What is the difference between first-party and third-party cookies, and why does it matter for privacy?
First-party cookies are set by the site you're visiting (low risk); third-party cookies are set by other domains (e.g. ad networks) and enable cross-site tracking (high risk).
* First-party cookies stay on one domain; one embedded third-party cookie tracks across sites. *
![]()
* One third-party domain tracks a user across two sites. — Tizio, CC BY-SA 3.0, via Wikimedia Commons. *
| First-Party | Third-Party | |
|---|---|---|
| Set by | The visited website itself | A different domain (e.g. ad network) |
| Scope | Only that domain | Usable across many sites |
| Purpose | Login, carts, settings | Cross-site tracking & profiling |
| Privacy risk | Lower | High |
A first-party cookie from shop.example can only be read by shop.example. A third-party cookie (say from ads.tracker.net, loaded on thousands of sites) is readable wherever that tracker is embedded — so it stitches your activity across the whole web into one profile.
This distinction is the foundation of every modern anti-tracking measure: browsers and laws target third-party cookies specifically, while leaving first-party functionality intact.
Go deeper:
Third-party cookies (Wikipedia) — the cross-site tracking mechanism, blocking and proposed replacements.