Tracking Cookies & the First Party vs Third Party Cookies

Cookies are small files that a website creates to store data regarding your activity on that site. Some cookies include data that is important for a webpage to function, such as your login credentials. Other non-essential cookies collect user information that might be used for advertising purposes.

With the increase in privacy awareness among users in recent years, internet cookies have earned a bad reputation. But that sentiment is only partially justified since most first-party cookies are necessary for a seamless browsing experience.

Various laws like the GDPR and CCPA have targeted these cookies to provide better privacy to consumers. Let's take a look at what first-party, third-party, and tracking cookies are, how they're affected by these laws, and why some of these cookies might not last the test of time.

What are first-party cookies?

First-party cookies are deemed essential cookies since they massively improve the user's experience.

These cookies are created by the website or domain that you visit, and only that website can access its contents. The information they contain, like the user's login credentials, or for an e-commerce website, the user's shopping basket contents, allows the website to provide the user with a more personalized experience.

Some domains also use these cookies to collect analytical data such as the webpage you visited the most on their website and how much time you spent there. This allows the business to improve its website's functionality.

A great example of a first-party cookie enhancing the user experience is when you visit a website, like Amazon, and log into your account. The first-party cookie containing this information will be stored on your PC, and the next time you visit that website, you'll be automatically logged in.

This automatic log-in only occurs when you return using the same browser and device on which the cookie was created, adding a layer of security.

When you first visit Chick-fil-A, you'll be greeted with a cookie banner where they clearly differentiate essential from non-essential cookies:

Chick-fil-A Privacy Preference center

What are third-party cookies?

Third-party cookies are more shady in their purpose and how they work. As the name implies, these cookies are created and stored under a different domain than the one the user visits, not necessarily with their permission, and that same party also accesses the data on it.

The primary purpose of third-party cookies is to provide targeted advertising to users. Other possible uses of third-party cookies include using social media and payment service integrations or a support chat functionality on the first-party website.

Unlike first-party cookies that stop collecting data once you close the webpage, third-party cookies tend to linger behind, secretly collecting data.

The collected data includes a user's browsing habits, the websites they visit, and their purchasing preferences. This data is then used by advertisers to push relevant advertisements that the user is most likely to click on and purchase. These are typically called tracking cookies.

If this data is collected without the user's permission, it can invade the user's privacy, which is why third-party cookies tend to have a bad reputation.

In its cookie banner, Hershey indicates which third-party cookies it allows on its website and other details. One of these cookies is from TikTok, and it can stay on your computer for 389 days:

Hershey Privacy Preference center

Due to rising privacy concerns among consumers, third-party cookies are slowly being phased out. Mozilla Firefox and Apple's Safari already block third-party cookies, and now Google's taking steps to make these cookies obsolete.
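To make the first-party versus third-party distinction concrete, here is an added example (not from the original article) that audits the Set-Cookie headers seen while loading one page and reports each cookie's party and lifetime. The hosts, cookie names and sample responses are constructed, and treating the last two host labels as the "site" is a simplifying assumption; a real audit should use the Public Suffix List.

```javascript
// Simplification (assumption): the "site" is the last two host labels.
// A real audit needs the Public Suffix List (e.g. co.uk needs three labels).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into name, Domain attribute and lifetime in days.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const a = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    a[key] = i < 0 ? true : attr.slice(i + 1);
  }
  let days = null; // null = session cookie, dropped when the browser session ends
  if (a['max-age'] !== undefined) days = Number(a['max-age']) / 86400; // Max-Age overrides Expires
  else if (a.expires) days = (Date.parse(a.expires) - now) / 86400000;
  return { name, domain: a.domain ? a.domain.replace(/^\./, '') : null, days };
}

// pageUrl: the page the user visited; responses: [{url, setCookie}] observed while loading it.
function auditCookies(pageUrl, responses, now = Date.now()) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return responses.map(({ url, setCookie }) => {
    const c = parseSetCookie(setCookie, now);
    // Without a Domain attribute the cookie belongs to the host that set it.
    const cookieSite = siteOf(c.domain || new URL(url).hostname);
    return {
      name: c.name,
      site: cookieSite,
      party: cookieSite === pageSite ? 'first' : 'third',
      lifetime: c.days === null ? 'session' : `${Math.round(c.days)} days`,
    };
  });
}

// Constructed sample traffic for a visit to https://www.shop.example/
const SAMPLE = [
  { url: 'https://www.shop.example/login', setCookie: 'sid=abc123; Path=/; Secure; HttpOnly' },
  { url: 'https://cdn.shop.example/app.js', setCookie: 'cart=42; Domain=shop.example; Max-Age=604800' },
  { url: 'https://px.adnet.example/t.gif', setCookie: 'uid=9f8e; Domain=.adnet.example; Max-Age=33609600; SameSite=None; Secure' },
];

console.table(auditCookies('https://www.shop.example/', SAMPLE));
```

The third entry is the pattern to look for when reviewing a site: a cookie scoped to a different site than the page, with a lifetime measured in months.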

What are tracking cookies and how are they used?

Any cookie that tracks your activity across a website or a browsing session is called a tracking cookie. These can be further divided into two types, third-party and first-party tracking cookies.

Third-party tracking cookies

The more commonly used and invasive type of tracking cookies are the third-party ones, which we discussed in the previous section. They collect users' data across various websites and track their purchases so that third-party advertisement services like Facebook and Google Ads can provide them with more relevant advertisements.

In some cases, a third-party tracking cookie can be beneficial to the user. For example, a user who wants to purchase shoes will search for them and visit a website that sells shoes. That website will embed tracking cookies from a third-party advertisement company that tracks which products the users click on and add to the cart. This cookie continues to follow the user's interactions across any subsequent websites they visit.

Afterward, the user will see advertisements for shoes on the various websites they visit. This targeted advertising will automatically show users a variety of different shoes they might be interested in and might even help them land a much better deal.

However, many users consider this tracking to be invasive, and if a website allows third-party tracking cookies without the user's permission, it can raise serious privacy concerns and potentially violate regulations regarding user consent and data protection.

First-party tracking cookies

These cookies are considered minimally invasive and are often necessary for the proper functioning of a website. They only track the user's activity on the website they visited and are typically deleted after the user closes the webpage, without any involvement of a third party.

The data they collect is mainly for analytical purposes, remembering your login credentials, and retaining the items you added to your cart.

Without first-party tracking cookies, your cart would empty every time you open a different product page because the website won't be able to keep track of the products you added to the cart.

Or you would have to log into the website every time you visit a different webpage or return to the site since the website wouldn't be able to remember your login credentials or if you even logged in in the first place.

Do any laws regulate tracking cookies?

Yes, since most of the data that tracking cookies collect constitutes personal data, various privacy laws for each country govern how a business should use tracking cookies on their website.

EU cookie law and GDPR

The EU Cookie Law, also called the ePrivacy Directive, takes precedence over the GDPR, and together they uphold the privacy of European consumers. Both apply to any business that collects and processes the data of European consumers, regardless of the country the business is based in.

The Cookie Law requires businesses to:

  • Inform users about all the cookies on their site and the purpose of each
  • Ask for the consumer's consent before installing tracking cookies
  • Give consumers who have consented the option to withdraw that consent whenever they wish

Unless the consumer explicitly gives permission, the website isn't allowed to install tracking cookies on their browser.

Note that these requirements don't apply to essential cookies, which are required by a website to function properly. However, the website should still openly inform users about the presence and purpose of essential cookies.

Compared to the Cookie Law, the GDPR is a broader law that applies to all types of personal data collected by a business, including cookies, and also indicates how a business should handle this data.

State Laws in the USA

Every state in the USA has its own privacy law, which is applicable to the businesses and residents of that state.

The CCPA was the USA's first comprehensive privacy act for the state of California. It applies to the consumer's personal data collected by businesses, and since cookies are classified as "unique identifiers," they fall under the scope of this law. Unlike the GDPR and Cookie Law, the CCPA doesn't apply globally and is a bit more lenient in its requirements.

Only the businesses that meet the following requirements are affected by the CCPA:

  • Does business in California
  • Meets one or more of the following requirements:
    • Earns more than $25 million in annual gross revenue
    • Derives half of its revenue from selling personal information
    • Buys, sells, receives, or shares personal information from over 100,000 consumers, households, or devices per year

For businesses that fall under the jurisdiction of the CCPA, the following requirements should be met:

  • Allow users to opt out of the sale of their personal data by providing a link to a "Do Not Sell My Personal Information" page
  • Have a detailed Privacy and Cookie Policy page with a link to these pages provided on the cookie banner
  • If a user opts out of installing cookies, wait 12 months before notifying them again

The main difference between the CCPA and the European laws is that the CCPA doesn't require a website to ask for the user's consent before installing cookies. Instead, it takes an opt-out approach to consent.

However, if a Californian business caters to consumers under 16 years of age, asking for consent becomes mandatory.

How do you make your website cookie-compliant?

The laws we discussed put forward very specific requirements for websites to follow if they want to have cookie compliance. Let's look at how you can meet these requirements on your website.

Ask for permission or provide an option to opt out

If you're a U.S.-based business and collect data from American residents, your cookie banner needs only to provide the consumer with the option to opt out.

Businesses that collect data from European consumers need to explicitly ask for the consumer's consent before installing cookies.
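The opt-in and opt-out models differ only in what happens before the user has made a choice. The following added example (not from the original article) shows a server-side gate that decides which cookies a response may set, following the rules as this article describes them; the regime names, cookie categories and sample cookies are assumptions made for illustration.

```javascript
// Decide which cookies may be set for one visitor.
//   regime  : 'opt-in'  (EU model: nothing non-essential before consent)
//             'opt-out' (CCPA model: allowed until the user opts out)
//   consent : e.g. { analytics: true, advertising: false };
//             a missing key means the user has not chosen yet
//   under16 : per the article, consent becomes mandatory for under-16 consumers
function allowedCookies(cookies, { regime, consent = {}, under16 = false }) {
  if (regime !== 'opt-in' && regime !== 'opt-out') {
    // Fail closed: an unknown or misspelled regime must not default to "allow".
    throw new Error(`unknown consent regime: ${regime}`);
  }
  const needsOptIn = regime === 'opt-in' || under16;
  return cookies
    .filter(c => {
      if (c.category === 'essential') return true; // exempt from consent
      const choice = consent[c.category];
      if (choice === undefined) return !needsOptIn; // no choice yet: regime default
      return choice === true;                       // explicit choice always wins
    })
    .map(c => c.name);
}

// Constructed cookie inventory, as it would be listed in a cookie policy.
const SAMPLE_COOKIES = [
  { name: 'sid', category: 'essential' },
  { name: '_stats', category: 'analytics' },
  { name: 'ad_uid', category: 'advertising' },
];

console.log(allowedCookies(SAMPLE_COOKIES, { regime: 'opt-in' }));
console.log(allowedCookies(SAMPLE_COOKIES, { regime: 'opt-out', consent: { advertising: false } }));
```

A cookie with a missing or unrecognised category is treated as non-essential, so an incomplete inventory cannot bypass the consent check.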

List the cookies your website uses and their purpose

To remain compliant with privacy laws, it's important to inform the consumer about all the cookies your website uses and the reason for using them. This can be done in the cookie banner or within the Cookie Policy.

Paul Smith's cookie policy lists every cookie the website installs and explains its purpose:

Paul Smith cookie policy excerpt

Provide a detailed cookie policy

Every website should have a cookie policy that's compliant with the major privacy laws. A cookie policy should ideally include the following:

  • Explain to consumers what cookies are and how you use them
  • List of all the cookies, their types, and their purpose
  • A link through which consumers can opt out of cookie installation

Nvidia's Cookie Policy is a great example of how clear and open a company should be regarding the use of cookies on its website:

Nvidia cookie policy excerpt

How will cookies change in the future?

Recently, many people have raised concerns regarding their privacy, which led countries to enact laws like the CCPA and GDPR. These laws restrict businesses from collecting consumer information without their permission or require them to provide the means to opt out of the collection.

Since a majority of consumers don't want to disclose their personal information to businesses and choose to opt out of its collection, third-party non-essential cookies are set on a trajectory to death.

Various browsers already block third-party cookies, and now Google Chrome, which has more than 60% market share, is taking steps to do the same. They call this a Privacy Sandbox, where advertisers can target users without invading their privacy.

Only 1% of third-party cookies are disabled in Q1 of 2024, with plans to delay the complete blocking of these cookies until the second half of 2024.

With the death of third-party cookies, first-party cookies become more important than ever for advertisers. The user data will now be collected by the first-party website itself, through transparent means like creating profiles, providing feedback, or filling out survey forms.

This means instead of a third-party tracking cookie silently collecting user data behind their backs, the user will consensually provide that data themselves. The advertisements the user sees will be based on the data collected by the first-party website itself, eliminating the need for data sourced from external platforms.

Summary

Internet cookies come in two flavors. Where first-party cookies are usually essential and provide the website with the necessary information for it to function properly, third-party cookies are mostly used for advertisement purposes by sharing personal data with third parties.

A particularly questionable type of third-party cookies is tracking cookies. These cookies tend to stay on your computer long after you've ended the browsing session, secretly collecting data regarding your browsing habits. Advertisers then use this data to provide you with advertisements that better align with your interests.

Various laws like the ePrivacy Directive, GDPR, and CCPA have given consumers the right to choose whether a business can collect data from them. When it comes to third-party cookies, a website should follow these practices to stay compliant with these laws:

  • Inform the user about the type of cookies the website uses and the third parties involved
  • Inform the user regarding the source and purpose of cookies
  • Ask for the user's consent before installing cookies or provide an option to opt out
  • Provide a link to the business's Privacy Policy and Cookie Policy

These laws were just the beginning of the end for third-party cookies. Various browsers like Mozilla Firefox and Safari already block third-party cookies. With the recent push for removing third-party cookies by Google in their Chrome browser, which holds the largest market share, these cookies will be gone by the end of 2024.

First-party cookies will take their place. All the data a website collects from a user will be with their permission and will remain with that first party. Advertisements shown to a consumer will be within the context of the data collected by that website, giving consumers better digital privacy.