The IT Law Wiki


A third-party cookie is

created by a website other than the one [a user is] currently visiting, most often a third-party advertiser on that site. Third-party cookies let advertisers determine whether an individual user is visiting multiple websites that display the advertiser's ads, and are often considered a privacy risk.[1]


"When a user visits a website that runs a third-party cookie, the host website instructs the user's browser to contact the third-party. The third party sends back whatever content the user's browser requested, as well as a cookie."[2] This interaction is displayed schematically below:


Third-party cookies "may include an advertising network or a company that helps deliver the ads you see. They may be used to deliver ads tailored to your interests. For example, if you read an article online about running, a cookie may be used to note your interest in running, and add that to a profile. And you may see coupons to save money on running shoes."[3]

Tracking users through cookies[]

While cookies themselves simply identify machines, Internet companies can use cookies as a proxy for a single user's online activities. An ad network's cookie might note, to use a fictitious example, that one unique user first visited "", then "" The ad network can read the webpage [[uniform resource locator]]s (URLs) and, of course, access the content on itself and infer that the user in question is interested in cooking. It can cross-reference that information with any other recent website visits by that user that it detected through its cookie network (say, a visit to ""). Knowing even only some of the user's browsing history can allow an ad network to conclude with a high degree of certainty that the user in question is a vegetarian. It can then use that information to deliver targeted advertisements to that user.

Data collection and advertising[]

Ad networks are the most prominent third-party cookie users because (a) they directly benefit from the collection of user information and (b) they have a built-in opportunity to deliver cookies every time they deliver an ad. Ad networks use the data they collect from cookies to target advertisements as precisely as possible to particular users, trying to infer as much information as they can about each user's location, interests, and demographic information. The more data these ad networks can collect from different websites on a particular user, the better the inferences they can draw.

The built-in opportunity to deliver a cookie stems from the fact that the host website's server has to contact the ad network every time it needs an ad. While the ad network does not deliver the advertisement itself — a distinction which will become vitally important in the context of malware — the host website's server's call to the ad network allows the ad network to place a cookie.

Ad networks are not the only companies that operate cookies across multiple websites. Data brokers like Acxiom and BlueKai, who collect information on consumers in order to facilitate the targeting of advertisements, have also contracted to place and access their cookies across multiple websites. Third parties can deliver a cookie because some part of the host website draws upon content from the third-party server. In the context of advertising, the third-party content requested by the host website is the advertisement itself. A call from the host website opens the door for a cookie to be placed by the third party whose content was called for. However, the third-party content displayed on the host website can be almost invisible — it is very often a single pixel on the screen. Because the host website requested some nominal amount of content from the third-party — even if the content is just a single pixel — the third-party can now deliver its cookie to the user's browser as well. Thus, data brokers or other entities that deliver no real content to the host website can still deliver cookies by contracting with the host website to place a single pixel on their website.


See also[]