What’s the Difference Between First-party and Third-party Cookies?

Cookies remember website configuration (e.g. language preferences), login details, and products added to the shopping cart, even after a user leaves the site, but because cookie files are widely used to collect certain pieces of information, they can also be used to carry out advertising processes like behavioral profiling and retargeting. 

Understanding the role of cookies in advertising technology is critical to getting a better hold on online advertising and privacy. 

Over the years, cookies have become the bread and butter of the Internet, and are currently the most common method of identifying users online and providing a personalized browsing experience. 

With growing awareness of privacy issues, and the introduction of laws like the EU’s General Data Protection Regulation (GDPR) and ePrivacy, comes a stronger need to educate users about what cookie files actually do, what information they can contain, and what types of cookies exist. 

What Types of Cookies Are There? 

There are essentially two types of cookies: first-party and third-party. From a technical perspective, there is no real difference between them as they can contain the same information and perform the same functions. 

However, the distinction between these types of cookies lies in how they are created and subsequently used, which often depends on the context. First-party cookies offer different benefits compared to third-party cookies. 

• First-party cookies are stored by the domain (website) you are visiting directly. They allow website owners to collect analytics data, remember language settings, and perform other useful functions that help provide a good user experience.  
• Third-party cookies are created by domains other than the one you are visiting directly, hence the name third-party. They are primarily used for cross-site tracking, retargeting and ad-serving. 

In addition to first-party and third-party cookies, there are also second-party cookies, although they are less common. Second-party cookies are cookies that are transferred from one company — the one that created first-party cookies — to another company via some sort of data partnership. For example, an airline could sell its first-party cookies and other first-party data, such as names, email addresses, etc., to a trusted hotel chain for ad targeting, meaning the cookies become classed as second-party. 

How Are First-party and Third-party Cookies Different? 

Technically speaking, first- and third-party cookies are the same type of file. What’s different is how they are created and used by websites. 

What Are First-party Cookies? 

First-party cookies are created by the host domain — the domain the user is visiting. These types of cookies are generally considered good; they help provide a better user experience and keep the session active. This means the browser can remember key pieces of information, such as which items you add to shopping carts, your username and passwords, and language preferences. 

What Are Third-party Cookies?   

Third-party cookies are those created by domains other than the one the user is currently visiting. They are mainly used for tracking and online advertising purposes. They also allow website owners to provide certain services, such as live chats. 

To illustrate the difference between first-party and third-party cookies, imagine an Internet user accessing a website (somenewssite.com) containing ads. 

In addition to the first-party cookie created by the host site, somenewssite.com, ad.doubleclick.net creates a third-party cookie. The third-party cookie is created because the URL (ad.doubleclick.net) doesn’t match the domain (somenewssite.com). It is left by a third-party advertising provider, hence the name. 

The table below briefly summarizes how first- and third-party cookies differ. 

How Are Third-Party Cookies Created on a Website? 

A request needs to be sent from the web page to the third party’s server in order for a third-party cookie to be created. 

The file being requested is different depending on the use, but it can be an actual creative (an ad) or a tracking pixel, which is completely invisible to the user but acts as a tracking cookie in situations when there is no click event — for instance, when just a web page is opened — and click redirects cannot be used. 

For example, if the third party was an advertising service like DoubleClick by Google, the request would be for a creative – the actual ad the visitor sees. The DoubleClick ad markup can allow a third-party cookie to be placed. 

Here’s what the unique ad markup could look like: 

<a href="ad.doubleclick.net/some-other-parameters-specific-to-this-ad" target="_blank" rel="noopener"><img src="ad.doubleclick.net/the-extension-to-the-creative"></a> 

When the web page loads, the above ad markup also loads, and a request is sent to ad.doubleclick.net/the-extension-to-the-creative to retrieve the image and assign a cookie to the user at the same time. 

Different third parties may request different files from their web servers and send them back to the browser. 

Examples of Third-party Services That Leave Cookies 

There are a number of third-party service providers that usually leave cookies in a user’s browser. Here are a few of the main ones: 

Ad-Retargeting Services 

Ad retargeting involves following website visitors who have previously visited your website around the web and showing them ads for the products or services they’ve viewed or interacted with previously. Retargeting works across different channels, including social media, display, and email. 

Website owners place a 1×1 transparent pixel on their site, which sends a request to the ad-retargeting server when the page loads. The server then returns the requested information (typically containing some JavaScript) to assign a cookie to the user and retarget them later on other websites. 

Social Buttons 

Most social media plugins that enable users to log in, share and like content on third-party websites will place cookies on your device.  

In this way, the social media sites that these cookies come from can track the sites you visit and send you relevant ads when you go back to these social media sites. Even if you are not signed in to your account, these cookies can still follow you by using deterministic matching and sometimes fingerprinting your device to identify you. 

Live-Chat Popups 

Live chat services leave a cookie in your browser to streamline the user experience. 

For example, because the live-chat popup can identify you, the next time you visit the chat box, it will remember your name and the entire conversation history. Of course, this data is removed if you delete your cookies or when they expire. 

It’s important to mention that first-party cookies can also be used for cross-site tracking, but this would require the tracking software (script) to be hosted under the website’s domain. 

How Do Browsers Treat First-Party and Third-Party Cookies? 

First-party Cookies 

As mentioned above, first-party cookies are created directly by the website whenever a user visits the site. Generally speaking, most browsers accept first-party cookies by default, as their primary role is to allow customization and improve user experience. 

For example, if you visit a site like techcrunch.com, thehuffingtonpost.com or nytimes.com, a cookie will be created and saved to your computer by each site. 

The specific site’s cookie will be used to remember user information and their behavior. With first-party cookies, the website decides what information to collect and store. 

The big limitation of first-party cookies is that they can be read only when the user is visiting the website domain. This makes them useless for advertising purposes (e.g. retargeting) on other websites. 

Third-Party Cookies 

Third-party cookies (also known as tracking cookies or trackers) are created by parties other than the website the user is visiting. 

Consider this example: 

When you visit cnn.com and read a few articles, cnn.com will create a first-party cookie and save it to your computer. Because cnn.com (like most other publishers) uses online ads as a way to monetize its content, the ads you see on cnn.com will also create a cookie (e.g., in ads.somedsp.com domain) and save it to your computer. 

These cookies are not created by cnn.com, so they are classified as third-party cookies. 

A website can use various third-party trackers to collect user information. This information can include data such as the user’s behavior on the site, location, and device type, which is passed on from the website. 

Third-party trackers can also track a user’s behavior, such as the content they view on that website and the things they click on (e.g., products and ads). The trackers create third-party cookies and use them to display ads to the user when they visit different websites. 

For example, if a user visits bestbuy.com and clicks on a product, third-party trackers will collect and analyze the information about that user and their activity on bestbuy.com. Then, if that user leaves bestbuy.com and accesses a different website, such as techcrunch.com, the user could be shown an ad for that exact same product or something similar. 

The way it works is that both bestbuy.com and techcrunch.com load a piece of code from an ad server (e.g., ad.doubleclick.net). 

When the user navigates to either website, the piece of code loaded from ad.doubleclick.net is from a different domain than the URL in the user’s browser, so the cookies set in ad.doubleclick.net are considered third-party cookies. 

The web server or a piece of JavaScript running on the website can set and read cookies. Software like Ghostery or AdBlock Plus can block these scripts – more on that below. 

First-party Cookies Used in a Third-party Context 

Some first-party cookies can be used to track users in the same way as third-party cookies in specific contexts.  

For example, log-in boxes (widgets, plugins) to social sites like Facebook can be placed on different websites to facilitate commenting or “liking” content. This functionality uses first-party cookies in the third-party context; because the user interacts with the login widget (as in, visits its domain), the widget can leave a first-party cookie. As these first-party cookies are used in third-party context, they can enable cross-site tracking. 

Privacy Settings in Popular Web Browsers That Block Third-Party Cookies 

Apple Safari’s Intelligent Tracking Prevention (ITP) 

Intelligent Tracking Prevention (ITP) is a feature offered with Safari and in iOS 11 by default. It changes the way the Apple browser handles first-party cookies, which is different from most other browsers. 

• ITP (1.0 and 1.1) allowed cookies to be read and used in a “third-party context,” provided the user accessed the domain directly in the first 24 hours. That gave Facebook and Google an unfair advantage, as the 24-hour purge didn’t have the same effect on them as on other sites because users visit these websites regularly and rarely log out. 
• ITP 2.0, started to detect cross-site tracking and partition (or isolate) first-party cookies, making it impossible to use them in a third-party context for tracking or analytics purposes. Some experts say that by introducing such strict rules to deal with third-party cookies, Apple is sabotaging the current economic model of the Internet. 
• ITP 3.0, which became widely referenced though not officially named as such, introduced complete blocking of all third-party cookies by default, making any form of third-party tracking nearly impossible on Safari​. 

Mozilla Firefox’s Enhanced Tracking Protection 

Mozilla’s Firefox followed in Safari’s footsteps and released a Safari-like “intelligent” functionality in Firefox version 50 that blocked unwanted third-party tracking cookies. 

A gray shield icon appeared in the address bar when Firefox blocked tracking domains. 

Its Tracking Protection feature was developed in collaboration with Disconnect and is based on a number of tracker blacklists to allow third-party cookies only from trusted providers. 

Mozilla Firefox has significantly advanced its privacy features since version 50. The browser now includes Enhanced Tracking Protection (ETP), which provides robust defenses against unwanted third-party tracking cookies and other tracking mechanisms 

Opera and Other Browsers 

Opera and other browsers available on the market also offer more-or-less the same elaborate methods to block third-party cookies. Most of them offer some kind of cookie-blocking method, but not all of them are based on blacklists or algorithms. 

How to Disable Third-Party Cookies 

Third-party cookies are blocked when a user does one or more of the following: 

• Browses the web in private or incognito mode. 
• Uses Firefox or Safari as they block third-party cookies by default. 
• Changes the cookie and tracking settings in their browsers. 
• Uses Tor. 
• Installs ad blockers or similar add-ons (Ghostery, Pivacy Badger etc). 

How to Block Cookies in the Browser 

Blocking third-party cookies can enhance your privacy by preventing websites from tracking your browsing activity across different sites. This process may reduce the personalization of ads but should not significantly impact your overall browsing experience.  

Here’s how you can disable third-party cookies in major web browsers as of 2024: 

Microsoft Edge 

1. Open Settings: 

• Click the three-dot menu (ellipsis) in the top-right corner of the browser. 
• Select Settings from the drop-down menu. 

2. Navigate to Privacy Settings: 

• Click on Cookies and site permissions in the left sidebar. 
• Select Manage and delete cookies and site data. 

3. Block third-party cookies: 

• Toggle the switch to Block third-party cookies under the Cookies and site data section. 

Google Chrome 

1. Open Settings: 

• Click the three-dot menu in the top-right corner. 
• Choose Settings from the menu. 

2. Access Privacy and security: 

• Scroll down and click on Privacy and security in the left sidebar. 
• Select Cookies and other site data. 

3. Block third-party cookies: 

• Under General settings, choose Block third-party cookies. 

Mozilla Firefox 

1. Open Options/Preferences: 

• Click the three-line menu icon in the top-right corner. 
• Select Settings (Options on Windows or Preferences on Mac). 

2. Go to Privacy & Security: 

• Click on Privacy & Security in the left sidebar. 
• Under Browser Privacy, choose Custom. 

3. Set third-party cookie preferences: 

• Check the box for Cookies and select All third-party cookies to Block them. 

Safari (macOS) 

1. Open Preferences: 

• Click on Safari in the top menu and select Preferences. 

2. Navigate to Privacy settings: 

• Click the Privacy tab. 
• Ensure the option Block all third-party cookies is checked (Note: Safari now blocks all third-party cookies by default). 

Safari (iOS) 

1. Open Settings app: 

• Go to the Settings app on your iPhone or iPad. 

2. Navigate to Safari Settings: 

• Scroll down and tap Safari. 

3. Block cookies: 

• Toggle Prevent Cross-Site Tracking to block third-party cookies. 

For more detailed guides, you can refer to the official support pages of each browser. 

How to See Which Cookies Are Created When You Visit Websites 

There are a number of methods that determine what cookies a website stores in your browser. You can do this by installing a dedicated cookie-management browser plugin or by using the browser’s developer console. 

Browser Plugins 

Installing a user-friendly cookie-management plugin is the easiest way to analyze first- and third-party cookies placed by websites, and to block them selectively when needed. The most popular cookie plugins for browsers include: 

• uBlock 
• Ghostery 
• AdBlock Plus 
• Privacy Badger 
• Disconnect (now also a part of Firefox) 

Browser Development Console 

Using the development console in your Internet browser is one of the easiest methods to see all the cookies stored by particular websites. You can also determine which of the cookies stored in your browser are first-party cookies and which are third-party. First-party cookies will share the same domain as the website you are currently visiting. 

Here’s how to see the cookies: 

Google Chrome 

For Google Chrome, follow these steps: 

1. Open your Chrome browser and type the URL of the site you want to analyze. 
2. To open the console, use the shortcut Ctrl + Shift + I to run the inspect console, or Ctrl + Shift + D to run the developer console. 
3. Once the console is open, you can view the cookies installed by the site by clicking on the Application tab. 

Mozilla Firefox 

If you prefer to use Mozilla’s Firefox, you can open the browser’s developer console: 

1. Go to the Application menu and select More tools. 
2. Select Web developer tools and go to the Storage tab. 
3. Select Cookies to see the cookies created by the website. 

The Future of First-party and Third-party Cookies 

For many years now, third-party cookies have been the cornerstone of online advertising, but their days seem to be numbered.  

Today, advertisers and publishers are not only fighting the increasingly popular ad blockers and other methods that block third-party tracking, but they now also have to deal with privacy-centered regulations, such as the GDPR. On top of that comes the growing awareness of privacy issues associated with third-party cookies propelled by the media. 

And although there are a few alternatives to third-party cookies, it seems that the only way forward is by making the online advertising ecosystem more focused on openness, transparency and communicating directly to users, rather than on obscure methods of collecting their data without their knowledge or consent. 

Every player in online advertising, from publishers to AdTech vendors, should focus on providing value and great user experiences to users willing to share their data. But given how user data has been collected and shared previously, this shift will not be easy – neither from a technical perspective nor mindset. 

Browser privacy rules are changing, and third-party cookies are becoming less reliable. If you need a solution tailored to your specific tracking and measurement challenges, let’s talk.