What's a third-party cookie?
You might imagine that after seven years in the web analytics industry I would have worked out what a third-party cookie was. But it turns out that my thinking on this is fuzzy (like so much in my life), or at least incomplete. Let me explain.
When asked what a third-party cookie is, most people will say something along the lines of the Wikipedia definition:
“Images or other objects contained in a Web page may reside in servers different from the one holding the page. In order to show such a page, the browser downloads all these objects, possibly receiving cookies. These cookies are called third-party cookies if the server sending them is located outside the domain of the Web page.”
So far, so good. But there's an edge case, of interest to a small number of relatively influential companies (that is, Microsoft, Google, Yahoo! and a few others), which raises a question mark over this definition. This is the case where the cookie in question was originally set as a first-party cookie (e.g. from google.com), but is subsequently read in a 'third-party' context.
This would happen because the owner of the cookie might be using that cookie as a key to behavior or profile data, and might form a partnership with a third-party site, for example to serve advertising onto it. The owner might then want to read the cookie of a user visiting that third-party site in order to serve him or her targeted ads (or even do more 'benign' things like frequency capping).
So at this point, is the cookie in question a third-party cookie? The language in the Wikipedia entry would seem to indicate not. But if not, what sort of cookie is it? A couple of other definitions seem to corroborate the Wikipedia definition:
"Third-party cookies are created by a Web site other than the one you are currently visiting; for example, by a third-party advertiser on that site" - Computing Dictionary
"Third-party cookies come from other websites' advertisements (such as pop-up or banner ads) on the website that you're viewing. Websites might use these cookies to track your web use for marketing purposes" - Internet Explorer 7 help
But then a widely-quoted definition from, ahem, us, takes a different tack:
"A third-party cookie either originates on or is sent to a Web site different from the one you are currently viewing" - Microsoft Windows XP Product Documentation
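To make the difference concrete, here is an added example (not from any of the quoted sources) that models a toy cookie jar and labels each cookie send under both readings: the origin-only reading of the Wikipedia text and the "originates on or is sent to" reading of the Windows XP documentation. The host names, the `CookieJar` class and the two-label `site()` shortcut are assumptions made for illustration; real browsers use the Public Suffix List and per-cookie Domain rules.

```javascript
// Assumption: a "site" is the last two host labels, and every cookie is
// scoped to its whole site (as if set with a Domain attribute).
const site = (host) => host.split(".").slice(-2).join(".");

class CookieJar {
  constructor() { this.cookies = new Map(); } // cookie site -> { name, setInThirdParty }

  // A response from `serverHost` sets a cookie while the user views `pageHost`.
  set(pageHost, serverHost, name) {
    const key = site(serverHost);
    this.cookies.set(key, { name, setInThirdParty: key !== site(pageHost) });
  }

  // A request goes to `serverHost` while the user views `pageHost`.
  // Returns null when no cookie would be attached.
  classifySend(pageHost, serverHost) {
    const cookie = this.cookies.get(site(serverHost));
    if (!cookie) return null;
    const sentInThirdParty = site(serverHost) !== site(pageHost);
    return {
      name: cookie.name,
      // Origin-only reading: only the context in which the cookie was set counts.
      byOrigin: cookie.setInThirdParty ? "third-party" : "first-party",
      // "Originates on or is sent to" reading: a cross-site send also counts.
      byOriginOrSend:
        cookie.setInThirdParty || sentInThirdParty ? "third-party" : "first-party",
    };
  }
}

// Constructed scenario; every host below is a placeholder.
function demo() {
  const jar = new CookieJar();
  jar.set("www.portal.example", "www.portal.example", "uid"); // direct visit to the portal
  jar.set("news.example", "ads.network.example", "trk");      // ad network embedded in a page
  return {
    portalAtHome: jar.classifySend("mail.portal.example", "www.portal.example"),
    portalOnPartner: jar.classifySend("news.example", "ads.portal.example"), // the edge case
    networkOnPartner: jar.classifySend("shop.example", "ads.network.example"),
  };
}

console.log(demo());
```

Only `portalOnPartner` gets different labels under the two readings, which is exactly the edge case in question.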
Now you might think this is just so much cookie-related navel-gazing. But the NAI is currently in the process of putting together some 'best practice' guidelines for the use of cookies, and the definition of first-party vs. third-party cookies makes a big difference to the obligations imposed upon signatories to the guidelines.
The edge case only really applies to companies who can build up a significant base of first-party cookie relationships with users and who are then in a position to leverage this base with third parties - hence the list of big sites mentioned earlier. But I think it raises an interesting question about portability of identity - is it better for users to have their Google/MSN/Yahoo IDs re-used on third-party sites for profiling, or for entirely unknown third-party networks (say, Atlas or DoubleClick) to be aggregating this data? At least with the former case the user has heard of the organization in question. What do you think?