What’s the difference between a first-party cookie and a third-party cookie, why is the distinction between the two important for digital marketers, and how can you check which cookies your website is issuing to visitors? Get all the answers in our marketers’ guide.
First, let’s recap: what is a cookie?
Cookies are snippets of information that get added to a web user’s browser by the websites they visit. Once installed on the browser, they can provide the cookie owner with info on the user’s online activity. This information can be used for activity tracking, or to make websites act differently when the user visits in future. Common uses of this technology include:
- Activating retargeting ads
- Storing ecommerce cart status
- Adding autocomplete options to forms
- Saving user preferences
- Authenticating user accounts
- Tracking ad conversions
Such uses of cookies can be helpful to both a website’s visitors and its owners. The visitors get an enhanced experience; the owners get user data to feed into their marketing processes, plus direct opportunities to deploy marketing strategy (e.g. delivering special interest content to uses with relevant interests).
If you’d like to develop a better understanding of the types of cookie currently in use, a good approach would be to check which cookies are currently active on your own browser. Here are instructions on how to view and manage cookies in Chrome, Firefox, Internet Explorer and Safari. Check which cookies you have installed, then do some online research to find out what they do.
You can read more on the fundamentals of cookies in our Guide to cookies for digital marketers.
What’s the difference between third-party and first-party cookies?
As we know, cookies are added to users’ browsers by the websites they visit.
If a cookie is owned by the same domain that installs it on the visitor’s browser, we call it a first-party cookie. So, if you were to visit targetinternet.com and see that a cookie linked to the domain “targetinternet.com” has been added to your browser, that would be a first-party cookie.
If a cookie is owned by a different domain to the one that installs it, we call it a third-party cookie. So, if you visited targetinternet.com and received a cookie with the domain name “ads4u.biz” (which we have completely made up), that would be a third-party cookie.
The problem with third-party cookies
Until recently, marketers could use third-party cookies safe in the knowledge that their usage was a non-issue for most web users and technology providers. For years this status quo enabled cookie-powered marketing processes like web analytics and display advertising.
The problem now facing marketers is that a growing number of web users and technology providers are rejecting third-party cookies.
Let’s start with individual web users. Driven by growing concerns over web privacy, some users have taken to deleting third-party cookies from their browsers on a regular basis. Others are using software to automatically block them from being installed (some of which are more effective than others). This trend has undoubtedly been fuelled to an extent by news coverage of the Cambridge Analytica scandal and GDPR.
What’s perhaps even more worrying for marketers is that some web browsers and anti-spyware applications now block third-party cookies by default, meaning the number of users not accepting third-party cookies is greater than the number who deliberately reject them.
By contrast, only a small minority of web users block first-party cookies – less than 5% according to Opentracker.
There are two causes behind this disparity: firstly, privacy-conscious users are less likely to delete cookies from a known such as Facebook, Gmail or any other website they use frequently, as these cookies are generally understood to play a role in making that website work properly; and secondly, many of the applications that block third-party cookies do not block third-party ones.
Users who block third-party cookies are usually validated in their choice, as their web experience is not noticeably worsened. If they were to block first-party cookies from a site they use regularly, they would likely encounter problems with logging in, filling out forms that would normally autocomplete, and so on.
Why this is a hot topic in 2018
Problems with third-party cookies rocketed straight to the top of the marketing agenda in September 2017, when Apple rolled out its iOS 11 and macOS High Sierra operating systems.
Both these OS include a version of Safari equipped with a feature called Intelligent Tracking Prevention, which automatically removes third-party OR first-party cookies which are identified as unimportant to user experience. Third-party cookies are removed after 24 hours, while first-party cookies are removed after an idle period of 30 days. Although this tech targets both types of cookie, its effects have been most significant in the case of third-party cookies belonging to domains which users are unlikely to visit.
As of May 2018, iOS accounts for 49.85% of the UK mobile web browser market (source: Statista), up from 40.8% in December 2011. Even considering the time it takes for users to migrate to the latest version of iOS, this represents the potential for a huge share of mobile visitors to block third-party cookies via their browser.
In an open letter responding to the rollout of ITP, a bloc of organisations including the American Association of Advertising Agencies (4A’s) and the Interactive Advertising Bureau (IAB) wrote:
“We are deeply concerned about the Safari 11 browser update that Apple plans to release, as it overrides and replaces existing user-controlled cookie preferences with Apple’s own set of opaque and arbitrary standards for cookie handling.
Safari’s new “Intelligent Tracking Prevention” would change the rules by which cookies are set and recognized by browsers. In addition to blocking all third-party cookies […] this new functionality would create a set of haphazard rules over the use of first-party cookies (i.e. those set by a domain the user has chosen to visit) that block their functionality or purge them from users’ browsers without notice or choice.”
The letter is reproduced in full at CNET.
Responding to the advertising consortium’s criticisms, an Apple representative stated: “Ad-tracking technology has become so pervasive that it is possible for ad-tracking companies to re-create the majority of a person’s web browsing history. This information is collected without permission and is used for ad retargeting, which is how ads follow people around the internet.”
In August this year the situation for advertisers got worse still, as Mozilla announced plans to block third party cookies by default on their browser Firefox, which has a 5.24% market share in the UK.
The response to Apple’s anti-tracking tech
Apple ruffled a few feathers with the release of Intelligent Tracking Prevention – not least among its key rivals, Google, Microsoft and Facebook. All three have used third-party cookies in their advertising products.
Google’s response to ITP was immediate. To preserve the capability for Google Ads advertisers to track conversions, Google switched the cookie used to track how individual users interacted with campaigns from a third-party cookie set on the googleadservices.com domain to a first-person cookie set on the advertiser’s own domain. This approach ensured the tracking of visitors using the latest Safari browsers could continue in spite of ITP.
In January this year, Bing announced its own response to ITP: Microsoft Click ID auto-tagging via Universal Tracking Cookies. If you think that sounds a little complex, you’d be right. Here’s how it works:
- Advertiser enables auto-tracking of Click ID in Bing Ads;
- Bing Ads adds a unique Click ID to the landing page URL when the user clicks through from an ad;
- UET sets a first-person cookie on the advertiser’s site, which captures the Microsoft Click ID from the URL;
- Bing Ads can then use the Click ID to tie conversion events to ads that helped make them happen.
Although Bing’s workaround is different to Google’s, the outcome for advertisers is similar: analytical business as usual. The key mechanic in both cases is the switch from a third-party cookie to a first-party one.
Facebook launched its own solution, specifically for advertisers using Facebook Pixel tracking, on October 24th 2018. Prior to that date, the Facebook Pixel let advertisers choose between using first-party or third-party cookies to track user behaviour. After the change, first-party cookies will be used by default (though advertisers do have the choice to opt-out).
In an email to digiday.com, Facebook spokesperson Joe Osborne explained:
“We are offering a first-party cookie option for the Facebook pixel to help businesses continue understanding site activity and ad attribution across browsers. This change is in line with updates made by other online platforms, as the use of first-party cookies for ads and analytics is becoming the preferred approach by some browsers. The controls people have over ads will not change.”
A big concern with these measures from Google, Microsoft and Facebook is that they could be construed as a smoke-and-mirrors approach to getting users to accept cookies they don’t really want. This seems to ignore the fact many people want more visibility and control over who is tracking their online activity.
There are two sides to this debate. The marketing industry clearly needs tracking cookies. However, from legal and ethical standpoint, it can also be argued that web users deserve a clear choice as to which companies can track them.
Using a first-party cookie that links up to a third-party such as Google or Facebook makes it harder to use browser settings to manually “opt out” of having data processed by certain parties, which creates the unexpected scenario of users having less real-terms control over their data than they did before. This point could be especially pertinent to marketers working in sensitive sectors such as medical, insurance and personal finance, where customers might be especially concerned about their data.
Which marketing processes can’t be done without third-party cookies?
As we’ve seen, advertising providers have found ways to track user activity pretty much as well as ever, without third-party cookies. The same can’t be said of another key area of cookie usage: ad retargeting.
In retargeting, cookies (mostly third-party ones) are used to serve relevant display ads to users whose online behaviour suggests they are likely to make a purchase. For instance, if you have been admiring a nice pair of shoes in an online shop and then keep seeing ads for those shoes, that’s probably an example of retargeting in practice.
Retargeting is a valuable tool for digital marketers, as repeatedly drawing customers’ attention to certain products can increase click-through rate (CTR) and conversion rate. According to ReTargeter, traditional ads have a CTR of 0.07%, while the rate can be as high as 0.7% with retargeted ads.
We can still run remarketing campaigns using services such as Google Ads, but this now comes with the proviso that remarketing to users who block third-party cookies might not be as effective as it once was.
How to find out whether your site is issuing third-party cookies
Despite ongoing debate, most marketers agree that third-party cookie remain an important and acceptable component of how the web works. The key is to ensure your website is using cookies responsibly, and also to provide users with clear, accurate info on what happens to their data when they interact with your site.
Any third-party services that interact with your site – including analytics applications, advertising networks and content plugins – could be issuing third-party cookies to your visitors. Most of these them probably support core functionalities, though it’s possible that some will exist only to serve the third-party’s own commercial interests.
Either way, it’s important to know which cookies your site is issuing. In the interest of GDPR compliance, every website using cookies should feature a message that tells visitors what you’ll do with their data – and to do this accurately, you’ll need to know which domains your website’s cookies are owned by.
You (or anyone else) can find out which cookies your site is issuing by entering its URL into a cookie-checker tool. Here’s a free one, that will show you a list of cookies triggered by accessing your domain. The results linked to your own domain are first-person cookies; those linked to other domains are third-party. Your website’s notice to users about cookies should cover everything these cookies are doing.