Data protection: Third-party cookies vs. first-party cookies

The most important facts in brief

• Third party cookies are one of the most important technologies for digital advertising. They allow better and better personalisation of advertising.
• However, many internet browsers have disabled third party cookies - now Google Chrome is following suit.
• Cookies can basically be divided into three types: technically necessary cookies, performance cookies and functional cookies.
• In contrast to third party cookies, first party cookies are hosted by a website provider itself. We look at each of these and how they relate to consent managegement and consent management platforms.
• A guide: How to turn off third party cookies in Google Chrome
  
  

In this article

• The importance of cookies - an overview
• Background information: What are technically necessary cookies, performance cookies and functional cookies?
• How do first party cookies vs. third party cookies work?
  • Example: First Party Cookies
  • Example: Third Party Cookies
• How to disable third party cookie tracking already today in Google Chrome
• The legal situation of third party cookies and privacy concerns

What are cookies – An overview

Even established companies that don’t place any particular emphasis on ads invest at least five per cent of revenue in marketing in keeping with the “5% rule”. Booming tech companies tend to invest closer to 20% or more. Tech giant Salesforce is even reported to directly reinvest 46% of its revenue in marketing. And according to the Gartner CMO Spend Survey 2020–2021, CMOs spend an average of 13.5% of the marketing budget on digital and PPC advertising.

A foundational technology of digital advertising are cookies – specifically, third-party cookies.

Third-party cookies allow advertisers to track users across various sites to create user-specific interest profiles. This lets advertisers gear ads toward a user’s personal preferences.

But cookies have long been a thorn in the side of campaigners for privacy rights. The growing awareness of privacy issues among the general public has already prompted

Firefox and Safari to block third-party cookies. Now Google Chrome is following suit.

How do first-party cookies work differently from third-party cookies?

Cookies are small files (usually JavaScript) that websites store on your device while surfing the web in your browser. First-party cookies are hosted directly by the page you’re visiting; they run on the website operator’s own server. On the other hand, third-party cookies are stored by another provider – our examples below make it easier to understand.

First-party cookies: An example

When you visit the DataGuard homepage and consent to cookie tracking via the pop-up cookie banner at the bottom of the page, we will “remember” that you’ve already been here the next time you visit our site. This makes it easier for us to make your experience on our homepage a pleasant one. For example, if you download our whitepaper on the six biggest privacy mistakes that almost every company makes, the next time you visit the site, you won’t see a pop-up about it. Instead, our site will recommend other content you might be interested in. But if a user clears their cookie cache, the banner will re-appear and will need consent again.

The online retailers like Zalando do this really well. If Zalando “knows” that you were browsing white ball gowns the last time you were on their site, the next time you’re there shopping for clothes, you’re likely to see similar items in a similar price category – in fact, you may even see related products such as veils and white shoes.

What have we learned? First-party cookies let website operators recognize users and remember their preferences.

Third-party cookies: An example

Stored by a party other than the website operator, third-party cookies typically serve the purpose of tracking a user’s online behaviour across multiple websites. To work, some form of service offered by the respective third-party in question must be active on the website.

Third-party cookies are usually associated with advertisements. Google Ads is one of the largest online advertising platforms. Millions of companies use the Google service to place ads on websites that allow Google Ads. And every website that uses Google Ads collects data for Google on its visitors and learns their topics of interest as well as what type of ads have prompted a response in the past. By the way, Google Ads is not the only service that works this way. Other smaller advertising platforms and agencies also place these types of ads. Some companies even form their own advertising platform.

Modern advertising platforms allow companies to make granular decisions about who to target with their ads. This all (still) works thanks to third-party cookies.

What have we learned? Third-party cookies allow parties other than the website operator to track user behaviour across a multitude of sites. The data gathered is typically used to place targeted ads.

Do this to deactivate third-party cookie tracking in Google Chrome now:

• In the Chrome menu bar at the top, click on the three-dot button to enter the “Settings” menu

• Click on "Privacy and security" in the menu on the left
• Select “Cookies and other site data”
  
  

• Now select “Block third-party cookies”

Third-party cookies: Legality and privacy concerns

Strictly speaking, third-party cookies do not violate the law, as long as the user is properly informed of their use and gives their consent; however, no Cookies should be dropped until an affirmative action is taken. The best way to do this is by implementing Zero Cookie Load, which prevents trackers from being put onto a user’s browser, until consent is provided. Modern websites achieve this by means of a cookie banner and a privacy statement. Experts believe the EU’s privacy Regulation will impose further requirements once it is published.

Despite these pending increased restrictions, third-party cookies are a source of great annoyance to data privacy experts as well as tech-savvy web surfers.

At the risk of stating the obvious, privacy concerns arise from the great amount of data that cookies collect and the extensive user profiles they are used to create. As a means of collecting data, cookies have a serious anonymity deficit, since they track user behaviour across multiple sites and share this information with third parties.

It is precisely these privacy concerns that Google cites as the primary reason behind its decision to end the use of third-party cookies in Chrome:

“Users are demanding greater privacy – including transparency, choice and control over how their data is used – and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”

Despite this concession, you don’t hear a chorus of praise from privacy advocates. Why is that exactly? Even without third-party cookies, tracking online user behaviour will still be possible. Not on the level of individual users, but in so-called cohorts. Besides, some have also expressed scepticism as to whether Google’s decision to end third-party cookies is really in the interest of privacy first. Many (smaller) competitors may no longer be able to offer their services once third-party cookies are deactivated. Google on the other hand, experts warn, can work on alternatives for advertisers in the interim, and secure a monopoly in the web advertising industry.

2023 may seem a long way away but it’s worth thinking now about what you can do once third-party cookies disappear. Watch out for the next article : Alternatives to third-party cookies and how companies can prepare for the coming changes today.

Sign up to our newsletter – Get practical tips and invitations to webinars and online Q&A sessions