Skip to Main Content
Main Menu
article

Guide to Third-Party Cookie Trackers

What are online trackers?

Online trackers, in simplest terms, are technologies used by websites and apps to collect data about user interactions. These trackers remember and recognize users by recording, processing, or logging details such as browsing habits, time spent on a webpage, clicked links, and more. This data may serve multiple purposes, from personalizing content and targeted ads to improving website functionality, analytics, or authenticating users for web experiences.

Some common organizational or business purposes for using online trackers include:

  • Website analytics: Understanding how users interact with websites or which features they use help businesses improve their user experience and marketing strategies.
  • Targeted advertising: Tracking technologies allow advertisers to show personalized ads based on your interests and browsing behavior.
  • Fraud detection and security: Tracking can be used to identify and prevent suspicious activity, such as credit card fraud or online hacking.
  • Market research: Companies use tracking data to learn about consumer behavior and preferences.
  • Personalization: Some websites, advertising, and social media platforms use tracking to personalize your experience by remembering your preferences and settings.

Cookies, a type of tracker, are small pieces of data stored on a user’s device by websites a user visits. Cookies are used to remember user preferences, login information, auto-fill information, shopping cart information, and other information that help enhance a user’s experience.

First-party and third-party data: What’s the difference?

Online trackers (including first-party and third-party cookies) have the ability to collect two different kinds of data: first-party data and third-party data. What is the difference between the two?

First party data provides valuable specific information to your organization as it is collected directly from your audience (e.g., consumers, data subjects, or website users) and the lawful basis (e.g., consent, legitimate interest, etc.) will vary depending on the purpose and use of the data. In other words, first party data utilizes in-house or internally developed cookies or trackers set directly by your organization on your own web pages or web properties.

On the other hand, third-party data is information collected by other organizations that do not have a direct relationship or interaction with the user. This type of data is typically what is collected by online trackers that are provided by third-party providers (e.g., a third-party analytics or advertising provider) on a website. In other words, third-party data utilizes cookies that may be set by your organization, but are created by third-party service providers or partners, and placed in your web pages or web properties.

Third-party cookies can be accessed by external parties in a manner that results in less user control or understanding of data processed, collected, or tracking – including without the knowledge of the website owner. Since the result of third-party cookies is a physical file/data being placed on a users’ device, some browser providers believe there is elevated privacy risk and have decided to block third-party trackers/cookies, including Firefox and Safari, with Chrome following suit in early 2025 (expected).

Different types of online trackers

Online trackers can, depending on their use case and implementation, share personal or sensitive information with third-party entities, such as advertisers, to help with tailoring and personalizing advertising. This is done for a variety of reasons, including to make ads more relevant to recipients and also to manage ad spend. Trackers come in several forms, each serving distinct purposes and collecting different types of data. Below are some common examples of trackers:

  1. Cookie trackers: These are small files stored on your device that track your website activities. Third-party cookies have been the primary method of storing client-side data for over two decades.
  2. Pixels: Also known as web beacons, these are tiny, invisible images embedded in web pages or emails, used to track user interaction. These are popularly used for advertising as well, but have numerous purposes.
  3. Browser fingerprinting: A more advanced method that gathers data about your device (like screen resolution, installed fonts, or browser type) to create a unique profile for tracking, even without cookies.
  4. Embedded scripts: Code snippets that track user behavior within a website. These scripts create most trackers and are responsible for reading and storing data
  5. Web beacons: Embedded images that track when a page is loaded.

Types of cookies

Generally speaking and historically, cookies have been one of the most common and popular forms of tracking technologies. Cookies can serve many purposes, including remembering preferences (language, login credentials), tracking website usage (clicks, pages visited), securing a page/preventing fraud, and aiding in personalized content, user experiences, and ads.

Types:

  • Session cookies: Temporary, deleted when you close your browser.
  • Persistent cookies: Remain on your device for a set period or until manually deleted.
  • First-party cookies: Placed by the website you’re visiting or by embedded scripts loaded on your site.
  • Third-party cookies: Placed by a different website (e.g., advertising network). They are usually created as a hidden frame and exchange information with a third-party domain.

Examples:

  • Session cookie remembering your login on a website.
  • Persistent cookie saving your language preference on a news site.
  • Third-party cookie tracking your browsing across different websites to show targeted ads.

As noted above, cookies are a specific type of tracker, while trackers are a broader category. Cookies in particular primarily collect website browsing data, while trackers can gather a wider range of information.

Third-party cookies and trackers are at the center of recent privacy concerns due to their ability to collect, aggregate, and store information across sites without user consent. They are able to mass data harvesting, profiling, and real-time bidding for marketing advertising and analytics as well as gather extensive personal data, including IP addresses, search and browsing history, and private details like health and religious beliefs.

Cookie Consent Manager

Meet global consent requirements with minimal effort while maximizing opt-ins and fueling customer trust.

Learn more

Website Monitoring Manager

Identify and monitor cookies, trackers, and website behavior to deliver a secure digital user experience.

Learn more

Current and future state of third-party cookies in browsers

Cookies, first introduced in the 1990s as a way for websites to remember information about the user or their visits and at a time, called “HTTP cookies.” Cookies were designed to fill the gap created by the stateless nature of the web, where websites could not inherently remember previous interactions.
In some circumstances, third-party cookies can be used to track users around the web and build a detailed profile based on browser history and hence are referred to also as tracking cookies. This type of profiling and targeting that is not aggregated has become an essential tool for online advertisers, who use them to track individual user behavior across multiple websites to deliver personalized ads.

Legislation like the General Data Privacy Regulation (GDPR) and Digital Markets Act (DMA) in the European Union and the California Consumer Privacy Act (CCPA) have strong data privacy components around third-party cookie tracking. Combined with strong consumer demand for greater privacy, the combination of regulation and consumer demand has led web browsers and major publishers or media houses like the New York Times to react to these concerns by blocking or depreciating third-party cookies.

Chrome

While Google first pledged depreciation in 2022, there have been a number of delays over the last few years. On January 4th, 2024, Chrome began restricting third-party cookies for 1% of users, or approximately 30 million users, under Tracking Protection, with intention to restrict 100% of users in 2024. Google has now reversed it’s decision to phase out third-party cookies, and plans to maintain third-party cookie support while continuing to develop additional privacy-preserving functionality.

Google’s Privacy Sandbox, is the main vehicle which Google uses to test and development proposals for the replacement of third-party cookies with a collection of emerging technologies aimed at protecting users’ online privacy while also providing tools to provide relevant advertising and targeting.

The sandbox is designed to allow users to still see relevant ads based on interests, with the intent to keep personal information from being tracked or stored by websites. The effectiveness of these new approaches is novel and therefore, is yet unproven, and many details are still being worked out. Regulators such as the CMA (Competition & Markets Authority) and ICO (Information Commissioner’s Office) still have questions about these approaches.

Google’s Privacy Sandbox proposal

Some of the new mechanisms within Google’s Privacy Sandbox include Google’s TopicsAI, a type of contextual targeting, which uses categories of topics of interest, without relevant additional information about the user’s browsing history. Other types of contextual targeting include keyword and semantic versus behavioral targeting. Some critics have had concerns that this may introduce discriminatory practices.

Google has also introduced other mechanisms such as Enhanced Conversions to capture hashed customer data where advertisers can collect hashed first party conversion data from a website to Google in a privacy safe way. Essentially, matching the data against Google’s logged-in data for identification.

CHIPS (Cookies Having Independent Partitioned State) is another method introduced by Google that allows developers to opt a cookie into partitioned storage, with a separate cookie jar per top-level site. This allows cookies to be set by third-party services, but only read within the context of the top-level site where they were initially set. This blocks cross-site tracking while still enabling non-tracking uses of cookies for different persisting use cases such as persisting chat widgets across different sites, persisting configuration information for CDN load balancing, or headless CMS providers.

FLoC (Federated Learning of Cohorts) is a new way for advertisers to show relevant ads by grouping users into cohorts with similar recent browsing history without being individually identified, providing a level of anonymity, while still allowing advertisers to deliver targeted ads.

Google continues to solicit feedback on its Privacy Sandbox proposal.

Firefox

Mozilla’s Firefox has already phased out third-party cookies and implemented Enhanced Tracking Protection (ETP) by default, blocking third-party cookies and limiting the data advertisers can collect. Firefox has yet to initiate alternative solutions, however it is possible to allow for usage of third-party cookies on a case-by-case basis in Firefox via browser settings.

Safari

Apple has also already blocked third-party cookies by default and implemented Intelligent Tracking Prevention (ITP) to protect user privacy. Apple has also taken a stringent approach towards cookies, where allowing access to third-party cookies per frame can only be done at the code level, via the Storage Access API. Similarly, Apple’s iOS updates (e.g., AppTrackingTransparency framework also known as ATT) has given users more control over their data, requiring apps to ask for permission to track user activities.

Emerging advertising technologies across platforms

With the demise of third-party cookies, advertisers are also turning to other emerging tech and advertising options such as universal IDs (e.g., TradeDesk Unified 2.0 solution), data clean rooms, device IDs, “on device” and client-side processing (e.g., Privacy Sandbox Solutions), contextual targeting, and server-side tags or customer data platforms. Techniques like fingerprinting and CNAME cloaking are also being considered.

Time will tell what privacy initiatives will be popular with consumers and marketers. While these new approaches and emerging tech are being tested for effectiveness, advertisers may need to further rely on first-party data instead.

Future of tracker vendor management

The challenge in the future as alternative tracking technologies arise will be two-fold. First, effective management of online trackers in compliance with privacy regulations will be increasingly important. Second, advertisers and publishers will need to obtain consent to process user data.

Organizations can future-proof their business by effectively managing cookies and online tracking technologies as well as obtaining end-user tracker consent with TrustArc’s compliance solutions:

  • Cookie Consent Manager: Obtain tracker consents and manage trackers. Easily support server-side tag management integrations and zero-load best practices. Set up automated tracker scans (of pixel tags, beacons, HTML 5 local storage, HTTPS/JavaScript cookies, etc.) regularly and receive on-demand tracker reports for compliance (e.g., CCPA report). Amplify your advertising compliance and recognize enhanced privacy requirements and signals such as Global Privacy Controls (GPC), IAB TCF and GPP frameworks support, and Google Consent Mode as Google certified CMP.
  • Website Monitoring Manager: Enrich tracker scanning, auditing, and reporting across your websites. This product includes on-demand compliance risk reports, regular automated tracker vendor scanning, and simplified compliance review to ensure adherence to regulations such as GDPR, CCPA, and guidelines by the FTC.
  • Consent & Preference Manager: Leverage a universal preference center that captures all first-party data consents from your customers and sync preferences across all your third-party systems. With a universal repository, Tag Manager technologies can manage tracker technologies based on recorded consents and within an ad ecosystem, Ad Publishers can retrieve the consent status for a particular user in real-time from the Consent & Preferences Manager at the time of serving ads.
  • DAA AMI Validation: Demonstrate your online advertising privacy compliance when using data collected through addressable media identifiers to safeguard consumer privacy. TRUSTe helps validate your practices in a cost-effective way assuring your partners and customers that your interest-based advertising practices align with industry standards and best practices.

As privacy regulations tighten and user awareness increases, it’s more crucial than ever for businesses to understand and manage online trackers effectively while maintaining transparency and trust.

Get the latest resources sent to your inbox

Subscribe

Managing Online Tracking Technology Vendors: A Checklist for Compliance Webinar

Watch now
Back to Top