What Is The Difference Between 1st Party Cookies And 3rd Party Cookies?

Peter Schroeder
4 min readJan 23, 2020

--

Brought to you by The API Economy. APIs are complicated but essential. Find out how API-first companies are slowly building the infrastructure of the internet one API call at a time in this monthly newsletter.

Simply put, a cookies “party” is defined by its domain of creation. 1st party cookies are cookies stored directly from a visited website, 3rd party cookies are cookies stored from other (3rd-party) websites.

Brought to you by The API Economy. APIs are complicated but essential. Find out how API-first companies are slowly building the infrastructure of the internet one API call at a time in this monthly newsletter.

Cookies remember website configuration (e.g. language preferences), login details, and products added to the shopping cart, even after a user leaves the site, but because cookie files are widely used to collect certain pieces of information, they can also be used to carry out advertising processes like behavioral profiling and retargeting. Understanding the role of cookies in advertising technology is critical to getting a better hold on online advertising and privacy.

To be fair, third-party cookies aren’t any less cookies than first-party cookies. They’re both data files that web browsers save to a user’s computer in order to track their site preferences, login status, and information regarding active plugins. The difference between them boils down to what domain created the cookies in the first place.

A first-party cookie refers to a cookie created by the domain that a web user is visiting. When a user clicks on Amazon.com from a web browser, for example, that browser sends a web request in the first context, a process that entails a high level of trust that the user is directly interacting with Amazon.com. The web browser subsequently saves this data file to the user’s computer under the “amazon.com” domain.

Why are cookies important?

It helps the site to recognize you and your specific browser with its specific information that represent you once you return to the same site.

Now, what’s the difference between the 1st party ones and the 3rd part ones, and what defines the party of the cookies?

So the answer is whoever created the cookie.

A 1st party cookie refers to a cookie created by the domain that a web user is visiting has visited. For example, if I have visited Amazon and it wants to create a cookie which will store my preferences while visiting that site, it will be a 1st party cookie.

In a similar way, a 3rd part cookie is a cookie that’s created to store information for a domain which is not the principal domain name (the website in the address bar) that we currently visiting.

The future of cookies

Google recently announced its plans to phase out support for third-party cookies in Chrome within the next two years. The fact that Google will drop support for these cookies, which are typically used to track users across the web, doesn’t necessarily come as a surprise, given Google’s announcements around privacy in Chrome, including its proposed “privacy sandbox.” But this aggressive timeline is new and puts the company on a track that will have repercussions for a lot of other industries, as well.

Not to mention CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation)… So what do CCPA and GDPR say about cookies?

CCPA

The CCPA defines personal information to include a “unique identifier.” This means “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology… or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.” As a result, personal information collected by website cookies that identifies or could reasonably be linked to a particular consumer, family or device may be subject to the same disclosure notices and consumer rights, including the right to delete or opt-out of the sale of information to a third party, as other personal information collected through the website.

GDRP

The General Data Protection Regulation (GDPR) is the most comprehensive data protection legislation that has been passed by any governing body to this point. However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

What these two lines are stating is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.

Summary

1st party cookies are cookies stored directly from a visited website.

2nd party cookies are cookies transferred from one party to another.

3rd party cookies are cookies stored from other (3rd-party) websites.

--

--