First-Party vs. Third-Party Cookies: How They Work and Why It Matters

Cookies remember website configuration (e.g., language preferences), login details, and products added to the shopping cart — even after a user leaves a site. But because cookie files are widely used to collect certain pieces of information, they can also power advertising processes like behavioural profiling and retargeting.

Understanding the role of cookies in advertising technology is essential for anyone working in online advertising or privacy. Over the years, cookies have become the backbone of the web — the most common method of identifying users online and delivering a personalized browsing experience.

With growing awareness of privacy issues, and the introduction of regulations like the EU's General Data Protection Regulation (GDPR) and ePrivacy, there's an increasing need for clear explanations of what cookie files actually do, what information they can contain, and what types of cookies exist.

Types of Cookies: First-Party, Third-Party, and Second-Party

There are essentially two types of cookies: first-party and third-party.

From a purely technical perspective, there is no real difference between the two; they can contain the same information and perform the same functions. The distinction lies in how they are created and subsequently used, which depends on context.

First-party cookies are stored by the domain (website) the user is visiting directly. They allow website owners to collect analytics data, remember language settings, and perform other useful functions that contribute to a good user experience.

Third-party cookies are created by domains other than the one the user is visiting directly — hence the name third-party. They are primarily used for cross-site tracking, retargeting, and ad-serving.

In addition to these two, there are also second-party cookies, though they are less common. Second-party cookies are first-party cookies transferred from one company to another via a data partnership. For example, an airline could sell its first-party cookies and other first-party data — such as names and email addresses — to a trusted hotel chain for ad targeting. At that point, the cookies become classed as second-party data for the receiving company.

How Are First-Party and Third-Party Cookies Different?

Technically, first- and third-party cookies are the same type of file. What differs is how they are created and used.

First-Party Cookies

First-party cookies are created by the host domain — the domain the user is actually visiting. These cookies are generally considered beneficial: they help provide a better user experience and keep the session active. The browser can use them to remember key pieces of information, such as items added to a shopping cart, usernames and passwords, and language preferences.

Third-Party Cookies

Third-party cookies are created by domains other than the one the user is currently visiting. They are mainly used for tracking and online advertising purposes, and also allow website owners to provide certain services, such as live chat.

To illustrate the difference, consider an Internet user visiting a news site (somenewssite.com) that contains ads. In addition to a first-party cookie created by somenewssite.com itself, a third-party cookie is also created by ad.doubleclick.net.

The third-party cookie is created because the domain ad.doubleclick.net doesn't match the host domain somenewssite.com. The cookie is left by a third-party advertising provider — hence the name third-party cookie.

The table below provides a brief breakdown of how first- and third-party cookies differ.

| | First-Party Cookies | Third-Party Cookies |
| --- | --- | --- |
| Setting and Reading the Cookie | Can be set by the publisher's web server or any JavaScript loaded on the website. | Can be set by a third-party server (e.g., an AdTech platform) via code loaded on the publisher's website. |
| Availability | A first-party cookie is only accessible via the domain that created it. | A third-party cookie is accessible on any website that loads the third-party server's code. |
| Browser Support, Blocking and Deletion | Supported by all browsers and can be blocked and deleted by the user, but doing so may provide a bad user experience. | Supported by all browsers, but many are now blocking the creation of third-party cookies by default. Many users also delete third-party cookies on a regular basis. |

How Third-Party Cookies Are Created on a Website

For a third-party cookie to be created, a request must be sent from the web page to a third party's server. The file being requested varies depending on the use case — it could be an actual ad creative or a tracking pixel.

A tracking pixel is a 1×1 transparent pixel that sends a request to a third-party server without being visible to the user. It acts as a tracking mechanism in situations where there is no click event — for instance, when a page simply loads — and click redirects cannot be used.

If the third party is an advertising service like DoubleClick by Google, the request would typically be for a creative (the actual ad the visitor sees). The DoubleClick ad markup can allow a third-party cookie to be placed. Here's what that markup could look like:

<a href="https://ad.doubleclick.net/some-other-parameters-specific-to-this-ad" target="_blank" rel="noopener"><img src="https://ad.doubleclick.net/the-extension-to-the-creative"></a>

When the web page loads, this ad markup also loads, and a request is sent to ad.doubleclick.net/the-extension-to-the-creative to retrieve the image — assigning a cookie to the user at the same time.

Different third parties may request different files from their web servers and return them to the browser.

Examples of Third-Party Services That Leave Cookies

A number of third-party service providers routinely leave cookies in a user's browser. Here are the main categories:

Ad-Retargeting Services

Ad retargeting involves identifying users who previously visited a website and showing them ads for the products or services they interacted with, across other sites and channels — including social media, display, and email.

Website owners place a 1×1 transparent pixel on their site. When the page loads, the pixel sends a request to the ad-retargeting server, which returns information (typically some JavaScript) to assign a cookie to the user and retarget them later on other websites.

Social Buttons

Most social media plugins — those that enable users to log in, share content, or like posts on third-party websites — will place cookies on a user's device.

Many social-button plugins are known to place third-party cookies in the browser and enable cross-site tracking and advertising.

Through these cookies, the originating social media platforms can track which sites a user visits and serve them relevant ads when they return. Even if the user is not signed in to their account, these cookies can still track them through deterministic matching or, in some cases, device fingerprinting.

Live-Chat Popups

From a cookie perspective, live-chat popups work similarly to social buttons. Live-chat services leave a cookie in the browser to streamline user experience.

Because the live-chat popup can identify returning users, it will remember a user's name and the full conversation history on subsequent visits. This data is removed if cookies are deleted or when they expire.

It's important to note that first-party cookies can also be used for cross-site tracking, but this requires the tracking script to be hosted under the website's own domain.

How Browsers Treat First-Party and Third-Party Cookies

First-Party Cookies

Most browsers accept first-party cookies by default, since their primary role is to allow customization and improve user experience. Visiting sites like techcrunch.com, huffingtonpost.com, or nytimes.com will result in a cookie being created and saved to the user's computer by each site, used to remember user information and behaviour.

The significant limitation of first-party cookies is that they can only be read when the user is visiting that specific website domain. This makes them ineffective for advertising purposes — such as retargeting — on other websites.

Third-Party Cookies

Third-party cookies (also known as tracking cookies or trackers) are created by parties other than the website the user is visiting.

Consider this example: when a user visits cnn.com and reads a few articles, cnn.com creates a first-party cookie and saves it to their computer. Because cnn.com (like most publishers) uses online ads to monetize its content, the ads displayed on cnn.com will also create a cookie — for example, under a domain like ads.somedsp.com — and save it to the user's computer. These cookies are not created by cnn.com, so they are classified as third-party cookies.

A website can use various third-party trackers to collect user information including browsing behaviour, location, and device type. Third-party trackers can monitor what content a user views, what they click on (products, ads, etc.), and use that data to display targeted ads when the user visits different websites.

For instance, if a user visits bestbuy.com and clicks on a product, third-party trackers collect and analyze information about that user and their activity. If that user then navigates to techcrunch.com, they could be shown an ad for that exact product or a related one.

This works because both bestbuy.com and techcrunch.com load a piece of code from an ad server (e.g., ad.doubleclick.net). When the user navigates to either site, the code loaded from ad.doubleclick.net originates from a different domain than the URL in the user's browser — so cookies set by ad.doubleclick.net are classified as third-party cookies.

The web server or JavaScript running on a page can set and read cookies. Software like Ghostery or AdBlock Plus can block these scripts — more on that below.

First-Party Cookies Used in a Third-Party Context

Some first-party cookies can track users in the same way as third-party cookies, depending on context.

For example, login widgets for social platforms like Facebook can be embedded on third-party websites to facilitate commenting or liking content. This functionality uses first-party cookies in a third-party context: because the user interacts with the login widget (visiting its domain), the widget can leave a first-party cookie. When those cookies are used in a third-party context, they can enable cross-site tracking.

Some browsers, notably Safari, have introduced mechanisms to block this behaviour.

Browser Privacy Features That Block Third-Party Cookies

Apple Safari's Intelligent Tracking Prevention (ITP)

Intelligent Tracking Prevention (ITP) is a feature built into Safari and iOS 11 by default. It changes how the Apple browser handles first-party cookies, in a way that differs from most other browsers.

  • ITP 1.0 and 1.1 allowed cookies to be read and used in a "third-party context," provided the user had accessed the domain directly within the first 24 hours. This gave platforms like Facebook and Google an advantage, since users visit those sites regularly and rarely log out, limiting the impact of the 24-hour purge.
  • ITP 2.0 introduced detection of cross-site tracking and began partitioning (isolating) first-party cookies, making it impossible to use them in a third-party context for tracking or analytics purposes. Some observers noted that these strict rules had significant implications for the web's prevailing advertising model.
  • ITP 3.0, though not officially named as such, introduced complete blocking of all third-party cookies by default, making virtually any form of third-party tracking nearly impossible on Safari.

Mozilla Firefox's Enhanced Tracking Protection

Mozilla Firefox followed Safari's lead and released similar intelligent tracking functionality in Firefox version 50, blocking unwanted third-party tracking cookies. A grey shield icon appeared in the address bar when Firefox blocked tracking domains.

Firefox's Tracking Protection feature was developed in collaboration with Disconnect and is based on a number of tracker blocklists to allow third-party cookies only from trusted providers.

Firefox has significantly advanced its privacy features since then:

  • Introduced in 2020, ETP 2.0 expanded Firefox's defences by blocking third-party cookies by default and introducing daily deletion of tracking cookies — preventing advertisers and other entities from using third-party cookies to track online activity across sites.
  • Firefox also added protection against bounce tracking (also known as redirect tracking), an advanced technique that uses URL redirects to preserve tracking state and circumvent standard cookie-blocking measures.
  • Enhanced Cookie Clearing, introduced in Firefox 91, made it easier to delete all cookies and supercookies stored on a user's device by a website or by any trackers embedded in it. It is built on Total Cookie Protection and addresses hidden privacy violations.

Opera and Other Browsers

Opera and other browsers on the market offer comparable methods for blocking third-party cookies. Most provide some form of cookie-blocking, though the implementations vary — not all are based on blocklists or classification algorithms.

How to Disable Third-Party Cookies

Third-party cookies are blocked when a user does one or more of the following:

  • Browses in private or incognito mode.
  • Uses Firefox or Safari, which block third-party cookies by default.
  • Changes the cookie and tracking settings in their browser (detailed below).
  • Uses Tor.
  • Installs ad blockers or similar extensions (Ghostery, Privacy Badger, etc.).

How to Block Cookies in the Browser (Updated in 2024)

Blocking third-party cookies can enhance privacy by preventing websites from tracking browsing activity across different sites. This may reduce ad personalization but should not significantly impact the general browsing experience.

Here's how to disable third-party cookies in major web browsers as of 2024:

Microsoft Edge

  1. Open settings: Click the three-dot menu (ellipsis) in the top-right corner and select Settings.
  2. Navigate to Cookies and site permissions in the left sidebar, then select Manage and delete cookies and site data.
  3. Toggle the switch to Block third-party cookies under the Cookies and site data section.

Google Chrome

  1. Click the three-dot menu in the top-right corner and choose Settings.
  2. Scroll to Privacy and security in the left sidebar, then select Cookies and other site data.
  3. Under General settings, choose Block third-party cookies.

Mozilla Firefox

  1. Click the three-line menu icon in the top-right corner and select Settings (Options on Windows or Preferences on Mac).
  2. Click on Privacy & Security in the left sidebar.
  3. Under Browser Privacy, choose Custom, then check the box for Cookies and select All third-party cookies.

Safari (macOS)

  1. Click Safari in the top menu and select Preferences.
  2. Click the Privacy tab.
  3. Ensure Block all third-party cookies is checked. (Note: Safari now blocks all third-party cookies by default.)

Safari (iOS)

  1. Open the Settings app on your iPhone or iPad.
  2. Scroll down and tap Safari.
  3. Toggle Prevent Cross-Site Tracking to block third-party cookies.

For more detailed guidance, refer to the official support pages of each browser.

How to See Which Cookies Are Created When You Visit Websites

There are several methods for determining which cookies a website stores in your browser — either by installing a dedicated cookie-management browser plugin or by using the browser's developer console.

Browser Plugins

Installing a cookie-management plugin is the easiest way to analyze first- and third-party cookies placed by websites, and to selectively block them. Popular options include:

Ghostery analyzes websites, identifies trackers (e.g., third-party cookies), and lets users selectively block them.

Browser Developer Console

The developer console built into most browsers is a straightforward way to see all cookies stored by a given website, and to distinguish first-party from third-party cookies. First-party cookies will share the same domain as the website being visited.

Google Chrome

  • Open Chrome and navigate to the site you want to analyze.
  • Use Ctrl + Shift + I to open the inspect console, or Ctrl + Shift + J to open the developer console.
  • Click on the Application tab at the top of the console panel.
  • Under Storage, expand Cookies to view all cookies set by the site. Those with a domain different from the page URL are third-party cookies.

Mozilla Firefox

  • Go to the application menu and select More tools, then Web Developer Tools.
  • Open the Storage tab.
  • Select Cookies to see all cookies created by the website.
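
The rule used throughout this guide, both where third-party cookies are created and in the developer-console check above (a cookie whose domain differs from the site being visited is third-party), is written out below as an added example; it is not code from the original article. It goes one step further than the text by comparing registrable domains instead of raw hostnames and by flagging cookies that opt into cross-site use. The function names, cookie names and request log are constructed, and the two-entry suffix set is an assumed stand-in for the full Public Suffix List.

```javascript
// Added example (not from the original article). Hostnames come from the article;
// cookie names/values and the request log are constructed sample data.
// Assumption: this two-entry set stands in for the full Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain ("site"): the public suffix plus one label to its left.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().replace(/^\.|\.$/g, "").split(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Parse one Set-Cookie header value into its name and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify every cookie set by the responses seen while pageUrl was loading.
function classifyCookies(pageUrl, responses) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const results = [];
  for (const { url, setCookie } of responses) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const { name, attrs } = parseSetCookie(header);
      // A Domain attribute widens the cookie to subdomains; without it the cookie is host-only.
      const hasDomain = typeof attrs.domain === "string" && attrs.domain !== "";
      const domain = hasDomain ? attrs.domain.replace(/^\./, "").toLowerCase() : host;
      const party = siteOf(domain) === pageSite ? "first" : "third";
      // SameSite=None together with Secure is the explicit opt-in to cross-site requests.
      const crossSite = String(attrs.samesite).toLowerCase() === "none" && attrs.secure === true;
      results.push({ name, domain, party, crossSite });
    }
  }
  return results;
}

// Constructed log for the article's news-site example: the page itself plus one ad request.
const SAMPLE_RESPONSES = [
  { url: "https://www.somenewssite.com/",
    setCookie: ["lang=en; Path=/", "sid=s1; Domain=.somenewssite.com; HttpOnly; Secure; SameSite=Lax"] },
  { url: "https://ad.doubleclick.net/the-extension-to-the-creative",
    setCookie: ["uid=u1; Domain=.doubleclick.net; Secure; SameSite=None"] },
];

console.log(classifyCookies("https://www.somenewssite.com/article", SAMPLE_RESPONSES));
```

Comparing only the last two labels of each hostname would treat two unrelated .co.uk sites as the same party, which is why a real audit should load the full Public Suffix List in place of the stand-in set.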

The Future of First-Party and Third-Party Cookies

For many years, third-party cookies have been the cornerstone of online advertising — but their long-term viability has been seriously eroded.

Advertisers and publishers are fighting increasingly widespread ad blockers and tracking-prevention mechanisms, while simultaneously navigating privacy-centred regulations like the GDPR. Growing media coverage of privacy risks associated with third-party cookies has also raised user expectations considerably.

While alternatives to third-party cookies exist — including first-party data strategies, contextual targeting, and privacy-preserving measurement frameworks — the broader direction of travel points toward an advertising ecosystem built on greater openness, transparency, and direct user consent, rather than opaque data collection methods operating without users' knowledge.

Every participant in online advertising — from publishers to AdTech vendors — faces pressure to provide genuine value to users who are increasingly selective about the data they share. That shift is neither technically simple nor a quick change in industry mindset, but the regulatory and platform pressures driving it are not going away.