Data protection: Third-party cookies vs. first-party cookies

Google Chrome, the world’s most-used browser, will be ending third-party cookies in the year 2023. While the data privacy movement is cheering, marketing teams the world over are rattled. To keep you up to date, this three-part series will illuminate the following aspects of this contentious issue:

  1. Third-party cookies vs. first-party cookies and how they relate to data protection
  2. Third-party cookie alternatives for the marketing world (cookieless tracking)
  3. Examples of innovative marketing concepts that better support data protection

The most important facts in brief

  • Third party cookies are one of the most important technologies for digital advertising. They allow better and better personalisation of advertising.
  • However, many internet browsers have disabled third party cookies - now Google Chrome is following suit.
  • Cookies can basically be divided into three types: technically necessary cookies, performance cookies and functional cookies.
  • In contrast to third party cookies, first party cookies are hosted by a website provider itself. We look at each of these and how they relate to consent managegement and consent management platforms.
  • A guide: How to turn off third party cookies in Google Chrome

In this article

What are cookies – An overview

Even established companies that don’t place any particular emphasis on ads invest at least five per cent of revenue in marketing in keeping with the “5% rule”. Booming tech companies tend to invest closer to 20% or more. Tech giant Salesforce is even reported to directly reinvest 46% of its revenue in marketing. And according to the Gartner CMO Spend Survey 2020–2021, CMOs spend an average of 13.5% of the marketing budget on digital and PPC advertising.

A foundational technology of digital advertising are cookies – specifically, third-party cookies.

Third-party cookies allow advertisers to track users across various sites to create user-specific interest profiles. This lets advertisers gear ads toward a user’s personal preferences.

But cookies have long been a thorn in the side of campaigners for privacy rights. The growing awareness of privacy issues among the general public has already prompted

Firefox and Safari to block third-party cookies. Now Google Chrome is following suit.

By way of background: What are strictly necessary cookies, performance cookies, and functionality cookies?

It’s worth taking a closer look at the different cookie 'flavours'. In a nutshell, cookies are a simple technology that permit online user activity to be tracked – Often with a focus on marketing outcomes rather than data protection.

First, there are strictly necessary cookies that are essential to browse a given website. The textbook example are the cookies a web shop uses to save the contents of your shopping basket. Once you’ve placed an item in the basket, the cookies ensure your basket item isn’t forgotten as you navigate to a new page, either to continue shopping or to check out.

Just as with strictly necessary cookies, without which today’s websites simply wouldn’t work, there is little fault to be found with performance cookies. They track a website’s load times and other performance indicators to provide the owner of the website with important information on user friendliness.

Finally, functionality cookies improve the user experience, but would not be strictly necessary to browse a given page. Their uses include helping to embed video and other media content as well as enabling the use of special fonts.

banner5

How do first-party cookies work differently from third-party cookies?

Cookies are small files (usually JavaScript) that websites store on your device while surfing the web in your browser. First-party cookies are hosted directly by the page you’re visiting; they run on the website operator’s own server. On the other hand, third-party cookies are stored by another provider – our examples below make it easier to understand.

First-party cookies: An example

When you visit the DataGuard homepage and consent to cookie tracking via the pop-up cookie banner at the bottom of the page, we will “remember” that you’ve already been here the next time you visit our site. This makes it easier for us to make your experience on our homepage a pleasant one. For example, if you download our whitepaper on the six biggest privacy mistakes that almost every company makes, the next time you visit the site, you won’t see a pop-up about it. Instead, our site will recommend other content you might be interested in. But if a user clears their cookie cache, the banner will re-appear and will need consent again.

The online retailers like Zalando do this really well. If Zalando “knows” that you were browsing white ball gowns the last time you were on their site, the next time you’re there shopping for clothes, you’re likely to see similar items in a similar price category – in fact, you may even see related products such as veils and white shoes.

What have we learned? First-party cookies let website operators recognize users and remember their preferences.

Third-party cookies: An example

Stored by a party other than the website operator, third-party cookies typically serve the purpose of tracking a user’s online behaviour across multiple websites. To work, some form of service offered by the respective third-party in question must be active on the website.

Third-party cookies are usually associated with advertisements. Google Ads is one of the largest online advertising platforms. Millions of companies use the Google service to place ads on websites that allow Google Ads. And every website that uses Google Ads collects data for Google on its visitors and learns their topics of interest as well as what type of ads have prompted a response in the past. By the way, Google Ads is not the only service that works this way. Other smaller advertising platforms and agencies also place these types of ads. Some companies even form their own advertising platform.

Modern advertising platforms allow companies to make granular decisions about who to target with their ads. This all (still) works thanks to third-party cookies.

What have we learned? Third-party cookies allow parties other than the website operator to track user behaviour across a multitude of sites. The data gathered is typically used to place targeted ads.

  First-party cookies Third-party cookies

Who is tracking?

Website users are tracked by the website they are currently visiting (not only for marketing purposes, but also to ensure user friendliness and smooth surfing)

Website users are tracked by a website other than the one they are currently visiting

Who hosts the cookies?

The website operator

A third party, e.g., advertising platforms, agencies, other companies whose services are used on the website (e.g., live chat service providers)

Example of strictly necessary cookies

  • Session cookies (Shopping basket, language settings, etc.)
  • Flash cookies
  • Consent management tool cookie (remembers opt-in setting using cookie banner)

 

  • Payment service provider cookies possible

Example of non-essential cookies

  • Tracking and analysis cookies
  • Retargeting / Remarketing cookies

  • Social media plug-in cookies

  • Live chat cookies

  • Typically affiliate tracking cookies

Do this to deactivate third-party cookie tracking in Google Chrome now:

  • In the Chrome menu bar at the top, click on the three-dot button to enter the “Settings” menu

 

Picture3-1

  • Click on "Privacy and security" in the menu on the left
  • Select “Cookies and other site data”

    Picture1-1

 

  • Now select “Block third-party cookies”

Picture2-1

Third-party cookies: Legality and privacy concerns

Strictly speaking, third-party cookies do not violate the law, as long as the user is properly informed of their use and gives their consent; however, no Cookies should be dropped until an affirmative action is taken. The best way to do this is by implementing Zero Cookie Load, which prevents trackers from being put onto a user’s browser, until consent is provided. Modern websites achieve this by means of a cookie banner and a privacy statement. Experts believe the EU’s privacy Regulation will impose further requirements once it is published.

Despite these pending increased restrictions, third-party cookies are a source of great annoyance to data privacy experts as well as tech-savvy web surfers.

At the risk of stating the obvious, privacy concerns arise from the great amount of data that cookies collect and the extensive user profiles they are used to create. As a means of collecting data, cookies have a serious anonymity deficit, since they track user behaviour across multiple sites and share this information with third parties.

It is precisely these privacy concerns that Google cites as the primary reason behind its decision to end the use of third-party cookies in Chrome:

“Users are demanding greater privacy – including transparency, choice and control over how their data is used – and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”

Despite this concession, you don’t hear a chorus of praise from privacy advocates. Why is that exactly? Even without third-party cookies, tracking online user behaviour will still be possible. Not on the level of individual users, but in so-called cohorts. Besides, some have also expressed scepticism as to whether Google’s decision to end third-party cookies is really in the interest of privacy first. Many (smaller) competitors may no longer be able to offer their services once third-party cookies are deactivated. Google on the other hand, experts warn, can work on alternatives for advertisers in the interim, and secure a monopoly in the web advertising industry.

2023 may seem a long way away but it’s worth thinking now about what you can do once third-party cookies disappear. Watch out for the next article : Alternatives to third-party cookies and how companies can prepare for the coming changes today.

Sign up to our newsletter – Get practical tips and invitations to webinars and online Q&A sessions

Subscribe now

 

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk