Resources Home

What’s 3rd Party Cookie, and how is it used to track users?

Last updated February 16, 2017

Previously, we covered what cookies are. Although we didn’t say so explicitly, we talked exclusively about 1st party cookies. In this article, we will cover 3rd party cookies: what they are and their primary use case: online advertising.

Who is the “3rd Party”, anyway?

3rd party cookies are like any other cookies: a piece of text stored by your browser per domain. The only distinction between 3rd party cookies and 1st party cookies is which domain the cookie is set by. Suppose you open your browser and visit www.cnn.com. Then, the cookies set on

  1. www.cnn.com is the 1st party cookie.
  2. The cookies set on any other domain is the 3rd party cookie.

The critical thing to realize is that whether a cookie is 1st party or 3rd party depends on which domain you are visiting. If the cookie is associated with the domain you are visiting, it’s the 1st party cookie. Otherwise, it’s a 3rd party cookie.

Pretty simple, right?

How 3rd party cookies are set: step-by-step

So, how does the 3rd party cookie get set? It’s just like the 1st party cookies: either by the server or by the browser via JavaScript. The only difference is that on the client side, JavaScript only has access to the cookies associated with its own domain. To work around this limitation, you create an iframe (inline frame) for the 3rd party domain and set the cookie within that iframe.

Seeing is believing, so here’s the example where the 3rd party cookie for bob.com is set when you visit alice.com.

ow 3rd party cookies work

The key observation is that alice.com must make the browser request resources from bob.com: Otherwise, bob.com has no opportunity to send a response that tells the browser to set a (3rd party) cookie for its domain. A popular way to do this is via “pixels”: an <img> HTML tag that requests resources from the 3rd party domain (in this case bob.com). They were called pixels because the response is typically an invisible 1px-by-1px image (= pixel) used to read and set cookies and track users across domains: across alice.com and charlie.com, for example.

Why does a 3rd party domain want to set cookies for me?

The most common use case for 3rd party cookies is tracking users across domains, especially by advertisers. The 1st party cookie is useful in identifying and tracking users on a single domain. However, there’s times you want to track users across multiple domains

 

  • You run a big brand with multiple sub-brands: If you are a major retail, consumer packaged goods (CPG) or food & beverage company, you are likely to have multiple brands under the parent brand: For example, Gap has five sub-brands whereas AB-Inbev has dozens. Each sub-brand has their own domain, and hence their own 1st party cookies, which means that the parent company cannot use 1st party cookies to identify users on sub-brands’ websites. The solution? Use the 3rd party cookie associated with the parent brand such as gap.com and ab-inbev.com.
  • You run an advertising platform and want to know where consumers go: advertising companies live or die by the relevance of their ads. Thus, it’s helpful for them to know which user visited which website when so that they can retarget visitors for their customers or show ads that are likely to be relevant (ex: showing the ads for a Lenovo Thinkpad for someone who just visited lenovo.com). One way to achieve this is via 3rd party cookies. By asking their advertising clients to embed pixels on their websites, the advertiser can identify web visitors across all client websites. For example, more than 14M websites are known to be Google Adsense customers, which means Google can identify users across these 14M+ websites (and likely to be many more) via their 3rd party cookies.

 

But…isn’t this too much tracking?

Largely due to the aggressive user tracking by advertising platforms, 3rd party cookies have gained much notoriety among privacy-conscious web users. For example, the usage of ad blockers, which blocks ad pixels (hence their ability to set 3rd party cookies), has gone up in recent years:

internet-trends-2016-pagefair-slide

Also, modern browsers are beginning to have more private default settings. Mobile Safari’s Content Blocker blocks ad pixels as well as 3rd party cookies altogether, and all modern browsers support the ability to block 3rd party cookies.

So, if you are thinking of using 3rd party cookies to collect user data, think twice: the tide has turned, and it’s becoming a less reliable source of customer data. Going forward, 3rd party cookies will play an auxilary role at best.

This is why 1st party data matters more now

Truth of the matter is that the heyday of 3rd party cookies (and the 3rd party data that Data Management Platforms (DMP) collect) is over. More and more companies are realizing that 1st party data, the data they and only they can collect about their customers, is what helps them differentiate against their competitors.

This realization has led data-driven companies to build or buy customer data platforms (CDP). If you are starting to hit the limits of your DMP or want to double their ROI, I encourage the reader to check out “4 Ways Customer Data Platforms Will Change the Way You Look at Marketing”.