Web cookies remember website configuration, login details, and products added to the shopping cart. For years, they’ve also been the backbone of online advertising for targeting, retargeting, tracking, and attribution.
In this article, we’ve compiled a list of the most popular web browsers and explained how they handle first-party and third-party cookies.
Cookies are currently the most common method of identifying users online. However, the days of third-party cookies are numbered due to privacy changes in web browsers.
Also, first-party cookies, which are often tipped as the replacement for third-party cookies, require consent in certain countries due to privacy laws, presenting their own set of challenges for use in programmatic advertising.
What’s the Difference Between First-Party and Third-Party Cookies?
Before we look at how browsers handle first-party and third-party cookies, we should explain the difference.
First-party cookies: These cookies are set by the domain the user is visiting at the time and help deliver a good user experience (remembering language preferences, for example).
Third-party cookies: These cookies are set by domains other than the one the user is visiting and are typically used for online advertising purposes.
Read our blog post to learn more about the difference between first-party and third-party cookies.
Popular web browsers differently handle first- and third-party cookies. Let’s examine what this means for AdTech.
We Can Help You Build an AdTech Platform
Our AdTech development teams can work with you to design, build, and maintain a custom-built AdTech platform for any programmatic advertising channel.
Google Chrome
Google Chrome is by far the most popular web browser, with an estimated global market share of about 65%. Its crushing dominance is unthreatened; the closest competitor, Apple’s Safari, has a mere 18% market share.
Because Chrome is the most popular browser across all devices (including mobile), changes in how it handles cookies will likely have the strongest impact on the AdTech industry.
Chrome offers granular privacy settings, but they are hidden deep in the browser’s menus.
First-Party Cookies
First-party cookies aren’t blocked by default in Chrome, but the user can delete them. In this case, both first-party and third-party cookies would be removed.
Third-Party Cookies
Chrome does not block third-party cookies by default either, but you can turn them off through the settings menu. Go to Settings > Privacy & security > Cookies and other site data and set “Block third-party cookies” to On.
Users can choose to delete cookies, which removes both first-party and third-party cookies.
In May 2019, Google announced that it would implement a number of changes to provide users with more transparency about how sites are using cookies and simpler controls for cross-site cookies.
Once Chrome’s new features are implemented, users will be able to block and delete third-party cookies while keeping first-party cookies intact.
As it’s not entirely dependent on Google Chrome, the decision to deprecate third-party cookies was postponed several times. Here’s a brief description of Google’s announcements on the topic:
- January 2020: Google announced its intent to phase out third-party cookies by 2022, aiming to enhance privacy and security on the web. This was part of the broader Privacy Sandbox initiative designed to develop open standards that improve privacy online.
- June 2021: The company provided an update for Chrome’s plan to phase out support for third-party cookies. The plan considered shutting down cookies over a three-month period, finishing in late 2023.
- July 2022: Google further delayed the cookies phase-out timeline to the second half of 2024, citing the need for more time to test the proposed technologies and to allow the digital advertising industry to prepare for the transition.
- May 2023: Google declared that in Q1 of 2024, the company plans to deprecate third-party cookies for one percent of Chrome users. However, the next phase of the plan is dependent on the UK’s Competition and Markets Authority (CMA) decision.
- April 2024: The latest update on Google’s plan to shut off third-party cookies provided an overview of the timeline expansion. Google announced that the deprecation will not be completed during the second half of Q4.
It’s currently expected that Chrome will shut off support for third-party cookies in 2025.
Chrome plans to replace third-party cookies used for ad targeting and measurement with the Privacy Sandbox, an open initiative that Google hopes will become the new standard for running advertising campaigns in Chrome.
The Impact on AdTech
Due to Google’s large share of the web browser market, the new privacy features in Chrome will likely have a bigger impact on online advertising than other browsers have had so far.
However, Chrome’s privacy features are still not as strict as those in Safari or Tor. This is because the vast majority of Google’s revenue is derived from advertising.
Outside of its walled garden, Google (along with Meta and Amazon) also places bids in almost every programmatic auction on the Internet.
Because the other major web browsers (Firefox and Safari) already block third-party cookies by default, when Google Chrome turns off third-party cookies, it will change the way advertising activities like ad targeting, retargeting, and frequency capping are run.
Google’s Privacy Sandbox
The Privacy Sandbox initiative aims to transform the AdTech industry, requiring both publishers and advertisers to adapt to a world with reduced third-party tracking and increased emphasis on privacy.
Publishers will need to rely on first-party data and build trust with users, while advertisers will need to adopt new targeting and measurement methods.
Both must embrace new technologies and collaborate across the ecosystem to navigate these changes successfully.
- Both publishers and advertisers will need to focus more on first-party data collection and usage.
- Integrating with the Privacy Sandbox APIs and other privacy-preserving technologies will be crucial.
- Enhancing privacy practices will help comply with regulations and build user trust.
- New methods for targeting and measuring ad effectiveness will need to be adopted and optimized.
We’ve written about Chrome’s new privacy features in more detail in another post on our blog.
Safari
Since the first version of Intelligent Tracking Prevention (ITP) in 2017, Apple’s crusade against cookies and the overuse of cross-site identification has intensified. Compared to Google’s parent company Alphabet, whose revenue is mainly derived from advertising, Apple’s main source of revenue comes from its hardware and software businesses. This means Apple can implement strict privacy changes without seeing a negative impact on its revenues.
While introducing ITP was seen as Apple’s consumer-facing move, it was also a discreet jab at Google and other AdTech companies, impacting their stock prices.
However, the AdTech landscape has continued to evolve.
Many companies have adapted by shifting their focus to first-party data and other privacy-preserving technologies.
The broader impact on the AdTech industry includes a move towards alternative tracking methods and the development of more robust consent mechanisms.
First-Party Cookies
All script-writeable storage, including first-party cookies, is capped at a 7-day expiration by default unless there is ongoing user interaction with the site.
This applies universally to cookies set via JavaScript and HTTP headers.
Third-Party Cookies
Prior to the release of ITP, Safari automatically blocked third-party cookies by default. The way Safari manages first- and third-party cookies has serious reverberations for the AdTech industry today.
The name “Intelligent Tracking Prevention” was chosen (rather than “Intelligent Cookie Prevention”) for a reason.
Until version 2.0, ITP used the so-called “machine-learning classifier” to predict which domains had cross-site tracking capability and partitioned the cookies immediately.
Today, Safari does not support partitioned cookies anymore and third-parties are restricted to the Storage Access API to get any type of cookie access — for both tracking and non-tracking purposes.
The Impact on AdTech
Analytics cookies that would previously last for two years (if not purged) are now deleted by Safari after seven days under ITP. This has some specific consequences for players in the AdTech industry: publishers, marketers, and vendors.
Walled Gardens
While companies like Google, Facebook and Amazon weren’t initially affected too much by ITP 1.0 and 1.1, the introduction of ITP 2.0, 2.1 and 2.2 was a whole different story.
Safari does not allow third-party login widgets to place cookies in users’ devices without first obtaining consent from the storage access API, which comes at a trade-off – a broken user experience.
Frequency Capping and Retargeting
Because Safari, by default, blocks third-party cookies, advertisers cannot properly implement ad-frequency management and capping, retargeting, or view-through attribution modeling.
As a result, Safari users will still see ads, but they will be badly targeted, irrelevant, and likely repeated too often.
Attribution
Since ITP 2.2, Safari restricts all conversion attribution carried out via link decoration if the referring domain has been classified as having cross-site tracking capabilities.
For example, when users come from domains like Facebook or Google through a URL that contains extra query parameters (which follow the “?” in the address) or hash fragments (which follow the “#” symbol), then all JavaScript cookies are set on the page via document.cookie will expire after 24 hours, shortening the look-back period.
The last marketing touch will be too highly credited for attribution, increasing the risk of excessive spending on ineffective channels.
Web Analytics
Safari, since the introduction of ITP 2.1, deletes first-party cookies set by web analytics and other MarTech tools after seven days – or in 24 hours in specific situations set out by ITP 2.2.
From a marketer’s perspective, this makes view-through attribution and accurate analytics impossible. Because users’ clickstream data disappears after one or seven days, the customer journey is broken and badly represented in most analytics tools. ITP makes analytics tools incorrectly display the number of unique visitors on a website (it artificially inflates the numbers).
Firefox
Firefox is an open-source browser created by the Mozilla Foundation, a non-profit organization. It is one of the most popular web browsers globally.
Since 2015, Firefox has constantly enhanced tracking protection. Here is the list of major changes the web browser has made to handle first-party and third-party cookies.
- 2015: Firefox 42 rolled out the Tracking Protection feature within Private Browsing. This feature actively blocked content like ads, analytics trackers and social share buttons that may record user behavior without their knowledge across sites.
- 2018: Firefox 65 introduced Enhanced Tracking Protection (ETP), a new set of content-blocking controls that allows users to choose between standard, strict, and custom protection modes. With ETP in Firefox 69 and 70, social media trackers, cross-site tracking cookies, tracking content in Private Browsing, cryptominers, and fingerprints were blocked by default for all users in the Standard mode.
- 2020: Firefox 79 first introduced Total Cookie Protection (TCP) and enabled it by default in 2023. This feature isolated cookies to the site where they were created, preventing cross-site tracking and enhancing user privacy. Also, Firefox’s ETP 2.0 was introduced, blocking redirect tracking (also known as bounce tracking) by partitioning storage and site data for trackers.
- 2021: Firefox 87 introduced SmartBlock for Private Browsing and Strict Mode — the first iteration of this anti-tracking mechanism fixed up web pages that were broken by Firefox’s tracking protections; it did it by providing local stand-ins for blocked third-party tracking scripts. Next, Firefox 91 introduced Enhanced Cookie Clearing. The feature allowed users to fully erase browser history for any website. Finally, Firefox 93 strengthened the Referrer Policy, and thus the HTTP Referrer Protections, to always trim the HTTP referrer for cross-site requests, regardless of the website’s settings.
You can find all past, current and future security Firefox updates here.
First-Party Cookies
First-Party Isolation (FPI) is a privacy feature first introduced in Firefox 55 (2017). It prevents cross-origin tracking by isolating cookies and other site data on a per-site basis. This means that cookies from one site cannot be accessed by another site, effectively stopping third-party tracking mechanisms from using first-party cookies.
FPI was not enabled by default when it was first introduced. This was because it could disrupt the functionality of certain websites, particularly those that rely on cross-origin data sharing for authentication or other services.
With the release of Firefox 86 (2021), Mozilla introduced State Partitioning as a default feature. State Partitioning goes beyond FPI by isolating a broader range of web resources per site, including cache, cookies, and storage, effectively replacing and expanding upon FPI.
Total Cookie Protection (TCP) was introduced in 2020 in a strict mode and later made more widely available. TCP confines cookies to the site where they were created, preventing them from being used to track users across different sites.
Third-Party Cookies
As of June 2019, Firefox blocks third-party cookies by default.
Prior to June 2019, Firefox only blocked known trackers in private windows as part of the Standard setting.
Users can adjust this setting by going to the drop-down menu in the browser (again, by clicking the “i” icon in a website’s address bar).
The setting can be changed to block cookies from all unvisited websites, all third-party cookies or all cookies (including first-party cookies). The last two settings may cause websites to break or work incorrectly.
The Impact on AdTech
Firefox’s default setting (Standard) blocks third-party cookies by default and stops most types of tracking for advertising purposes.
These default settings have a big and negative impact on all companies in the digital advertising and marketing industries as it makes it much harder to run behavioral ad targeting, frequency capping, measurement, and attribution.
Also, when the First-Party Isolation feature is enabled on top of that, tracking users on websites ends at the domain level. So, from an advertising and marketing point of view, it makes it much harder for AdTech and MarTech companies to track users across different websites.
Edge (Chromium)
Microsoft Edge, which is built on the open-source Chromium project, has rapidly evolved from its Internet Explorer roots to become a modern, fast, and privacy-focused browser. The latest versions of Edge, often referred to simply as Edge Chromium, offers more control over user privacy.
First-Party Cookies
Edge, like many other popular browsers, accepts all first-party cookies by default.
Third-Party Cookies
Edge does not block third-party cookies by default. However, users can manage cookies accordingly to their preferences, i.e.:
- View all cookies
- Allow all cookies
- Allow cookies from a specific website
- Block third-party cookies
- Block all cookies
- Block cookies from a specific site
- Delete all cookies
- Delete cookies from a specific site
- Delete cookies every time after closing the browser
The instructions for each operation are here.
Opera
Opera is a browser developed by Chinese-owned Opera AG. It utilizes the same rendering engine as Chrome and Edge — Chromium. This makes the interface a little similar to the others, but Opera has a slew of functionalities that make it unique in its own way.
Many of these features, like VPN and built-in cookie blocking, help users fine-tune the browser to their specific, more sophisticated privacy requirements.
First-Party Cookies
Opera, like many other browsers, accepts all first-party cookies by default. These settings can be changed, but changing them may break websites, so they are not recommended.
Third-Party Cookies
By default, Opera does not block third-party cookies in any way.
Users can set their cookie preferences in Opera by going to Settings > Advanced > Privacy & security > Site settings > Cookies and site data. At the top, users can turn on or off Allow sites to save and read cookie data.
There are two additional options for handling cookies:
- Clear cookies and site data when you quit Opera: Deletes cookies that have been added after this preference was enabled when closing the browser.
- Block third-party cookies: Blocks cookies set by other websites whose content is displayed in frames or images on the current website you are visiting. Blocking third-party cookies will allow only the cookies for the site you are visiting to be set on your system.
Opera also offers a free, baked-in VPN. To activate it, go to Menu > Settings > Privacy > VPN. This will enable an icon on the address bar showing whether the VPN is on; clicking it toggles Opera’s VPN on and off.
Opera’s VPN replaces your IP with a virtual one, making it difficult for websites to track your location and identify your computer. It also blocks many tracking cookies.
Opera also provides a private browsing mode for such cases, ensuring that all cookies are purged at the end of each browsing session.
Which Browser Is the Ultimate Cookie Buster?
Different browsers employ varying strategies to handle cookies. This study evaluates how modern browsers like Firefox, Chrome, Edge, and Safari handle first-party and third-party cookies.
- Firefox: With its Enhanced Tracking Protection and Total Cookie Protection, Firefox partitions cookies by site, limiting cross-site tracking even through first-party cookies.
- Safari: Uses Intelligent Tracking Prevention (ITP) to limit the capabilities of third-party cookies and has evolved to block almost all third-party cookies.
- Edge and Chrome: Edge offers configurable tracking prevention levels, while Chrome plans to phase out third-party cookies but still permits first-party cookies with less stringent controls compared to Firefox and Safari.
Conclusion
Blocking third-party cookies in browsers can be marketed under the banner of privacy, but at the end of the day, it only reinforces the dominance of the so-called walled gardens – big AdTech companies and other entities, such as retailers and CTV operators, with strong first-party relationships.
On top of it all, we are also dealing with the “privacy paradox” – a discrepancy between expressed privacy concerns and actual online behavior. There has been much talk about data privacy in the media since the GDPR kicked in, but online users rarely go the extra mile to fine-tune their browser’s settings and actually protect their data.
Instead, they browse the internet with the default settings.
We Can Help You Build an AdTech Platform
Our AdTech development teams can work with you to design, build, and maintain a custom-built AdTech platform for any programmatic advertising channel.
