Skip to main content
CodeRocket
Privacymediumtracking

Avoid third-party cookies

rule · third-party-cookies

A cookie is "third-party" when it is set by a domain different from the page the user is currently viewing. A social media share button, an ad pixel, or an analytics script loaded from an external domain can all set third-party cookies.

Code Example

Text
1. User visits news.example.com — page loads tracker.ad.com/pixel.gif
2. tracker.ad.com sets cookie: user_id=xyz789 for domain tracker.ad.com
3. User visits shop.example.com — page also loads tracker.ad.com/pixel.gif
4. Browser sends the same cookie to tracker.ad.com
5. tracker.ad.com links both visits to the same user profile

This works across any site that includes tracker.ad.com — building behavioral profiles without users knowing.

Why It Matters

Third-party cookies enable advertising networks to build detailed behavioral profiles of users across every site they visit — without users being aware. Regulatory penalties for non-compliance with GDPR reach up to 4% of global annual turnover.

Identifying Third-Party Cookies

Browser DevTools

  1. Open DevTools → Application tab → Cookies in sidebar
  2. Compare cookie domains against the current page origin
  3. Cookies from different domains are third-party

Network Tab Filter

Text
Filter: third-party

In Chrome DevTools Network tab, the "Third-party requests" checkbox shows all cross-origin resource requests.

curl Audit

Shell
# Check for Set-Cookie headers from a page's resources
curl -sI https://tracker.example.com/pixel.gif | grep -i set-cookie

Common Sources of Third-Party Cookies

TechnologyCookie PurposeConsent Required
Google Analytics (GA4 Universal)Cross-site trackingYes (non-essential)
Facebook PixelConversion trackingYes
Google AdsRemarketingYes
Hotjar / FullStorySession recordingYes
Intercom / Zendesk chatSupport widgetMay be essential
YouTube embedsTrackingYes — use youtube-nocookie.com instead

Browser Blocking Status

BrowserStatus
Safari (ITP)Third-party cookies blocked by default since 2017
FirefoxEnhanced Tracking Protection blocks most third-party cookies
ChromeTransitioning to Privacy Sandbox; phased removal ongoing
EdgeTracking Prevention blocks third-party trackers

Alternatives to Third-Party Tracking

Privacy-Preserving Analytics

Replace Google Analytics with a first-party solution:

HTML
<!-- Plausible Analytics — no cookies, no cross-site tracking -->
<script defer data-domain="example.com" src="https://plausible.io/js/script.js"></script>
 
<!-- Fathom Analytics — GDPR compliant, no cookies -->
<script src="https://cdn.usefathom.com/script.js" data-site="ABCDEFGH" defer></script>

YouTube Embeds Without Tracking Cookies

HTML
❌ Sets third-party tracking cookies
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
 
✅ Privacy-enhanced mode — no tracking cookies until play
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>

For your own cookies, prevent them from being sent in cross-site contexts:

HTTP
Set-Cookie: session=abc123; SameSite=Lax; Secure; HttpOnly
# or stricter:
Set-Cookie: session=abc123; SameSite=Strict; Secure; HttpOnly
SameSite ValueSent on cross-site requests
StrictNever
LaxOnly top-level navigations (GET)
NoneAlways (requires Secure) — opt-in for third-party use

Under GDPR (EU) and similar regulations, non-essential cookies require prior, informed, freely given consent:

  • Consent must be obtained before the cookie is set
  • Users must be able to withdraw consent as easily as they gave it
  • Pre-ticked boxes or consent buried in T&Cs are not valid
  • Refusing consent must not prevent access to core functionality

Standards

  • Use these references as the standard for the legal or product-facing privacy behavior that users actually experience.
  • Check the implementation against MDN: Third-party cookies before treating the rule as satisfied.
  • Check the implementation against web.dev: Preparing for the end of third-party cookies before treating the rule as satisfied.

Verification

Automated Checks

  • Test the affected flow in a production-like environment, not just local development.
  • Document any intentional exceptions explicitly.

Manual Checks

  • Inspect the final HTTP response or browser behavior to confirm the control is actually enforced.
  • Verify third-party integrations or embeds still work after the restriction is applied.