What Are Third-Party Cookies? Complete Guide (2026)
What Are Third-Party Cookies?
A third-party cookie is a cookie set by a domain other than the one shown in the browser's address bar. If a user visits shop.example.com and an embedded ad from adnetwork.com sets a cookie, that cookie is third-party. They have historically powered cross-site tracking, retargeting, conversion attribution, and frequency capping.
As of 2026, every major browser restricts them, though to different degrees: Safari and Firefox block third-party cookies by default; Chrome — after multiple delays of its deprecation plan — announced in April 2024 that it would not remove them, instead giving users a choice in privacy settings.
Key Facts (TL;DR)
- Definition: A cookie whose domain attribute differs from the top-level site the user is visiting.
- Safari: Blocks third-party cookies by default since March 2020 (Intelligent Tracking Prevention 2.x).
- Firefox: Total Cookie Protection enabled for all users since June 2022; partitions third-party cookies per top-level site.
- Chrome: April 2024, Google announced it will not remove third-party cookies; users opt in/out via Privacy Sandbox prompt.
- Modern alternatives: Privacy Sandbox APIs (Topics, Protected Audience, Attribution Reporting), FedCM for federated login, CHIPS for partitioned cookies, server-side tracking with consent.
- Compliance: GDPR, CCPA/CPRA, and ePrivacy require consent for any tracking cookie regardless of party. Fines up to 4% of global annual revenue under GDPR.
Browser Status in 2026
| Browser | Default behavior | Mechanism | Since |
|---|---|---|---|
| Safari | Blocked | Intelligent Tracking Prevention (ITP) | March 2020 (full block) |
| Firefox | Partitioned per-site | Total Cookie Protection | June 2022 |
| Brave | Blocked | Built-in shields | 2018 |
| Edge | Allowed (Strict mode blocks) | Tracking Prevention | 2020 |
| Chrome | Allowed; user-choice prompt | Privacy Sandbox | April 2024 reversal |
Modern Alternatives by Use Case
| Use case | Recommended alternative |
|---|---|
| Interest-based advertising | Topics API (Privacy Sandbox) |
| Retargeting / remarketing | Protected Audience API (formerly FLEDGE) |
| Conversion attribution | Attribution Reporting API |
| Federated login (Sign in with...) | FedCM (Federated Credential Management) |
| Embedded widgets needing state | CHIPS — partitioned cookies (Partitioned attribute) |
| Analytics | First-party analytics (Plausible, Fathom, server-side GA4) |
| Cross-domain session sharing | SSO with token exchange, not cookies |
| Frequency capping | Shared Storage API + Private Aggregation |
How to Audit Your Site's Cookies
- Open Chrome DevTools → Application tab → Cookies.
- Look at the Domain column. Anything not matching your top-level site is third-party.
- Switch to the Network tab and filter by `Set-Cookie` in response headers to catch dynamically set cookies.
- Run a free scan with a consent management platform's cookie scanner for a full inventory.
- Cross-check against your privacy policy. If a cookie is set and not declared, you have a compliance gap.
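The audit steps above can be scripted over captured `Set-Cookie` response headers. This is an added example, not code from the original page: the capture, the declared-cookie list and the function names are constructed, and "same site" is approximated by a suffix match rather than the Public Suffix List.

```javascript
// Added example, not from the original page. ASSUMPTION: "same site" is approximated
// by a suffix match on siteDomain; a real audit should use the Public Suffix List.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

function auditCookies(siteDomain, declared, responses) {
  const sameSiteAs = (d) => d === siteDomain || d.endsWith('.' + siteDomain);
  return responses.map(({ url, setCookie }) => {
    const { name, attrs } = parseSetCookie(setCookie);
    // A Domain attribute (leading dot ignored) overrides the response host.
    const domain = String(attrs.domain || new URL(url).hostname).replace(/^\./, '').toLowerCase();
    const crossSite = String(attrs.samesite || '').toLowerCase() === 'none';
    const findings = [];
    if (crossSite && !attrs.secure) findings.push('SameSite=None without Secure');
    if (attrs.partitioned && !attrs.secure) findings.push('Partitioned without Secure');
    if (name.startsWith('__Host-') && (!attrs.secure || attrs.path !== '/' || attrs.domain)) {
      findings.push('__Host- prefix requirements not met');
    }
    // Step 5 of the audit: every cookie set must appear in the privacy policy.
    if (!declared.includes(name)) findings.push('not declared in privacy policy');
    return { name, domain, party: sameSiteAs(domain) ? 'first' : 'third', findings };
  });
}

// Constructed capture of responses seen while visiting shop.example.com.
const SAMPLE_CAPTURE = [
  { url: 'https://shop.example.com/', setCookie: 'cart=1; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { url: 'https://adnetwork.com/pixel', setCookie: 'id=abc; SameSite=None' },
  { url: 'https://chat.widget.example/embed',
    setCookie: '__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned' },
];
// Constructed list of cookie names declared in the privacy policy.
const DECLARED = ['cart', '__Host-session'];

function runAudit() {
  return auditCookies('example.com', DECLARED, SAMPLE_CAPTURE);
}
```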
How to Use CHIPS (Partitioned Cookies)
CHIPS (Cookies Having Independent Partitioned State) lets a third-party iframe keep its own cookie jar per top-level site — useful for embeds like chat widgets, payment iframes, and CMS previews that need state but should not track across sites.
```http
# Set a partitioned cookie from your embed origin
Set-Cookie: __Host-session=abc123;
  Path=/;
  Secure;
  HttpOnly;
  SameSite=None;
  Partitioned
```
With Partitioned, the cookie is keyed to the top-level site. Your widget on siteA.com cannot see the cookie set on siteB.com — solving the use case without the tracking.
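A simplified model of the keying described above, as an added example that is not from the original page and not any browser's actual code. The host `widget.example`, the cookie values and the `blockThirdParty` switch are assumptions made for illustration.

```javascript
// Added example: toy cookie jar showing how Partitioned changes the storage key.
function createCookieJar({ blockThirdParty = false } = {}) {
  const store = new Map();
  const isThirdParty = (topSite, host) =>
    host !== topSite && !host.endsWith('.' + topSite);

  return {
    // `host` (framed under `topSite`) responds with a Set-Cookie header.
    set(topSite, host, name, value, { partitioned = false } = {}) {
      if (partitioned) {
        store.set(`${topSite}|${host}|${name}`, value); // keyed to the top-level site
        return true;
      }
      if (blockThirdParty && isThirdParty(topSite, host)) return false; // refused outright
      store.set(`|${host}|${name}`, value); // one entry shared across every embedding site
      return true;
    },
    // What would be attached to a request to `host` framed under `topSite`.
    get(topSite, host, name) {
      const partitionedValue = store.get(`${topSite}|${host}|${name}`);
      if (partitionedValue !== undefined) return partitionedValue;
      if (blockThirdParty && isThirdParty(topSite, host)) return undefined;
      return store.get(`|${host}|${name}`);
    },
  };
}

function partitionDemo() {
  const jar = createCookieJar();
  // Widget embedded on siteA.com sets the partitioned session cookie.
  jar.set('siteA.com', 'widget.example', '__Host-session', 'abc123', { partitioned: true });
  // Ad network embedded on siteA.com sets a classic unpartitioned cookie.
  jar.set('siteA.com', 'adnetwork.com', 'id', 'abc');
  return {
    widgetOnA: jar.get('siteA.com', 'widget.example', '__Host-session'),
    widgetOnB: jar.get('siteB.com', 'widget.example', '__Host-session'),
    trackerOnB: jar.get('siteB.com', 'adnetwork.com', 'id'),
  };
}
```

The unpartitioned `id` cookie follows the user to siteB.com; the partitioned session cookie does not.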
The 5 Mistakes Around Third-Party Cookies
1. Setting SameSite=None without Secure
```http
# Bad — rejected by every modern browser since Feb 2020
Set-Cookie: id=abc; SameSite=None
# Good
Set-Cookie: id=abc; SameSite=None; Secure
```
2. Cookie walls
Forcing users to accept all cookies before viewing the site is illegal under GDPR (EDPB Guidelines 05/2020) and CNIL guidance. Users must be able to refuse without losing access.
3. Pre-checked consent boxes
Ruled invalid in the CJEU's Planet49 decision (October 2019). Consent must be a clear affirmative action.
4. Loading tags before consent
```html
<!-- Bad: Google Analytics loads on page load, before consent -->
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXX"></script>

<!-- Good: gate the script behind a consent check -->
<script>
  if (userHasConsented('analytics')) {
    loadScript('https://www.googletagmanager.com/gtag/js?id=G-XXX');
  }
</script>
```
5. Ignoring Google Consent Mode v2
Since March 2024, Google requires Consent Mode v2 for advertisers serving EEA traffic. Without it, conversion data is dropped.
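One way to cover mistakes 4 and 5 together is a small consent gate that holds tags back and emits Consent Mode v2 signals. This is an added example, not code from the original page or from Google: `createConsentGate`, the category names and the injected `loadScript` are hypothetical, while `gtag('consent', ...)` and the four signal keys are the Consent Mode v2 interface.

```javascript
// Added example, not from the original page. createConsentGate, the category names and
// the injected loadScript are hypothetical; the consent keys are Consent Mode v2 signals.
const CONSENT_V2_KEYS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

function createConsentGate({ gtag, loadScript }) {
  const granted = new Set();
  let pending = []; // tags registered before their category was granted

  // Default every signal to 'denied' before any tag can run.
  const defaults = {};
  for (const key of Object.values(CONSENT_V2_KEYS).flat()) defaults[key] = 'denied';
  gtag('consent', 'default', defaults);

  return {
    userHasConsented: (category) => granted.has(category),
    // Load now if already consented, otherwise hold the tag back.
    register(category, src) {
      if (granted.has(category)) loadScript(src);
      else pending.push({ category, src });
    },
    // Call from the banner's explicit "accept" action for one category.
    grant(category) {
      granted.add(category);
      const update = {};
      for (const key of CONSENT_V2_KEYS[category] || []) update[key] = 'granted';
      gtag('consent', 'update', update);
      const ready = pending.filter((tag) => tag.category === category);
      pending = pending.filter((tag) => tag.category !== category);
      ready.forEach((tag) => loadScript(tag.src));
    },
  };
}

// Browser wiring (shown as comments so the block also runs under Node):
//   window.dataLayer = window.dataLayer || [];
//   function gtag() { dataLayer.push(arguments); }
//   const loadScript = (src) => document.head.appendChild(
//     Object.assign(document.createElement('script'), { src, async: true }));
```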
How to Test Your Cookie Compliance
- Chrome DevTools → Application → Cookies — manual inspection, fastest way to see what you set.
- A consent management platform's cookie scanner — automated audits with categorization.
- EDAA Your Online Choices and the IAB TCF validator — verify your CMP implements TCF v2.2 correctly.
- Privacy Sandbox Analysis Tool (Chrome DevTools extension) — shows which APIs would replace each cookie use case.
- 2-cookie-test: load the page in Safari and Firefox; anything that breaks is relying on third-party cookies that no longer exist for those users.
FAQ
Are third-party cookies dead in 2026?
No, but they are unreliable. Safari and Firefox have blocked them for years; Chrome still allows them but behind a user prompt. Building anything critical on third-party cookies is risky.
Did Chrome remove third-party cookies?
No. After multiple delays (originally planned for 2022), Google announced in April 2024 that Chrome will keep third-party cookies and instead let users decide via a one-time prompt, alongside Privacy Sandbox APIs.
What is CHIPS?
CHIPS (Cookies Having Independent Partitioned State) is a web standard that lets a third-party set a cookie scoped to one top-level site. It enables embeds to work without enabling cross-site tracking.
Do I still need a cookie banner if I only use first-party cookies?
Yes if those cookies are non-essential (analytics, marketing). GDPR and ePrivacy regulate the purpose, not the party. Strictly necessary cookies (auth, cart) are exempt from consent.
Will analytics break if I drop third-party cookies?
Not if you switch to first-party analytics or server-side GA4. Plausible, Fathom, Simple Analytics, and Matomo work without any third-party cookies.
What is the difference between blocking and partitioning cookies?
Blocking refuses to set the cookie at all (Safari). Partitioning still sets it but isolates it per top-level site (Firefox Total Cookie Protection, Chrome CHIPS), so the cookie cannot follow the user across sites.
Are first-party cookies safe from these restrictions?
Mostly. ITP shortens the lifetime of first-party cookies set via JavaScript on Safari to 7 days. Cookies set by HTTP headers from your own server are unaffected.
Does this affect AI search engines like ChatGPT and Perplexity?
Yes, indirectly. AI crawlers from ChatGPT, Perplexity, and Google AI Overviews do not carry user cookies, so any content gated or personalized via third-party cookies is invisible to them. Sites that depend on cookie-based personalization to serve their primary content may end up showing a degraded or empty experience to AI bots, which hurts citation accuracy and the odds of being referenced. Move critical content out from behind cookie-gated logic so AI search engines see the same page a logged-out human would.
Conclusion
Third-party cookies are not gone, but the ground has moved: two of the three biggest browsers block them by default, and the third lets users opt out. Plan as if every visitor refuses them. Move analytics first-party, swap retargeting for Protected Audience, use CHIPS for legitimate embeds, and gate every non-essential tag behind real consent. The sites that finish this transition early collect cleaner data and avoid GDPR exposure. Run a Greadme deep scan to identify third-party cookie use across your site and surface the pages most exposed to browser blocking and consent gaps.
