How Different Browsers Handle First-Party and Third-Party Cookies

Cookies are currently the most common method of identifying users online and providing a personalized browsing experience, as they can persist after a user leaves the site.

They’ve been responsible for delivering a consistent and personalized user experience, which many of us take for granted today. Cookies remember website configuration, login details and products added to the shopping cart. For years they’ve also been the backbone of online advertising for targeting, retargeting, tracking and attribution.

However, their days seem numbered due to a growing awareness of privacy issues, laws like the EU’s General Data Protection Regulation (GDPR) and ePrivacy, and ultimately, browsers introducing changes to how cookies are handled.

In order to provide users with more choice and control over online advertising, and possibly to position themselves as more privacy-friendly, browsers have introduced new privacy features over the years.

These vary greatly – some browsers allow users to block third-party cookies, which are the ones typically used for advertising purposes. Others also take aim at first-party cookies, which help deliver a good user experience, but can also be used for online tracking.

We’ve compiled a list of the most popular web browsers and explain how each browser handles first-party and third-party cookies. 

What’s the Difference Between First-Party and Third-Party Cookies?

Before we look at how browsers handle first-party and third-party cookies, we should explain the difference.

First-party cookies: These cookies are set by the domain you are visiting at the time and help deliver a good user experience (remembering your language preferences, for example).

Third-party cookies: These cookies are set by domains other than the one you are visiting and are typically used for online advertising purposes.

To learn more about the difference between first-party and third-party cookies, read our blog post. 

Now let’s look at how popular web browsers handle first- and third-party cookies and what it means for AdTech.

Google Chrome

Google Chrome is by far the most popular web browser, with an estimated global market share of 62.8%. Its crushing dominance is unthreatened; the closest competitor, Apple’s Safari has a mere 15.8% market share.

Because Chrome is the most popular browser across all devices (including mobile), changes in how it handles cookies will likely have the strongest impact on the AdTech industry.

Chrome offers quite granular privacy settings, but they are hidden deep in the browser’s menus.

First-party cookies

First-party cookies aren’t blocked by default in Chrome, but can be deleted by the user. In this case, both first-party and third-party cookies would be removed.

Third-party cookies

Chrome does not block third-party cookies by default either, but it can be done through the settings menu. Simply go to Settings > Advanced > Site settings > Cookies and set “Block third-party cookies” to On.

Users can choose to delete cookies, which removes both first-party and third-party cookies. However, in May 2019, Google announced that it would implement a number of changes to give users more control over which cookies are created in the first place.

Once the new features are implemented in Chrome, users will be able to block and delete third-party cookies, while keeping first-party cookies intact. We’ve written about Chrome’s new privacy features in more detail in another post on our blog.

The impact on AdTech

Due to Google’s large share of the web-browser market, the new privacy features in Chrome will likely have a bigger impact on online advertising than other browsers have had so far. At the same time, however, privacy features in Chrome are still not as strict as those in Safari or Tor. This is because a large majority of Google’s revenue (about 86%) is derived from advertising.

Outside of its walled garden, Google (as well as Facebook and Amazon) also places its bids in almost every programmatic auction on the internet.

This means that Google still depends on cookies to some extent and can’t crank its third-party cookie blocking too high, as it will open the gates to numerous antitrust investigations.

Apple, on the other hand, can restrict the use of third-party cookies as it pleases because it is not an AdTech company and doesn’t derive its revenue from display ads.

Safari

Apple’s crusade against cookies has continued for a few years now since the release of Intelligent Tracking Prevention (ITP) 1.0, a privacy feature that came with Safari 11 in September 2017. Apple can afford to be very strict about cookies and position itself as a company focused on user privacy because its revenue does not depend on advertising.

While the introduction of ITP is seen as Apple’s consumer-facing move, it’s also a discreet jab at Google and other AdTech companies, crippling its ad revenue.

For example, the impact of ITP-like features and limited reliance of third-party cookies has impacted retargeting platforms like Criteo, whose stock price plummeted during the Apple ITP to over half its value over the last nine months of 2018. Increasing restrictions on user tracking makes platforms like Criteo less effective and less attractive from the business perspective.

First-party cookies

As of ITP 2.1, Safari uses its machine-learning magic to identify which first-party cookies can be used for tracking. Then, it blocks cookies unless you use the Storage Access API to ask users to allow the use of your cookie.

Cookies created via the JavaScript document.cookie API (even first-party cookies for things like web analytics) will be set to expire in seven days, regardless of their existing expiry date. JavaScript will be able to access cookies created via the HTTP response, as long as they don’t contain HttpOnly flag.

Third-party cookies

Prior to the release of ITP, Safari had automatically blocked third-party cookies by default. The way Safari manages first- and third-party cookies has serious reverberations for the AdTech industry today.

The name “Intelligent Tracking Prevention” was used (rather than “Intelligent Cookie Prevention”) for a reason. Until version 2.0, ITP used the so-called “machine-learning classifier” to predict which domains had cross-site tracking capability, and partitioned the cookies immediately. Today, Safari does not support partitioned cookies anymore and third-parties are restricted to Storage Access API to get any type of cookie access – for both tracking and non-tracking purposes.

The impact on AdTech

Analytics cookies that would previously last for two years (if not purged) are now deleted by Safari after seven days under ITP. This has some specific consequences for players in the AdTech industry: publishers, marketers, and vendors.

Walled Gardens

While companies like Google, Facebook and Amazon weren’t initially affected too much by ITP 1.0 and 1.1, the introduction of ITP 2.0, 2.1 and 2.2 is a whole different story.

Safari does not allow third-party login widgets to place cookies in users’ devices without first obtaining consent from the storage access API, which comes at a trade-off – a broken user experience.

Frequency capping and retargeting

Because Safari, by default, blocks third-party cookies, advertisers cannot properly implement ad-frequency management and capping, retargeting, or view-through attribution modeling.

As a result, Safari users will still see ads, but they will be badly targeted, irrelevant and will likely repeat too often.

Attribution

ITP 2.2 restricts all conversion attribution carried out via so-called link decoration if the referring domain has been classified as having cross-site tracking capabilities.

For example, when users come from domains like Facebook or Google through a URL that contains extra query parameters (which follow the “?” in the address) or hash fragments (which follow the “#” symbol), then all JavaScript cookies set on the page via document.cookie will expire after 24 hours, shortening the look back period.

The last marketing touch will be too highly credited for attribution, increasing the risk of excessive spend on ineffective channels.

Web analytics

Safari, since the introduction of ITP 2.1, deletes first-party cookies set by web analytics and other MarTech tools after seven days – or in 24 hours in specific situations set out by ITP 2.2.

From a marketer’s perspective, this makes view-through attribution and accurate analytics impossible. Because users’ clickstream data disappears after one or seven days, the customer journey is broken and badly represented in most analytics tools. ITP makes analytics tools incorrectly display the number of unique visitors on a website (it artificially inflates the numbers).

Firefox

Firefox is an open-source browser created by the Mozilla Foundation, a non-profit organization.

It is fast, private and regularly audited, which means Mozilla cannot engage in shady practices like implementing under-the-hood data collection.

Earlier in 2019, Firefox Version 65.0 introduced a set of new privacy controls.

The browser now gives users three options to fine-tune how it handles cookies: standard, strict and custom.

• Standard blocks known third-party trackers by default in both Private and normal browsing modes.
• Strict blocks tracking across all windows (it’s not recommended, as it could break some websites).
• Custom lets users fine-tune the behavior, including blocking fingerprinting.

The default privacy setting after a fresh install of Firefox is Standard, meaning known third-party trackers will be blocked. Because changing these settings requires additional steps, it is unlikely that many users switch it to Strict or Custom.

To access the setting, users simply need to click the “i” icon in the browser’s address bar. This will also let them see just what trackers are there on a particular website by clicking the arrow > to the right of Trackers and Cookies.

From here, clicking the “gear” icon next to Content Blocking takes users to advanced blocking settings:

First-party cookies

First Party Isolation was a little-known feature released in Firefox Version 55 that prevented cross-origin (cross-domain) tracking. When enabled, first-party cookies are isolated from website to website, which stops their use in a third-party context.

First Party Isolation is not enabled by default, and first-party cookies are not blocked by default either. This is because the feature is known to break websites and has been found to interfere with authentication systems, which could compromise the browsing experience of the user.

Firefox users can enable the feature (at their own risk) by typing about:config in the address bar, to access the browser’s advanced settings, and changing the privacy.firstparty.isolate setting (it is false by default):

Third-party cookies

As of June 2019, Firefox also blocks third-party cookies – specifically third-party trackers – by default. This features is known as Enhanced Tracking Protection.

Prior to June 2019, Firefox only blocked known trackers in private windows as part of the Standard setting.

Users can adjust this setting by going to the drop-down menu in the browser (again, by clicking the “i” icon in a website’s address bar).

The setting can be changed to block cookies from all unvisited websites, all third-party cookies or all cookies (including first-party cookies). The last two settings may cause websites to break or work incorrectly.

The impact on AdTech

The default setting (Standard) blocks third-party cookies in Firefox and stops most types of tracking for advertising purposes, but only fine-tuning the settings allows users to block both first- and third-party cookies, as well as fingerprinting – and not every user will take the extra step.

Also, when the First-Party Isolation feature is enabled on top of that (and it is not enabled by default), tracking on websites ends at the domain level. Then, from a marketing point of view, advertisers cannot use cookies anymore to create fuller user profiles by dropping and reading cookies across the internet.

Internet Explorer

Microsoft’s legacy browser, Internet Explorer, isn’t getting much love from users these days; IE has a minute user base of just 2.47%. Even the Redmond giant itself urges users to stop using it and switch to its newer, faster browser, Edge.

First-party cookies

Internet Explorer’s default setting does not restrict first-party cookies. The browser only blocks first-party cookies if they don’t meet certain conditions – e.g. if no privacy policy is defined for a given website (expressed through the now-obsolete P3P protocol).

Third-party cookies

The default setting in Internet Explorer blocks some third-party cookies thanks to tracking protection, a baked-in feature that uses tracking-protection lists.

The sites found on the list are restricted from dropping cookies (trackers) in the browser. On the other hand, because IE is closed-source software, no one knows what kind of surveillance Microsoft uses for itself.

The impact on AdTech

Internet Explorer does not offer any of the modern cookie-blocking features that other browsers offer and certainly is not a browser that would restrict first- or third-party cookies in a significant way. The impact on AdTech is rather minimal.

Edge (Chromium)

Microsoft Edge is the younger, faster sibling of Internet Explorer. Its most recent version, hailed Edge Chromium (now in beta), is strongly focused on improving user privacy, as it offers features to block trackers.

You can download the Edge Chromium build here.

Edge Chromium, Chrome, Opera and dozens of other browsers are based on the open-source Chromium project, which explains why they look so similar.

Microsoft has recently teased an updated and redesigned “Privacy and security” page in the Edge Chromium settings. From there, you can choose between three different levels of privacy (much like Firefox): unrestricted, balanced and strict. Tinkering around the settings will alter how Edge Chromium handles cookies.

First-party cookies

Edge, like many other popular browsers, accepts all first-party cookies by default.

Third-party cookies

Edge does not block third-party cookies by default. Also, for some reason, it lacks Internet Explorer’s best feature – tracking protection.

IE’s tracking protection used lists to restrict sites known to ignore DNT requests or invade privacy in other ways, blocking their requests for data.

While Edge does send “do not track” requests if you ask it to, they are not always honored around the web. This means that sites may still share your browsing information for tracking purposes.

Surprisingly, there is no tracking protection in Edge’s private-browsing mode either.

Also, a group of Belgian researchers found that Edge’s "block only third-party cookies" feature is rather spotty – as is the case in many other browsers.

Opera

Opera is a browser developed by Chinese-owned company Opera AG. It utilizes the same rendering engine as Chrome and Edge – Chromium. This makes the interface a little similar to the others, but Opera has a slew of functionalities that make it unique in its own way.

Many of these features, like VPN and built-in cookie blocking, help users fine-tune the browser to their specific, more sophisticated privacy requirements.

First-party cookies

Opera, like many other browsers, accepts all first-party cookies by default. These settings can be changed, but may break websites and is not recommended.

Third-party cookies

By default, Opera does not block third-party cookies in any way.

However, you can enable cookie blocking from the browser’s advanced settings under the section “Privacy and security” > “Content settings” > “Cookies” > “Block third-party cookies”.

For those concerned about tracking and third-party cookies, Opera recently introduced a free, baked-in VPN. To activate it, go to Menu > Settings > Privacy > VPN. This will enable an icon on the address bar showing whether VPN is on; clicking it toggles Opera’s VPN on and off.

Opera’s VPN replaces your IP with a virtual one, making it difficult for websites to track your location and identify your computer. It also blocks many tracking cookies.

Opera also provides a private-browsing mode for such cases, ensuring that all cookies are purged at the end of each browsing session.

Which Browser Is the Ultimate Cookie Buster?

For users wanting to stop AdTech vendors and data companies from identifying and tracking them around the internet, they have a few options available to them. Most of the popular browsers offer some sort of privacy protection.

This would mean settling for Firefox, a browser that includes baked-in ad-blockers or anti-tracking functionalities and keeps users relatively safe online. Safari would do the job just as well, but is limited to Apple devices. Tor Browser, while not on our list, also provides strong privacy protection, but ultimately results in a broken user experience and therefore isn’t the browser of choice for the average internet user.

A 2018 study (you can read the whole paper here) found that all popular browsers available on the market today fail at blocking cookies for certain redirects, regardless of their “block third-party cookies” or “tracking protection” settings.

This screenshot comes from the referenced study on third-party cookie policy in popular browsers. As seen above, popular browsers include cookies in all requests.

Legend:

Black circle: Request is sent by the site, the cookie is set.

Half circle: Request is sent, but no cookie is set.

White circle: Request is blocked, and thus no cookie is set.

If you want to be up-to-date about browser vulnerabilities and inefficiencies connected with blocking third-party cookies, head over to wholeftopenthecookiejar.com and read their study in its entirety – not for the faint of heart.

Conclusion

Blocking third-party cookies in browsers can be marketed under the banner of privacy, but at the end of the day, it only reinforces the dominance of the so-called walled gardens – big AdTech companies with strong first-party relationships.

On top of it all, we are also dealing with the “privacy paradox” – a discrepancy between expressed privacy concerns and actual online behavior. There has been much talk about data privacy in the media since the GDPR kicked in, but online users rarely go the extra mile to fine-tune their browser’s settings and actually protect their data.

Instead, they browse the internet with the default settings, which is much like walking naked in public.