What Are Third-Party Cookies?
Third-party cookies are cookies set by a domain other than the website you are currently visiting. They get set by external services the page pulls in: ad networks, analytics tools, social plugins, embedded video players, and so on. Because the same external service can read its cookie on any site that loads it, the result is cross-site tracking of individual users.
How third-party cookies work
When you visit a website, your browser loads the site's own content plus a pile of resources from other domains: ad scripts, analytics tags, social buttons, chat widgets, embedded videos. Each of those external domains can set its own cookies in your browser.
For example, suppose you visit example.com and the page loads an advertising script from ads.network.com. That ad network can set a cookie under its own domain. Tracking pixels are a common way to do this; the pixel image request triggers a Set-Cookie header in the response (the full mechanism is covered in How Do Tracking Pixels Set Cookies?). When you later land on a different site that also loads ads.network.com, the network reads the same cookie back. Your visits to both sites are now linked.
First-party vs. third-party cookies
| First-party cookies | Third-party cookies | |
|---|---|---|
| Set by | The website you're visiting | An external domain (ad network, analytics, etc.) |
| Readable by | Only the issuing site | Any site loading that third party |
| Common use | Login sessions, preferences, cart state | Cross-site tracking, retargeting, analytics |
| Browser support | Universally supported | Increasingly blocked by default |
What third-party cookies are used for
- Ad networks use them to build a profile of where you browse and to serve you retargeted ads on other sites.
- Analytics products use them to attribute conversions back to ad clicks across different domains.
- Social plugins (Like buttons, share widgets, embedded posts) drop cookies that record which pages you visit.
- Some anti-fraud tools use cross-domain cookies to spot suspicious patterns.
Are third-party cookies going away?
Safari (via Intelligent Tracking Prevention) and Firefox (via Enhanced Tracking Protection) already block third-party cookies by default. Chrome has been promising to do the same in favour of its Privacy Sandbox APIs, but the deadline keeps slipping.
Browser policies aside, GDPR already requires informed consent before most third-party cookies can be set in the EU.
Why third-party cookies matter for your website
Most sites load far more third-party cookies than the people running them realise. Marketing tags, embedded content, and small page widgets can all bring in cookies the team never explicitly chose. Without an audit, you may be setting cookies that conflict with your own privacy policy or with regulations that apply to you.
Tagmaps scans your site from the outside, the way a real browser does. It catches each cookie, records which domain set it, traces back to the script that loaded it, and notes whether it was set before or after consent.