Home Data-Driven Thinking Brand Beware: Navigating The Nuances Of First-Party Cookies
OPINION: Data-Driven Thinking

Brand Beware: Navigating The Nuances Of First-Party Cookies

By AdExchanger

SHARE:

Daniel Jaye headshotData-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Daniel Jaye, CEO and co-founder at Aqfer.

As the world grapples with the impact of the coronavirus, businesses are struggling to figure out what life will look like once the pandemic is over. With COVID-19 creating delays and postponements, advertisers have learned that Google has no plans to postpone killing third-party cookies in Chrome. Third-party cookies are on the way out, but there’s confusion as to what extent first-party cookies can be used in this new era.

Browser-enforced privacy rules are bringing nuance to the previously held understanding of cookies and what was classified as “first party.” An inability to grasp these subtle differences could leave brands unjustly beholden to tech behemoths or severely injure access to their own first-party data, just as first-party data begins to accrue more value.

Much of the confusion stems from Apple’s Intelligent Tracking Prevention (ITP) and a class of cookies, issued at a brand or publisher’s behest, that were previously classified as “first party.” These cookies, written with JavaScript and often deployed on a brand’s owned-and-operated sites by a big tech player, such as Google or Adobe, are now considered unsafe and will typically be deleted after 24 hours. This limits a brand’s ability to connect consumers on their site to ad exposure beyond a single-day window, making accurate ad campaign measurement much harder.

Since these cookies have widely been considered first party up until now, this change has sown confusion across the ecosystem. Even sophisticated publishers and brand marketers are falsely under the impression that all first-party cookies now have a 24-hour shelf life.

That’s not the case, based on the ITP documentation and our own testing. Server-side first-party cookies, issued by an HTTP response, are still valid under ITP and are not subject to the 24-hour deletion rules that govern “client-side” cookies written by JavaScript code running in the consumer browser.

Why are these cookies allowed, but other “first-party” cookies are not? Think of it this way: If you received an incoming call from Bank of America, the standard safety practice is to not give out any sensitive information or account numbers. That is only to be done via an outbound call directly to your bank or credit provider. That’s basic safety against phishing.

Safari is acting much the same way. If a cookie is coming in via the HTTP request in a response from the server, then the cookie is coming from the first-party domain and not anywhere else on the web. It’s coming from the domain under the control of the publisher and/or the brand, and Safari is and will continue treating those cookies differently. Conversely, JavaScript on a webpage could and is loaded from many different parties on the web, allowing unanticipated data sharing.

The HTTP approach allows brands to recognize users outside of their site if they can read the first-party cookie in a third-party context. For example, if you have a server-side first-party cookie, you can determine if a consumer visits your site and then sees your ads later on.

Safari allows for a 30-day window for stitching together these kinds of interactions. With JavaScript cookies, brands have one day to make these connections. If they want to understand long-term exposure to ads, then they have to hope that the same consumers visit their website every day. For most brands, that’s just not going to happen.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Daily Roundup

Comic: Gamechanger (Google lost the DOJ's search antitrust case)
Daily News Roundup

Maybe Europe Will Break Up Google; Best Practices For Disclosing AI Ads

In short, server-side first-party cookies aren’t in danger, but the JavaScript approach is unsustainable, thanks to ITP. As marketers move to first-party data collection, they can use this opportunity to wrest back control of their off-site consumer engagement data. Consumers know they are engaging with a brand’s content, regardless of whether it is owned or paid media.

Browser changes impact the ecosystem; techniques such as server-side first-party cookies are sustainable, and they build on the solid policy foundation that the brand has a legitimate interest in data about its own interactions with consumers.

Follow Aqfer (@aqferinc) and AdExchanger (@adexchanger) on Twitter. 

Must Read

Jamie Seltzer, global chief data and technology officer, Havas Media Network, speaks to AdExchanger at CES 2026.
AI

CES 2026: What’s Real – And What’s BS – When It Comes To AI

Ad industry experts call out trends to watch in 2026 and separate the real AI use cases having an impact today from the AI hype they heard at CES.

Commerce

New Startup Pinch AI Tackles The Growing Problem Of Ecommerce Return Scams

Fraud is eating into retail profits. A new startup called Pinch AI just launched with $5 million in funding to fight back.

Comic: Shopper Marketing Data
Commerce

CPG Data Seller SPINS Moves Into Media With MikMak Acquisition

On Wednesday, retail and CPG data company SPINS added a new piece with its acquisition of MikMak, a click-to-buy ad tech and analytics startup that helps optimize their commerce media.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Marketers

How Valvoline Shifted Marketing Gears When It Became A Pure-Play Retail Brand

Believe it or not, car oil change service company Valvoline is in the midst of a fascinating retail marketing transformation.

AdExchanger's Big Story podcast with journalistic insights on advertising, marketing and ad tech
PODCAST: The Big Story

The Big Story: Live From CES 2026

Agents, streamers and robots, oh my! Live from the C-Space campus at the Aria Casino in Las Vegas, our team breaks down the most interesting ad tech trends we saw at CES this year.

Monopoly Man looks on at the DOJ vs. Google ad tech antitrust trial (comic).
antitrust

2025: The Year Google Lost In Court And Won Anyway

From afar, it looks like Google had a rough year in antitrust court. But zoom in a bit and it becomes clear that the past year went about as well as Google could have hoped for.

Popular

  1. AI

    This Startup Says Good Isn’t Good Enough To Win The AI Search Game

    Unusual, a new AI discoverability startup, analyzes how brands appear within AI search and provides suggestions on how to better rank.

  2. Comic: Revenue "Sharing" (starring Marck Zuckerberg and Sundar Pichai)
    Publishers

    Partnerize Wants To Reimagine Affiliate Attribution – And It Doesn’t Involve Clicks

    Traffic is down, but publisher content is still driving purchases. Partnerize’s new attribution model lets publishers see what’s working and strike fair compensation deals.

  3. Comic: Shopper Marketing Data
    Commerce

    CPG Data Seller SPINS Moves Into Media With MikMak Acquisition

    On Wednesday, retail and CPG data company SPINS added a new piece with its acquisition of MikMak, a click-to-buy ad tech and analytics startup that helps optimize their commerce media.

  4. Jamie Seltzer, global chief data and technology officer, Havas Media Network, speaks to AdExchanger at CES 2026.
    AI

    CES 2026: What’s Real – And What’s BS – When It Comes To AI

    Ad industry experts call out trends to watch in 2026 and separate the real AI use cases having an impact today from the AI hype they heard at CES.

  5. Joe Zappa, CEO and founder of Sharp Pen Media
    OPINION: Data-Driven Thinking

    Goodbye, Outcomes Era? Nah. In 2026, It’s Picking Up Steam

    argue the Outcomes Era is already fading, writes Joe Zappa. But the evidence suggests the opposite. The Outcomes Era isn’t receding; it’s accelerating.