Over the last few years, third-party cookies have found their way into the minds of many web owners and internet users more than ever. Before GDPR, cookies set by another domain were not scrutinized this way. Advertisers and third-party providers got away with collecting personal data and monitoring users’ online activities without any consequence. In this article, we will discuss third-party cookies in detail, why they have become a cause of worry for publishers and advertisers, and finally, the solution to use them without breaking any law.
CookieYes helps you stay compliant with GDPR by automatically blocking third-party cookies on your website until visitors give their consent to use them.
Try CookieYes for free
(Free 14-day trial. Cancel anytime)
What are third-party cookies?
To understand third-party cookies, we must first understand the differences between first-party and third-party cookies.
First-party vs third-party cookies
First-party cookies are usually generated and placed on the user’s device by the website that the user is visiting. Such cookies are often used to facilitate user experience and some core functionalities of the site. E.g. first-party cookies can identify returning visitors so they do not have to use the username and password to log in on successive visits. They are usually harmless since they do not “spy” on the users. Some analytics tools use first-party cookies to gather analytics data. These, however, may sometimes require deliberation.
Third-party cookies are generated and placed on the user’s device by a website other than the one the user is visiting. They are created when a user visits a website with elements from other sites, such as third-party images or ads. If a server hosting one of these elements responds to the request by setting a cookie, that cookie is stored on the user’s browser.
E.g. If the user plays an embedded YouTube video on a website, the YouTube server will set cookies on their device. These cookies track user preferences and suggest similar videos when they visit YouTube.
How are third-party cookies created?
Third-party cookies are created when a website requests resources or scripts from a different domain. E.g. when a user visits a website (say, www.website.com), which uses an integrated analytics tool to measure its audience, the website needs to request resources and scripts from the analytics tool company, (say, www.example.com), a third party, to activate the analytics tool. The service provider then responds by sending a JavaScript file to the website.
The JavaScript file from the third-party service provider will look like this:
<script src="https://example.com/js/analytics.js"></script>
This JS file stores cookies in the user’s browser so that the analytics tool can track their activities.
It’s important to note that loading the third-party script and storing the cookies must be contingent on the user’s consent. The website must block the script if the user declines to use such cookies.
How do third-party cookies work?
Have you ever wondered how ads seem to follow users around the internet? The answer lies in third-party cookies.
Imagine browsing a website selling sunglasses and checking out some stylish aviators. They don’t buy them yet but move on to a news channel or a different website. Suddenly, they start seeing ads for similar aviators and other sunglasses on the news and other websites they visit, even though they never searched for them there.
Here’s how third-party cookies made that happen:
- When they visited,the sunglasses website placed a first-party cookie on their device to remember their browsing activity within the site (e.g.,viewed aviators).
- The sunglasses website also uses an invisible advertising service,which placed a third-party cookie on the user’s device. This cookie doesn’t say “sunglasses website,” but it tracks the user’s general browsing behavior.
- As the user visit other websites across the web,the same advertising service can access the third-party cookie it placed and see the user’s interest in sunglasses (based on the sunglasses website visit).
- The advertising service uses this information to show the users targeted ads for similar aviators and other sunglasses on other websites,even though they never directly searched for them there.
So, the third-party cookie acted like a tracker, connecting the user’s browsing activity across different websites and allowing advertisers to serve targeted ads for sunglasses despite them not actively searching for them.
Here is an illustration of how third-party cookies work:
While third-party cookies are often associated with targeted advertising, they have other roles in enhancing user experience and functionality across various applications. Let’s explore two common examples:
- Live chat for seamless support: Imagine users are browsing a complex website and need quick assistance. They initiate a live chat session. The chat service might store a third-party cookie on your browser to remember their conversation history and preferences. This cookie isn’t about tracking their browsing habits elsewhere; it enables the chat application to function properly, offering a personalized and convenient support experience.
- Social sharing made easy: Suppose the user comes across an insightful article on a website and wants to share it with their network. With social media plugins embedded on the page, they can seamlessly share it with a click. These plugins often use third-party cookies to streamline the process. The cookie identifies their social media account and streamlines the login process, saving them time and effort.
What are the pros and cons of using third-party cookies?
Here are the pros and cons of third-party cookies:
Pros:
- Personalized advertising: They can enable advertisers to personalize ads based on a user’s browsing history, interests, and demographics, making ads more relevant to the user.
- Better user experience: Theys can help websites remember user preferences and login information, improving the user experience.
- User analytics: They can help website owners understand how users are interacting with their site, which can help them improve its performance.
Cons:
- Privacy concerns: Third-party cookies can collect a significant amount of personal information about a user, such as their browsing habits, which can be used to create detailed profiles of users.
- Security risks: They can also be used for malicious purposes, such as tracking users to steal their personal information or to deliver malware.
- Lack of transparency: Many users are unaware that third-party cookies are being used to track their online activity.
Are third-party cookies bad?
While third-party cookies are not inherently bad, their use for tracking and targeted advertising has caused them to be viewed negatively by users concerned with privacy. Their absence does not typically affect a website’s core functionality, leading some to question their necessity. However, from a marketer’s perspective, these cookies are incredibly useful, allowing for personalized advertising and user tracking. Additionally, some websites rely on these cookies for essential services, meaning that their removal could cause a site to break. Ultimately, the debate around third-party cookies comes down to their application, and the control users will have over their usage.
How to check if your website uses third-party cookies?
Checking for third-party cookies on a website is the same as checking for any cookies. You can either do it manually using your browser settings or use a free online cookie checker tool.
For checking manually, the methods slightly vary in different browsers.
If you use Chrome, press Ctrl + Shift + I and select: Application > Storage > Cookies
Check the domain of the cookie list. If the domain is different from the website you are currently visiting or managing, you can confirm that the cookies are third-party cookies.
Similarly, for Firefox and Safari, you can open the developer console (inspect element) and check for cookies.
For detailed instructions, click here.
Online cookie checkers are much better and faster than the traditional browser method. You will also get a detailed scan report with a list of all cookies set by the website.
Identify third-party cookies on website
What do GDPR and CPRA say about third-party cookies?
While GDPR and CPRA do not provide a detailed discussion of cookie regulation, they do include cookie identifiers in their definition of personal data (or personal information) subject to the law. Data collected by cookies can be categorized as personal data if they can be used to identify the user, making third-party cookies subject to GDPR and CPRA regulations.
Under GDPR, websites cannot store third-party cookies without the user’s consent. If a user denies consent, the website must block the cookie and cannot load the cookie script before receiving consent. To obtain GDPR cookie consent, websites must follow certain legal practices, including
- informing users about third-party cookies in plain language
- providing clear choices to accept or decline all cookies
- allowing users to give consent to cookies by categories
- letting users withdraw cookie consent at any time and blocking the cookie script immediately upon withdrawal
- informing users how to manage cookies in the privacy/cookie policy
On the other hand, CPRA does not require websites to obtain consent for cookies but mandates that they offer an opt-out option for users. The website must provide a “Do Not Sell or Share My Personal Information” link to opt out of cookies that sell personal information. CCPA also requires websites to include a privacy or cookie notice to inform users in detail about third-party cookies and their purpose.
Block third-party cookies automatically
Auto-block third-party cookies before obtaining consent and manage compliance easily and for free!
Try free co*kie consent
Free 14-day trialCancel anytime
Are third-party cookies being phased out?
In January 2020, Google announced that it would be phasing out support for third-party cookies in Chrome by 2022. They stated, “Users are demanding greater privacy–including transparency, choice and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”
Since then, the tech giant has postponed the implementation thrice, ultimately deciding to pivot the plan.
Initially, Google Privacy Sandbox was designed to replace third-party cookies. Now, Chrome will introduce a new setting that allows users to make informed privacy choices and adjust them anytime. Privacy Sandbox APIs will continue to provide privacy-preserving alternatives, especially for developers. This initiative aims to reduce intrusive user tracking while still supporting the digital advertising ecosystem.
What happens to consent banners after Google’s updates?
After Google’s decision, one question remains: what will happen to cookie consent banners? The answer to this question depends on whether or not third-party cookies are the only type of cookies that collect personal data.
However, it’s important to note that the future of the cookie consent banner will remain intact even if third-party cookies become obsolete. You must obtain user consent if your website generates cookies that collect personal data, even if its first-party cookies. Some websites may have their own analytics system that uses first-party cookies to collect user data. Unless the data is statistical aggregate data, you must obtain user consent to place cookies on their devices.
Unless the cookie is “strictly necessary,” you may still need consent. Regardless of what cookies your website uses, it’s essential to inform users about them. A cookie banner is an effective solution for this. You can also look for alternative options that ensure safe and best privacy practices.
Therefore, it’s clear that cookie consent banners are here to stay for a long time.
What are some alternatives to third-party cookies?
If not third-party cookies, then what? There are many alternatives to third-party cookies, but they remain under the shadow of third-party cookies.
Other than Google’s Privacy Sandbox APIs, here are three technologies that publishers and advertisers can use as a replacement for third-party cookies:
First-party data
First-party data is data that you collect directly from your users, such as email addresses, contact numbers, demographic information, purchase history, etc. It is collected from website forms, surveys, and website or app interactions. This data will better understand your users and help you create personalized and targeted marketing campaigns.
Contextual targeting
Contextual targeting is a type of online advertising that delivers ads based on the content of a user’s webpage. You can choose keywords or topics that match your ads to relevant sites. For example, if a user is reading an article about laptops, they might see an ad for a new laptop model.
These ads are more likely relevant to the user’s interests, making them more effective. Additionally, contextual targeting is a more privacy-friendly alternative to third-party cookies, as it does not require tracking users across websites.
Device fingerprinting
Device fingerprinting is collecting device information and settings information, like IP address, operating system, language, installed plugins, etc, to create a “fingerprint.” This fingerprint is used to improve user experience or track user activity. Compared to third-party cookies, digital fingerprinting is much more effective and secure.
Frequently asked questions
Is it safe to allow third party cookies?
If you are not comfortable with third-party platforms or services tracking your online movement and monitoring your preferences for purposes like targeted advertising, then you should not allow third-party cookies.
Should I accept third-party cookies?
Accepting third-party cookies means allowing other websites you may not have visited to collect your data or monitor your browsing activity. However, blocking some websites may cause some of their services to break, as many rely on third-party providers. Nonetheless, blocking third-party cookies is a preferred practice for privacy reasons.
Should you block all third-party cookies?
Blocking or removing third-party cookies is easy, as all major web browsers provide this option.
As an internet user, whether or not you should block or remove third-party cookies depends on how you feel about being tracked by external sources. If you are comfortable with monitoring your browsing activity and receiving personalized advertisem*nts, or if you don’t mind websites collecting your data for analytics, you don’t need to block them. Some of these cookies can be useful in providing a better internet experience. However, if you are privacy-conscious and dislike being tracked, you should consider blocking (or removing) such cookies.
If you use Google Chrome…
To block cookies: select Settings from the top right corner menu and select: Privacy and security > Cookies and other site data > Block third-party cookies.
To remove cookies: Cookies and other site data > See all cookies and site data > Remove all > Clear all.
Firefox and Safari have built-in default blockers that stop third-party cookies. However, you can remove or block all cookies.
If you use Firefox…
Go to Options from the top right corner menu and select: Privacy & Security > Cookie and Site Data > Clear Data or Delete cookies and site data when Firefox is closed.
If you use Safari…
Go to Preferences > Privacy > check Prevent cross-site tracking and Block all cookies. To remove cookies, select Manage website data under Cookies and website data and click Remove.
What happens when you block third-party cookies?
Blocking third-party cookies will prevent websites from placing any cookies related to a third-party server on your device. This means they cannot track your online activity to deliver their services, like advertisem*nts. It also means that some services may remain inactive or broken, or even break some parts of the website.
How to enable third-party cookies?
Enabling cookies on your web browser is easy.
To enable cookies in Google Chrome, open the Menu list from the top-right corner and select:
Settings > Privacy and security > Cookies and other site data > Allow all cookies
Firefox blocks third-party cookies by default.
However, if you want to enable third-party cookies for specific sites in Firefox, click the shield icon on the address bar and turn off the Enhanced Tracking Protection is ON for this site toggle switch for the website. Or, you can go to the menu list from the top-right corner and select:
Settings > Privacy & Security > Choose Custom protection mode > uncheck Cookies checkbox to request Firefox to not block cookie scripts.
In Safari, you can allow all cookies and cross-site tracking which will enable third-party cookies.
Safari > Preferences > Privacy > uncheck Website tracking and Cookies and website data
To enable third-party cookies on iPhone:
Settings>Safari > PRIVACY & SECURITY > disable Block All CookiesandPrevent Cross-Site Tracking.
How do I know if my cookies are third-party?
To check if your cookies are from a third party, use the browser’s developer console, where you can check the domain that sets the cookies. If it is not the same as your website domain, then it is a third-party cookie. Alternatively, you can use an online cookie scanner to scan and identify the cookies. The scanner will crawl through the website, activate all cookies, and then categorize them based on their properties so you can know which cookies are third-party.
Does Google use third-party cookies?
Google uses cookies for various purposes, such as remembering your preferred language, making ads more relevant to you, counting how many visitors they receive to a page, helping you sign up for their services, protecting your data, and remembering your ad settings. However, cookies set by Google for its services, such as Analytics, are categorized as third-party by privacy laws.
Learn more about how Google uses cookies.
Will Google Analytics work without third party cookies?
Yes, Google Analytics will work without third-party cookies. In 2020, Google announced that the “new Google Analytics” will use machine learning to gather analytics and analyze customers’ journeys. The privacy-centric design will make it adaptable to work with or without cookies.
