Cookies remember website configuration (e.g. language preferences), login details, and products added to the shopping cart, even after a user leaves the site, but because cookie files are widely used to collect certain pieces of information, they can also be used to carry out advertising processes like behavioral profiling and retargeting.
Understanding the role of cookies in advertising technology is critical to getting a better hold on online advertising and privacy.
Over the years, cookies have become the bread and butter of the Internet, and are currently the most common method of identifying users online and providing a personalized browsing experience.
With growing awareness of privacy issues, and the introduction of laws like the EU’s General Data Protection Regulation (GDPR) and ePrivacy, comes a stronger need to educate users about what cookie files actually do, what information they can contain, and what types of cookies exist.
What Types of Cookies Are There?
There are essentially two types of cookies: first-party and third-party.
From a technical perspective, there is no real difference between the two types of cookies; they can contain the same information and perform the same functions.
However, the distinction between these types of cookies lies in how they are created and subsequently used, which often depends on the context. First-party cookies offer different benefits compared to third-party cookies.
- First-party cookies are stored by the domain (website) you are visiting directly. They allow website owners to collect analytics data, remember language settings, and perform other useful functions that help provide a good user experience.
- Third-party cookies are created by domains other than the one you are visiting directly, hence the name third-party. They are primarily used for cross-site tracking, retargeting and ad-serving.
In addition to first-party and third-party cookies, there are also second-party cookies, although they are less common.
Second-party cookies are cookies that are transferred from one company — the one that created first-party cookies — to another company via some sort of data partnership.
For example, an airline could sell its first-party cookies and other first-party data, such as names, email addresses, etc., to a trusted hotel chain for ad targeting, meaning the cookies become classed as second-party.
We Can Help You Build an AdTech Platform
Our AdTech development teams can work with you to design, build, and maintain a custom-built AdTech platform for any programmatic advertising channel.
How Are First-Party and Third-Party Cookies Different?
Technically speaking, first- and third-party cookies are the same type of file. What’s different is how they are created and used by websites.
What Are First-Party Cookies?
First-party cookies are created by the host domain — the domain the user is visiting. These types of cookies are generally considered good; they help provide a better user experience and keep the session active. This means the browser can remember key pieces of information, such as which items you add to shopping carts, your username and passwords, and language preferences.
What Are Third-Party Cookies?
Third-party cookies are those created by domains other than the one the user is currently visiting. They are mainly used for tracking and online advertising purposes. They also allow website owners to provide certain services, such as live chats.
To help illustrate the difference between first-party and third-party cookies, let’s imagine an Internet user accesses a website (somenewssite.com) containing ads.
In addition to a first-party cookie being created by the host site, somenewssite.com, a third-party cookie is also created by ad.doubleclick.net.
The third-party cookie is created because the URL (ad.doubleclick.net) doesn’t match the domain (somenewssite.com). The cookie is left by a third-party advertising provider, hence the name third-party cookie.
The table below provides a brief breakdown of how first- and third-party cookies differ.
How Are Third-Party Cookies Created on a Website?
A request needs to be sent from the web page to the third party’s server in order for a third-party cookie to be created.
The file being requested is different depending on the use, but it can be an actual creative (an ad) or a tracking pixel, which is completely invisible to the user but acts as a tracking cookie in situations when there is no click event — for instance, when just a web page is opened — and click redirects cannot be used.
For example, if the third party was an advertising service like DoubleClick by Google, the request would be for a creative – the actual ad the visitor sees. The DoubleClick ad markup can allow a third-party cookie to be placed.
Here’s what the unique ad markup could look like:
<a href="ad.doubleclick.net/some-other-parameters-specific-to-this-ad" target="_blank" rel="noopener"><img src="ad.doubleclick.net/the-extension-to-the-creative"></a>
When the web page loads, the above ad markup also loads, and a request is sent to ad.doubleclick.net/the-extension-to-the-creative to retrieve the image and assign a cookie to the user at the same time.
Different third parties may request different files from their web servers and send them back to the browser.
Examples of Third-Party Services That Leave Cookies
There are a number of third-party service providers that usually leave cookies in a user’s browser. Here are a few of the main ones:
Ad-Retargeting Services
Ad retargeting involves following website visitors who have previously visited your website around the web and showing them ads for the products or services they’ve viewed or interacted with previously. Retargeting works across different channels, including social media, display, and email.
Website owners place a 1×1 transparent pixel on their site, which sends a request to the ad-retargeting server when the page loads. The server then returns the requested information (typically containing some JavaScript) to assign a cookie to the user and retarget them later on other websites.
To learn more, read our post about ad retargeting.
Social Buttons
Most social media plugins that enable users to log in, share and like content on third-party websites will place cookies on your device.
In this way, the social media sites that these cookies come from can track the sites you visit and send you relevant ads when you go back to these social media sites. Even if you are not signed in to your account, these cookies can still follow you by using deterministic matching, and sometimes fingerprinting your device to identify you.
You can learn more about device fingerprinting in our previous posts.
Live-Chat Popups As far as cookies are concerned, live chat popups work similarly to social buttons. Live-chat services leave a cookie in your browser to streamline the user experience.
For example, because the live-chat popup can identify you, the next time you visit the chat box, it will remember your name and the entire conversation history. Of course, this data is removed if you delete your cookies or when they expire.
It’s important to mention that first-party cookies can also be used for cross-site tracking, but this would require the tracking software (script) to be hosted under the website’s domain.
How Do Browsers Treat First-Party and Third-Party Cookies?
First-Party Cookies
As mentioned above, first-party cookies are created directly by the website whenever a user visits the site. Generally speaking, most browsers accept first-party cookies by default, as their primary role is to allow customization and improve user experience.
For example, if you visit a site like techcrunch.com, thehuffingtonpost.com or nytimes.com, a cookie will be created and saved to your computer by each site.
The specific site’s cookie will be used to remember user information and their behavior. With first-party cookies, the website decides what information to collect and store.
The big limitation of first-party cookies is that they can be read only when the user is visiting the website domain. This makes them useless for advertising purposes (e.g. retargeting) on other websites.
Third-Party Cookies
Third-party cookies (also known as tracking cookies or trackers) are created by parties other than the website the user is visiting.
Consider this example:
When you visit cnn.com and read a few articles, cnn.com will create a first-party cookie and save it to your computer. Because cnn.com (like most other publishers) uses online ads as a way to monetize its content, the ads you see on cnn.com will also create a cookie (e.g. in ads.somedsp.com domain) and save it to your computer.
These cookies are not created by cnn.com, so they are classified as third-party cookies.
Third-party cookies are placed not by the website, but by advertisers.
A website can use various third-party trackers (or cookies) to collect user information. This information can include data such as the user’s behavior on the site, location, and device type, which is passed on from the website.
Third-party trackers can also track a user’s behavior, such as the content they view on that website and the things they click on (e.g. products and ads). The trackers create third-party cookies and use them to display ads to the user when they visit different websites.
For example, if a user visits bestbuy.com and clicks on a product, third-party trackers will collect and analyze the information about that user and their activity on bestbuy.com. Then, if that user leaves bestbuy.com and accesses a different website, such as techcrunch.com, the user could be shown an ad for that exact same product or something similar (e.g. another TV or another electrical product).
The way it works is that both bestbuy.com and techcrunch.com load a piece of code from an ad server (e.g. ad.doubleclick.net). When the user navigates to either website, the piece of code loaded from ad.doubleclick.net is from a different domain than the URL in the user’s browser, so the cookies set in ad.doubleclick.net are considered third-party cookies.
The web server or a piece of JavaScript running on the website can set and read cookies. Software like Ghostery or AdBlock Plus can block these scripts – more on that below.
First-Party Cookies Used in a Third-Party Context
Some first-party cookies can be used to track users in the same way as third-party cookies in specific contexts.
For example, log-in boxes (widgets, plugins) to social sites like Facebook can be placed on different websites to facilitate commenting or “liking” content. This functionality uses first-party cookies in the third-party context; because the user interacts with the login widget (as in, visits its domain), the widget can leave a first-party cookie. As these first-party cookies are used in third-party context, they can enable cross-site tracking.
However, some internet browsers like Safari have methods of blocking this.
Privacy Settings in Popular Web Browsers That Block Third-Party Cookies
Apple Safari’s Intelligent Tracking Prevention (ITP)
Intelligent Tracking Prevention (ITP) is a feature offered with Safari and in iOS 11 by default. It changes the way the Apple browser handles first-party cookies, which is different from most other browsers.
- ITP (1.0 and 1.1) allowed cookies to be read and used in a “third-party context,” provided the user accessed the domain directly in the first 24 hours. That gave Facebook and Google an unfair advantage, as the 24-hour purge didn’t have the same effect on them as on other sites because users visit these websites regularly and rarely log out.
- ITP 2.0, started to detect cross-site tracking and partition (or isolate) first-party cookies, making it impossible to use them in a third-party context for tracking or analytics purposes. Some experts say that by introducing such strict rules to deal with third-party cookies, Apple is sabotaging the current economic model of the Internet.
- ITP 3.0, which became widely referenced though not officially named as such, introduced complete blocking of all third-party cookies by default, making any form of third-party tracking nearly impossible on Safari.
Read our blog post to learn all about Intelligent Tracking Prevention (ITP) and how it works.
Mozilla Firefox’s Enhanced Tracking Protection
Mozilla’s Firefox followed in Safari’s footsteps and released a Safari-like “intelligent” functionality in Firefox version 50 that blocked unwanted third-party tracking cookies.
A gray shield icon appeared in the address bar when Firefox blocked tracking domains.
Its Tracking Protection feature was developed in collaboration with Disconnect and is based on a number of tracker blacklists to allow third-party cookies only from trusted providers.
Mozilla Firefox has significantly advanced its privacy features since version 50. The browser now includes Enhanced Tracking Protection (ETP), which provides robust defenses against unwanted third-party tracking cookies and other tracking mechanisms.
- Introduced in 2020, ETP 2.0 expanded Firefox’s ability to protect users from trackers by blocking third-party cookies by default and introducing daily deletion of tracking cookies. This prevents advertisers and other entities from using third-party cookies to track your online activities across different sites.
- Firefox also added protection against advanced tracking techniques like redirect tracking, also known as bounce tracking.
- One of the latest privacy enhancements was introducing Enhanced Cookie Clearing within Firefox 91. The web browser made it easier to delete all cookies and supercookies that were stored on a user’s device by a website or by any trackers embedded in it. Enhanced Cookie Clearing is built on Total Cookie Protection and prevents hidden privacy violations.
Opera and Other Browsers
Opera and other browsers available on the market also offer more-or-less the same elaborate methods to block third-party cookies. Most of them offer some kind of cookie-blocking method, but not all of them are based on blacklists or algorithms.
How to Disable Third-Party Cookies
Third-party cookies are blocked when a user does one or more of the following:
- Browse the web in private or incognito mode.
- Uses Firefox or Safari as they block third-party cookies by default.
- Changes the cookie and tracking settings in their browsers (detailed below).
- Uses Tor.
- Installs ad blockers or similar add-ons (Ghostery, Pivacy Badger etc).
How to Block Cookies in the Browser (Updated in 2024)
Blocking third-party cookies can enhance your privacy by preventing websites from tracking your browsing activity across different sites. This process may reduce the personalization of ads but should not significantly impact your overall browsing experience.
Here’s how you can disable third-party cookies in major web browsers as of 2024:
Microsoft Edge
1. Open settings:
– Click the three-dot menu (ellipsis) in the top-right corner of the browser.
– Select Settings from the drop-down menu.
2. Navigate to Privacy Settings:
– Click on Cookies and site permissions in the left sidebar.
– Select Manage and delete cookies and site data.
3. Block third-party cookies:
– Toggle the switch to Block third-party cookies under the Cookies and site data section.
Google Chrome
1. Open Settings:
– Click the three-dot menu in the top-right corner.
– Choose Settings from the menu.
2. Access Privacy and security:
– Scroll down and click on Privacy and security in the left sidebar.
– Select Cookies and other site data.
3. Block third-party cookies:
– Under General settings, choose Block third-party cookies.
Mozilla Firefox
1. Open Options/Preferences:
– Click the three-line menu icon in the top-right corner.
– Select Settings (Options on Windows or Preferences on Mac).
2. Go to Privacy & Security:
– Click on Privacy & Security in the left sidebar.
– Under Browser Privacy, choose Custom.
3. Set third-party cookie preferences:
– Check the box for Cookies and select All third-party cookies to block them.
Safari (macOS)
1. Open Preferences:
– Click on Safari in the top menu and select Preferences.
2. Navigate to Privacy settings:
– Click the Privacy tab.
– Ensure the option Block all third-party cookies is checked (Note: Safari now blocks all third-party cookies by default).
Safari (iOS)
1. Open Settings App:
– Go to the Settings app on your iPhone or iPad.
2. Navigate to Safari Settings:
– Scroll down and tap Safari.
3. Block cookies:
– Toggle Prevent Cross-Site Tracking to block third-party cookies.
For more detailed guides, you can refer to the official support pages of each browser.
How to See Which Cookies Are Created When You Visit Websites
There are a number of methods that determine what cookies a website stores in your browser. You can do this by installing a dedicated cookie-management browser plugin or by using the browser’s developer console.
Browser Plugins
Installing a user-friendly cookie-management plugin is the easiest way to analyze first- and third- party cookies placed by websites, and to block them selectively when needed. The most popular cookie plugins for browsers include:
- uBlock
- Ghostery
- AdBlock Plus
- Privacy Badger
- Disconnect (now also a part of Firefox)
Browser Development Console
Using the development console in your Internet browser is one of the easiest methods to see all the cookies stored by particular websites. You can also determine which of the cookies stored in your browser are first-party cookies and which are third-party. First-party cookies will share the same domain as the website you are currently visiting.
Here’s how to see the cookies:
Google Chrome
For Google Chrome, follow these steps:
- Open your Chrome browser and type the URL of the site you want to analyze.
- To open the console, use the shortcut Ctrl + Shift + I to run the inspect console, or Ctrl + Shift + D to run the developer console.
- Once the console is open, you can view the cookies installed by the site by clicking on the Application tab at the top right of the console.
Mozilla Firefox
If you prefer to use Mozilla’s Firefox, you can open the browser’s developer console:
- Go to the Application menu and select More tools.
- Select Web developer tools and go to the Storage tab.
- Select Cookies to see the cookies created by the website.
The Future of First-Party and Third-Party Cookies
For many years now, third-party cookies have been the cornerstone of online advertising, but their days seem to be numbered.
Today, advertisers and publishers are not only fighting the increasingly popular ad blockers and other methods that block third-party tracking, but they now also have to deal with privacy-centered regulations, such as the GDPR. On top of that comes the growing awareness of privacy issues associated with third-party cookies propelled by the media.
And although there are a few alternatives to third-party cookies, it seems that the only way forward is by making the online advertising ecosystem more focused on openness, transparency and communicating directly to users, rather than on obscure methods of collecting their data without their knowledge or consent.
Every player in online advertising, from publishers to AdTech vendors, should focus on providing value and great user experiences to users willing to share their data.
But given how user data has been collected and shared previously, this shift will not be easy – neither from a technical perspective nor mindset.
We Can Help You Build an AdTech Platform
Our AdTech development teams can work with you to design, build, and maintain a custom-built AdTech platform for any programmatic advertising channel.