The End of Third-Party Cookies: What to Expect for the Future of Tracking

What are third-party cookies?

A cookie is a small file stored on a website visitor’s device, used to recognize returning users. There are two main categories of cookies: first-party cookies and third-party cookies.

• First-party cookies match the domain name of the website you’re currently browsing. They are generally used to improve user experience, for example by remembering your username, personalization preferences, and the contents of your shopping cart.
• Third-party cookies are attached to a domain that is different from the one you might be browsing. They have many different uses, but the most notorious are cross-site tracking cookies. These cookies stitch together your activity across different websites, recording your browsing history, usually to serve you personalized advertisements.

Major online advertisers like Google and Facebook use both first-party and third-party cookies to serve targeted ads. First-party cookies allow them to track how you behave on their own properties. For example, Google can use the terms you’ve searched for in the past to serve you ads on its properties, and Facebook can use what you’ve “liked” to serve ads on its properties.

Both tech companies also use third party cookies, as they have huge networks of other websites that partner with them for advertising. Websites that are part of the Google Display Network or that use the Facebook Pixel will place a third-party cookie on your device that allows them to share information about you with Google orFacebook. Every time you visit a site that is part of the Display Network or that uses the Pixel, that site will update the cookie, and it may also serve ads based on the information that the cookie contains.

Why do websites use third-party cookies?

Third-party cookies are an easy way for websites to share information with each other. There are many reasons why a site might want to use third-party cookies, including:

• Analytics. Many websites work with data partners that help collect data and analyze their web traffic to keep their sites running smoothly.
• Payments. Most online retailers and e-commerce businesses outsource their payment processing to a trusted third party.
• Online advertising. Many websites work with advertising partner networks to display targeted advertising. Advertising networks rely on third-party cookies to share user behavior and target ads across their network, and to engage in retargeting.

Thanks to two important pieces of data privacy legislation—the European Union’s General Data Protection Regulation and the California Consumer Privacy Act—it’s now easier to see which sites use third-party cookies and how they use them. The first time you visit a new website you’ll often see a pop-up or banner that explains which types of cookies a site uses. You may even have the option to opt out of certain cookies.

Are third-party cookies a risk for data privacy?

Before cookies, the internet was anonymous. Third-party cookies allowed websites to enlist services to customize and improve user experience, but they also allowed for widespread information-sharing that wasn’t always reasonable or transparent. The technology that was first developed to keep items in your shopping cart is now used to follow your actions across the web, serving precision-targeted advertisements.

“Like many other things in modern life, cookies are used to deliver critical functionality,” says Sridhar Ramaswamy, cofounder of Neeva. But there is a trade-off: “Third-party cookies have been abused for information-gathering, and have led to a loss of privacy for all of us.”

Targeted advertisements in particular can make you feel like advertisers know way too much about you, and can sometimes inadvertently disclose sensitive information—such as when you’re sharing your screen during a presentation and a medical ad pops up. Widespread data breaches have also made users feel wary of third-party cookies, although cookies, which store information on your own device—not websites’ servers—are rarely responsible.

In response to advertisers’ exploitation of cookies, consumers, legislators, and privacy-first companies have worked to limit tracking, with “do not track” signals, blocking of tracking cookies, and more. But instead of limiting tracking, the ad tech industry has decided to find new ways to further monitor our online behavior.

Although third-party tracking cookies do present a data privacy risk, they may be safer than other kinds of tracking technology used for advertising. Cookies store information on your own device, so you can delete it at any time. It’s also fairly easy to block cookies used for tracking purposes, and some web browsers (Safari and Firefox) do this automatically.

What is happening with third-party cookies?

When cookies were first invented in the mid-’90s, they were a developers’ secret, invisible to users but extremely useful to websites, especially websites that served ads. As tracking became more rampant, privacy concerns spurred changes in the way that third-party cookies can be used.

• In 2002, the European Union Privacy and Electronic Communications Directive was the first major privacy law that required that users be able to refuse cookies.
• In 2009, Google began serving ads based on users’ browsing history, rather than just the keywords associated with a website. To serve more precisely targeted ads, Google used cookies, which logged information every time a user visited one of the hundreds of thousands of websites in its AdSense network (now called the Google Display Network). Although Google was not the first to use this technique, its status as the biggest online advertiser had far-reaching consequences, paving the way for retargeting on a large scale.
• In 2010, Facebook introduced a plugin that would allow developers to add a “like” button to their websites. Whenever a user visited a page with a “like” button, that information would be transmitted to Facebook to be potentially used for targeted advertising. In 2015, Facebook rebranded this technology as its Pixel, which is still used by millions of sites across the web.
• In 2017, The use of ad blockers, some of which also block tracking cookies, increased by 30% worldwide. Apple began blocking third-party tracking cookies on its browser, Safari.
• In 2018, the European Union General Data Protection Regulation (GDPR), which requires advertisers to get users’ consent to place third-party cookies, went into effect. The GDPR applies to any company that collects personal information about people who live in the European Union, regardless of where the company is based. (When you visit a website and see a pop-up announcing “this site uses cookies,” you’re seeing the effects of GDPR.)
• In 2019, Mozilla announced that it would block third-party tracking cookies on its browser, Firefox. Google announced its Privacy Sandbox initiative, which includes phasing out third-party cookie support on the Chrome browser by 2023.
• In 2020, The California Consumer Privacy Act (CCPA) became effective. It required certain websites to disclose how they collect user data, including what types of cookies they use.

These government regulations and industry improvements have allowed consumers greater control over how third-party cookies are used. Unfortunately, as users have asserted their privacy rights, the digital advertising industry has developed even sneakier tracking methods.

What are the consequences of phasing out third-party cookies?

Although getting rid of third-party cookies altogether might seem like a win for digital privacy, there are some drawbacks:

Consolidation of power. With the spotlight on third-party cookies, most browsers and sites continue to support the use of first-party cookies, meaning that the website you’re on can continue to collect your information. This seems reasonable (and necessary), but it means that we’re not really protected from the largest and most powerful technology companies, like Google, Apple, and Facebook, who can continue to collect large amounts of first-party data through first-party cookies (and other means). For example, the personal data involved in the Facebook Cambridge Analytica scandal came directly from users’ Facebook profiles, not third-party cookies.

New tracking technology. As third-party cookies become more blocked and regulated, advertisers and tech companies are looking into new technology such as:

• Digital fingerprinting, which identifies users via information about their device, such as screen resolution, model, and operating system, and then uses this information to track them around the internet. Unlike cookies, this information is invisible. It’s stored on the trackers’ servers, not users’ devices, and much harder for users to change or delete than cookies. Fingerprinting may also be used to track users browsing the internet in private or Incognito modes. In 2019, about 3.5% of the most popular websites used digital fingerprinting for tracking purposes. Apple's iOS and Safari and Mozilla Firefox all provide some level of built-in fingerprinting protection.
• Federated Learning of Cohorts (FLoC), a technique Google is experimenting with that analyzes users’ recent browsing history to create “cohorts” with similar interests, with the purpose of serving relevant ads. Users FLoC IDs are stored on their web browsers and may be shared with any site that opts in, raising concerns that FLoc would actually increase tracking. You can use this website to find out if you are one of the 0.5% of Google Chrome users affected by Google’s trial.

The best way to protect your privacy online is to use products that do not collect and sell your data. Neeva is the world’s first private, ad-free search engine, committed to showing you the best results for every search. We will never share your data with anyone, especially advertisers. Try Neeva for yourself, at neeva.com.