Third-party cookies are set on your computer from domains other than the one that you're actually on right now. For example, if I log into css-tricks.com, I'll get a cookie from css-tricks.com that handles my authentication. But css-tricks.com might also load an image from some other site. A common tactic in online advertising is to render a "tracking pixel" image (well named, right?) that is used to track advertising impressions. That request to another site for the image (say, ad.doubleclick.com) also can set a cookie.
Eric Lawrence explains the issue:
The tracking pixel’s cookie is called a third party cookie because it was set by a domain unrelated to the page itself.
If you later visit B.textslashplain.com, which also contains a tracking pixel from ad.doubleclick.net, the tracking pixel’s cookie set on your visit to A.example.com is sent to ad.doubleclick.net, and now that tracker knows that you’ve visited both sites. As you browse more and more sites that contain a tracking pixel from the same provider, that provider can build up a very complete profile of the sites you like to visit, and use that information to target ads to you, sell the data to a data aggregation company, etc.
But times are a changin'. Eric goes on to explain the browser landscape:
- Brave: Blocks by default
- Safari: "Intelligent Tracking Prevention" is more complicated, but it does block third-party cookies by default (February 21, 2019).
- Firefox: Blocks known-trackers by default (September 3, 2019)
- Edge: You can enable tracking prevention and pick a level. The "balanced" level in the middle still allows stuff like third party auth (June 27, 2019).
- Chrome: Blocking by default is coming (February 4th, 2020). Slightly different in that the cookies will set themselves as first-party only by default. Edge and Firefox plan to match the change.
The default stuff is the big deal, because all browsers offer some way to block third-party cookies. But of course, nobody actually does it. Jeremy:
It’s hard to believe that we ever allowed third-party cookies and scripts in the first place. Between them, they’re responsible for the worst ills of the World Wide Web.
2019 is the year we apparently reached the breaking point.