You might imagine that after seven years in the web analytics industry I would have worked out what a third-party cookie was. But it turns out that my thinking on this is fuzzy (like so much in my life), or at least incomplete. Let me explain.
When asked what a third-party cookie is, most people will say something along the lines of the Wikipedia definition:
“Images or other objects contained in a Web page may reside in servers different from the one holding the page. In order to show such a page, the browser downloads all these objects, possibly receiving cookies. These cookies are called third-party cookies if the server sending them is located outside the domain of the Web page.”
So far, so good. But there’s an edge case, of interest to a small number of relatively influential companies (that is, Microsoft, Google, Yahoo! and a few others) which raises a question mark over this definition. This is the case where the cookie in question was originally set as a first-party cookie (e.g. from google.com), but is subsequently read in a ‘third-party’ context.
The reason that this would happen is that the owner of the cookie might be using that cookie as a key to behavior or profile data; and they might make a partnership with a third-party site, for example to serve advertising into. They might want to read the cookie of a user visiting that third-party site in order to serve him or her targeted ads (or even do more ‘benign’ things like frequency capping).
So at this point, is the cookie in question a third-party cookie? The language in the Wikipedia entry would seem to indicate not. But if not, what sort of cookie is it? A couple of other definitions seem to corroborate the Wikipedia definition:
“Third-party cookies are created by a Web site other than the one you are currently visiting; for example, by a third-party advertiser on that site” – Computing Dictionary
“Third-party cookies come from other websites’ advertisements (such as pop-up or banner ads) on the website that you’re viewing. Websites might use these cookies to track your web use for marketing purposes” – Internet Explorer 7 help
But then a widely-quoted definition from, ahem, us, takes a different tack:
“A third-party cookie either originates on or is sent to a Web site different from the one you are currently viewing” – Microsoft Windows XP Product Documentation
The edge-case only really applies to companies who can build up a significant base of first-party cookie relationships with users and who are then in a position to leverage this base with third-parties – hence the list of big sites mentioned earlier. But I think it raises an interesting question about portability of identity – is it better for users to have their Google/MSN/Yahoo IDs re-used on third-party sites for profiling, or for entirely unknown third-party networks (say, Atlas or DoubleClick) to be aggregating this data? At least with the former case the user has heard of the organization in question. What do you think?