First-party cookies vs. third-party cookies
Both types of cookies are bits of information that collect web-user data. Both are typically used to store user data such as surfing and personalization preferences and tracking information. The difference is in who uses that data and who the cookie collects data for.
First-party cookies. A first-party cookie is placed on a website by the publisher/owner of the site and collects user data for that publisher/owner. First-party cookies are often used to improve user experience (UX) by remembering user preferences and settings: items added to online retail shopping carts, usernames, passwords and language preferences are typical information they store. A site owner can also use them to provide services, live chat being one example.
Third-party cookies. A third-party cookie is placed on a website by someone other than the owner (a third party) and collects user data for the third party. As with standard cookies, third-party cookies are placed so that a site can remember something about the user at a later time. Third-party cookies, however, are often set by advertising networks that a site may subscribe to in the hopes of driving up sales or page hits.
For example, a user visits a website called news.com. Cookies placed on this domain by news.com are first-party cookies. A cookie placed by any other site, such as an advertiser or social media site, is a third-party cookie.
Cookies in general also may be referred to as HTTP cookies, web cookies and browser cookies. Third-party cookies also may be referred to as trackers.
How third-party cookies work
When a cookie is created, the attributes specified in the HTTP response header determine whether it behaves as a first-party or a third-party cookie. The "SameSite" attribute lets the creator of the cookie decide whether it can be sent as a third-party cookie or only as a first-party (same-site) cookie. When the user performs an action on the site, the browser consults these attributes to determine if and when the cookie will be sent.
For example, if a website user requests an image from the same site domain (by clicking on the image, for example), a cookie carrying the SameSite attribute is sent and records user information. If the user requests an image from a third-party site, where the domain name differs, a cookie with the SameSite attribute is not sent, so it does not collect user information across sites.
The SameSite attribute essentially restricts the cookie to first-party use. It accepts a couple of values:
- If the cookie creator sets SameSite to "Strict," the cookie is strictly first party and is never sent on cross-site requests. It is only sent when both parties in the exchange are on the same web domain. This setting works well for remembering user preferences on the site but will not work for a request arriving from an external link. So, for example, if the user clicks a link to the site in an email from a friend, the cookie will not be sent, because the user is arriving from a different domain.
- If the cookie is set to "Lax," it is sent on certain cross-site requests. Lax means the cookie is sent with secure, top-level navigations (top-level means the URL in the address bar changes). Lax does not allow third-party sites to POST, that is, to load information into the original site. This means that a cookie with "Lax" is sent when a user clicks a link to the cookie's site, but it cannot be used to load advertisements from another site in an iframe, for example, because that uses the HTTP POST command, which is considered less secure.
- If no SameSite value is specified, the cookie is sent on all requests and is by definition a third-party cookie. It does not restrict POST requests, which advertisers, social networks and other third parties can use to load information from their site. This lack of specification makes cookies useful for advertisers, because their methods often do not fit the criteria of "SameSite=Strict" or "SameSite=Lax." For example, an external site may make a GET request that does not change the URL as a top-level navigation. This kind of request (an <iframe> or <img> load, for instance) is blocked by both "Lax" and "Strict." Leaving SameSite unspecified allows that type of communication, in which a page is loaded inside another page, which is a common way for advertisements to appear on webpages.
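As an added example (not from the original article), the following JavaScript models the three SameSite cases above as a decision function. The scenario names and the `legacyDefault` switch are constructed here; the "unspecified means sent everywhere" behaviour follows the article's description, while `legacyDefault = false` models the current browser default of treating an unspecified cookie as Lax.

```javascript
// Added example (not from the original article): a model of the SameSite rules
// described above. Whether a cookie is attached depends on its SameSite value,
// whether the request is cross-site, and whether it is a top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie.sameSite is 'Strict', 'Lax', 'None' or undefined (not specified).
// request is { crossSite, topLevel, method }.
// legacyDefault=true follows the article: an unspecified cookie is sent on every
// request. false models current Chrome behaviour, which treats it as Lax.
function isCookieSent(cookie, request, legacyDefault = true) {
  const mode = cookie.sameSite ?? (legacyDefault ? 'None' : 'Lax');
  if (!request.crossSite) return true; // same-site request: always sent
  switch (mode) {
    case 'Strict':
      return false; // never sent on cross-site requests
    case 'Lax':
      // sent only with top-level navigations using a safe (non-POST) method
      return request.topLevel && SAFE_METHODS.has(request.method);
    case 'None':
      return true; // unrestricted third-party cookie
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// Constructed scenarios from the article: a link clicked in an e-mail, an ad
// loaded in an <iframe>, and a cross-site form POST.
const SCENARIOS = {
  linkFromEmail: { crossSite: true, topLevel: true, method: 'GET' },
  adInIframe: { crossSite: true, topLevel: false, method: 'GET' },
  crossSitePost: { crossSite: true, topLevel: true, method: 'POST' },
};

// Table of which cookie modes are sent in which scenario.
function sendMatrix(legacyDefault = true) {
  const matrix = {};
  for (const sameSite of ['Strict', 'Lax', undefined]) {
    const row = {};
    for (const [name, req] of Object.entries(SCENARIOS)) {
      row[name] = isCookieSent({ sameSite }, req, legacyDefault);
    }
    matrix[sameSite ?? 'unspecified'] = row;
  }
  return matrix;
}
console.table(sendMatrix());
```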
Why third-party cookies are used and who uses them
Third-party cookies are named as such because they come from a website other than the one the user is currently on, in other words, a third party. They are often used by advertisers and social networks to monitor user activity online and for behavioral targeting. This is useful for advertisers because specific user data improves their chances of marketing the right product to the user. Third-party cookies track users across domains. Both advertisers and social media platforms rely heavily on user data to inform the content they curate and create. Because third-party cookies allow users to be tracked across sites, they build a richer picture of user behavior than first-party cookies, which only collect user data while the user interacts with the owner's site. User profiles built from this data inform how information is presented to the user, whether as an advertisement pop-up or a social media feed.
Enabling, disabling and blocking cookies in web browsers
Third-party cookies are often blocked and deleted through browser settings and security settings such as same origin policy; by default, Mozilla Firefox blocks all third-party cookies; Chrome and Apple Safari have recently begun doing so as well. Blocking third-party cookies does not create login issues on websites (which can be an issue after blocking first-party cookies) and may result in seeing fewer ads on the internet. However, blocking all cookies can sometimes lead to problems, as some websites rely on first-party cookies to function properly.
How to enable or disable cookies in popular browsers:
- Apple Safari:
  - Open Safari.
  - Click Safari > Preferences in the upper left-hand corner of the screen.
  - Click on Privacy. An option to "Block all cookies" will appear.
  - Check the box next to "Block all cookies" to disable all cookies.
  - Uncheck it to enable all cookies.
  - Check the "Prevent cross-site tracking" option to block only third-party cookies.
- Google Chrome:
  - Open Chrome.
  - Click the button that looks like three dots in the upper right-hand corner of the browser window.
  - Scroll down to the Privacy and Security section.
  - Click Cookies and other site data. You will be presented with the following options:
    - Allow all cookies
    - Block third-party cookies in incognito
    - Block third-party cookies
    - Block all cookies (not recommended)
  - Click the bubble next to the option that most applies to you.
- Mozilla Firefox:
  - Open Firefox.
  - Click the menu button (three horizontal lines stacked on top of each other) and select Options.
  - Select Privacy and Security. This shows your settings for Enhanced Tracking Protection (including cookies).
  - Three options appear:
    - The first option (the default) enables all cookies except trackers. Trackers are, for most intents and purposes, the same as third-party cookies.
    - The second blocks most cookies and may cause sites to break.
    - The third lets you choose which cookies are blocked.
Firefox gives the option for extra protection against social media trackers. For example, if a site contains a Facebook "like" button somewhere on the page, Facebook can track user browsing activity on the site even if the like button is never clicked.
Third-party cookies and data privacy
Third-party cookies, and cookies in general, pose a significant data security risk, and are viewed by some as infringing on user privacy rights. This is why all the main browsers mentioned above now block third-party cookies by default. In 2011, the European Union passed the cookie law that required users to be informed of the cookies they'd be interacting with upon visiting a site.
Although not dangerous by themselves, cookies can be hijacked and used by malicious actors to gain information. This happens when any cookie related to authentication is not transmitted securely. For example, Kaspersky discovered a cookie-stealing Trojan that gives hackers the ability to control victims' social media accounts.
Cookies related to authentication normally carry a security flag that instructs the browser to send the cookie only over secure channels (SSL/TLS). If such a cookie is transmitted without these channels, attackers can eavesdrop on it and gain access illegitimately.
What's happening to third-party cookies?
There has been a general move away from third-party cookies. Blocking third-party cookies increases user privacy and security but has created a problem for consumer tracking/ad serving firms, which often place ads that follow users around the web.
Combined with the removal of third-party cookies by other means, some firms estimate that 40% of all third-party cookies are removed. Because this affects their survival, web publishers have tried to undermine these changes with other techniques, such as respawning cookies, Flash cookies, entity tags (ETags) and canvas fingerprinting.
Browser fingerprinting is also replacing third-party cookies as a way of identifying users online. A browser fingerprint is a collection of details about the user, for example, the type of browser in use, the contents of the browser cache, the time and date, and the operating system. These details are combined into a hash value, and the collector can then look for that same combination of details and follow users around the web with accuracy.
A group of researchers at Cambridge University found that smartphones are particularly vulnerable to browser fingerprinting, in ways the user cannot protect against. On a computer, users can take steps to mitigate browser fingerprinting. One simple way is to clear the browser cache; other ways involve using the Tor browser, an incognito window, or a variety of browser plugins that limit the exposure of user data.