First-party vs third-party cookies: why first-party is the way to go

Written by Karolina Matuszewska

Published August 17, 2018

Although it’s been a long time since cookies appeared on the digital landscape, they still stir debate and even confusion.

Center stage is taken by the matter of first-party vs. third-party cookies. There’s a lot to think about, from technical matters to privacy compliance, and almost nothing is black and white.

In this post we’ll try to put the record straight about some things and erase any doubts you might have. Let’s get down to it!

Cookies: what are they and why are they crucial?

You might have come across definitions saying that cookies are a sort of program, software, or script. None of this is true – they’re just small text files placed on users’ devices after they visit a website.

The information they contain is then accessed by servers on the visited site. The data they carry makes it possible to identify and recognize users later on.

Moreover, cookies are inherently harmless. Cookies don’t contain any viruses, they don’t install malware, and they don’t do any other damage to a user’s computer.

The only threat they could pose relates to user privacy, but this only happens when they’re employed for shady purposes.

That being said, there are many different reasons for using cookies, such as:

  • session management: logins, shopping carts, game scores
  • user privacy controls & settings
  • user profiling, segmentation, optimization
  • analytics, attribution, verification
  • mapping users across platforms
  • ads frequency capping
  • targeting & retargeting

Considering the vast number of applications they have, it comes as no surprise that Internet cookies are a key element of the Web. They don’t just benefit advertisers and marketers.

The use of cookies exerts a big impact on user experience by making web browsing more convenient and personalized. In the long run, this translates into better brand loyalty.

First-party & third-party cookies: what’s the difference?

First and foremost, from a technical standpoint there’s no intrinsic difference between first-party and third-party cookies. The distinction is related to the context of a particular visit and who creates a cookie. Every cookie has an owner – this is a domain defined in the cookie.

To be more precise, first-party cookies are issued by a website that a user views directly. So if a user lands on a website – for example, forbes.com – then this site creates a cookie which is then saved on the user’s computer.

On the other hand, third-party cookies are not created by the website being visited, but rather by someone else. What does this mean in practice? Let’s say you’re visiting forbes.com, and that site has a YouTube video on one of its pages. In this case, YouTube will set a cookie which is then saved on your computer.

What’s happening here is that the website owner, forbes.com, embeds a piece of code and video provided by YouTube in their site. When the YouTube code is executed in the browser, or the video is loaded, YouTube can track the player and put data in cookies.

As a result, the cookie is classified as a third-party cookie, because it’s created by a different domain than forbes.com.
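The same cookie can therefore be first-party on one visit and third-party on another. The sketch below is an added example, not code from the original article: it labels a cookie by comparing the site the user is viewing with the domain that owns the cookie. The function names, the cookie names and the tiny suffix list (a stand-in for the full Public Suffix List) are assumptions made for illustration.

```javascript
// Added example: classify a cookie as first- or third-party from the visit context.
// ASSUMPTION: this constructed set stands in for the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain ("site"): the public suffix plus one label to its left.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return i === 0 ? null : labels.slice(i - 1).join(".");
  }
  return null; // unknown suffix: cannot classify
}

// Owner of a cookie: its Domain attribute, or the responding host when none is given.
// A Domain attribute that does not match the responding host is ignored by browsers.
function cookieOwner(setCookieHeader, responseUrl) {
  const host = new URL(responseUrl).hostname;
  const attr = setCookieHeader.split(";").slice(1).map((s) => s.trim())
    .find((s) => /^domain=/i.test(s));
  if (!attr) return host;
  const domain = attr.slice("domain=".length).replace(/^\./, "").toLowerCase();
  return host === domain || host.endsWith("." + domain) ? domain : null;
}

// pageUrl is the address the user is viewing; responseUrl is what set the cookie.
function classify(pageUrl, responseUrl, setCookieHeader) {
  const owner = cookieOwner(setCookieHeader, responseUrl);
  if (owner === null) return "rejected";
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const ownerSite = registrableDomain(owner);
  if (!pageSite || !ownerSite) return "unknown";
  return pageSite === ownerSite ? "first-party" : "third-party";
}

// Constructed sample events (cookie names and paths are made up).
function demo() {
  const embed = "https://www.youtube.com/embed/demo";
  const playerCookie = "player_id=demo; Domain=.youtube.com; Path=/";
  return [
    classify("https://www.forbes.com/a", "https://www.forbes.com/a", "session=abc; Path=/"),
    classify("https://www.forbes.com/a", embed, playerCookie), // embedded video
    classify("https://www.youtube.com/watch", embed, playerCookie), // direct visit
    classify("https://www.forbes.com/a", embed, "x=1; Domain=forbes.com"),
  ];
}
console.log(demo());
```

Run over the Set-Cookie headers captured while loading your own pages, this kind of check gives an inventory of which outside domains set cookies on your site.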

This type of cookie is used heavily in online advertising. As advertisers add their tags to a page they can display ads, as well as track users and devices across the different sites they visit.

PII vs Personal Data

Learn how to recognize PII and Personal Data to stay away from privacy issues.

The trouble with third-party cookies

If your company operates in the digital ecosystem, you already know that cookies can be a pain in the neck. One of the most significant concerns is about user privacy. The widespread use of cookies means that data is fragmented across websites, devices, apps, etc.

From the user’s perspective it’s hard to understand who is doing what with their data. Things get even trickier when third-party cookies are involved.

What this means for publishers and advertisers is that they have to come to terms with the growth of ad blockers and other methods, like Intelligent Tracking Prevention, that cause cookie churn.

But how, exactly, do users deal with third-party cookies? Cookies can be blocked when the user:

  • uses private/incognito mode on their browser
  • uses Safari web browser on Apple’s devices (which blocks third-party cookies by default)
  • changes the cookie & tracking settings in their browsers
  • uses Tor (free software that enables anonymous communication)
  • installs ad blockers or other similar browser extensions

As you can see, reliance on third-party cookies is not an optimal solution.

With the growing concern over user privacy we can expect a consistent trend towards building new tools and solutions that block ads and prevent tracking.

Why first-party cookies are leading the way

When it comes to cookies, nothing is really black and white. Whether you use first-party or third-party cookies, it’s crucial to clearly define the goals you want to achieve and determine which path will get you there best. That said, it’s clear that first-party cookies bring considerable advantages.

First off, using first-party cookies means it’s your domain collecting data. This translates into greater control and full ownership of data. In other words, you can handle the data responsibly and safeguard it as best as possible.

What’s more, these cookies offer a longer lifespan. Of course, users can delete all cookies on their devices, but first-party cookies won’t fall prey to automatic cookie blockers like private browsers or ad blockers.

You can also reap the benefits of branded domains. Applying first-party cookies shows users your brand instead of another site.

In short, first-party cookies are more flexible, and are better for storing and using data for various marketing and analytics strategies. They’re also considered more user friendly, as they help sites recognize visitors, automatically log users in, and personalize content without being intrusive or violating user privacy.

Since Internet cookies can be used to store and retrieve information about users and their interactions with websites, they’ve been recognized as a threat to privacy. Increasing concern over this issue has prompted the introduction of regulations to better safeguard users’ data.

In Europe there are two major regulations, one being the General Data Protection Regulation (GDPR), which took effect on May 25 this year, while the other is the Privacy and Electronic Communications Regulation, also called the EU Cookie Directive.

When it comes to the text of GDPR, you won’t find any direct mention of first-party cookies or third-party cookies. That said, there is a reference to cookie identifiers, and that’s the key.

Article 4 states that any information relating to an identified or identifiable natural person is considered personal data. This definition covers:

  • cookie identifier
  • device ID
  • network’s IP address

What it means is that cookies containing identifiers can be classified as personal data. And here you start going down a bumpy road. The groundwork of the regulation is to protect users’ privacy and personal data, so if you want to place cookies on their computers you need to obtain consent.

Moreover, this rule refers to any other technical method that enables storing or accessing data on a user’s device.

If you want to learn more about personal data, we recommend reading our post:

But that’s not all. Such practices are legal only if you inform users what happens with the data and you give them the possibility to refuse. Unfortunately, that last part is often neglected by companies and consent from the user is forced.

Consequently, users can either agree to all cookies or leave the site, as otherwise they can’t access it.

It should be noted that forcing consent seriously conflicts with the guidelines provided by the Article 29 Working Party, where it’s clearly stated that consent should be freely given, specific, informed, and unambiguously indicated.

Here’s a quick guide on how to write proper consent copy.

The request should be:

  • concise
  • prominent
  • easy to understand
  • written in plain language
  • separate from other terms and conditions

Talking about consent, obtaining consent in the case of first-party cookies should be a rather straightforward task since it’s basically one-on-one communication. On the other hand, when third-party cookies are involved, things get a bit more complicated. You need to keep in mind the intricacy of data flows between different parties.

Employing technology for consents management

As we’ve already mentioned, you need users’ consent to process personal data. In many cases this applies to both first-party and third-party cookies. By obtaining consent, not only do you remain fully compliant with legal regulations, but you also show that you respect and protect your users’ right to privacy.

The decision to process personal data means taking a lot of responsibility, and the list of rules to follow is quite long.

It might seem like a complicated task but technology comes in really handy here. You just need to find the right vendor that helps you respect your visitors’ rights without interfering in your marketing strategies.

There are multiple tools on the market that can perform this job. They vary in functionalities, features, and UI. Under names like Cookie Consent Manager, GDPR Consent Manager, or Cookie Widget, you get software that handles your customers’ consents and passes this information to your analytics system.

It’s vital to find software that meets all the requirements of GDPR. For example, Piwik PRO Consent Manager is designed to help organizations collect and manage users’ consent for specific data processing purposes.

It also enables you to provide complete transparency to your users and customers. It’s not only a legal requirement but also good professional practice.

Users want – and have every right – to know why you’re collecting data, how you handle it, and what happens to it later on. You should also be able to provide users with some options by asking them what data they want to share. Now it’s your move.

Get reliable software that addresses these issues and meets your customers’ needs and expectations.

Final thoughts

Discussions of cookies in respect of a comprehensive privacy framework and data security need to be conducted in a broader context. Getting the bigger picture is a must. After all, responsible data collection and use should be a priority for all parties involved.

All things considered, the future is brighter for first-party cookies as they add value to the user experience, and they’re resistant to blocking, unlike their third-party counterparts.

We hope that this article has dispelled some doubts about cookies and their role in the online ecosystem. However, we realize that some issues may require further explanation. If you have questions, reach out to our team and we’ll be happy to help.