What are First-Party and Third-Party cookies and how do they affect your website’s GDPR/CCPA compliance?

 

First, what’s a cookie?

A cookie is a small piece of code that your website places on a user’s device when that visitor views your site.

 

Why are cookies important?

Cookies allow the site to recognize users and their specific browser once they return to the same site. Cookies keep track of user movements within the site, remember their registered login and preferences, and customize their experience on the site. Most importantly, cookies are the technology that allows advertisers to tailor their marketing messages to potential customers. In fact, a 2020 study by Cornell University found that 99% of cookies are used to track users or to provide targeted advertising.

 

What’s the difference between 1st party cookies and 3rd party cookies?

A 1st party cookie refers to a cookie created by the website that a user is visiting. For example, if I have visited Amazon and it wants to create a cookie which will store my preferences while visiting that site, that will be a 1st party cookie.

 

Alternatively, a 3rd party cookie is a cookie that’s created (usually by an advertising network) to store information for a domain which is not the principal domain name (the website in the address bar) that you’re currently visiting. These sites own some of the content, like ads or images, that you see on the webpage you visit.

 

Can you give me an example for each?

Let’s say a user is on a website, a.com. It’s an eCommerce business. The user puts something in their shopping cart. When the user comes back later, the site remembers them, and keeps their same items in the shopping cart. That’s the result of a 1st party cookie doing its job. The cookie was set by the same domain the user is on (a.com).

 

On the other hand, let’s say a user is on a.com, and the page they’re on contains an iframe from a different website (b.com). Cookies set by b.com and accessed from an a.com page are 3rd party cookies. Accessing them from a.com is a cross-site request; this allows the site to track the user across multiple websites and serve them ads wherever they go online.

 

What’s new with cookies?

Glad you asked! In early 2020, Google announced a new version of Chrome that would stop sending 3rd party cookies in cross-site requests unless they’re secured and flagged using an IETF standard called SameSite. Apple, at their developer conference in June 2019, announced a new version of Intelligent Prevention Tracking: the system that limits ad functionality on its native browser, Safari. The new version cracks down on 1st party cookies.

 

Does that mean 3rd party cookies are going away?

Not necessarily. With this update, those cross-site requests sent by 3rd party cookies need a special type of security stamp called SameSite. Essentially, with this Chrome update, developers need to label third-party cookies in a certain explicit way. If they don’t, the cookies may not work in Chrome. In short, this makes it harder for the “bad guys” to use cookies for nefarious purposes (e.g. stealing data and hacking websites).
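The labelling requirement described above can be checked from the Set-Cookie response headers a site sends. The following is an added example, not code from this article or from Chrome: it audits headers against two rules (a cookie with no SameSite attribute is treated as Lax, and SameSite=None is only accepted together with Secure). The function names and the sample headers are constructed for illustration.

```javascript
// Added example: will a cookie be sent on an embedded cross-site request
// (iframe, image, script), i.e. used as a 3rd party cookie?

// Parse one Set-Cookie header value, keeping only the attributes needed here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    secure: false,
    sameSite: null, // null means the attribute is absent or unrecognised
  };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Apply the two rules: missing SameSite defaults to Lax; None needs Secure.
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none") {
    return c.secure
      ? { name: c.name, sentCrossSite: true, reason: "SameSite=None with Secure" }
      : { name: c.name, sentCrossSite: false, reason: "SameSite=None without Secure is rejected" };
  }
  if (c.sameSite === "strict" || c.sameSite === "lax") {
    return { name: c.name, sentCrossSite: false, reason: "restricted to same-site by SameSite=" + c.sameSite };
  }
  return { name: c.name, sentCrossSite: false, reason: "no valid SameSite attribute, treated as Lax" };
}

// Constructed sample headers (not captured from any real site).
const constructedHeaders = [
  "ad_id=abc123; Path=/; SameSite=None; Secure",
  "ad_id=abc123; Path=/; SameSite=None",
  "widget_pref=dark; Path=/",
  "session=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
];

function auditHeaders(headers) {
  return headers.map(crossSiteVerdict);
}

console.table(auditHeaders(constructedHeaders));
```

Only the first sample header keeps working inside a cross-site iframe; the unlabelled cookie still works as a 1st party cookie on its own site.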

 

How does this affect my website’s marketing?

These announcements are the next step in the constantly evolving data privacy landscape. From one perspective, as cookies become more limited, websites become less able to deliver personalized experiences to their visitors and customers. On the flip side, limiting cookies increases the safety of the internet and protects individuals’ privacy.

 

How does this affect my GDPR and CCPA compliance?

Google and Apple think your customers value privacy, so they’re making moves to protect it. Without a consent management technology on your website, your chances of protecting end-user privacy are very small, practically zero. To comply with the regulations governing cookies under the GDPR and CCPA you must:

  • Receive users’ consent before you use any cookies except strictly necessary cookies.
  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
  • Document and store consent received from users.
  • Allow users to access your service even if they refuse to allow the use of certain cookies.
  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Failure to properly account for the cookies your website collects can result in huge financial penalties!

How to find out what cookies are set by your website

If you want to learn how to check what cookies are running on any website, follow this thorough guide: www.clym.io/end-user-guide/how-to-find-out-what-cookies-are-set-by-your-website

How can Clym help?

The easiest way to get compliant today with the requirements of GDPR and CCPA is a compliance platform like Clym, which takes care of cookie consent management, data subject requests, document management and more! Visit our Pricing page to see how affordable GDPR and CCPA compliance can be!