The past few years in programmatic advertising have been dominated by the various privacy changes introduced by governments and tech giants like Google, Apple and Mozilla. At the center of this are third-party cookies and their demise in popular web browsers.
In this article, we explain what third-party cookies are, how they work, how they are used in programmatic advertising, why they’re going away, and what the alternatives are.
- Web cookies are a storage mechanism in web browsers that are used to store data.
- There are generally two types of cookies: first-party and third-party cookies.
- First-party cookies are created by the domain (aka website) the user is currently visiting.
- Third-party cookies are created by domains other than the one the user is visiting.
- Third-party cookies are also referred to as tracking cookies, tracking codes, tracking pixels and the like.
- They are mainly used for cross-site identification, which can then power programmatic advertising processes like audience targeting, retargeting, frequency capping, and measurement.
- The main reason for the decline of third-party cookies in the web browsers is the changing privacy landscape in programmatic advertising.
- Third-party cookies are blocked by default in Apple Safari and Mozilla Firefox, but are still available in Google Chrome. Ad blockers also prevent third-party cookies from being saved to a user’s device.
- Other alternatives to third-party cookies include universal IDs and device graphs, data clean rooms, the IAB Tech Lab’s Seller Defined Audiences (SDA), self-serve ad platforms, and contextual targeting.
Table of Contents
What Are Third-Party Cookies?
Web cookies are a storage mechanism in web browsers that are used to store data. There are generally two types of cookies: first-party and third-party cookies. Both types of cookies are the same from a technical perspective with the only real difference being who created them. First-party cookies are created by the domain (aka website) the user is currently visiting. Third-party cookies are created by domains other than the one the user is visiting.
Third-party cookies are also referred to as tracking cookies, tracking codes, tracking pixels and the like. They are mainly used for cross-site identification, which can then power programmatic advertising processes like audience targeting, retargeting, frequency capping, and measurement.
Third-party cookies not only track users across sites to provide a bigger picture of their behavior, but they also allow website owners to provide certain services, such as live chats.
When a user visits a website, a first-party cookie is created on that domain (somewebsite.com), but in addition, a third-party cookie is often created by another domain (e.g. ad.doubleclick.net).
The latter is a third-party cookie because the URL (ad.doubleclick.net) doesn’t match the host domain (somewebsite.com). The cookie is created on somewebsite.com by a third-party provider (ad.doubleclick.net), hence the name “third-party cookie”.
How Are Third-Party Cookies Created?
For a cookie to be created, a request needs to be sent from the web page to a server. The file being requested is different depending on the use, but it can be an actual creative (an ad) or a tracking pixel, which is completely invisible to the user but acts as a tracker in situations when there is no click event — for instance, when the ad was viewed by not clicked on.
For example, if the third party was an advertising service like Google Ads, the request would be for a creative – the actual ad the visitor sees. The Google ad markup can allow a third-party cookie to be placed.
Here’s what the ad markup could look like:
When the web page loads, the above ad markup would also load and a request would be sent off to ad.doubleclick.net/the-extension-to-the-creative to retrieve the image and assign a cookie to the user at the same time.
Different third parties may request different files from their web servers and send them back to the browser.
So essentially, in order to create a cookie — whether that be a first-party or third-party cookie — the website simply needs to send a request to a server.
The server will then respond to that request and create a cookie, provided the privacy settings in the web browser allow it.
Why Are Third-Party Cookies Being Phased Out?
The main reason for the decline of third-party cookies in the web browsers is the changing privacy landscape in programmatic advertising. Cookies aren’t inherently bad, and most websites use them to ensure a seamless experience for returning visitors.
Still, the process of identifying and tracking individuals across the web using third-party cookie tracking is unambiguous, and regulators and legislators have been trying to tame the problem for the last two decades.
Governments and web users are demanding more privacy and transparency regarding their choice and control over how their data is being processed and used around the Internet. As a result, many new privacy laws around the world have been introduced to help protect user privacy and secure their data.
Major web browsers like Mozilla Firefox and Apple Safari have also implemented changes to prevent third-party cookies from being created as a way to increase privacy for their users.
Safari and Firefox Turn off Support for Third-Party Cookies
Over the past few years, both Mozilla Firefox and Apple Safari have introduced new features in their web browsers to prevent cross-site tracking.
Apple’s privacy crusade started in its Safari browser back in 2015 when it allowed iOS users to install content blockers, which blocked certain elements on a web page, such as ads.
In 2017, they introduced Intelligent Tracking Prevention (ITP) which is a privacy feature that blocks third-party cookies by default and limits the lifespan of certain first-party cookies and other data storage mechanisms.
In 2019 Firefox also made a step towards protecting user privacy and introduced a feature called Enhanced Tracking Protection (ETP) that started to block third-party cookies by default.
In January 2020, Google Chrome announced that it too would be shutting off support for third-party cookies in the next few years. Currently, it’s expected that Google will shut off support for third-party cookies in Chrome in 2024.
The European Union’s General Data Protection Regulation (GDPR)
There are 6 legal bases for collecting personal data as outlined in the GDPR.
In the context of programmatic advertising, websites, AdTech companies, data companies and advertisers need to collect consent (Article 6, 1a), typically via a consent management platform (CMP), from users before they’re able to collect their personal data — e.g. create a third-party cookie on their device.
According to research from Reuters Institute, the introduction of the GDPR caused a 22% decrease in third-party cookies being created on news sites, including a 14% drop in advertising and marketing, and a 9% decrease in social media cookies on websites.
There was also a 7% drop in the number of news sites that host third-party social media content, such as sharing buttons from Facebook and Twitter.
Although the GDPR’s impact isn’t as direct as ad blockers or privacy settings in web browsers, it has significantly reduced the number of available audiences, especially in Europe.
What Information Can Be Stored in a Cookie?
Users are often unaware that their personal data is being harvested from third-party cookies.
Typically, the type of information that can be collected and stored in a first- and third-party cookie ranges from individual IP addresses, search and browser history, products and websites viewed, and specific details about devices.
This information can also be connected to sensitive information about a person’s health, family, sexuality, political views, religious beliefs and more.
Programmatic processes like real-time bidding (RTB) expose the personal data of billions of users by creating third-party cookies and saving them to the user’s device, often without the user’s knowledge or explicit permission.
The lack of self-regulation in the programmatic advertising industry has not only caused governments from different countries to introduce new privacy laws but also launch antitrust investigations into Google, Amazon Facebook and Apple (GAFA) because of their the dominance in the advertising industry, breach of user privacy, and use of privacy as a competitive advantage.
Can First- And Third-Party Cookies Still Be Created Even if a User Doesn’t Provide Consent?
In some web browsers, like Firefox and Safari, third-party cookies are blocked by default. But third-party cookies can still be created in Google Chrome.
Even though first- and third-party cookies should only be created when a user agrees to it and shares their consent to be tracked, many reports confirmed that consent management platforms (CMPs) were still firing tags on a user’s device, regardless of whether the user provided consent or rejected it.
The other thing is that users don’t seem to have a choice in whether a cookie is created or not. According to a study by Ebiquity, the vast majority (92.6%) of websites are tracking at least one user’s device prior to gaining their consent.
The study analyzed 200,000 cookies and half were defined as ”marketing cookies” by the CMP with 82.4% of these tracking tools determined to have been installed on users’ devices by third parties. A third (32.3%) of the cookies were fired without valid user consent.
Internet users also suffer from dark patterns in the design of the CMP to increase the chances of users giving consent. It means users aren’t given a clear choice of “yes” or “no” but rather click marathons which are supposed to discourage the user from providing informed consent and encourage them to simply select “yes” instead.
Third-party cookies can still be created even if a website is using a CMP in the following ways:
- Some websites still fire tags that create third-party cookies before a user has given consent or even after they have rejected it.
- Via the use of dark patterns and assumed-consent approaches where a CMP displays a default option “OK” to encourage the user to give consent without taking any other action.
- By leveraging legitimate interest as the basis for processing personal data — i.e. creating third-party cookies for AdTech companies because the website views advertising as “legitimate interest”.
Third-Party Cookies in Google Chrome
Third-party cookies can still be created in the Google Chrome browser, but the tech giant has set a deadline for phasing them out.
On Tuesday the 14th of January, 2020, Google Chrome announced it would stop supporting third-party cookies within the next two years.
Then, on Thursday June 24, 2021, Google Chrome announced it would be expanding the use of third-party cookies by 2 years and shut off support from the middle of 2023.
However, on Wednesday July 27, 2022, as the deadline was approaching, Google announced it will be delaying its shutdown of third-party cookies by another year to the second half of 2024.
Google is one the most popular browsers that accounts for 65.24% of the browser market and around 80% of the revenue derived from Alphabet, Google’s parent company, comes from advertising.
Therefore, the tech giant has decided to shut off third-party cookies but still leave the gate open for advertising and provide some alternatives that respect user privacy.
Google aims to create a thriving web ecosystem with improved user privacy and maintain an ad-supported web via the standards set by its Privacy Sandbox.
Third-Party Cookies in Safari & Firefox
Third-party cookies cannot be created in Safari and Firefox as they are blocked by default unless the users unmarks the option in their browser’s settings.
Ad blockers can be compared to gatekeepers that prevent users from downloading and loading unwanted elements on a given website.
The ad blocker prevents a number of key programmatic advertising processes from occurring which, for advertisers and marketers, means no data regarding:
- Identification across the web and AdTech platforms like SSPs and DSPs.
- Behavioral targeting and retargeting to show personalized ads.
- Audience activation via DMPs to create audiences and run the cookie syncing process.
- Frequency capping to limit the number of times the same user is shown the same ad.
- Attribution regarding ad views and conversions.
What Are the Alternatives to Third-Party Cookies?
Below are the main alternatives to third-party cookies in programmatic advertising:
- Universal IDs and Device Graphs
- Data Clean Rooms
- Google Chrome’s Privacy Sandbox
- The IAB Tech Lab’s Seller Defined Audiences (SDA)
- Self-Serve Ad Platforms
- Contextual Targeting
Read more about the alternatives here: Alternatives to Third-Party Cookies and Mobile IDs in AdTech