If you're a marketer or website owner, there's a good chance you use cookies on your website. Cookies are often required for websites to work properly and they can enhance the user experience.

However, not all cookies are created equal. Internet cookies can be grouped into two main categories: First and third-party cookies. There are different rules around how you might use each type of cookie. Furthermore, certain types of cookies trigger global privacy laws, and consent may be required before you can use them.

Cookie rules can be complex. To help you understand how to use cookies effectively, here's an overview of how cookies work, the differences between first and third-party cookies, and how you might obtain consent when required.



What are Cookies?

Cookies are small text files that are generated by web servers and contain various pieces of data. They're downloaded onto a user's computer, and when the user revisits that website, the server "reads" the cookie data and recognizes the user. This means the server can generate the specific content required to meet that user's preferences.

Some cookies are essential, while others are non-essential.

  • Essential cookies: Required for a website to work as intended. Examples include cookies that connect web servers, cookies that track too many "incorrect" password attempts, and cookies that remember login credentials so users can access their accounts.
  • Non-essential cookies: Useful, but not required for website functionality. Examples include advertising cookies and cookies that track a user's behavior across websites.

Now that we understand the basics, let's consider the two major classes of web cookies: First and third-party cookies. There are major differences in not only how these cookies are generated, but in what purposes they serve and whether you need consent to use them.

What are First-Party Cookies?

Whenever a user visits a website, the domain creates cookies, known as first-party cookies. These cookies are only accessible to the website publisher. They can't be used to track users across websites, and they're generally accepted as being essential for a website to work properly. This doesn't mean that all first-party cookies are actually essential, though, as we'll consider below.

Why Use First-Party Cookies?

There are various reasons why a website owner might use first-party cookies:

  • First-party cookies can improve the individual user experience by remembering preferences, such as internal bookmarks, font preferences, and language settings.
  • By using first-party cookies, website owners can better understand users' browsing habits across their website. They can use this data to improve the overall experience for every user.
  • Without certain types of first-party cookies, websites simply wouldn't work properly, or they would be very cumbersome to use.

Examples of First-Party Cookies

Common types of first-party cookies include those used for:

  • Storing and remembering login details
  • Retaining items in a user's wishlist or shopping cart
  • Remembering individual user preferences

Website owners should disclose if they use first-party cookies, although most users do expect to accept such cookies if they want a website to function as intended.

Here's an example of how this can be disclosed in a way that lets users know that without accepting such cookies, the website can't function. You'll note there's no option to turn these cookies off for this reason:

Cookie Notice with Necessary section highlighted

Are All First-Party Cookies Essential?

It's a common misconception that all first-party cookies are essential. While many are required for website functionality, others are desirable but not technically required for a website to function. Preference cookies, for example, are useful, but a website will work without them.

You should distinguish between truly essential first-party cookies and those which are less important.

Here's an example of how to clearly delineate between strictly necessary first-party cookies and those which are helpful but not technically essential:

Screenshot of Manage Cookie Consent Preferences

Unless a cookie is truly necessary for a website to function properly, it's not essential. It may however still be considered a first-party cookie, because it's generated by that particular website, has no cross-tracking functionality, and is designed to improve the user experience.

This is where it's important to distinguish between truly necessary first-party cookies and those which are highly useful but not technically essential.

Typically, there's no need to obtain consent to use cookies which are entirely necessary for a website to function properly. You have what could be considered a legitimate business reason for using them. This is because the user's refusal would mean you couldn't actually provide them with the web service.

The issue is more nuanced when we consider not strictly essential first-party cookies. This is because first-party cookies are capable of collecting personal data, and sometimes, you are required to get consent to collect such information.

Personal data is any information which may be used to identify an individual person. Obvious examples of personal data include names and login details, but less obvious examples, such as IP addresses, are also personal data.

The significance is that, the moment a website owner collects or processes any amount of personal data, they must comply with various global privacy laws. These laws often require you to:

  • Disclose your use of cookies using a Cookies Policy or Privacy Policy
  • Obtain consent to non-essential cookies (unless you can rely on another reason for collecting the data e.g. legitimate business interests)
  • Inform users of their right to reject non-essential cookies and how to amend their preferences

What are Third-Party Cookies?

Third-party cookies are placed on a user's device by advertisers, marketers, or other businesses. This means that anyone can create third-party cookies, not just the website or domain owner.

Consumers most commonly associate third-party cookies with advertising. This is because third-party cookies are often used for ad-retargeting, or cross-site tracking. Ad-retargeting allows marketers to track, or follow, users across websites. They do this to track behavior and generate ads for products they think the consumer will purchase.

However, third-party cookies have other legitimate (and helpful) business uses. The most notable are:

  • Social media sharing: Social media plugins use third-party cookies to enable users to quickly share content online. For example, someone might read a helpful blog post, or watch a fun YouTube video, and share it with their network. Third-party cookies enable this.
  • Live chat and chatbots: The chatbot uses cookies to record a conversation between the user and, say, a virtual assistant. These cookies are temporary, though, and should disappear at the end of a session.

Third-party cookies are always non-essential. And, in some cases, they can even be harmful. For example, identity thieves can use third-party cookie technology to harvest personal data.

Do you need consent to use third-party cookies? The answer is often yes. Remember, third-party cookies are non-essential, so consent may be required. Here's a summary of what some of the major global privacy laws say about third-party cookies:

  • GDPR: If you collect personal data, or track user behavior, you should get consent unless a valid exception applies e.g. legitimate business interests.
  • CCPA: You don't normally need consent for third-party cookies. However, if you sell data to third parties, this must be disclosed and the user must have the chance to opt out.
  • COPPA: This U.S. federal law prohibits the use of identifying cookies unless there's express parental consent. In practice, this is hard to achieve, so you should not use cookies on websites aimed at minors.

As laws around non-essential cookies continue to evolve, it's best to err on the safe side and get express consent to third-party cookies.

To obtain express and meaningful consent, you must use tools such as clickable checkboxes, sliders, or banners (implied consent is not usually enough). A cookie consent notice is the standard way of doing this.

Here's an example:

TermsFeed Ghost - Live site with the Cookie Consent Notice Banner displayed

And another:

Cookie consent notice example with Cookie Policy highlighted

Note the Cookie Policy link highlighted in the second example. You should also create a Privacy Policy (or Cookies Policy) outlining your personal data practices and the types of cookies you use so that users are informed. You can include your cookie practices in your Privacy Policy. You don't need a separate Cookies Policy, although some businesses opt to do this. Whatever way you go, you can then link your Policy to your consent notice.

In your Policy, let users know what cookies are, how they are used, and how they can opt out. You don't have to list specific cookies you use, but rather can use cookie categories.

Here's an example of part of a Policy addressing cookies, what they are, how they are used, and what categories are used:

Generic what are cookies clause

And here's an example of informing users how they can disable or delete cookies even after being placed on their device:

Generic disable delete cookies clause

To obtain express consent, use interactive cookie banners or tools as mentioned above.

Your cookie banner should load the moment a user lands on your website. This ensures that no personal data is collected before they can consent to or reject cookies.

You can display the banner in the center, footer, or side of the screen, so long as it's obvious and clickable. Users should not be able to proceed further until they accept or deny cookies.
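One way to enforce this ordering in code, as an added example that is not part of the original article: a small gate that writes strictly necessary cookies immediately and holds every other category until the banner records an explicit choice. The category names, `createConsentGate`, and the fake cookie jar are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical, not from any consent library.
const CATEGORIES = ["necessary", "preferences", "advertising"];

// Constructed stand-in for `document`: records every cookie string written.
function makeFakeJar() {
  const written = [];
  return {
    written,
    set cookie(value) { written.push(value); },
  };
}

function createConsentGate(jar) {
  // Only strictly necessary cookies are allowed before the user chooses.
  const consent = { necessary: true, preferences: false, advertising: false };
  let pending = [];

  const serialize = (c) =>
    `${c.name}=${encodeURIComponent(c.value)}; Path=/; Secure; SameSite=Lax`;

  function setCookie(c) {
    if (!CATEGORIES.includes(c.category)) {
      throw new Error(`unknown cookie category: ${c.category}`);
    }
    if (consent[c.category]) {
      jar.cookie = serialize(c);
      return "written";
    }
    pending.push(c); // held until the banner records a choice
    return "held";
  }

  // Called by the banner with the user's explicit choice, e.g. { preferences: true }.
  function recordChoice(choice) {
    for (const cat of CATEGORIES) {
      // Anything other than an explicit `true` counts as a refusal.
      if (cat !== "necessary") consent[cat] = choice[cat] === true;
    }
    const released = pending.filter((c) => consent[c.category]);
    pending = []; // refused cookies are dropped, not kept for later
    released.forEach((c) => { jar.cookie = serialize(c); });
    return released.map((c) => c.name);
  }

  return { setCookie, recordChoice };
}
```

In a browser, pass `document` as the jar; the gate only helps if every script that sets a non-essential cookie goes through `setCookie` instead of writing to `document.cookie` directly.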

Do "Second-Party Cookies" Exist?

Yes, second-party cookies technically exist. However, they have a very specific purpose.

Second-party cookies are actually created from first-party data. They contain data collected by one company which is then transferred to another company. Typically, we see second-party cookies in data sharing agreements.

  • The website owner collects first-party data. The data reveals information about individual consumers, their browsing habits, and their preferences.
  • The website owner then shares this data with a (trusted) partner.
  • The partner company uses the data to deliver targeted advertisements.

Second-party cookies aren't very common, but they do exist, and some companies still find them useful.

Do Browsers Automatically Reject Cookies?

Every browser is different, but they all have one thing in common: They're making it increasingly difficult for companies to use third-party cookies. Let's briefly consider how the most popular browsers treat cookies:

  • Apple Safari: Apple Safari blocks many third-party cookies by default. It relies on "Intelligent Tracking Prevention," which prevents cross-site tracking for marketing, but still allows third-party cookies for e.g. payment processing and shopping carts.
  • Google Chrome: Google is currently testing how to block third-party cookies by default for Chrome users. The idea is to phase out third-party cookies and to stop them from tracking users from one site to another. This is based on the so-called "Privacy Sandbox" model which is still in a testing phase at the time of this writing.
  • Microsoft Edge: Microsoft Edge does not block third-party cookies as standard. Users must disable cross-site tracking cookies manually. However, Microsoft does plan to restrict third-party cookies by default in the near future.
  • Mozilla Firefox: Firefox disables third-party cookies by default. Users must opt in to accept third-party cookies. Otherwise, the browser blocks all cross-site tracking.

Marketers and website owners should pay close attention to legal and tech developments as cookies are likely to be a popular topic of conversation for the foreseeable future.

Summary

Cookies are text files which are capable of collecting and transmitting data. They can be essential, meaning they're required for website functionality, or non-essential, meaning they're optional.

The two main categories are first and third-party cookies.

First-party cookies are created when someone visits a website. They can't track across websites and they're only visible to the domain owner. They're supported by all browsers and are usually but not always essential for website functionality.

Third-party cookies are created by different servers or domains from the one the user chooses to visit. They're usually for advertising purposes and can track users' browser behavior across websites. These are non-essential cookies and typically require consent before they can be used. Many browsers are taking steps to phase out or block third-party cookies entirely.

Business owners should summarize which cookies they use, why they use them, the type of data collected, and how users can opt out of non-essential cookies in either a Privacy Policy or Cookie Policy. When consent is required, they should obtain express and informed consent using a cookie banner displayed prominently before any personal data is collected.
