What’s a third-party cookie?


You might imagine that after seven years in the web analytics industry I would have worked out what a third-party cookie was. But it turns out that my thinking on this is fuzzy (like so much in my life), or at least incomplete. Let me explain.

When asked what a third-party cookie is, most people will say something along the lines of the Wikipedia definition:

“Images or other objects contained in a Web page may reside in servers different from the one holding the page. In order to show such a page, the browser downloads all these objects, possibly receiving cookies. These cookies are called third-party cookies if the server sending them is located outside the domain of the Web page.”

So far, so good. But there’s an edge case, of interest to a small number of relatively influential companies (that is, Microsoft, Google, Yahoo! and a few others) which raises a question mark over this definition. This is the case where the cookie in question was originally set as a first-party cookie (e.g. from google.com), but is subsequently read in a ‘third-party’ context.

This would happen because the owner of the cookie might be using it as a key to behavior or profile data, and might form a partnership with a third-party site, for example to serve advertising on it. The owner might then want to read the cookie of a user visiting that third-party site in order to serve him or her targeted ads (or even do more ‘benign’ things like frequency capping).

So at this point, is the cookie in question a third-party cookie? The language in the Wikipedia entry would seem to indicate not. But if not, what sort of cookie is it? A couple of other definitions seem to corroborate the Wikipedia definition:

“Third-party cookies are created by a Web site other than the one you are currently visiting; for example, by a third-party advertiser on that site” – Computing Dictionary

“Third-party cookies come from other websites’ advertisements (such as pop-up or banner ads) on the website that you’re viewing. Websites might use these cookies to track your web use for marketing purposes” – Internet Explorer 7 help

But then a widely-quoted definition from, ahem, us, takes a different tack:

“A third-party cookie either originates on or is sent to a Web site different from the one you are currently viewing” – Microsoft Windows XP Product Documentation
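The gap between the two families of definitions can be made concrete. The following is an added example, not part of the original post: it labels each cookie under the "created elsewhere" reading (Wikipedia, Computing Dictionary, IE7 help) and under the "originates on or is sent to" reading (Windows XP documentation). The hostnames, cookie names, event format and the two-label `site()` shortcut are assumptions made for illustration.

```javascript
// Added illustration. Hostnames, cookie names and events are constructed sample data.
// Assumption: a "site" is the last two hostname labels; browsers use the Public Suffix List.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// events: { topLevel, requestHost, cookie, action } where action is 'set' or 'sent'.
// topLevel is the page the user is viewing; requestHost is where the request went.
function classify(events) {
  const seen = new Map();
  for (const { topLevel, requestHost, cookie, action } of events) {
    const key = `${cookie}@${site(requestHost)}`;
    const crossSite = site(topLevel) !== site(requestHost);
    const c = seen.get(key) || { setCrossSite: false, sentCrossSite: false };
    if (crossSite && action === 'set') c.setCrossSite = true;
    if (crossSite && action === 'sent') c.sentCrossSite = true;
    seen.set(key, c);
  }
  const result = {};
  for (const [key, c] of seen) {
    result[key] = {
      // Only the context in which the cookie was created counts.
      createdElsewhere: c.setCrossSite ? 'third-party' : 'first-party',
      // Creation or later transmission in a cross-site context counts.
      createdOrSentElsewhere: c.setCrossSite || c.sentCrossSite ? 'third-party' : 'first-party',
    };
  }
  return result;
}

const SAMPLE_EVENTS = [
  // The edge case: set while visiting the owner's site, later sent from a partner page.
  { topLevel: 'www.google.com', requestHost: 'www.google.com', cookie: 'ID', action: 'set' },
  { topLevel: 'news.example', requestHost: 'ads.google.com', cookie: 'ID', action: 'sent' },
  // The classic case: an embedded object on another site sets the cookie.
  { topLevel: 'news.example', requestHost: 'tracker.adnetwork.example', cookie: 'uid', action: 'set' },
  // Plain first-party use.
  { topLevel: 'shop.example', requestHost: 'shop.example', cookie: 'session', action: 'set' },
  { topLevel: 'shop.example', requestHost: 'shop.example', cookie: 'session', action: 'sent' },
];

console.log(classify(SAMPLE_EVENTS));
```

Only the first cookie is labelled differently by the two readings, which is exactly the edge case in question.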

Now you might think this is just so much cookie-related navel-gazing. But the NAI is currently in the process of putting together some ‘best practice’ guidelines for the use of cookies, and the definition of first-party vs. third-party cookies makes a big difference to the obligations imposed upon signatories to the guidelines.

The edge-case only really applies to companies who can build up a significant base of first-party cookie relationships with users and who are then in a position to leverage this base with third-parties – hence the list of big sites mentioned earlier. But I think it raises an interesting question about portability of identity – is it better for users to have their Google/MSN/Yahoo IDs re-used on third-party sites for profiling, or for entirely unknown third-party networks (say, Atlas or DoubleClick) to be aggregating this data? At least with the former case the user has heard of the organization in question. What do you think?

2 thoughts on “What’s a third-party cookie?”

  1. Great, great post. You hit the nail right on the head with the cookie scenario you have described. These cookies are closer to 3rd party than 1st party, but you can be very sure that these will not be treated as such by modern browsers because the business plans of Google, Yahoo! and MSN depend on exploiting this loophole.
    The issue is not so much tracking users across domains. The issue is to be able to do ROI tracking for PPC networks. The ability to measure and track advertising ROI is a huge reason for the popularity of PPC networks.
    When you click on an Adwords ad you are being sent to googleadservices.com, which sets a cookie, before being sent to the actual landing page on say domain.com. Imagine that domain.com is an e-commerce site; on the sale confirmation or “thank you” page is where you put the Adwords conversion tracking script, so that you can get ROI data in your Adwords account. However, the confirmation page is on domain.com and the cookie was set by googleadservices.com, so how can this work if 3rd party cookies are disabled? Well, it’s simply because the conversion tracking script is called remotely on googleadservices.com, e.g. script src=googleadservices.com… The cookie gets sent in the header! Surely this is a loophole and goes against the definition of what 1st and 3rd party cookies are supposed to be. But if they were seen as 3rd party by the browser, ROI tracking would be so unreliable as to be useless.
    Imagine Microsoft having a PPC platform and not being able to reliably track ROI because IE blocks those cookies…Quite unlikely.

  2. Just to clarify Micheal’s comment – Adwords Conversion Tracker is indeed a 3rd party cookie tracking device that will not work if 3rd party cookies are blocked by a visitor’s browser/firewall.
    The alternative is to switch to Google Analytics which is a 1st party cookie technique – as defined by the technical definition of what a 1st party cookie is:
    The script setting the cookie(s) is on the same domain that the cookie is set – my definition.
    I agree with you Ian that when moving away from the technical description of cookies (the one that defines if a browser accepts or rejects a cookie), the description gets blurred, i.e. the page tag script calls a 1st party cookie but the script itself is a 3rd party script provided by your analytics vendor.
    The solution for all web site owners is to be transparent about the information you are collecting from visitors in an easy-to-read privacy statement that can be clearly found on all of your web site pages. In fact this is a legal obligation for all web sites operating in the European Union.
