Cookies remember website configuration, login details and products added to the shopping cart. For years they’ve also been the backbone of online advertising for targeting, retargeting, tracking and attribution. We’ve compiled a list of the most popular web browsers and explain how they handle first-party and third-party cookies.
Cookies are currently the most common method of identifying users online and providing a personalized browsing experience, as they can persist after a user leaves the site. They’ve been responsible for delivering a consistent and personalized user experience, which many of us take for granted today.
However, their days seem numbered due to a growing awareness of privacy issues, laws like the EU’s General Data Protection Regulation (GDPR) and ePrivacy, and ultimately, browsers introducing changes to how cookies are handled.
In order to provide users with more choice and control over online advertising, and possibly to position themselves as more privacy-friendly, browsers have introduced new privacy features over the years.
These vary greatly – some browsers allow users to block third-party cookies, which are the ones typically used for advertising purposes. Others also take aim at first-party cookies, which help deliver a good user experience, but can also be used for online tracking.
We’ve compiled a list of the most popular web browsers and explain how they handle first-party and third-party cookies.
Table Of Contents
What’s the Difference Between First-Party and Third-Party Cookies?
Before we look at how browsers handle first-party and third-party cookies, we should explain the difference.
First-party cookies: These cookies are set by the domain you are visiting at the time and help deliver a good user experience (remembering your language preferences, for example).
Third-party cookies: These cookies are set by domains other than the one you are visiting and are typically used for online advertising purposes.
To learn more about the difference between first-party and third-party cookies, read our blog post.
Now let’s look at how popular web browsers handle first- and third-party cookies and what it means for AdTech.
Google Chrome is by far the most popular web browser, with an estimated global market share of 62.8%. Its crushing dominance is unthreatened; the closest competitor, Apple’s Safari has a mere 15.8% market share.
Because Chrome is the most popular browser across all devices (including mobile), changes in how it handles cookies will likely have the strongest impact on the AdTech industry.
Chrome offers quite granular privacy settings, but they are hidden deep in the browser’s menus.
First-party cookies aren’t blocked by default in Chrome, but can be deleted by the user. In this case, both first-party and third-party cookies would be removed.
Chrome does not block third-party cookies by default either, but it can be done through the settings menu. Simply go to Settings > Advanced > Site settings > Cookies and set Block third-party cookies to On.
Users can choose to delete cookies, which removes both first-party and third-party cookies. However, in May 2019, Google announced that it would implement a number of changes to give users more control over which cookies are created in the first place.
Once the new features are implemented in Chrome, users will be able to block and delete third-party cookies, while keeping first-party cookies intact.
Then, on the 14th of January, 2020, Google Chrome announced that they would be shutting off support for third-party cookies by 2022.
Chrome’s plan is to replace third-party cookies used for ad selection and measurement with Privacy Sandbox — a new open initiative that Google is hoping will become the new standard for running advertising campaigns in Google Chrome.
The impact on AdTech
Due to Google’s large share of the web-browser market, the new privacy features in Chrome will likely have a bigger impact on online advertising than other browsers have had so far.
At the same time, however, privacy features in Chrome are still not as strict as those in Safari or Tor. This is because a large majority of Google’s revenue (about 86%) is derived from advertising.
Outside of its walled garden, Google (as well as Facebook and Amazon) also places its bids in almost every programmatic auction on the internet.
Because the other major web browsers (Firefox and Safari) already block third-party cookies by default, when Google Chrome turns off third-party cookies it will mean lights out for activities like behavioral targeting, retargeting, frequency capping, and cookie syncing.
The impact on AdTech will be significant.
We’ve written about what Chrome’s decision to turn off support for third-party cookies means for AdTech in another post on our blog.
Apple’s crusade against cookies has continued for a few years now since the release of Intelligent Tracking Prevention (ITP) 1.0, a privacy feature that came with Safari 11 in September 2017. Apple can afford to be very strict about cookies and position itself as a company focused on user privacy because its revenue does not depend on advertising.
While the introduction of ITP is seen as Apple’s consumer-facing move, it’s also a discreet jab at Google and other AdTech companies, crippling its ad revenue.
For example, the impact of ITP-like features and limited reliance of third-party cookies has impacted retargeting platforms like Criteo, whose stock price plummeted during the Apple ITP to over half its value over the last nine months of 2018.
Increasing restrictions on user tracking makes platforms like Criteo less effective and less attractive from the business perspective.
As of ITP 2.1, Safari uses its machine-learning magic to identify which first-party cookies can be used for tracking. Then, it blocks cookies unless you use the Storage Access API to ask users to allow the use of your cookie.
Prior to the release of ITP, Safari had automatically blocked third-party cookies by default. The way Safari manages first- and third-party cookies has serious reverberations for the AdTech industry today.
The name “Intelligent Tracking Prevention” was used (rather than “Intelligent Cookie Prevention”) for a reason. Until version 2.0, ITP used the so-called “machine-learning classifier” to predict which domains had cross-site tracking capability, and partitioned the cookies immediately. Today, Safari does not support partitioned cookies anymore and third-parties are restricted to Storage Access API to get any type of cookie access – for both tracking and non-tracking purposes.
The impact on AdTech
Analytics cookies that would previously last for two years (if not purged) are now deleted by Safari after seven days under ITP. This has some specific consequences for players in the AdTech industry: publishers, marketers, and vendors.
While companies like Google, Facebook and Amazon weren’t initially affected too much by ITP 1.0 and 1.1, the introduction of ITP 2.0, 2.1 and 2.2 is a whole different story.
Safari does not allow third-party login widgets to place cookies in users’ devices without first obtaining consent from the storage access API, which comes at a trade-off – a broken user experience.
Frequency capping and retargeting
Because Safari, by default, blocks third-party cookies, advertisers cannot properly implement ad-frequency management and capping, retargeting, or view-through attribution modeling.
As a result, Safari users will still see ads, but they will be badly targeted, irrelevant and will likely repeat too often.
ITP 2.2 restricts all conversion attribution carried out via so-called link decoration if the referring domain has been classified as having cross-site tracking capabilities.
The last marketing touch will be too highly credited for attribution, increasing the risk of excessive spend on ineffective channels.
Safari, since the introduction of ITP 2.1, deletes first-party cookies set by web analytics and other MarTech tools after seven days – or in 24 hours in specific situations set out by ITP 2.2.
From a marketer’s perspective, this makes view-through attribution and accurate analytics impossible. Because users’ clickstream data disappears after one or seven days, the customer journey is broken and badly represented in most analytics tools. ITP makes analytics tools incorrectly display the number of unique visitors on a website (it artificially inflates the numbers).
Firefox is an open-source browser created by the Mozilla Foundation, a non-profit organization.
It is fast, private and regularly audited, which means Mozilla cannot engage in shady practices like implementing under-the-hood data collection.
The browser gives users three options to fine-tune how it handles cookies: Standard, Strict and Custom.
- Standard originally only blocked known third-party trackers in private browsing mode. As of 3rd September 2019, the default setting will cover both private and standard browsing modes, which means Firefox’s Enhanced Tracking Protection will work for all users, blocking third-party trackers and cryptominers (based on the disconnect.me list). Mozilla tested this setting for new installations of the browser in June 2019.
- Strict blocks all known trackers, third-party trackers, cryptominers and fingerprints across all windows, (can break some websites).
- Custom lets users fine-tune the behavior, including blocking fingerprinting.
The default privacy setting after a fresh install of Firefox is Standard. Because changing these settings requires additional steps, it is unlikely that many users switch it to Strict or Custom.
To access the setting, users simply need to click the “shield” icon in the browser’s address bar. This will also let them see just what trackers are there on a particular website by clicking the arrow > to the right Cookies.
From here, clicking the gear icon next to Content Blocking takes users to the settings menu mentioned above:
First Party Isolation was a little-known feature released in Firefox Version 55 that prevented cross-origin (cross-domain) tracking. When enabled, first-party cookies are isolated from website to website, which stops their use in a third-party context.
First Party Isolation is not enabled by default, and first-party cookies are not blocked by default either. This is because the feature is known to break websites and has been found to interfere with authentication systems, which could compromise the browsing experience of the user.
Firefox users can enable the feature (at their own risk) by typing
about:config in the address bar, to access the browser’s advanced settings, and changing the
privacy.firstparty.isolate setting (it is set to false by default):
As of June 2019, Firefox also blocks third-party cookies – specifically third-party trackers – by default. This features is known as Enhanced Tracking Protection.
Prior to June 2019, Firefox only blocked known trackers in private windows as part of the Standard setting.
Users can adjust this setting by going to the drop-down menu in the browser (again, by clicking the “i” icon in a website’s address bar).
The setting can be changed to block cookies from all unvisited websites, all third-party cookies or all cookies (including first-party cookies). The last two settings may cause websites to break or work incorrectly.
The impact on AdTech
The default setting (Standard) blocks third-party cookies in Firefox and stops most types of tracking for advertising purposes, but only fine-tuning the settings allows users to block both first- and third-party cookies, as well as fingerprinting – and not every user will take the extra step.
Microsoft’s legacy browser, Internet Explorer, isn’t getting much love from users these days; IE has a minute user base of just 2.47%. Even the Redmond giant itself urges users to stop using it and switch to its newer, faster browser, Edge.
The default setting in Internet Explorer blocks some third-party cookies thanks to tracking protection, a baked-in feature that uses tracking-protection lists.
The sites found on the list are restricted from dropping cookies (trackers) in the browser. On the other hand, because IE is closed-source software, no one knows what kind of surveillance Microsoft uses for itself.
The impact on AdTech
Internet Explorer does not offer any of the modern cookie-blocking features that other browsers offer and certainly is not a browser that would restrict first- or third-party cookies in a significant way. The impact on AdTech is rather minimal.
Microsoft Edge is the younger, faster sibling of Internet Explorer. Its most recent version, hailed Edge Chromium(now in beta), is strongly focused on improving user privacy, as it offers features to block trackers.
You can download the Edge Chromium build here.
Edge Chromium, Chrome, Opera and dozens of other browsers are based on the open-source Chromium project, which explains why they look so similar.
Microsoft has recently teased an updated and redesigned Privacy and security page in the Edge Chromium settings. From there, you can choose between three different levels of privacy (much like Firefox): unrestricted, balanced and strict. Tinkering around the settings will alter how Edge Chromium handles cookies.
Edge, like many other popular browsers, accepts all first-party cookies by default.
Edge does not block third-party cookies by default. Also, for some reason, it lacks Internet Explorer’s best feature – tracking protection.
IE’s tracking protection used lists to restrict sites known to ignore DNT requests or invade privacy in other ways, blocking their requests for data.
While Edge does send “do not track” requests if you ask it to, they are not always honored around the web. This means that sites may still share your browsing information for tracking purposes.
Surprisingly, there is no tracking protection in Edge’s private-browsing mode either.
Also, a group of Belgian researchers found that Edge’s “block only third-party cookies” feature is rather spotty – as is the case in many other browsers.
Opera is a browser developed by Chinese-owned company Opera AG. It utilizes the same rendering engine as Chrome and Edge – Chromium. This makes the interface a little similar to the others, but Opera has a slew of functionalities that make it unique in its own way.
Many of these features, like VPN and built-in cookie blocking, help users fine-tune the browser to their specific, more sophisticated privacy requirements.
Opera, like many other browsers, accepts all first-party cookies by default. These settings can be changed, but may break websites and is not recommended.
By default, Opera does not block third-party cookies in any way.
However, you can enable cookie blocking from the browser’s advanced settings under the section Privacy and security > Content settings > Cookies > Block third-party cookies.
For those concerned about tracking and third-party cookies, Opera recently introduced a free, baked-in VPN. To activate it, go to Menu > Settings > Privacy > VPN. This will enable an icon on the address bar showing whether VPN is on; clicking it toggles Opera’s VPN on and off.
Opera’s VPN replaces your IP with a virtual one, making it difficult for websites to track your location and identify your computer. It also blocks many tracking cookies.
Opera also provides a private-browsing mode for such cases, ensuring that all cookies are purged at the end of each browsing session.
Which Browser Is the Ultimate Cookie Buster?
For users wanting to stop AdTech vendors and data companies from identifying and tracking them around the internet, they have a few options available to them. Most of the popular browsers offer some sort of privacy protection.
This would mean settling for Firefox, a browser that includes baked-in ad-blockers or anti-tracking functionalities and keeps users relatively safe online. Safari would do the job just as well, but is limited to Apple devices. Tor Browser, while not on our list, also provides strong privacy protection, but ultimately results in a broken user experience and therefore isn’t the browser of choice for the average internet user.
A 2018 study (you can read the whole paper here) found that all popular browsers available on the market today fail at blocking cookies for certain redirects, regardless of their “block third-party cookies” or “tracking protection” settings.
Black circle: Request is sent by the site, the cookie is set.
Half circle: Request is sent, but no cookie is set.
White circle: Request is blocked, and thus no cookie is set.
If you want to be up-to-date about browser vulnerabilities and inefficiencies connected with blocking third-party cookies, head over to wholeftopenthecookiejar.com and read their study in its entirety – not for the faint of heart.
Blocking third-party cookies in browsers can be marketed under the banner of privacy, but at the end of the day, it only reinforces the dominance of the so-called walled gardens – big AdTech companies with strong first-party relationships.
On top of it all, we are also dealing with the “privacy paradox” – a discrepancy between expressed privacy concerns and actual online behavior. There has been much talk about data privacy in the media since the GDPR kicked in, but online users rarely go the extra mile to fine-tune their browser’s settings and actually protect their data.
Instead, they browse the internet with the default settings, which is much like walking naked in public.