The 3rd Party Cookie Discussion

The 3rd party cookie discussion with Patrick Meier, Director of Programmatic Solutions at B2B Media Group.

Many cookies make it easier for users to use the websites, for example when they save information to fill out forms on the Internet or to place items in a virtual shopping cart and save them there. These are usually first-party cookies.

Third-party cookies, on the other hand, track the user across multiple websites and store extensive data, usually without the user noticing. That is why the data protection discussion comes up so quickly with third-party cookies. Tracking across multiple pages and third-party access to the resulting data leave users without anonymity. Users usually also have no overview of where their data is stored, what happens to it and how long it is stored. Cookies are usually not deleted even if you close the browser. However, most browsers offer the option of deleting cookies, which may have to be activated manually.

To better protect user data, there are new regulations from all states, consumer protection organizations and even the first tech companies. However, these regulations run counter to the interests of advertisers and make it more difficult for publishers, for example, to refinance their content through personalized advertising.

Many website operators therefore use little tricks to persuade the user to consent to the collection and processing of their data. Since most visitors are annoyed by cookie banners and want to click them away quickly, the banners are designed so that the field offered for quickly dismissing the banner is usually the one that gives consent. For example, this field is made larger or highlighted in colour. The option to reject cookies is often written in smaller letters or can only be reached via the cookie settings.

More and more governments are currently trying to strengthen the privacy rights of website visitors. Laws and guidelines such as the CCPA, ePR or GDPR have been enacted for this. They all involve civil and/or criminal penalties for those who do not inform their users of the presence of cookies.

This also includes explaining what information is collected and where it is passed on. In addition, the user must be able to unsubscribe from tracking at any time. For advertisers, this creates tension between potentially high penalties and enormous opportunity costs if tracking is switched off completely.

There is mounting pressure on the industry from regulators, consumer protection organizations and consumers themselves. The terms “cookie calypse” and “cookieless future” can often be read. As a result, many market participants from the technology industry have already declared that third-party cookies and the associated advertisements are no longer used. The Safari and Firefox browsers already block third-party cookies by default. Google has announced the end of third-party cookies for 2023 in its Chrome browser, which currently has the highest market share among browsers.

As a result, the large corporations are already working on new solutions, while smaller players may be weakened.



In Germany, the GDPR and the Telemedia Act (TMG) primarily apply with regard to data protection and cookies. 

According to the German supervisory authorities, consent to the correct data processing must be obtained regularly for the integration of tracking and/or targeting cookies. In addition, the data protection declaration must contain a reference to the individual tools that use the cookies (cookie policy). Violations can result in high fines.

However, Germany is also bound by the EU directives. So far, Germany has never correctly implemented the e-privacy directive applicable to the EU and there is no final clarity as to which regulations apply to websites. Website operators are currently legally on the safe side if they implement the opt-out solution in accordance with the Telemedia Act. The TMG is also the reason why people were sure that they already had a legal situation that did not make it necessary to implement the e-privacy directive.



Cookies are not expressly mentioned in the EU GDPR, so there are no clear regulations on data protection and corresponding cookie information, only on the processing of personal data. The ECJ also ruled on October 1st, 2019 that explicit cookie consent must be obtained from the website visitor if the cookies are not absolutely necessary. This is also regulated in Art. 6 of the GDPR. If the data processing is absolutely necessary or if it is in the legitimate interest of the operator, the user does not have to give their consent.

Theoretically, companies could argue on the legal basis of the so-called "legitimate interest", which would then lead to a balancing of interests between advertisers and users, which is always associated with a high level of legal uncertainty. This reasoning will not be feasible for most companies, which is why a so-called opt-in/opt-out function is necessary. 

The E-Privacy Directive creates additional regulations. It is stipulated here that the user must expressly consent to his data being tracked. 


United States

While the use of cookies and personal data is regulated at a federal level in the EU, in the US some states have their own laws, while others offer no real protection to users. In January 2020, the California Consumer Privacy Act (CCPA) came into force in the USA, the most extensive form of data protection by far.

Under the CCPA, consumers have the right to request disclosure of the categories of specific pieces of personal information collected about them by the companies. They also have the right to request the deletion of their data and to object to the sale of the data to third parties. Just like in the EU, users must be informed about the nature, use and disclosure of the data collected.


What are the GAFA corporations planning?

There's plenty of debate and speculation as to what the Big Four are planning. From Google's now seemingly disbanded FLoC project with Google Topics currently taking its place, there's still plenty of conjecture circulating until the presumed end of third-party cookies in late 2023. In next week's blog, we'll discuss what the GAFA are planning and how it will impact your business.