Third-party cookies

A third-party cookie thus can belong to a domain different from the one shown in the address bar, yet can still potentially be correlated to the content of the main web page, allowing the tracking of user visits across multiple websites.

This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements.

As of 2024[update], all major web browser vendors had plans to phase out third-party cookies.

However, a newer standard, RFC 6265,[7] released in April 2011 explicitly allowed user agents to implement whichever third-party cookie policy they wish, and until the late 1990s allowing third party cookies was the default policy implemented by most major browser vendors.

[8] This led to the creation of "cookie consent" dialogs, which rapidly became a standard feature across advertising-funded (and many other) websites, and notable for their use of dark patterns to attempt to force users to allow tracking by making it hard for them to refuse to grant consent.

Other approaches include the use of browser fingerprinting to track users across sites, which is generally viewed as being as bad a threat to privacy as third-party cookies.

As this would easily allow the website operator to serve false information to the tracking service, this is unlikely to be widely adopted.

In this fictional example, an advertising company has placed banners in two websites. By hosting the banner images on its servers and using third-party cookies, the advertising company is able to track the browsing of users across these two sites.