Third-party cookies are one of the main reasons ads seem to follow you around the internet.
They help websites, advertisers, and analytics tools recognize users across different sites, build behavior-based profiles, measure campaigns, and personalize ads. This guide explains what third-party cookies are, how they work, what data they can collect, and why browsers are changing the way they handle them. We’ll also look at what these changes mean for website owners, marketers, and anyone who wants to understand what happens when they click “accept cookies.”
New to the world of cookies? Start with our guide on what “accept cookies” means. And if you run a website, we’ll also cover which third-party cookies are active on your site, so you can understand what your cookie banner and privacy setup need to cover.
What are third party cookies and how do they work?
Third-party cookies are small text files set by a service other than the website you’re visiting. They’re also called 3rd-party cookies, trackers, or cross-site cookies.
The key difference is the domain. A cookie is first-party if it’s set by the website you’re on. It’s third-party if it’s set by another domain, such as an ad network, analytics tool, embedded video platform, or social media service.
For example, if an online store remembers what’s in your cart, that’s usually done with a first-party cookie. But if the same page loads an external ad or sets in own cookie, it’s a third-party cookie because it’s set by a different domain.
When you visit another website using the same third-party service, your browser may send that cookie back to the third party. This allows the service to recognize the same browser across different sites and build a picture of browsing behavior over time.
This usually happens in the background. Users don’t need to click the ad, video, or button for the cookie exchange to happen.
First party vs. third party cookies
| First-party cookies | Third-party cookies | |
|---|---|---|
| Who sets them | The website you’re visiting | An external service loaded by the page |
| Domain | Matches the page URL | Different from the page URL |
| Main purpose | Session management, preferences, logins | Cross-site tracking, advertising, analytics |
| Visible to users | Most likely to support features that users can see or use directly, like logins, carts, or preferences | Often work in the background through external services, such as ads or analytics tools |
| Browser support | All browsers | Increasingly blocked by default |
| Consent required | Depends on purpose (essential uses may be exempt) | Generally requires explicit user consent. See what the GDPR requires |
| Privacy risk | Lower (scoped to one site) | Higher (tracks behavior across many sites) |
Common use cases
Third-party cookies are most commonly used for advertising, measurement, and cross-site functionality. Typical use cases include:
- Targeted advertising: showing ads based on a user’s browsing behavior across different websites.
- Retargeting: showing ads to people who previously visited a site, viewed a product, or abandoned a cart.
- Conversion tracking: measuring whether an ad click or campaign led to a signup, purchase, or other action.
- Frequency capping: limiting how often the same person sees the same ad.
- Audience segmentation: grouping users based on inferred interests, behavior, or intent.
- Social media and embedded content: enabling features like share buttons, embedded posts, videos, and login widgets.
Most of these use cases involve non-essential tracking, so the relevant scripts should usually be blocked until the user has given valid consent. Here’s how prior blocking works and what it means in practice for your site setup.
What data do third-party cookies collect?
Individual data points collected by third-party cookies can seem minor in isolation. The privacy concern comes from what happens when those points are combined: behavioral data stitched together across hundreds of sites over time can produce detailed profiles that go well beyond what any single data point would suggest.
This is one of the core reasons the EU’s ePrivacy Directive introduced specific rules around cookies, separate from the broader GDPR framework. Read more in our ePrivacy and Cookie Law compliance guide.
Depending on the service, third-party cookies may be used to track things like:
- Browsing history: Which pages you’ve visited, how long you spent on them, and how frequently you return
- Click patterns: Which links, ads, and page elements you interact with
- Search queries: What you’ve been looking for across search engines and individual sites
- Purchase behavior: Products viewed, added to a cart, or purchased
- Geographic location: Approximate location inferred from your IP address
- Device information: Browser type, operating system, screen resolution, and device model
- Cross-site activity: A behavioral record across multiple sites, used to build inferred interest and intent profiles
How that data is typically used:
- Building user profiles for advertising and audience targeting
- Behavioral targeting: serving ads based on inferred interests and browsing history
- Remarketing: re-engaging users who’ve previously interacted with a product or service
- Attribution modeling: understanding which touchpoints contributed to a conversion
- Audience segmentation: grouping users by predicted demographics or interests
- Frequency capping: controlling how often the same ad is shown to the same person
Third-party cookies now depend on the browser
Third-party cookies are now handled differently depending on the browser.
Safari and Firefox restrict or block many third-party tracking cookies by default. Chrome has taken a different path: after years of planned phase-outs and delays, Google confirmed in 2025 that it would not fully remove third-party cookies from Chrome. Instead, Chrome will continue to rely on user settings and privacy controls.
For website owners and marketers, this means tracking can vary depending on the user’s browser, settings, and consent choices. Some third-party cookies may be blocked automatically, while others may still run, depending on the browser and how your site is configured.
It’s crucial to keep in mind that browser settings don’t replace legal requirements. Under the GDPR and ePrivacy Directive, non-essential cookies generally require valid user consent before they’re set. That means website owners still need to know which cookies and tracking tools their site uses, explain them clearly, and block non-essential scripts until consent is given. For a full breakdown of what’s legally required, see:
- Cookies and the GDPR: what’s really required?
- ePrivacy and Cookie Law compliance
- Understanding the Digital Omnibus Regulation proposal: what it means for privacy and compliance
For website owners, the right approach is to audit which third-party scripts you’re loading, ensure your cookie banner captures valid consent before those scripts run, and maintain a documented record of that consent. You’ll also want a cookie policy in place. Here’s how to generate one.
Start by checking which cookies your site uses
Third-party cookies have shaped how the web tracks, targets, and measures user behavior for decades. Their future is less certain than it once was, but they remain widely used, closely regulated, and directly relevant to anyone running a website or working in digital marketing.
For website owners, the next step is making sure your consent setup reflects the cookies and trackers your site actually uses. iubenda’s Cookie Consent Banner helps you scan your site, block non-essential scripts before consent, and keep clear records of users’ choices, so your cookie setup stays accurate and easier to manage.
FAQs
Are third party cookies a privacy risk?
They can be, depending on how they’re used.
A single cookie is just a small piece of data. The privacy concern comes from what happens at scale. If the same ad network or tracking provider appears across many websites, it can use third-party cookies to build a picture of someone’s browsing behavior over time.
That’s why privacy laws like the GDPR require valid consent before non-essential tracking begins. See our GDPR compliance guide for more on how those rules may apply to your site.
Can third party cookies identify me personally?
Not directly in most cases.
Third-party cookies usually don’t store your name or email address. Instead, they assign a unique ID to your browser and connect activity to that ID.
But that data can become personally identifiable if it’s linked to an account you’re logged into, or combined with enough other information. That’s why behavioral tracking data can be treated as personal data under the GDPR, even when no name is attached.
Who can access third party cookie data?
Usually, the company that sets the cookie. This could be an ad network, analytics provider, social media platform, or another third-party service loaded on the page.
In some cases, that data may also be shared with other partners or data providers, depending on how the service works and what permissions are in place.
How to enable third party cookies
The steps depend on your browser.
In Chrome, go to Settings > Privacy and security > Cookies and other site data. In Safari, open Settings or Preferences, then go to Privacy. In Firefox, go to Settings, then Privacy and Security.
Most browsers also let you allow third-party cookies for specific websites instead of enabling them everywhere. That’s usually a more controlled option than switching them on globally.