In short

First-party cookies are useful and largely harmless: they remember your login and your shopping cart. Third-party cookies are the surveillance kind: every page on the web that loads a Facebook button, a Google Analytics script, or an ad slot tells those companies you visited. Browsers are now blocking third-party cookies by default. The ad industry is replacing them with on-device tracking like Google's Privacy Sandbox, fingerprinting, and 'first-party data' partnerships.

How the trick works

Imagine you visit Amazon. Amazon sets a cookie; that's first-party. You visit Wikipedia. Wikipedia sets a cookie, also first-party.

Now imagine both Amazon and Wikipedia load a Facebook social button. Each load includes a request to facebook.com, which sets a cookie. From Facebook's perspective: it just learned you're the same person on Amazon and on Wikipedia (because the cookie is the same). And on every other site that embeds a Facebook button. And on every other site that embeds a Google ad. Stitch all that together and you have a profile of every browsing decision you make.

That's third-party cookies. What matters is not the cookie itself but who set it: a domain you didn't visit, embedded inside a page you did.
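The mechanism above as a small simulation (an added example, not code from Dazr or any browser): a toy browser visits the two sites from the text, each embedding a button from facebook.com, first with a shared cookie jar and then with third-party cookies blocked. The class names, the `uid-N` identifiers and the `simulate` function are assumptions made for illustration.

```javascript
// Toy model only: no network, no real cookie syntax. All names are hypothetical.
class Tracker {
  constructor() { this.nextId = 1; this.log = []; }
  // Serve the embedded button. `cookie` is what the browser sent (or undefined);
  // `referer` is the page that embedded the button.
  handle(cookie, referer) {
    const id = cookie ?? `uid-${this.nextId++}`; // no cookie: mint a fresh identifier
    this.log.push({ id, referer });
    return id;                                   // value the tracker asks the browser to store
  }
  // Group the embedding sites by identifier: this is the cross-site profile.
  profiles() {
    const out = {};
    for (const { id, referer } of this.log) (out[id] ??= []).push(referer);
    return out;
  }
}

class Browser {
  constructor(blockThirdParty) { this.block = blockThirdParty; this.jar = new Map(); }
  // Visit `site`, which embeds a resource from `embedHost` served by `tracker`.
  visit(site, embedHost, tracker) {
    if (!this.jar.has(site)) this.jar.set(site, `session-for-${site}`); // first-party cookie
    const thirdParty = embedHost !== site;
    if (thirdParty && this.block) {
      // The request still goes out (the tracker sees the referer), but no cookie
      // is sent and none is stored, so each request looks like a new visitor.
      tracker.handle(undefined, site);
      return;
    }
    const id = tracker.handle(this.jar.get(embedHost), site);
    this.jar.set(embedHost, id);
  }
}

function simulate(blockThirdParty) {
  const tracker = new Tracker();
  const browser = new Browser(blockThirdParty);
  for (const site of ["amazon.com", "wikipedia.org"]) {
    browser.visit(site, "facebook.com", tracker);
  }
  return { profiles: tracker.profiles(), jarHosts: [...browser.jar.keys()] };
}

console.log("shared jar:         ", simulate(false).profiles);
console.log("third-party blocked:", simulate(true).profiles);
```

With the shared jar the tracker holds one identifier covering both sites; with blocking it holds two unlinked identifiers, although it still receives each request.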

Why every browser is blocking them now

The privacy harm is so well-documented that every major browser has either blocked third-party cookies by default or announced plans to. Safari started in 2017 (Intelligent Tracking Prevention). Firefox followed in 2019. Chrome was supposed to follow in 2024; it has dragged out the timeline but is heading there.

The catch: the ad industry doesn't intend to give up tracking. They're building replacements.

What's replacing them

Three things, all of which most browsers don't block by default:

  • Browser fingerprinting: harder to remove because the signals are functional. Read the explainer.
  • Google Privacy Sandbox: an on-device behavioural profile (Topics API, FLEDGE / Protected Audience, Attribution Reporting) that builds an interest profile from your browsing and exposes it to advertisers. Marketed as privacy-friendly because the profile lives on your device, but the profile still exists.
  • First-party data sharing: when you log into a site, that site shares its first-party data with advertisers via an API like CHIPS or via the publisher's ad-tech contracts. Less visible to you, but the result is similar.

What Dazr does

Third-party cookies are blocked by default. The Privacy Sandbox APIs (Topics, FLEDGE, Attribution Reporting, Shared Storage) are all disabled. Anti-fingerprinting is on by default. Tracking parameters in URLs (utm_*, gclid, fbclid) are stripped automatically. There is no first-party data Dazr would share with advertisers, because there is no Dazr ad business.