The Role of Third-Party Cookies in Programmatic Advertising and AdTech
This guide explains what third-party cookies are, how they function inside programmatic advertising infrastructure, why cookie syncing is central to real-time bidding, and what the industry stands to lose — and gain — as browsers phase them out.
What Cookies Actually Are
At the most basic level, cookies are small files created within a given domain to improve or simplify a user's web experience. The information stored in those files can include language preferences, viewed products, or session activity — all of which make a return visit more seamless. A user who selected a language preference on their first visit won't have to select it again; browsing history can surface relevant product recommendations.
That description covers cookies in general. The distinction between first-party and third-party cookies is not a technical one — both are the same type of file. The difference lies entirely in context: who created the cookie and for which domain.
First-party cookies are created by the domain the user deliberately navigated to. Enter a URL in a browser, and the website at that address can create a cookie — that's a first-party cookie.
Third-party cookies are created by domains the user never explicitly requested. Whenever a web page loads code or scripts from an external domain — an AdTech platform's tag, for instance — that external domain can create its own cookie in the user's browser. That's a third-party cookie.
First-party cookies are created by the domain the user is visiting.
Third-party cookies are created by all other domains loaded on that page.
Cookies can be created in two ways: server-side, by calling a third-party server directly, or client-side (front-end), using JavaScript or another scripting language embedded in the page.
The Role of Third-Party Cookies in AdTech
Within the AdTech environment, the primary function of a third-party cookie is straightforward: assign a user a unique ID. That ID allows the AdTech platform to recognize the same user across multiple websites, build a behavioural history, and eventually use that history to serve relevant advertising.
When a user visits an e-commerce site that has an AdTech platform's tag installed, the platform assigns that user an ID stored in a third-party cookie. Over time, the platform accumulates a picture of what that user browses, how long they spend on pages, what product categories interest them, and what they appear to ignore. This is the mechanism by which user profiles are constructed in AdTech.
The privacy concern here is real. Studies suggest that 90% of web-browsing history is known by more than 90 companies, and that more than 600 companies have access to 50% of any given user's browsing history. The data is created and shared at scale, and controlling who holds it is genuinely difficult.
Cookie Syncing: Matching Identities Across Platforms
One important limitation of cookies — both first- and third-party — is that they can only be read by the domain that created them. (It's worth noting that users can also access and delete their own cookies through most modern browsers, which is an important distinction.)
In a programmatic advertising transaction, multiple platforms are involved simultaneously: demand-side platforms (DSPs), data management platforms (DMPs), ad exchanges, and supply-side platforms (SSPs). Each of these platforms creates its own cookie for the same user, so each ends up with a different cookie ID for the same person. Without a way to reconcile those IDs, platforms cannot collaborate effectively on targeting.
Cookie syncing is the process that solves this. The mechanics are relatively simple in principle, even if they're difficult to describe concisely:
- A user's browser sends a request to Platform A's server. Platform A creates a third-party cookie and stores a unique ID.
- The browser also sends a request to Platform B's server, carrying over Platform A's cookie ID as a parameter.
- Platform B now knows Platform A's ID for this user. Platform B creates its own cookie and shares its ID back to Platform A.
- Both platforms store these paired IDs in a cookie-matching table — essentially a database that records which IDs from different platforms refer to the same user.
How cookie syncing works between two AdTech platforms.
The practical outcome is profile merging: a user might have one set of browsing history on one cluster of websites and a separate history elsewhere. Cookie syncing allows participating platforms to stitch those histories together into a single enriched profile.
Cross-device matching extends this further. If a user logs into their email on both a smartphone and a desktop, the email address acts as a common identifier, allowing platforms to recognize with reasonable accuracy that both devices belong to the same person — independent of any cookie.
Use Cases: What Third-Party Cookies Enable
Identity, on its own, is only the starting point. Once a platform can reliably recognize a user across websites, several core advertising functions become possible:
Targeting and retargeting: Advertisers can define audiences based on demographics, interests, or prior behaviour. A travel advertiser, for example, can target users who have recently browsed similar holiday packages or visited their own website — rather than broadcasting to an undifferentiated audience.
Frequency capping: Cookies allow platforms to track how many times a given user has already seen a particular ad. After a threshold is reached — say, fifteen impressions — the platform stops serving that ad to that user, avoiding overexposure and wasted spend.
Measurement and attribution: Cookies make it possible to trace a user's journey through a campaign and determine which touchpoint — the first ad, the last ad, or something in between — was responsible for a conversion. (A conversion is the campaign's end goal: a purchase, a form submission, a site visit, and so on.)
Each of these functions depends on the same underlying capability: identifying the same user reliably across multiple websites at scale. That scale is precisely what is at stake in a post-third-party-cookie environment. Some degree of targeting, frequency capping, and attribution will still be achievable through alternative solutions, but the reach across the open web will be substantially reduced.
Why Removing Third-Party Cookies Is Complicated
The obvious question is: if third-party cookies create significant privacy problems, why not simply remove them?
The economic reality makes it complicated. Billions of dollars flow through AdTech platforms that depend on third-party cookies for their core functionality. Publishers — particularly small and medium-sized ones — rely on programmatic advertising revenue to fund their content. Targeted advertising, enabled by third-party cookies, generates meaningfully more ad revenue than non-identified advertising. Google's own research found that when third-party cookies were disabled for a portion of its Google Ad Manager customers, ad revenue dropped by 52%.
This produces two uncomfortable conclusions:
- Third-party cookies, despite their privacy costs, allow publishers to earn significantly more ad revenue than advertising that cannot identify individuals.
- The industry needs a way to run interest-based or targeted advertising in a more privacy-preserving manner — not simply an on/off switch.
Safari and Firefox have already blocked third-party cookies. Mozilla can take a strong privacy stance partly because it has no significant stake in the digital advertising industry. Google is in a different position: advertising is central to its business model, and its tools are used by the majority of advertisers and publishers. Simply turning off third-party cookies without providing an alternative would be economically damaging to the ecosystem Google depends on.
This is the rationale behind Privacy Sandbox — Google's proposed framework for preserving the functional outcomes of programmatic advertising while eliminating the privacy exposure of third-party cookies. Privacy Sandbox is being developed through a W3C business group that includes Google Chrome, Google's Ads teams, independent AdTech companies, ad agencies, advertisers, and publishers.
Proposals within Privacy Sandbox — including FLoC and TURTLEDOVE — are designed to replicate the advertising functions that third-party cookies currently provide, but in ways that don't expose individual browsing histories to hundreds of companies. Importantly, third-party cookies were never purpose-built for programmatic advertising. AdTech companies adopted them as a pragmatic workaround to solve the identity problem. The goal of Privacy Sandbox is to replace that workaround with something purpose-built and privacy-respecting.
Who Gets Hit Hardest
The impact of third-party cookie deprecation will not be distributed equally across the industry.
Large publishers — those with the scale and first-party data infrastructure to build their own walled gardens, such as The New York Times or Zee5 — will be comparatively insulated. They can offer advertisers direct access to their authenticated audiences and maintain ad revenue through proprietary identity solutions.
Small and medium publishers, who depend on open programmatic advertising to monetize their audiences and who lack the scale to build walled garden equivalents, will feel the impact most severely. Many advertisers are already consolidating spend within the walled gardens of large platforms like Google and Facebook for precisely this reason — the targeting certainty those environments provide is harder to replicate on the open web.
The Technical Challenge Ahead
Third-party cookies were a practical solution to an identity problem, not a deliberate design for privacy. The industry now has to solve the same functional problems — targeting, frequency capping, measurement, attribution — through mechanisms that respect user privacy by design. Privacy Sandbox represents one attempt at that; the broader ecosystem will likely produce others.
For publishers, advertisers, and AdTech vendors, the transition will require investment in first-party data strategies, new identity frameworks, and updated measurement approaches. The challenge is real, but so is the precedent: the programmatic advertising industry has navigated major technical shifts before.