Your Guide to the Third-Party Cookie

Everything to know about what it is, why it’s going away, and what’s next

October 13, 2021 | by: Minda Smiley, Phoebe Bain, Ryan Barwick

An image that says "Click here" on a laptop surrounded by cookies covered with the "no" symbol

If you’ve spent any amount of time online, then this has probably happened to you.

One minute, you’re casually browsing for a new bathing suit. Or maybe a gift for a friend’s baby shower. Whatever it might be, it’s not long before you’re seeing that product appearing across the websites you’re visiting, following you around and begging you to click. Sometimes you do, sometimes you don’t.

That experience stems from the third-party cookie, a simple piece of technology that’s had an outsized impact on the advertising industry as we know it today. Now, after years of controversy surrounding the third-party cookie, its days are numbered.

So what is a cookie, exactly? “It’s really just a text file that is placed in your browser by a website,” explained Natasha Potashnik, SVP and partner at marketing agency Known. “It’s sort of like an identifier for you.”

Of course, that definition only scratches the surface. While its origins and the mechanisms that make it work might be simple, the cookie has helped fuel the 455.3 billion digital advertising industry through the 21st century, making it possible for marketers to send personalized—or invasive, depending on who you ask—ads to people based on their browsing behavior.

In this guide, after talking to more than a dozen industry experts, we explain why the third-party cookie became so popular, what led to its demise, the many alternatives trying to replace it, and what the industry might look like without it.

What is a cookie?

Computer screen with tons of ads for lipstick on it

Francis Scialabba

For starters, there are different types of cookies. A first-party cookie is dropped by the site a visitor is on, helping it remember things like that visitor’s password or what’s in their shopping cart. It was invented in 1994 by Lou Montulli, who, at the time, was working as an engineer at (now defunct web browser) Netscape.

“The idea with a first-party cookie is that you as a consumer have a relationship with a brand if you enter that brand domain,” explained Jamie Seltzer, global managing director of martech and data strategy at Havas Media Group. “I’ve chosen to go to Sephora to browse. Therefore, I’m saying inherently, ‘Sephora, you can have my information because I’m choosing to visit your site.’”

Third-party cookies, however, are owned by someone other than the site a person is visiting. Say you’re visiting CNN’s website, and you see an ad for a cereal brand. That ad could place a cookie for said cereal brand, which can then be used for tracking and targeting purposes by the advertiser in question.

According to Susan Parker, chief strategy officer at Nexstar Media Group, the “most notable” part of the third-party cookie is the fact that it can be created by an outsider, since this is what lets marketers track and identify people across the web—then target them with ads.

“They can look at that cookie and say, ‘Oh, I recognize that user. I know that they belong to this advertising target, or they’ve seen this ad before,’” Parker explained. In other words, instead of targeting segments and categories of people—like those who read The New York Times, for instance—third-party cookies make it possible for marketers to reach individuals.

And yes, there is such a thing as a second-party cookie. According to the MMA, a marketing trade association, second-party cookies “are transferred from one company to another company via some sort of data partnership” that’s beneficial for both. A clothing chain might share its data with a jewelry brand that has a similar customer base, for example.

Essentially, third-party cookies take the guesswork out of advertising. A resort plugging an all-inclusive trip to Cancun doesn’t have to hope its ads will reach people in the market for a vacation to Mexico. It knows which people are likely already interested, thanks to third-party-cookie data. Because they’re tailored to the individual, these ads are—at least in theory—more relevant to the people who see them.

“We may want to target very precisely, but we want to fish in the biggest ponds possible, and cookies created this big pond of data,” said Eric Schmitt, senior director analyst at Gartner. Schmitt added that cookies have provided a “cheaper” way of advertising, not in the sense that marketers pay less per impression, but because they don’t “waste money sending it to a bunch of people who wouldn’t have been interested anyway.”

Digital advertising and the cookie, it seemed, would finally answer John Wanamaker’s (in)famous quote: “Half the money I spend on advertising is wasted; the trouble is, I don’t know which half.”

Over the years, marketers quickly became reliant on “the cookie crutch,” David Olesnevich, head of product at IBM Watson Advertising, said. “It was easy. I don’t have to think, I don’t have to go outside my comfort zone to reinvent the way I work. I can lean on this technology.”

Publishers have reaped the benefits of the third-party cookie, too. For bloggers and publishers, programmatic advertising—enabled by third-party cookies—provided an easy way to bring in some extra cash for unsold ad inventory, explained Jason Kint, CEO of Digital Content Next, a trade group that represents publishers. Plus, publishers could avoid having direct relationships with advertisers, he explained.

“You could avoid having, in many cases, your own sales team. You could avoid a lot of operational costs,” Kint said.

Parker said smaller publishers have especially benefited from programmatic advertising since “they’re just not big enough to ever make it on any major buyer’s media plan.” She added that, “for better or for worse,” the cookie disintermediated publishers from ad transactions, explaining that marketers “no longer needed to talk to the publisher to be able to identify their audience and to target an ad to them.”


There’s no denying the third-party cookie has made marketers’ lives easier since its inception. But it’s also come with several drawbacks, some of which have spurred its demise.

Just because you can endlessly target people doesn’t mean they’ll actually buy what’s being sold. Research is mixed as to the effectiveness, and even the relevancy, of targeted ads in influencing users.

  • A 2016 study of targeted advertising came to the conclusion that “ads do not have a statistically significant impact on purchase probabilities of consumers.”
  • In 2019, researchers found that serving ads based on third-party audience data is “often economically unattractive” due to “the high extra costs of targeting solutions and the relative inaccuracy.”
  • Though based on a small sample size of 25, recent research discovered multiple instances of targeted advertising reaching the wrong audience (for instance, shoe ads intended for men were instead shown to women).

Another 2019 study found that third-party cookies aren’t particularly beneficial for publishers, either; per its analysis of “millions of advertising transactions” at one media company, a publisher’s revenue “increases by only about 4%” when a targeted ad is served, or a fraction of a cent per advertisement.

Plus, cookies are based on history—where someone has been. Sure, this can help marketers understand where someone might go next, but most people don’t need to be sold on a book they’re already planning to buy, or a hotel room for a vacation they’ve already booked.

All that aside, the biggest problem attached to cookies is that they come with major privacy concerns. “The cookie was never designed with privacy in mind,” Olesnevich said. “It can be used to capture all sorts of data on you.”

Data captured from third-party cookies can be combined with separate data sets about consumers, making it even easier for marketers to target the people they want to reach. Data brokers are in the business of compiling data and selling it to interested parties, like marketers, and the info they sell (which they often claim is aggregated and anonymous) can include everything from marriage records to credit card transactions. In 2018, the Interactive Advertising Bureau said American companies were expected to spend nearly $19.2 billion on acquiring and managing third-party audience data.

In the right hands, all of this data can be pretty powerful. “Data sets are getting bigger and bigger, cross-referenced, linked to each other, aggregated, combined, recombined, and the end result is that there are big pools of data that have been linked up by cookies that can provide a fairly broad amount of information about us,” Schmitt explained. “Not every provider is completely ethical.”

Why is the third-party cookie going away?

Image showing a bunch of "Accept Cookies" pop-ups on sites

There isn’t one particular event or moment that single-handedly kickstarted the third-party cookie’s slow and steady death. That being said, privacy has played a large role in its demise.

Matt Prohaska, principal and CEO at programmatic consulting firm Prohaska Consulting, recalls a time in 2012 when a bunch of his friends were angry about one specific sock ad that was showing up in the right rail of their Facebook feeds—even after they’d all bought the socks. “Buyers and their agencies didn’t understand how to use their new toys properly to respect the consumer,” he said.

But consumer annoyance culminated into something more serious after the Cambridge Analytica scandal surrounding the 2016 US presidential election. In case you were off the grid at the time, Cambridge Analytica was a political consulting firm that got its hands on the private data of tens of millions of Facebook users via a quiz app, then reportedly used that information to send targeted, pro–Trump ads online.

Group Nine Media Chief Insights Officer Ashish Patel thinks Cambridge Analytica broke the data privacy conversation out of digital media circles and into the mainstream.

“That kind of nefarious use of simple questions on a Facebook personality test opened up the aperture to a lot of consumers on how your information could be leveraged in negative ways,” Patel continued, noting that the scandal showed how the seemingly small, everyday choices made on the internet can be used in different ways—some to our benefit, and some to our detriment.


Two pieces of legislation have also contributed to the third-party cookie’s demise.

General Data Protection Regulation, or GDPR, is a sweeping privacy law adopted by the European Union before the 2016 election that went into effect two years later. It’s a multi-faceted law that the EU says “imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.”

The legislation includes several aspects that seek to minimize data collection from companies and make the process more transparent to users. Because cookies used to identify someone are considered a form of personal data, they’re subject to GDPR compliance, which partly explains why companies started posting “Accept Cookies” pop-ups on their websites a few years ago.

Similarly, the California Consumer Privacy Act, or CCPA, went into effect in 2020. Like GDPR, it’s a wide-ranging law that gives residents of the state the right to opt out of the sale of their personal information and, in some cases, the right to delete data collected from them. Other states, like Virginia, are passing similar laws.

Nathalie Maréchal, senior policy and partnerships manager at Ranking Digital Rights, an organization that advocates for privacy on the internet, said GDPR and CCPA “are really the results of a growing realization among the ordinary internet-using public, civil society organizations, and policymakers that the absence of meaningful privacy protections on the internet is bad for individual people and is bad for society.”

She added, “It’s worse, of course, for people who are already marginalized in society and have less power than others.”

Privacy-related legislation has come with its own set of issues, however. “One of the main issues, if not the main issue, with GDPR is that there’s not enough enforcement capacity,” Maréchal shared, explaining that companies in Europe and elsewhere have been able to violate the law “because there just aren’t enough cops on the beat.”

Plus, some argue that laws like GDPR have actually helped advertising behemoths like Facebook and Google. In 2019, a year after GDPR went into effect, the Wall Street Journal said the law pushed advertisers to “concentrate their digital ad budgets with fewer tech giants, whom they trust not to run afoul of the rules.”

Regardless, research suggests people have become increasingly uneasy about their online privacy and are making moves to protect it. A survey conducted in August 2021 by Harris Poll for Marketing Brew found that 73% of 1,901 US adults are “much more” or “somewhat more concerned” about online data privacy today compared to five years ago.

Additionally, 60% of respondents said they don’t think personalized advertising is ethical, while nearly three-quarters have taken steps to make it more difficult for advertisers to collect data about them.

Browser steps

On a more tangible level, browsers are responsible for the third-party cookie’s death.

In 2018, Firefox gave users “the option to block cookies and storage access from third-party trackers,” a move it said stemmed from its “mission of giving people control over their data and privacy.” The following year, Firefox blocked third-party cookies by default on its desktop browser and Android. Similarly, Apple’s Safari halted them by default last year.

But the real nail in the coffin for the third-party cookie arrived last year. In January 2020, Google said its Chrome web browser would stop supporting the cookie within two years, although the company recently extended the deadline to mid-to-late 2023.

Considering Chrome is the most popular browser—per figures from Statista, it held 68% of desktop browser market share as of September 2021—this announcement effectively killed off the cookie.

Sponsored by

Permutive logo

First-party data for the win. While third-party cookies may be going the way of the dodo, your reach doesn’t have to disappear with it. Permutive’s Audience Platform can help you leverage first-party data to connect directly with publishers in a privacy-safe way and reach your full audience. Book a demo today so you can prepare for the privacy-first world of tomorrow.

What’s replacing the third-party cookie?

an image of an ad for wedding bands next to an article about celebrity engagements

So, cookies are going away. Like prospectors mining for gold, solutions have flooded the zone, all competing to become the most heavily adopted replacement. And like the gold rush, the actual money to be made is in shovels and pick-axes, the tools used to find the gold, not the actual gold.

As of August, there were more than 100 different solutions, per research from MMA Global and Prohaska Consulting, stemming from media companies to ad-tech firms to Google itself. Most of them boast of helping marketers target people without leveraging the amount of data the cookie provided. Or at least get that data in a way that’s more transparent to users.

Some alternatives are gaining more traction than others.

So far, the options are “ethereal” and nothing is set in stone, Saqib Mausoof, an adviser at programmatic marketing consulting firm Unique, said.


Of course, Google wasn’t just going to stop making money from advertising. In 2019, Chrome rolled out Privacy Sandbox, an initiative to help advertisers reach the customers they want, while maintaining personal privacy for users.

One of Google’s proposed replacements for the third-party cookie is “Federated Learning of Cohorts,” or FLoC. Instead of targeting users on an individual level, Google will segment users by interest group—or “cohorts”—based on browsing history. So, if you’re a Mets fan who’s into jam bands, you’d be in one cohort. If you’re a baker who wants to travel to France, you’d be placed in a different one. And so on.

Google’s not crafting premade sections awaiting users. Instead, algorithms will create them. The company claims there are a few reasons why FLoC is a more privacy-centric way for advertisers to target people; for one, it says cohorts can be made up of “thousands” of people.

So, even though you might be placed in a cohort of, say, cheeseburger-loving amusement-park enthusiasts, an advertiser would theoretically have a hard time singling you out as one. Cohorts also change each week in response to a person’s browsing behavior.

It isn’t all rainbows and candy canes, though. The Electronic Frontier Foundation, a nonprofit that advocates for user privacy, called FLoC a “terrible idea” in a post earlier this year, arguing that companies like Google should stop trying to “reinvent” ad targeting and instead give it up altogether.

The organization also pointed out potential issues with FLoC, like the fact that it could make it easier for advertisers to conduct “fingerprinting,” a practice that involves combining different pieces of information about a user to create a distinguishable identifier. Put simply, a person’s FLoC cohort could end up being one of many pieces of data that helps paint a picture of who they are for advertisers.

Recently, even Google has admitted it might move away from cohorts and instead rely on “topics”—a much shorter list of interests, such as “beauty and fitness”—rather than cohorts. “Say, 256 topics as opposed to the roughly 30,000 cohorts,” said Google software engineer Josh Karlin at an Internet Engineering Task Force meeting in July.

In September, a Google spokesperson told Marketing Brew that nothing has been decided yet.

The Trade Desk

One of the biggest ad tech firms in the world, The Trade Desk, is spearheading an identity-based replacement called Unified ID 2.0.

How’s it work? UID 2.0—totally not a Star Wars droid—identifies users through their email address. When someone logs into a website with their email, an “anonymized version” of the email is created. According to The Trade Desk, it becomes “a string of numbers and letters” that can’t be traced back to the person’s email.

Obviously, The Trade Desk needs partners to pull this off, as the identifier doesn’t mean much if no one’s using it. So far, it’s got agencies like IPG and Omnicom Media Group on board. As far as publishers go, The Washington Post, BuzzFeed, Us Weekly, and Rolling Stone are a few that have thrown their hats in the ring. Others, like The New York Times, have said they’re staying away from UID 2.0 and similar identity-based alternatives.

“We don’t look favorably on solutions that in the end are still about a lot of data transfer about individuals’ online behavior in ways they don’t understand,” the Times’s then-SVP of products Allison Murphy told Digiday.

Of course, with these types of solutions, it’s up to publishers to ensure their audiences sign on if they want to see relevant ads, and therein lies the rub.

“You’re seeing pushback from certain publishers because all the burden is on them,” said Warren Lapa, CEO of Unique. “They own that incredibly important and valuable relationship with their customers, how that data is used, the permission and consent they get from their customers. They can’t jeopardize that relationship.”

Back to basics

FLoC and UID 2.0 might be the two most-talked-about cookie replacements. But, like we mentioned earlier, they’re far from the only alternatives.

Others include contextual advertising, which is basically how marketing worked before the internet. We’re kidding—kind of. Contextual advertising works by matching an ad with a publisher’s content.

For example, if you’re planning a long hike and you’re reading an article about trails in Tucson, you’ll see an ad for protein bars.

Some companies, like GumGum, use AI to scan content and deliver a relevant ad. On its own, this type of advertising doesn’t rely on first-party or third-party data, assuaging privacy concerns.

“Contextual has always worked. We just got really hooked on the audience bug for a bit,” said Krystal Olivieri, GroupM’s global chief innovation officer. “It’s logical. Contextual shouldn’t have gone anywhere. It did for a little while. So I just think it’s going to come back. I don’t think it’s going to be the only solution, but I do think it’s a nice complement.”

First come, first serve

First-party data is also playing a large role in the cookie-replacement game. While it takes different forms, first-party data is typically information that a company gets directly from someone, like their purchase history or address. There’s no middleman involved.

Publishers have swathes of first-party data from their audiences that they’re using to come up with their own solutions. For the most part, they know their audiences, have their emails and preferences, and can connect advertisers to them without needing as many intermediaries.

“I would be more concerned if I’m an advertiser and I don’t have a media property that reaches and engages people on a daily basis. But that’s the benefit that we have as publishers—that we have an audience that comes and visits us on our properties multiple times a month. And there’s a lot that we can do with that,” Patel said.

Vox Media, which owns sites like Eater, New York Magazine, and The Verge, came up with its own first-party data platform in 2019. Called Forte, Vox Media recently expanded Forte to Concert, its ad marketplace that includes publishers outside of its own walls. Local publishers like the Chicago Sun-Times are part of Concert, as well as national players such as Fortune.

“When Google first announced their plans, I think that everybody was uneasy. Personally, I’m really excited about it, because I think that we’ve made enough headway to be able to see the outline of the future,” Megan Walton, VP of revenue product at Vox, said. “We’ve had the chance to iterate on it. We’ve had the chance to get real data on it and really prepare ourselves.”

Going local

The Local Media Consortium is a group of news outlets with its own first-party data tool. Members, which include Gannett and the Atlanta Journal-Constitution, are testing NewsPassID, a “single sign-on” solution that spans publishers.

The hope is that NewsPassID will not only give smaller outlets more first-party to leverage, but also give advertisers an easier way to reach people across multiple publishers. Put another way, advertisers could more easily target sports fans around the country, not just ones reading the Tampa Bay Times.

Scott Cunningham is the owner of Cunningham.Tech Consulting and one of the individuals who helped devise NewsPassID. According to Cunningham, the technology helps eliminate what he refers to as the “tech tax,” or money that goes to ad-tech intermediaries rather than publishers.

“The first-party data that we’re collecting is not just released out to the supply chain, but we’re able to bundle and aggregate it, and then work our way up to the marketer,” he shared. “What we’re doing is we’re reconstructing this supply path throughout first-party data, and we’re bringing it right back up to them. And that actually squeezes out some of the ‘tech tax’ in the middle.”

Jay Stocki, data practice lead at Prohaska Consulting, expects to see other publishers band together to make the most out of their first-party data. “I would wager that we’re going to see multiple sorts of conglomerates put together of small- to medium-sized publishers who do some sort of co-op of their data. Now, what that looks like inside the new privacy rules, we can only speculate,” he said.

What’s next?

A cookie with a "no" symbol on it sitting in a crystal ball

Francis Scialabba

By the end of next year, third-party cookies—if all goes to plan and Google keeps its word—will leave Chrome. Until then, advertisers are scrambling to different versions of the aforementioned solutions, seeing what works and what doesn’t.

For the time being, Justin Scarborough, senior director of programmatic media at digital agency PMG, said marketers need to get comfortable with testing and sometimes failing, especially since many of these solutions aren’t yet “fully baked” or are still in beta.

“If I were a brand, I would keep going back to the notion of testing and diversification. When the future is unknown—or the future is being written as we speak—then you have to have a test plan and it has to be diverse. You can’t expect or hope that one single solution is going to be the end all be all.”

As the testing continues, marketers, agencies, publishers, and everyone in between are preparing for a mostly cookieless future—and imagining what it might look like.

Creativity’s comeback?

Some in the industry believe the erasure of third-party cookies will be a good thing for the copywriters and art directors of the world. Why? Without cookies, it will only become harder for marketers to know that someone looked at red lipstick, then serve that person an ad featuring a picture of red lipstick and hope for the best.

In other words, creatives will literally need to get creative if they want to capture attention.

“A lot of the ads are going to have to look a lot more like traditional non-digital ads did, where creative was much more of the driving force. You had to have great creative and strong branding to get attention,” Parker said, noting that marketers will likely end up doing more creative testing. “It’s easier to create an ad that somebody is going to be interested in if the content is something you already know they want. You’ve got to pique their interest otherwise.”

Olivieri agreed. “I think what this creates is a really awesome opportunity for more data-informed creative,” she said. “It’s the art of advertising and the art of media coming back.” It’s not just about serving an ad to the right person at the right time, but making sure the content within that ad is compelling enough to catch someone’s eye.

Ready or not

On the whole, marketers are ready to leave the cookie behind.

“Most of the brands that I, at least, speak to are not in a panic-induced state,” Olivieri said. “They’re eager and optimistic about what a future state could look like, whether it’s through different approaches or different types of solutions.”

That being said, they’re also ready to collect first-party data in ways they’ve never had to before. The more info they can get their hands on about their customers, the less they have to rely on outside data, solutions, and fixes.

“You’re going to see a lot of companies making offers to you to try to create a relationship in some way,” said Debbie Reynolds, founder, CEO, and chief data privacy officer of her own consulting practice.

It’s partly why brands like Cheez-It, Dunkin’ Donuts, and Panera are suddenly selling swag. And why brands ranging from McDonald’s to Taco Bell are investing in loyalty programs.

As far as publishers go, some are happy to see the cookie go. According to Patel, it’s helped open up “a new line of business that might not have been as prominent in the past.” He elaborated by saying that its death has spurred marketers to run different types of ads across Group Nine Media’s properties, which include The Dodo, Popsugar, and Thrillist.

“Historically in digital, all we were selling was media—just impressions, standard banners, clicks, and pre-rolls,” he said, adding that this was the case up until recently. Now, “sponsored content and sponsored editorial as well as custom content” is becoming more and more common.

Respecting privacy

At the end of the day, the loss of third-party cookies is supposed to make for a more privacy-oriented web. But privacy experts say it’s only one step of many needed; Maréchal said the shift to a “first-party paradigm” is an “improvement from a privacy perspective,” but not enough.

“When you have a company like Google that has insights into so many different aspects of a person’s life—both online and offline, increasingly—I don’t think you can argue that they’re really respecting your privacy when they’re able to combine your data from your Gmail inbox to your YouTube views to your physical movements as tracked in Google Maps, and so on and so forth.”

Reynolds thinks it’s “kind of crazy” that the industry has fixated on cookies to the extent that it has, as there are other ways that companies can get and share info about people online.

“I would say cookies are a mode of transportation—that’s probably the best way to put it—because that third-party data-sharing can happen in other ways,” she said, pointing to web beacons as an example.

While there might be a long way to go, the third-party cookie’s demise has forced the industry as a whole to not only reckon with the role it plays when it comes to online privacy, but also actively chart a path forward.

“Certainly, any time you change the way somebody has been doing something for a long time, it’s not the most exciting thing,” Travis Montaque, CEO of messaging technology company Holler, said. “There’s brands that are at all different stages of this process. But at the end of the day, people are still going to be selling stuff. And they’re going to figure out how to do it in a way that’s more respectful to consumers than the way they used to do it.”

Sponsored by

Permutive logo

First-party data for the win. While third-party cookies may be going the way of the dodo, your reach doesn’t have to disappear with it. Permutive’s Audience Platform can help you leverage first-party data to connect directly with publishers in a privacy-safe way and reach your full audience. Book a demo today so you can prepare for the privacy-first world of tomorrow.

Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.