What Are Third-Party Cookies? Complete Guide (2026)

Browser Status in 2026

Modern Alternatives by Use Case

How to Audit Your Site's Cookies

1. Open Chrome DevTools → Application tab → Cookies.
2. Look at the Domain column. Anything not matching your top-level site is third-party.
3. Switch to the Network tab and filter by Set-Cookie in response headers to catch dynamically set cookies.
4. Run a free scan with a consent management platform's cookie scanner for a full inventory.
5. Cross-check against your privacy policy. If a cookie is set and not declared, you have a compliance gap.

How to Use CHIPS (Partitioned Cookies)

CHIPS (Cookies Having Independent Partitioned State) lets a third-party iframe keep its own cookie jar per top-level site — useful for embeds like chat widgets, payment iframes, and CMS previews that need state but should not track across sites.

# Set a partitioned cookie from your embed origin
Set-Cookie: __Host-session=abc123;
            Path=/;
            Secure;
            HttpOnly;
            SameSite=None;
            Partitioned

With Partitioned, the cookie is keyed to the top-level site. Your widget on siteA.com cannot see the cookie set on siteB.com — solving the use case without the tracking.

The 5 Mistakes Around Third-Party Cookies

1. Setting SameSite=None without Secure

# Bad — rejected by every modern browser since Feb 2020
Set-Cookie: id=abc; SameSite=None

# Good
Set-Cookie: id=abc; SameSite=None; Secure

2. Cookie walls

Forcing users to accept all cookies before viewing the site is illegal under GDPR (EDPB Guidelines 05/2020) and CNIL guidance. Users must be able to refuse without losing access.

3. Pre-checked consent boxes

Ruled invalid in the CJEU's Planet49 decision (October 2019). Consent must be a clear affirmative action.

4. Loading tags before consent

// Bad — Google Analytics loads on page load, before consent
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXX"></script>

// Good — gate the script behind a consent check
if (userHasConsented('analytics')) {
  loadScript('https://www.googletagmanager.com/gtag/js?id=G-XXX');
}

5. Ignoring Google Consent Mode v2

Since March 2024, Google requires Consent Mode v2 for advertisers serving EEA traffic. Without it, conversion data is dropped.

How to Test Your Cookie Compliance

• Chrome DevTools → Application → Cookies — manual inspection, fastest way to see what you set.
• A consent management platform's cookie scanner — automated audits with categorization.
• EDAA Your Online Choices and the IAB TCF validator — verify your CMP implements TCF v2.2 correctly.
• Privacy Sandbox Analysis Tool (Chrome DevTools extension) — shows which APIs would replace each cookie use case.
• 2-cookie-test: load the page in Safari and Firefox; anything that breaks is relying on third-party cookies that no longer exist for those users.

FAQ

Are third-party cookies dead in 2026?

No, but they are unreliable. Safari and Firefox have blocked them for years; Chrome still allows them but behind a user prompt. Building anything critical on third-party cookies is risky.

Did Chrome remove third-party cookies?

No. After multiple delays (originally planned for 2022), Google announced in April 2024 that Chrome will keep third-party cookies and instead let users decide via a one-time prompt, alongside Privacy Sandbox APIs.

What is CHIPS?

CHIPS (Cookies Having Independent Partitioned State) is a web standard that lets a third-party set a cookie scoped to one top-level site. It enables embeds to work without enabling cross-site tracking.

Do I still need a cookie banner if I only use first-party cookies?

Yes if those cookies are non-essential (analytics, marketing). GDPR and ePrivacy regulate the purpose, not the party. Strictly necessary cookies (auth, cart) are exempt from consent.

Will analytics break if I drop third-party cookies?

Not if you switch to first-party analytics or server-side GA4. Plausible, Fathom, Simple Analytics, and Matomo work without any third-party cookies.

What is the difference between blocking and partitioning cookies?

Blocking refuses to set the cookie at all (Safari). Partitioning still sets it but isolates it per top-level site (Firefox Total Cookie Protection, Chrome CHIPS), so the cookie cannot follow the user across sites.

Are first-party cookies safe from these restrictions?

Mostly. ITP shortens the lifetime of first-party cookies set via JavaScript on Safari to 7 days. Cookies set by HTTP headers from your own server are unaffected.

Does this affect AI search engines like ChatGPT and Perplexity?

Yes, indirectly. AI crawlers from ChatGPT, Perplexity, and Google AI Overviews do not carry user cookies, so any content gated or personalized via third-party cookies is invisible to them. Sites that depend on cookie-based personalization to serve their primary content may end up showing a degraded or empty experience to AI bots, which hurts citation accuracy and the odds of being referenced. Move critical content out from behind cookie-gated logic so AI search engines see the same page a logged-out human would.