Privacy · Medium

Avoid third-party cookies

Third-party cookies set by external domains track users across sites without their knowledge. Modern browsers are phasing them out, and regulations like GDPR and CCPA require consent before setting them.

Quick take

Typical fix time: 20 min
  • Third-party cookies are set by a domain other than the one the user is visiting — typically by ad networks, analytics, or embedded widgets
  • Chrome is removing third-party cookie support and all major browsers now block or restrict them
  • Use the Network DevTools panel to identify `Set-Cookie` headers from third-party domains
  • GDPR (EU), CCPA (California), and PECR (UK) require informed consent before setting non-essential cookies
  • Alternatives: first-party data collection, privacy-preserving analytics (Plausible, Fathom), server-side tracking
Why it matters: Third-party cookies enable advertising networks to build detailed behavioral profiles of users across every site they visit — without users being aware. Regulatory penalties for non-compliance with GDPR reach up to 4% of global annual turnover.

Rule Details

A cookie is "third-party" when it is set by a domain different from the page the user is currently viewing. A social media share button, an ad pixel, or an analytics script loaded from an external domain can all set third-party cookies.

Code Example

1. User visits news.example.com — page loads tracker.ad.com/pixel.gif
2. tracker.ad.com sets cookie: user_id=xyz789 for domain tracker.ad.com
3. User visits shop.example.com — page also loads tracker.ad.com/pixel.gif
4. Browser sends the same cookie to tracker.ad.com
5. tracker.ad.com links both visits to the same user profile

This works across any site that includes tracker.ad.com — building behavioral profiles without users knowing.

Identifying Third-Party Cookies

Browser DevTools

  1. Open DevTools → Application tab → Cookies in sidebar
  2. Compare cookie domains against the current page origin
  3. Cookies from different domains are third-party

Network Tab Filter

Filter: third-party

In Chrome DevTools Network tab, the "Third-party requests" checkbox shows all cross-origin resource requests.

curl Audit

# Check whether a single resource URL sets cookies (HEAD request; a GET may return
# different headers, so repeat for each third-party resource the page loads)
curl -sI https://tracker.example.com/pixel.gif | grep -i set-cookie
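
The same classification the DevTools and curl checks do by hand, as an added example that is not part of the checklist: each captured Set-Cookie header is attributed to first- or third-party by comparing its effective domain with the visited page's site. The capture is constructed, and "site" is approximated as the last two hostname labels (a real audit should use the Public Suffix List).

```javascript
// Added example, not from the checklist: classify Set-Cookie headers captured
// from a page's resource requests as first- or third-party relative to the
// page being viewed. "Site" is approximated as the last two hostname labels;
// a real audit should use the Public Suffix List (co.uk etc.) instead.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header into its name and the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), domain: null, sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain") cookie.domain = v.replace(/^\./, "").toLowerCase();
    else if (key === "samesite") cookie.sameSite = v.toLowerCase();
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// responses: [{ url, setCookie }] as read from the DevTools Network panel.
function auditCookies(pageUrl, responses) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  return responses.map(({ url, setCookie }) => {
    const cookie = parseSetCookie(setCookie);
    // An explicit Domain attribute overrides the responding host.
    const host = cookie.domain || new URL(url).hostname;
    return {
      name: cookie.name,
      host,
      thirdParty: registrableDomain(host) !== pageSite,
      // Only SameSite=None; Secure cookies are usable in cross-site contexts.
      crossSiteCapable: cookie.sameSite === "none" && cookie.secure,
    };
  });
}

// Constructed capture for the news.example.com scenario described above.
const sampleResponses = [
  { url: "https://news.example.com/", setCookie: "session=abc123; SameSite=Lax; Secure; HttpOnly" },
  { url: "https://tracker.ad.com/pixel.gif", setCookie: "user_id=xyz789; Domain=.tracker.ad.com; SameSite=None; Secure" },
  { url: "https://cdn.example.com/app.js", setCookie: "cdn_pref=1; Domain=.example.com" },
];
function thirdPartyCookies(pageUrl, responses) {
  return auditCookies(pageUrl, responses).filter((f) => f.thirdParty);
}
```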

Common Sources of Third-Party Cookies

Technology                        | Cookie Purpose       | Consent Required
Google Analytics (GA4 Universal)  | Cross-site tracking  | Yes (non-essential)
Facebook Pixel                    | Conversion tracking  | Yes
Google Ads                        | Remarketing          | Yes
Hotjar / FullStory                | Session recording    | Yes
Intercom / Zendesk chat           | Support widget       | May be essential
YouTube embeds                    | Tracking             | Yes — use youtube-nocookie.com instead

Browser Blocking Status

Browser       | Status
Safari (ITP)  | Third-party cookies blocked by default since 2017
Firefox       | Enhanced Tracking Protection blocks most third-party cookies
Chrome        | Transitioning to Privacy Sandbox; phased removal ongoing
Edge          | Tracking Prevention blocks third-party trackers

Alternatives to Third-Party Tracking

Privacy-Preserving Analytics

Replace Google Analytics with a first-party solution:

<!-- Plausible Analytics — no cookies, no cross-site tracking -->
<script defer data-domain="example.com" src="https://plausible.io/js/script.js"></script>
 
<!-- Fathom Analytics — GDPR compliant, no cookies -->
<script src="https://cdn.usefathom.com/script.js" data-site="ABCDEFGH" defer></script>

YouTube Embeds Without Tracking Cookies

❌ Sets third-party tracking cookies
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
 
✅ Privacy-enhanced mode — no tracking cookies until play
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>

For your own cookies, prevent them from being sent in cross-site contexts:

Set-Cookie: session=abc123; SameSite=Lax; Secure; HttpOnly
# or stricter:
Set-Cookie: session=abc123; SameSite=Strict; Secure; HttpOnly

SameSite Value | Sent on cross-site requests
Strict         | Never
Lax            | Only top-level navigations (GET)
None           | Always (requires Secure) — opt-in for third-party use
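
The table's rows as a decision function, added here as an example that is not part of the checklist: given a cookie's SameSite and Secure attributes and a request context, it reports whether the browser attaches the cookie. It assumes a missing SameSite is treated as Lax (Chrome's default) and that SameSite=None without Secure is rejected; the request contexts are constructed.

```javascript
// Added example, not from the checklist: model whether a cookie is attached to
// a request under each SameSite value in the table above. A missing SameSite is
// treated as Lax (Chrome's default; an assumption for other browsers), and
// SameSite=None without Secure is rejected outright.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie: { sameSite: "strict" | "lax" | "none" | null, secure: boolean }
// req: { crossSite, topLevelNavigation, method, https }
function cookieSentOnRequest(cookie, req) {
  if (cookie.secure && !req.https) return false;   // Secure cookies need HTTPS
  const mode = (cookie.sameSite || "lax").toLowerCase();
  if (mode === "none") return cookie.secure;       // opt-in; requires Secure
  if (!req.crossSite) return true;                 // same-site: always sent
  if (mode === "strict") return false;             // Strict: never cross-site
  // Lax: only top-level navigations with a safe method, e.g. a link click
  return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
}

// Constructed request contexts covering the cases the table distinguishes.
const contexts = {
  linkClick:  { crossSite: true,  topLevelNavigation: true,  method: "GET",  https: true },
  embedImage: { crossSite: true,  topLevelNavigation: false, method: "GET",  https: true },
  crossPost:  { crossSite: true,  topLevelNavigation: true,  method: "POST", https: true },
  sameSite:   { crossSite: false, topLevelNavigation: false, method: "GET",  https: true },
};

// Returns { linkClick, embedImage, crossPost, sameSite } as booleans.
function sendMatrix(cookie) {
  const out = {};
  for (const [name, req] of Object.entries(contexts)) out[name] = cookieSentOnRequest(cookie, req);
  return out;
}
```

An embedded tracking pixel is the embedImage case: a first-party session cookie set with SameSite=Lax or Strict is never attached to it, which is the protection the two Set-Cookie lines above provide.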

Under GDPR (EU) and similar regulations, non-essential cookies require prior, informed, freely given consent:

  • Consent must be obtained before the cookie is set
  • Users must be able to withdraw consent as easily as they gave it
  • Pre-ticked boxes or consent buried in T&Cs are not valid
  • Refusing consent must not prevent access to core functionality

Consent Banners Must Actually Block Cookies

A cookie consent banner that shows a notice but loads tracking scripts before the user accepts is not compliant with GDPR. Third-party scripts must not execute until consent is granted.
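
One way to make the banner actually gate execution, added here as an example that is not the checklist's own code: third-party tags are shipped with type="text/plain" so the browser parses but never runs them, and only a consent grant swaps them for live script elements. The storage key, the category names and the inventory are assumptions.

```javascript
// Added example, not from the checklist: third-party scripts are shipped inert as
// <script type="text/plain" data-consent="analytics" src="..."> so the browser
// never executes them, and are swapped for live <script> elements only after
// consent. The storage key and the category names are assumptions.
const CONSENT_KEY = "cookieConsent";

// Pure decision: which inert scripts may run for a given consent state.
// scripts: [{ category, src }], consent: { analytics?: bool, marketing?: bool }
function scriptsToActivate(scripts, consent) {
  return scripts.filter((s) => consent[s.category] === true);
}

function readConsent() {
  try { return JSON.parse(localStorage.getItem(CONSENT_KEY) || "{}"); } catch { return {}; }
}

// Replace each consented inert script with an executing copy (browser only;
// returns 0 outside a DOM so the module can also be loaded in Node).
function activateConsented(consent) {
  if (typeof document === "undefined") return 0;
  const inert = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ category: el.dataset.consent, src: el.src, el }));
  const allowed = scriptsToActivate(inert, consent);
  for (const { el } of allowed) {
    const live = document.createElement("script");
    for (const { name, value } of el.attributes) if (name !== "type") live.setAttribute(name, value);
    live.text = el.text;        // inline scripts keep their body
    el.replaceWith(live);       // inserting the new element triggers execution
  }
  return allowed.length;
}

// Called by the banner's Accept button; rejecting simply never calls this.
function grantConsent(categories) {
  const consent = { ...readConsent(), ...categories };
  localStorage.setItem(CONSENT_KEY, JSON.stringify(consent));
  return activateConsented(consent);
}

// Constructed inventory mirroring the inert tags a page would carry.
const inventory = [
  { category: "analytics", src: "https://analytics.example.com/script.js" },
  { category: "marketing", src: "https://ads.example.net/pixel.js" },
];
```

Essential scripts are loaded as ordinary script tags and never pass through this gate; only the non-essential categories the banner asks about are shipped inert.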

Standards

  • Use these references as the standard for the legal or product-facing privacy behavior that users actually experience.
  • Check the implementation against MDN: Third-party cookies before treating the rule as satisfied.
  • Check the implementation against web.dev: Preparing for the end of third-party cookies before treating the rule as satisfied.

Verification

Automated Checks

  • Test the affected flow in a production-like environment, not just local development.
  • Document any intentional exceptions explicitly.

Manual Checks

  • Inspect the final HTTP response or browser behavior to confirm the control is actually enforced.
  • Verify third-party integrations or embeds still work after the restriction is applied.

Use with AI

Copy these prompts to use with your AI assistant, or install the MCP server to use directly from Claude, Cursor, or Windsurf.

Check: verify implementation

Open the browser DevTools Network panel and Application panel (Cookies section). Identify all cookies set by domains other than the current domain. Check for tracking pixels, analytics scripts, and advertising tags that set cross-site cookies.

Fix: auto-fix issues

Audit and remove unnecessary third-party scripts. Replace cross-site tracking with privacy-preserving first-party analytics. Ensure any remaining third-party cookies are gated behind explicit user consent via a cookie consent mechanism.

Explain: learn more

Explain what third-party cookies are, how they enable cross-site tracking, why browsers are blocking them, and how GDPR/CCPA regulate their use.

Review: code review

Review server config, headers, forms, and integration points related to the rule "Avoid third-party cookies". Flag exact responses, cookies, or browser behaviors that violate the rule, and verify them against the effective production-like response.

Further Reading

Tools and supplementary material for exploring the topic in more depth.

  • Mozilla Observatory (observatory.mozilla.org), tool

Related Rules

Rules that often go hand-in-hand with this one.

  • Show a cookie consent notice (Privacy): Websites that set non-essential cookies must obtain prior, informed user consent under GDPR, CCPA, and similar privacy regulations before cookies are placed.
  • Blocked Tracking Links (Security): Links and resources pointing to known tracking or advertising domains may be blocked by adblockers, breaking navigation and functionality for a significant portion of users.
  • Link to your privacy policy in the footer (Privacy): Websites that collect any personal data must publish a privacy policy and link to it prominently — this is a legal requirement under GDPR, CCPA, and most other privacy regulations.
  • Implement a user-facing data deletion mechanism (Privacy): Provide users with a clear way to request deletion of their personal data, fulfilling GDPR Article 17 (right to erasure / right to be forgotten).
