1st and 3rd Party Cookies

First And Third Party - A False Dichotomy
The classification of cookies as so-called 1st or 3rd party is perhaps one of the gravest misunderstandings of cookies. To be clear, the only technical distinction between cookie types is between persistent cookies (which have a defined expiry) and session cookies (which die at the end of the browser session). There can be no formal distinction between a cookie at rest being either 1st or 3rd party, because such a determination is inherently dependent on the context in which the cookie is replayed. Every cookie may be replayed in either a first party or third party context. While it is true that some cookies tend to be replayed in certain contexts more than others, notable shifts in practices should make us closely examine how cookies are used, and the data collector's relationship to the "first party", before we start using broad labels.

By common consensus, cookies from .doubleclick.net are "3rd party" while cookies from .facebook.com are "1st party". While it may be true that a given consumer is more likely to visit www.facebook.com than www.doubleclick.net, the distinction is still very complicated. For example, most browsers will consider the DoubleClick cookie to be 1st party if it was last set on a click event (which temporarily takes you to a DoubleClick site before redirecting you to the site of the advertiser), despite the fact that the user never truly visited their site. On the other side of the spectrum, people may knowingly visit a site like Facebook.com and have cookies set (often ones that clearly identify them), and then encounter Facebook content on 3rd party sites, triggering the sending of Facebook "1st party" cookies in a 3rd party context.

It is the reverse of this that has increasingly become the problem. For example, if content from .facebook.com is embedded on www.wsj.com, is the cookie sent to Facebook 1st or 3rd party? Today it is considered a 1st party cookie, despite the fact that it is in a 3rd party context. This has become exceedingly problematic, as we all tend to share more information with traditional "1st parties" than we do with traditional "3rd parties".
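
The point that party-ness belongs to the request and not to the stored cookie can be made concrete with a small model. This is an added example, not code from the original page; the cookie names, URL paths and the two-label registrable-domain shortcut are assumptions made for illustration.

```javascript
// Added example: party-ness is computed per request, never stored on the cookie.
// Assumption: registrable domain = last two labels (real browsers use the Public Suffix List).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Simplified RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Constructed cookie jar (hypothetical names). The only stored type is persistent vs session.
const jar = [
  { name: 'adid', domain: '.doubleclick.net', persistent: true },
  { name: 'uid', domain: '.facebook.com', persistent: true },
  { name: 'sess', domain: '.facebook.com', persistent: false },
];

// List the cookies replayed on one request and the context they are replayed in.
// topLevelUrl is the page in the address bar; requestUrl is the resource being fetched.
function replay(topLevelUrl, requestUrl, cookies = jar) {
  const top = new URL(topLevelUrl).hostname;
  const req = new URL(requestUrl).hostname;
  const context = site(top) === site(req) ? 'first-party' : 'third-party';
  return cookies
    .filter((c) => domainMatch(req, c.domain))
    .map((c) => ({ name: c.name, domain: c.domain, context }));
}

// Constructed requests mirroring the cases in the text.
const cases = [
  ['https://www.facebook.com/', 'https://www.facebook.com/home'],       // direct visit
  ['https://www.wsj.com/', 'https://www.facebook.com/embed/widget'],    // embed on a publisher
  ['https://ad.doubleclick.net/clk', 'https://ad.doubleclick.net/clk'], // ad click redirect hop
  ['https://www.wsj.com/', 'https://ad.doubleclick.net/ad.js'],         // ad served on a page
];
for (const [top, req] of cases) console.log(top, '->', req, replay(top, req));
```

The same stored entries come back labelled first-party on one request and third-party on the next; nothing about the cookie itself changes between them.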

A cookie's context is more important than how it was set
Indeed, it is arguable that our expectations change with context: while a consumer may have no issue with a cookie allowing absolute identification when they directly visit the site, they may be less comfortable allowing a 1st party to capture their identity when they happen across an ad for that 1st party on a given publisher's site.