What Makes a Cookie First-Party or Third-Party?
The distinction is not about the cookie itself. A first-party cookie and a third-party cookie are technically identical: both are small pieces of text stored in a visitor's browser, typically via the Set-Cookie HTTP response header. The difference lies entirely in context.
A first-party cookie is set by the domain the visitor is currently browsing. If someone visits example.com, any cookie set by example.com is first-party. Common examples include session identifiers like PHPSESSID, language preferences such as pll_language, and authentication tokens that keep users logged in.
A third-party cookie is set by a domain other than the one in the address bar. When example.com loads a Facebook pixel, the _fbp cookie set by facebook.com is third-party. The same applies to Google Analytics cookies like _ga when loaded through a third-party context, advertising network trackers, and embedded social media widgets.
This context-based classification means the same cookie can be first-party on one site and third-party on another.
Why Third-Party Cookies Exist
Third-party cookies were originally designed for cross-site functionality: loading images from CDNs, embedding videos, and handling federated logins. Over time, advertising networks discovered they could use third-party cookies to track users across millions of websites, building detailed browsing profiles without users realising it.
A single advertising cookie like IDE from doubleclick.net can follow a visitor from a news site to a shopping site to a travel blog, stitching together a behavioural profile used for targeted advertising. This capability made third-party cookies the backbone of programmatic advertising for two decades.
That era is ending.
How Browsers Restrict Third-Party Cookies
Safari was the first major browser to take action. Apple introduced Intelligent Tracking Prevention (ITP) in 2017, and Safari now blocks all third-party cookies by default. ITP also caps first-party cookies set via JavaScript to seven days and purges all site data for domains a user has not visited in 30 days. Safari 26, released in September 2025, added Advanced Fingerprinting Protection as a further measure against tracking.
Firefox followed a similar path, enabling Enhanced Tracking Protection by default since 2019. It blocks known tracking cookies from third-party domains while allowing functional third-party cookies like those used by payment processors.
Chrome took a different route. After years of promising to deprecate third-party cookies, Google reversed course in April 2025, announcing it would not add a separate opt-out prompt and would leave cookie controls inside Chrome's existing privacy settings. In October 2025, Google also scaled back its Privacy Sandbox initiative, retiring most of its APIs while keeping a small set of features including CHIPS (Cookies Having Independent Partitioned State) and Federated Credential Management.
| Browser | Third-Party Cookie Policy | First-Party Cookie Limits |
|---|---|---|
| Safari (ITP) | Blocked by default since 2020 | JS-set cookies capped at 7 days |
| Firefox (ETP) | Known trackers blocked by default | No blanket cap |
| Chrome | Allowed; user can disable in settings | No cap |
| Brave | Blocked by default | No blanket cap |
| Edge | Balanced mode blocks known trackers | No blanket cap |
The practical result: roughly 30-40% of web traffic already operates without third-party cookies, depending on your audience's browser mix.
The SameSite Attribute and Partitioned Cookies
The SameSite cookie attribute gives developers a mechanism to control cross-site cookie behaviour. Since 2020, Chrome has treated cookies that do not declare a SameSite value as SameSite=Lax, meaning they are not sent in most cross-site requests unless the developer explicitly sets SameSite=None; Secure.
Google's CHIPS proposal goes further. It allows third-party cookies to exist but partitions them per top-level site. A payment processor's cookie set on shop-a.com would be invisible when the same processor runs on shop-b.com. This preserves functionality while blocking cross-site tracking.
For developers, this means reviewing every cookie your site relies on and understanding whether it needs cross-site access or can operate within a partitioned context.
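As an added example (not code from this page or from any browser vendor), the Node.js sketch below audits Set-Cookie headers in context: it labels a cookie first-party or third-party by comparing the page's site with the responding host, applies the SameSite=Lax default, and models CHIPS partitioning per top-level site. The hosts pay.example and checkout.pay.example, the cookie name sid, and the two-label "site" shortcut are assumptions made for illustration.

```javascript
// Added example. Assumption: a "site" is the last two host labels; browsers use the
// Public Suffix List instead, so this shortcut is wrong for suffixes such as co.uk.
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit a cookie set by responseHost while the address bar shows pageHost.
function auditCookie(pageHost, responseHost, header) {
  const { name, attrs } = parseSetCookie(header);
  const party = site(pageHost) === site(responseHost) ? 'first-party' : 'third-party';
  const sameSite = String(attrs.samesite || 'Lax').toLowerCase(); // Chrome default
  const partitioned = attrs.partitioned === true;
  const findings = [];
  if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None needs Secure');
  if (partitioned && !attrs.secure) findings.push('Partitioned needs Secure');
  if (party === 'third-party' && sameSite !== 'none')
    findings.push('not sent on cross-site subrequests');
  if (party === 'third-party' && sameSite === 'none' && !partitioned)
    findings.push('unpartitioned: blocked where third-party cookies are blocked');
  // CHIPS model: a partitioned cookie's jar is keyed by the top-level site as well.
  const jar = partitioned && party === 'third-party'
    ? `${site(responseHost)}@${site(pageHost)}` : site(responseHost);
  return { name, party, sameSite, partitioned, jar, findings };
}

// Constructed sample: pay.example is a hypothetical payment processor.
const PLAIN = 'sid=abc123; Path=/; Secure; HttpOnly';
const CHIPS = 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned';
for (const page of ['www.pay.example', 'shop-a.com', 'shop-b.com'])
  for (const header of [PLAIN, CHIPS])
    console.log(page, JSON.stringify(auditCookie(page, 'checkout.pay.example', header)));
```

The same header is reported as first-party on the processor's own site and third-party on the shops, and the partitioned variant lands in a different jar for shop-a.com and shop-b.com.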
Legal Treatment: Both Types Need Scrutiny
Article 5(3) of the ePrivacy Directive does not distinguish between first-party and third-party cookies. Any storage of information on a user's device requires consent unless the cookie is strictly necessary for the service the user requested. A first-party analytics cookie like _ga still requires valid consent under EU law, just as a third-party advertising pixel does.
The GDPR adds a second layer. If a cookie processes personal data, you need a lawful basis under Article 6. For non-essential cookies, legitimate interest is no longer considered sufficient by most Data Protection Authorities. The CNIL, ICO, and Irish DPC have all made clear that analytics and marketing cookies require opt-in consent.
Under the CCPA/CPRA, third-party cookies used for cross-context behavioural advertising may constitute a "sale" or "sharing" of personal information, triggering opt-out requirements. First-party cookies used solely for your own analytics generally fall outside this definition.
Practical Impact on Your Website
The shift away from third-party cookies forces a rethinking of how your website collects data. Tools that rely on third-party cookies for attribution, remarketing, and audience building are losing signal on Safari and Firefox visitors today.
Server-side tagging converts what would be third-party cookies into first-party ones by proxying tracking requests through your own domain. Google Tag Manager's server-side container, for example, can set the _ga cookie as a genuine first-party cookie from your domain rather than through a JavaScript snippet that Safari's ITP may restrict.
Google's Consent Mode v2 uses modelling to estimate conversions when users decline cookies. This helps fill data gaps but relies on having enough consented data to build accurate models.
First-party data strategies - email lists, logged-in user behaviour, CRM data - become more valuable as third-party signals degrade. The websites that invest in direct relationships with their visitors will have the most reliable data.
What This Means for Cookie Consent
Your cookie banner must account for both cookie types. Visitors need clear information about which cookies are first-party and which are third-party, what each category does, and who receives the data.
Proper cookie categorisation is the foundation. Group cookies by purpose (strictly necessary, functional, analytics, marketing) and clearly identify which involve third-party data sharing. A cookie audit using an automated scanner can reveal third-party cookies you may not even know your site sets, particularly from embedded widgets, fonts, and social media buttons.
The European Commission's Digital Omnibus proposal, published in November 2025, acknowledges that the current cookie consent framework has led to widespread consent fatigue. Future changes may simplify requirements, potentially allowing browser-level consent signals to replace individual website banners. Until then, per-site consent remains the legal requirement across the EU.
Frequently Asked Questions
Do first-party cookies need consent under GDPR?
Yes, if they are not strictly necessary. Article 5(3) of the ePrivacy Directive requires consent for all non-essential cookies regardless of whether they are first-party or third-party. A first-party analytics cookie needs the same consent as a third-party advertising cookie.
Does Safari block all third-party cookies?
Safari's Intelligent Tracking Prevention blocks all third-party cookies by default. It also limits first-party cookies set via JavaScript to a maximum lifespan of seven days and purges all storage for domains not visited within 30 days.
Will Chrome ever remove third-party cookies?
As of early 2026, Google has abandoned plans to deprecate third-party cookies in Chrome. Instead, users can manually disable them in Chrome's privacy settings. Google has also scaled back its Privacy Sandbox initiative, keeping only a few features like CHIPS and Federated Credential Management.
What is the SameSite cookie attribute?
The SameSite attribute controls whether a cookie is sent with cross-site requests. The default value Lax prevents cookies from being sent in most cross-site contexts. Developers must explicitly set SameSite=None; Secure to allow cross-site cookie transmission.
Can server-side tagging convert third-party cookies to first-party?
Yes. Server-side tagging proxies tracking requests through your own domain, allowing cookies to be set as first-party. This avoids many browser restrictions on third-party cookies, though consent is still required for non-essential tracking.
Are third-party cookies considered a sale of data under CCPA?
Third-party cookies used for cross-context behavioural advertising can constitute a "sale" or "sharing" of personal information under the CCPA/CPRA. This triggers opt-out requirements, including support for Global Privacy Control signals.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether they are first-party or third-party, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.