The Demise of Third-Party Cookies in AdTech: Why They're Being Phased Out
The past several years in programmatic advertising have been shaped by privacy changes introduced by governments and major tech companies — Google, Apple, and Mozilla chief among them. At the centre of that shift are third-party cookies and their gradual disappearance from mainstream web browsers.
This article explains what third-party cookies are, how they work, how they're used in programmatic advertising, why they're going away, and what alternatives are emerging in their place.
Key Points
- Web cookies are a storage mechanism in web browsers used to store data.
- There are generally two types of cookies: first-party and third-party.
- First-party cookies are created by the domain (i.e., the website) the user is currently visiting.
- Third-party cookies are created by domains other than the one the user is visiting.
- Third-party cookies are also referred to as tracking cookies, tracking codes, and tracking pixels.
- They are primarily used for cross-site identification, which powers programmatic advertising processes like audience targeting, retargeting, frequency capping, and measurement.
- The main driver behind the decline of third-party cookies is the changing privacy landscape across programmatic advertising.
- Third-party cookies are blocked by default in Apple Safari and Mozilla Firefox, but remain available in Google Chrome. Ad blockers also prevent them from being saved to a user's device.
- Alternatives to third-party cookies include universal IDs, device graphs, data clean rooms, Google's Privacy Sandbox, the IAB Tech Lab's Seller Defined Audiences (SDA), self-serve ad platforms, and contextual targeting.
What Are Third-Party Cookies?
Web cookies are a storage mechanism in web browsers used to store data. There are generally two types: first-party and third-party cookies. Both are technically identical — the only meaningful difference is who created them. First-party cookies are created by the domain the user is currently visiting. Third-party cookies are created by domains other than the one the user is on.
Third-party cookies are also referred to as tracking cookies, tracking codes, and tracking pixels. They are primarily used for cross-site identification, enabling programmatic advertising processes such as audience targeting, retargeting, frequency capping, and measurement.
Beyond advertising, third-party cookies also allow website owners to offer certain services — live chat widgets being a common example. They track users across sites to build a broader picture of individual browsing behaviour.
When a user visits a website, a first-party cookie is created on that domain (somewebsite.com). At the same time, a third-party cookie is often created by another domain — for example, ad.doubleclick.net.
The latter is a third-party cookie because its domain (ad.doubleclick.net) doesn't match the host domain (somewebsite.com). The cookie is created while the user is on somewebsite.com by a third-party provider (ad.doubleclick.net), hence the name "third-party cookie."
How Are Third-Party Cookies Created?
For a cookie to be created, a request must be sent from the web page to a server. The file being requested varies by use case: it can be an actual ad creative, or a tracking pixel — an element completely invisible to the user that acts as a tracker in situations where there is no click event (for instance, when an ad was viewed but not clicked).
If the third party is an advertising service like Google Ads, the request would be for a creative — the actual ad the visitor sees. The ad markup can allow a third-party cookie to be placed on the user's device.
Here's what that ad markup could look like:
[Figure: ad markup example showing a third-party cookie request to ad.doubleclick.net]
When the web page loads, the ad markup loads alongside it, and a request is sent to ad.doubleclick.net/the-extension-to-the-creative to retrieve the image and assign a cookie to the user at the same time.
Different third parties may request different files from their web servers and return them to the browser. In essence, creating a cookie — whether first-party or third-party — simply requires the website to send a request to a server. The server responds and creates the cookie, provided the browser's privacy settings permit it.
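The request and response described above, as an added example that is not part of the original article: each server response carries a Set-Cookie header, and the script labels every cookie first- or third-party by comparing the responding host with the page's host. The responses, cookie names and values are constructed, and siteOf is a simplified assumption standing in for the Public Suffix List lookup that browsers use.

```javascript
// Naive "site" of a host: its last two labels. ASSUMPTION for this example;
// real browsers consult the Public Suffix List (needed for e.g. co.uk).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Label every cookie set while loading pageUrl as first- or third-party.
function classifyCookies(pageUrl, responses) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const out = [];
  for (const res of responses) {
    const host = new URL(res.url).hostname;
    for (const header of res.setCookie) {
      const c = parseSetCookie(header);
      const hasAge = "max-age" in c.attrs;
      out.push({
        name: c.name,
        setBy: host,
        party: siteOf(host) === pageSite ? "first" : "third",
        maxAgeDays: hasAge ? Math.round(Number(c.attrs["max-age"]) / 86400) : null,
      });
    }
  }
  return out;
}

// Constructed sample: the page's own response plus the ad request from the text.
const SAMPLE_RESPONSES = [
  { url: "https://somewebsite.com/", setCookie: ["session=abc123; Path=/; HttpOnly"] },
  { url: "https://ad.doubleclick.net/the-extension-to-the-creative",
    setCookie: ["uid=constructed-id-001; Max-Age=31536000; Secure; SameSite=None"] },
];
console.log(classifyCookies("https://somewebsite.com/", SAMPLE_RESPONSES));
```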

Why Are Third-Party Cookies Being Phased Out?
The primary driver behind the decline of third-party cookies is the changing privacy landscape in programmatic advertising. Cookies themselves aren't inherently problematic — most websites use them to ensure a seamless experience for returning visitors.
That said, the process of identifying and tracking individuals across the web via third-party cookies is unambiguous, and regulators have been trying to address it for two decades. Governments and users alike are demanding more privacy and transparency around how personal data is collected, processed, and used. New privacy laws have been introduced in many jurisdictions as a result.
Major browsers — Mozilla Firefox and Apple Safari in particular — have also implemented changes to block third-party cookies by default.
Safari and Firefox End Support for Third-Party Cookies
Both Mozilla Firefox and Apple Safari have introduced features to prevent cross-site tracking. Apple's privacy push in Safari began in 2015 when it allowed iOS users to install content blockers, which prevented certain page elements — including ads — from loading.
In 2017, Apple introduced Intelligent Tracking Prevention (ITP), a privacy feature that blocks third-party cookies by default and limits the lifespan of certain first-party cookies and other data storage mechanisms.
In 2019, Firefox followed suit by introducing Enhanced Tracking Protection (ETP), which also began blocking third-party cookies by default.
In January 2020, Google Chrome announced it would phase out support for third-party cookies within two years. That timeline was subsequently extended — first to mid-2023, and then again, in July 2022, to the second half of 2024.
The EU's General Data Protection Regulation (GDPR)
The European Union's GDPR came into force in May 2018 with the aim of protecting personal data and strengthening user privacy. The regulation outlines six legal bases for collecting personal data.
In the context of programmatic advertising, websites, AdTech companies, data companies, and advertisers are required to collect user consent (Article 6(1)(a)) — typically via a consent management platform (CMP) — before collecting personal data or creating third-party cookies on a user's device.
Research from the Reuters Institute found that the introduction of the GDPR caused a 22% decrease in third-party cookies being created on news sites, including a 14% drop in advertising and marketing cookies and a 9% decrease in social media cookies. There was also a 7% drop in the number of news sites hosting third-party social media content like sharing buttons from Facebook and Twitter.
While GDPR's impact isn't as direct as ad blockers or browser-level privacy controls, it has significantly reduced the pool of available audiences — particularly in Europe.
What Information Can Be Stored in a Cookie?
Users are often unaware of how much personal data is being harvested through third-party cookies.
The type of information that can be collected and stored ranges from individual IP addresses, search and browser history, products and websites viewed, and device-specific details, to sensitive information about a person's health, family, sexuality, political views, and religious beliefs.
Programmatic processes like real-time bidding (RTB) expose the personal data of billions of users by creating third-party cookies and saving them to devices — often without the user's knowledge or explicit permission.
The lack of self-regulation in the programmatic advertising industry has prompted governments in multiple countries to introduce new privacy laws, and has led to antitrust investigations into Google, Amazon, Facebook, and Apple due to their dominance in the advertising industry, breaches of user privacy, and the use of privacy as a competitive advantage.
Can Cookies Still Be Created Without User Consent?
In Firefox and Safari, third-party cookies are blocked by default. In Google Chrome, they can still be created.
Even though cookies should technically only be created once a user has provided consent, multiple reports have confirmed that many consent management platforms were firing tags on users' devices regardless of whether consent was granted or rejected.
According to a study by Ebiquity, 92.6% of websites track at least one user's device before gaining consent. The study analyzed 200,000 cookies, half of which were classified as "marketing cookies" by the CMP. Of those, 82.4% were determined to have been installed by third parties. A further 32.3% of the cookies analyzed were fired without valid user consent.
Users are also frequently subjected to dark patterns in CMP design — interfaces deliberately engineered to increase consent rates. Rather than a clear "yes" or "no," users are often presented with cumbersome multi-step processes intended to discourage informed refusal and nudge them toward simply clicking "accept."
Third-party cookies can still be created even on sites using a CMP in the following ways:
- Some websites fire tags that create third-party cookies before consent is given, or even after it has been rejected.
- Dark patterns and assumed-consent approaches display a default "OK" option, encouraging users to consent without actively engaging with their choices.
- Websites invoke "legitimate interest" as the legal basis for processing personal data — treating advertising as legitimate interest and creating third-party cookies for AdTech partners on that basis.
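One way to check a site for the first failure mode in the list above, as an added example that is not part of the original article: replay a time-ordered log of cookie and CMP events and report every third-party cookie set before consent or after a rejection. The event format, hosts other than those named in the article, and cookie names are constructed, and isFirstParty is a simplified assumption.

```javascript
// True when host is the page's own host or one of its subdomains.
// ASSUMPTION: simplified same-site test; browsers use the Public Suffix List.
const isFirstParty = (host, pageHost) =>
  host === pageHost || host.endsWith("." + pageHost);

// Walk a time-ordered event log and report every third-party cookie that was
// set while the user's consent state was anything other than "accept".
function auditConsent(pageHost, events) {
  let consent = "pending"; // no CMP choice recorded yet
  const findings = [];
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === "consent") {
      consent = ev.decision; // "accept" or "reject"
    } else if (ev.type === "cookie" && !isFirstParty(ev.host, pageHost)) {
      if (consent !== "accept") {
        findings.push({
          cookie: ev.name,
          host: ev.host,
          t: ev.t,
          reason: consent === "reject" ? "set-after-rejection" : "set-before-consent",
        });
      }
    }
  }
  return findings;
}

// Constructed sample log (t = milliseconds since navigation start).
const SAMPLE_EVENTS = [
  { t: 120, type: "cookie", host: "somewebsite.com", name: "session" },
  { t: 340, type: "cookie", host: "ad.doubleclick.net", name: "uid" },
  { t: 2100, type: "consent", decision: "reject" },
  { t: 2350, type: "cookie", host: "tracker.example", name: "tid" },
  { t: 2400, type: "cookie", host: "cdn.somewebsite.com", name: "prefs" },
];

console.log(auditConsent("somewebsite.com", SAMPLE_EVENTS));
```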
Third-Party Cookies in Google Chrome
Third-party cookies remain available in Chrome, but Google has committed to phasing them out.
On 14 January 2020, Google Chrome announced it would stop supporting third-party cookies within two years. On 24 June 2021, that timeline was extended by two years, moving the shutdown to mid-2023. Then on 27 July 2022, Google announced a further delay — pushing the deadline to the second half of 2024.
Chrome accounts for approximately 65.24% of the global browser market, and around 80% of Alphabet's revenue comes from advertising. That context explains why Google has taken a measured approach: phasing out third-party cookies while simultaneously developing privacy-preserving alternatives that keep the ad-supported web viable.
Google's stated goal is to create a healthier web ecosystem through its Privacy Sandbox initiative — a set of standards designed to improve user privacy while maintaining the ability to serve relevant advertising.
Third-Party Cookies in Safari and Firefox
Third-party cookies are blocked by default in both Safari and Firefox. Users can manually override this in browser settings, but most don't.
Ad Blockers
Ad blockers function as gatekeepers that stop the browser from downloading and loading unwanted elements on a given website. In practice, they stop AdTech vendors' JavaScript ad tags from firing, which means third-party cookies cannot be created.
When an ad blocker is active, several key programmatic advertising processes break down. For advertisers and marketers, this means no data on:
- Identification across the web and AdTech platforms like SSPs and DSPs.
- Behavioural targeting and retargeting to serve personalized ads.
- Audience activation via DMPs, including cookie syncing processes.
- Frequency capping to limit how often the same user sees the same ad.
- Attribution for ad views and conversions.

Alternatives to Third-Party Cookies
The following are the main alternatives being developed and adopted in programmatic advertising:
- Universal IDs and Device Graphs — identifiers that replace the cookie-based user ID with persistent, cross-site user recognition built on consented or probabilistic data.
- Data Clean Rooms — secure environments where multiple parties can run analysis on overlapping datasets without directly sharing raw personal data.
- Google Chrome's Privacy Sandbox — a suite of browser-based APIs designed to support targeting and measurement use cases without exposing individual user data.
- IAB Tech Lab's Seller Defined Audiences (SDA) — a standard that allows publishers to classify their audiences using a shared taxonomy, enabling targeting without third-party identifiers.
- Self-Serve Ad Platforms — walled-garden environments (e.g., retail media networks, social platforms) where targeting is powered by first-party data and doesn't depend on third-party cookies.
- Contextual Targeting — inferring audience intent from the content of a page rather than the identity of the user viewing it.
Each of these approaches involves trade-offs across scale, accuracy, privacy compliance, and technical complexity. The industry is still working through which combination will best replace the functionality that third-party cookies provided for over two decades.