When the internet was young, web cookies were easy to understand — they were little packets of information sent to help you run a program on your computer.
Today, most types of internet cookies are just as harmless — however, some have become very controversial and intrusive.
While first-party cookies are often very useful and add to user experience, third-party cookies tend to be more commercial and used to track you and sell you things.
- What Are First-Party Cookies?
- What Are Third-Party Cookies?
- First-Party Cookies vs. Third-Party Cookies
- How Do Browsers Treat Third-Party vs. First-Party Cookies?
- Do Second-Party Cookies Exist? What Are They?
- Will First-Party Cookies Exist in the Future?
- Will Third-Party Cookies Exist in the Future?
- Summary
What Are First-Party Cookies?
First-party cookies are mainly about streamlining the users’ experience on a website.
The host domain — the website you visited — creates first-party cookies. These are non-controversial and seen as an agreement between the user and the site to help things run better.
Cookies can contain sensitive information, however, first-party cookies contain only the information you enter on the website and, maybe, your IP address. This information only goes to the party whose website you visit.
How Are First-Party Cookies Created?
Most of the time, websites create first-party cookies when you visit them. Alternatively, some computer scripts can create these cookies. Either way, a cookie is unique to the website.
Examples of First-Party Cookies
While first-party cookies do different tasks, we can reduce most of them to three categories:
- The Greeter: This first-party cookie recognizes you when you go to a website and allows you to log in with your sign-in ID and password.
- The Shopping Basket: This first-party cookie remembers all the items you have placed in a cart or on a wish list.
- The Personal Shopper: This first-party cookie sees what you like and recommends other items for you to buy based on your preferences.
What Are Third-Party Cookies?
Third-party cookies are created by parties other than the website owner. They are usually deemed “nonsessential cookies” by data privacy laws.
Most of these are tracking cookies created by advertising companies. Their tracking allows you to see ads for products like those you buy.
Third-party cookies mainly do three things:
- Tracking: They track you across different websites to see what you may buy.
- Retargeting: They send you to a website that sells products you may like.
- Ad-Serving: They deliver personal ads that target your desires.
How Are Third-Party Cookies Created?
Third-party cookies are used by companies that want to advertise to you and sell stuff to you.
Companies such as Ad-Tech use third-party cookies as a tool to send you ads or even take you to their client’s website, hoping you will buy something.
There is a significant difference between first-party cookies and third-party cookies: Anyone can create a third-party cookie, but only the host website can create first-party cookies.
Third-Party Services That Leave Cookies
Here’s a list of some types of companies that leave cookies on your browser to track you:
- Ad-retargeting services: Create tiny cookies that snag you when you visit a website with the same cookie code. It then follows you all over the internet, seeing where else you look, and generating their clients’ ads for these things on your browser.
- Social media plug-ins: These link you, the site you are visiting, and that party’s social media account — hopefully. They not only set up a link to Pinterest or YouTube, but they also start tracking you and may monitor your use of that social media service.
- Chat-box pop-ups: Offer you help if you will chat with a bot. These add a cookie to your interaction, so it can keep track of what you have done and covered. The cookie should disappear whenever you close your browser.
Examples of Third-Party Cookies
Third-party cookies are not always troublemakers, but they can cause trouble if used in a way that gathers and uses data without direct permission.
Some third-party cookies are stowaways, but websites choose to use others because they help improve the web-shopping experience.
Here are some examples of third-party cookies:
- The Helpful Cookie: This third-party cookie is one that you would probably consent to if you had the choice. These are cookies that do things like allowing you to use PayPal, Stripe, or another payment service. It may tie you to a program running on the website that lets you morph your face into animal faces. It may be a chatbot or other program sold to the site-maker.
- The Sales Cookie: This third-party cookie is a limited tracker, used only to create direct advertising — so you see ads that are like the items that you are searching for.
- The Shady Cookie: This third-party cookie connects to you without your knowledge on a website you visit. This cookie aims to follow you around the internet and pick up pieces of information about you. It will then aggregate that information by combining it with other cookies that have identifiable data. The goal here is selling your data to other companies, probably to sell you items, but you don’t know.
- The Bad Guy: This third-party cookie is nefarious. It is planning on doing something you would not like. A few will be identity thieves. Some are filling your social media feeds with all the ugly reasons you should not vote. A single pixel in an ad can hold a third-party cookie and pass it on to your browser.
First-Party Cookies vs. Third-Party Cookies
Now that we’ve covered what first-party and third-party cookies are, let’s take a look at the differences between the two:
- First-party cookies are very limited and link your browser to the webpage you use and share basic information. There is little controversy surrounding their use.
- Third-party cookies have no direct relationship with you. They are usually advertisement cookies and other tracking cookies that load onto your browser. However, several major browser-creators have announced they will no longer support third-party cookies.
Here’s a table summarizing the key differences between first-party vs. third-party cookies:
| First-party cookies | Third-party cookies | |
| Who made the cookies? | They come from the webpage publisher. Can be JavaScript code or part of the website’s server. | Ad servers and other servers load them onto your browser. They do not come from the main website you visited. |
| Where are the cookies used? | Only work on the website that made the code. | Accessible on any website that loads a third-party server’s code. |
| Who can read the cookie? | Only the original website can read them. | Anyone with the correct program can read them. |
| When can the cookie be read? | Only when the original user is actively on the original website can they be read. | Users can read them at any time. |
| What does my browser do with them? | Supported by all browsers. Browsers give users tools to reject cookies. | Once supported by all browsers. However, browsers are increasingly blocking them or providing ways around them. |
How Do Browsers Treat Third-Party vs. First-Party Cookies?
Browsers used to treat all cookies the same way — whether first or third party. However, after users complained about the actions of some cookies, browser programmers began to differentiate between cookie types.
Programmers developed ad-blockers and anti-trackers to fight against third-party cookies getting access to private information.
Some, including Mozilla, took a strong anti-third-party cookie stance. Others, like Microsoft, prioritized user experience. Nowadays, most browsers have settings that enable users to reject many cookies.
Do Second-Party Cookies Exist? What Are They?
Second-party cookies exist, but they have a much more limited purpose. They share data between three entities:
- The consumer
- The website they visit
- The website’s partner/s
Second-party cookies are primarily used in data-sharing agreements, although their usage is unpopular. Many of them represent data collection partnerships.
They’re only helpful to internet businesses that are also data brokers.
Will First-Party Cookies Exist in the Future?
First-party cookies will be around for a while because both websites and people using them benefit from them. However, one day someone may develop a better process — a more elegant way to fill their function. When that happens, those cookies will be gone.
Given the anti-cookie atmosphere of today, that new technology may arrive sooner rather than later.
Will Third-Party Cookies Exist in the Future?
Third-party cookies are slowly disappearing.
First, the EU laws required full disclosure and consent to anyone who activates one. California and other governments quickly followed suit.
Then, as American laws slowly caught up, Google announced it was phasing out third-party cookies in 2022–2023. Instead, they are exploring ways to use ads more openly and honestly.
Summary
First-party cookies connect you to a single website. They hold on to some personal information to make the website easier to use. Third-party cookies allow someone to track your shopping or other activity across the internet.
Many browsers are dropping their features that allow third-party cookies to work. Expect these to disappear soon. First-party cookies will stay around longer, but the general ire against cookies may also take them down. Between company and government action, expect big changes in internet advertising, tracking, and cookie use.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
