would be shutting off support for third-party cookies by 2022.
Google has since announced that it would be extending its planned sunset of third-party cookies by 2 years. It’s currently expected that Chrome will shut off support for third-party cookies starting from the middle of 2023.
Chrome’s plan is to replace third-party cookies used for ad selection and measurement with Privacy Sandbox — a new open initiative that Google is hoping will become the new standard for running advertising campaigns in Google Chrome.
The impact on AdTech
Due to Google’s large share of the web-browser market, the new privacy features in Chrome will likely have a bigger impact on online advertising than other browsers have had so far.
At the same time, however, privacy features in Chrome are still not as strict as those in Safari or Tor. This is because a large majority of Google’s revenue (about 86%) is derived from advertising.
Outside of its walled garden, Google (as well as Facebook and Amazon) also places its bids in almost every programmatic auction on the internet.
Because the other major web browsers (Firefox and Safari) already block third-party cookies by default, when Google Chrome turns off third-party cookies it will mean lights out for activities like behavioral targeting, retargeting, frequency capping, and cookie syncing.
The impact on AdTech will be significant.
We’ve written about what Chrome’s decision to turn off support for third-party cookies means for AdTech in another post on our blog.
Safari
Apple’s crusade against cookies has continued for a few years now since the release of Intelligent Tracking Prevention (ITP) 1.0, a privacy feature that came with Safari 11 in September 2017. Apple can afford to be very strict about cookies and position itself as a company focused on user privacy because its revenue does not depend on advertising.
While the introduction of ITP is seen as Apple’s consumer-facing move, it’s also a discreet jab at Google and other AdTech companies, crippling its ad revenue.
For example, the impact of ITP-like features and limited reliance of third-party cookies has impacted retargeting platforms like Criteo, whose stock price plummeted during the Apple ITP to over half its value over the last nine months of 2018.
Increasing restrictions on user tracking makes platforms like Criteo less effective and less attractive from the business perspective.
First-party cookies
As of ITP 2.1, Safari uses its machine-learning magic to identify which first-party cookies can be used for tracking. Then, it blocks cookies unless you use the Storage Access API to ask users to allow the use of your cookie.
Cookies created via the JavaScript document.cookie API (even first-party cookies for things like web analytics) will be set to expire in seven days, regardless of their existing expiry date. JavaScript will be able to access cookies created via the HTTP response, as long as they don’t contain HttpOnly flag.
Third-party cookies
Prior to the release of ITP, Safari had automatically blocked third-party cookies by default. The way Safari manages first- and third-party cookies has serious reverberations for the AdTech industry today.
The name “Intelligent Tracking Prevention” was used (rather than “Intelligent Cookie Prevention”) for a reason. Until version 2.0, ITP used the so-called “machine-learning classifier” to predict which domains had cross-site tracking capability, and partitioned the cookies immediately. Today, Safari does not support partitioned cookies anymore and third-parties are restricted to Storage Access API to get any type of cookie access – for both tracking and non-tracking purposes.
View a timeline of Apple Safari’s privacy changes.
The impact on AdTech
Analytics cookies that would previously last for two years (if not purged) are now deleted by Safari after seven days under ITP. This has some specific consequences for players in the AdTech industry: publishers, marketers, and vendors.
Walled Gardens
While companies like Google, Facebook and Amazon weren’t initially affected too much by ITP 1.0 and 1.1, the introduction of ITP 2.0, 2.1 and 2.2 is a whole different story.
Safari does not allow third-party login widgets to place cookies in users’ devices without first obtaining consent from the storage access API, which comes at a trade-off – a broken user experience.
Frequency capping and retargeting
Because Safari, by default, blocks third-party cookies, advertisers cannot properly implement ad-frequency management and capping, retargeting, or view-through attribution modeling.
As a result, Safari users will still see ads, but they will be badly targeted, irrelevant and will likely repeat too often.
Attribution
ITP 2.2 restricts all conversion attribution carried out via so-called link decoration if the referring domain has been classified as having cross-site tracking capabilities.
For example, when users come from domains like Facebook or Google through a URL that contains extra query parameters (which follow the “?” in the address) or hash fragments (which follow the “#” symbol), then all JavaScript cookies set on the page via document.cookie will expire after 24 hours, shortening the look back period.
The last marketing touch will be too highly credited for attribution, increasing the risk of excessive spend on ineffective channels.
Web analytics
Safari, since the introduction of ITP 2.1, deletes first-party cookies set by web analytics and other MarTech tools after seven days – or in 24 hours in specific situations set out by ITP 2.2.
From a marketer’s perspective, this makes view-through attribution and accurate analytics impossible. Because users’ clickstream data disappears after one or seven days, the customer journey is broken and badly represented in most analytics tools. ITP makes analytics tools incorrectly display the number of unique visitors on a website (it artificially inflates the numbers).
Firefox
Firefox is an open-source browser created by the Mozilla Foundation, a non-profit organization. It is one of the most popular web browsers globally.
In January 2019, Firefox 65 introduced a set of new privacy controls.
The browser now gives users three options to fine-tune how it handles cookies: standard, strict and custom.
- Standard originally only blocked known third-party trackers in private browsing mode, but with the arrival of Firefox 69 on September 3, 2019, the default setting now covers both private and standard browsing modes. This means Firefox’s Enhanced Tracking Protection will work for all users, blocking third-party trackers and cryptominers (based on the disconnect.me list). Mozilla tested this setting for new installations of the browser in June 2019.
- Strict blocks all known trackers, third-party trackers, cryptominers and fingerprints across all windows. These changes can cause some websites to not work properly.
- Custom lets users fine-tune their privacy settings, but can mean websites might not work properly.
The default privacy setting after a fresh install of Firefox is Standard. Because changing these settings requires additional steps, it is unlikely that many users switch it to Strict or Custom.
To access the setting, users simply need to click the “shield” icon in the browser’s address bar. This will also let them see just what trackers are there on a particular website by clicking the arrow > to the right Cookies.
From here, clicking the “gear” icon next to Content Blocking takes users to advanced blocking settings:
First-party cookies
First Party Isolation was a little-known feature released in Firefox Version 55 that prevented cross-origin (cross-domain) tracking. When enabled, first-party cookies are isolated from website to website, which stops their use in a third-party context.
First Party Isolation is not enabled by default, and first-party cookies are not blocked by default either. This is because the feature is known to break websites and has been found to interfere with authentication systems, which could compromise the browsing experience of the user.
Firefox users can enable the feature (at their own risk) by typing about:config in the address bar, to access the browser’s advanced settings, and changing the privacy.firstparty.isolate setting (it is set to false by default):
This is very similar to Safari’s Private Browsing mode where each tab is isolated from another, meaning the websites you visit in one tab can’t track you if you open a new Private Browsing tab.
Third-party cookies
As of June 2019, Firefox blocks third-party cookies by default.
Prior to June 2019, Firefox only blocked known trackers in private windows as part of the Standard setting.
Users can adjust this setting by going to the drop-down menu in the browser (again, by clicking the “i” icon in a website’s address bar).
The setting can be changed to block cookies from all unvisited websites, all third-party cookies or all cookies (including first-party cookies). The last two settings may cause websites to break or work incorrectly.
A Timeline of Privacy Changes in Firefox
Firefox 63, released on October 23, 2018: Content blocking, is introduced, allowing users to block third-party cookies and block known trackers. Content blocking became Enhanced Tracking Prevention (ETP) with the release of Firefox 70.
Firefox 65, released on January 29, 2019: Three different privacy settings of Enhanced Tracking Prevention are introduced: Standard, Strict, and Custom. Originally, Standard just blocked third-party trackers in privacy browsing mode.
Firefox 69, released September 3, 2019: Enhanced Tracking Prevention’s Standard setting now blocks third-party cookies and cryptominers by default for both normal and private browsing modes. The Strict setting blocks device fingerprints.
Firefox 70, released October 22, 2019: Social tracking protection is added to the Standard setting, aimed at preventing social media sites like Facebook, Twitter, and LinkedIn from tracking users across websites.
Firefox 72, released January 7, 2020: Device fingerprinting scripts are blocked by default across all Enhanced Tracking Prevention settings.
Facebook Container, released March 27, 2020: Aimed at preventing Facebook from tracking users and collecting data about them when they visit non-Facebook websites, Firefox’s Facebook Container isolates a user’s Facebook identity from the rest of their web browsing activities.
Enhanced Tracking Prevention 2.0, released August 4, 2020: ETP 2.0 strengthens user privacy by checking to see whether cookies and site data created by redirect services needs to be deleted. Data created by known trackers will be deleted in 24 hours.
This was introduced in response to workarounds AdTech companies implemented to collect user data and is similar to the restrictions Safari’s Intelligent Tracking Prevention (ITP) introduced to combat the very same workarounds.
Below is a diagram that illustrate how redirect services work:
View a timeline of Mozilla Firefox’s privacy changes.
The impact on AdTech
Firefox’s default setting (Standard) blocks third-party cookies by default and stops most types of tracking for advertising purposes.
These default settings have a big and negative impact on all companies in the digital advertising and marketing industries as it makes it much harder to run behavioral ad targeting, frequency capping, measurement, and attribution.
Also, when the First-Party Isolation feature is enabled on top of that (it is not enabled by default), tracking users on websites ends at the domain level. So, from an advertising and marketing point of view, it makes it much harder for AdTech and MarTech companies to track users across different websites.
Internet Explorer
Microsoft’s legacy browser, Internet Explorer, isn’t getting much love from users these days; IE has a minute user base of just 2.47%. Even the Redmond giant itself urges users to stop using it and switch to its newer, faster browser, Edge.
First-party cookies
Internet Explorer’s default setting does not restrict first-party cookies. The browser only blocks first-party cookies if they don’t meet certain conditions – e.g. if no privacy policy is defined for a given website (expressed through the now-obsolete P3P protocol).
Third-party cookies
The default setting in Internet Explorer blocks some third-party cookies thanks to tracking protection, a baked-in feature that uses tracking-protection lists.
The sites found on the list are restricted from dropping cookies (trackers) in the browser. On the other hand, because IE is closed-source software, no one knows what kind of surveillance Microsoft uses for itself.
The impact on AdTech
Internet Explorer does not offer any of the modern cookie-blocking features that other browsers offer and certainly is not a browser that would restrict first- or third-party cookies in a significant way. The impact on AdTech is rather minimal.
Edge (Chromium)
Microsoft Edge is the younger, faster sibling of Internet Explorer. Its most recent version, hailed Edge Chromium(now in beta), is strongly focused on improving user privacy, as it offers features to block trackers.
You can download the Edge Chromium build here.
Edge Chromium, Chrome, Opera and dozens of other browsers are based on the open-source Chromium project, which explains why they look so similar.
Microsoft has recently teased an updated and redesigned Privacy and security page in the Edge Chromium settings. From there, you can choose between three different levels of privacy (much like Firefox): unrestricted, balanced and strict. Tinkering around the settings will alter how Edge Chromium handles cookies.
First-party cookies
Edge, like many other popular browsers, accepts all first-party cookies by default.
Third-party cookies
Edge does not block third-party cookies by default. Also, for some reason, it lacks Internet Explorer’s best feature – tracking protection.
IE’s tracking protection used lists to restrict sites known to ignore DNT requests or invade privacy in other ways, blocking their requests for data.
While Edge does send “do not track” requests if you ask it to, they are not always honored around the web. This means that sites may still share your browsing information for tracking purposes.
Surprisingly, there is no tracking protection in Edge’s private-browsing mode either.
Also, a group of Belgian researchers found that Edge’s “block only third-party cookies” feature is rather spotty – as is the case in many other browsers.
Opera
Opera is a browser developed by Chinese-owned company Opera AG. It utilizes the same rendering engine as Chrome and Edge – Chromium. This makes the interface a little similar to the others, but Opera has a slew of functionalities that make it unique in its own way.
Many of these features, like VPN and built-in cookie blocking, help users fine-tune the browser to their specific, more sophisticated privacy requirements.
First-party cookies
Opera, like many other browsers, accepts all first-party cookies by default. These settings can be changed, but may break websites and is not recommended.
Third-party cookies
By default, Opera does not block third-party cookies in any way.
However, you can enable cookie blocking from the browser’s advanced settings under the section Privacy and security > Content settings > Cookies > Block third-party cookies.
For those concerned about tracking and third-party cookies, Opera recently introduced a free, baked-in VPN. To activate it, go to Menu > Settings > Privacy > VPN. This will enable an icon on the address bar showing whether VPN is on; clicking it toggles Opera’s VPN on and off.
Opera’s VPN replaces your IP with a virtual one, making it difficult for websites to track your location and identify your computer. It also blocks many tracking cookies.
Opera also provides a private-browsing mode for such cases, ensuring that all cookies are purged at the end of each browsing session.
Which Browser Is the Ultimate Cookie Buster?
For users wanting to stop AdTech vendors and data companies from identifying and tracking them around the internet, they have a few options available to them. Most of the popular browsers offer some sort of privacy protection.
This would mean settling for Firefox, a browser that includes baked-in ad-blockers or anti-tracking functionalities and keeps users relatively safe online. Safari would do the job just as well, but is limited to Apple devices. Tor Browser, while not on our list, also provides strong privacy protection, but ultimately results in a broken user experience and therefore isn’t the browser of choice for the average internet user.
A 2018 study (you can read the whole paper here) found that all popular browsers available on the market today fail at blocking cookies for certain redirects, regardless of their “block third-party cookies” or “tracking protection” settings.
Black circle: Request is sent by the site, the cookie is set.
Half circle: Request is sent, but no cookie is set.
White circle: Request is blocked, and thus no cookie is set.
If you want to be up-to-date about browser vulnerabilities and inefficiencies connected with blocking third-party cookies, head over to wholeftopenthecookiejar.com and read their study in its entirety – not for the faint of heart.
Conclusion
Blocking third-party cookies in browsers can be marketed under the banner of privacy, but at the end of the day, it only reinforces the dominance of the so-called walled gardens – big AdTech companies with strong first-party relationships.
On top of it all, we are also dealing with the “privacy paradox” – a discrepancy between expressed privacy concerns and actual online behavior. There has been much talk about data privacy in the media since the GDPR kicked in, but online users rarely go the extra mile to fine-tune their browser’s settings and actually protect their data.
Instead, they browse the internet with the default settings, which is much like walking naked in public.
AdTech & Programmatic Platform Development
We can help you design and build real-time bidding, and programmatic advertising platforms for all advertising channels — display and native, in-app mobile, video and audio, OTT and CTV, in-game and DOOH.
