Third-Party Cookies can work with consent

The problem with Third-Party Cookies tracking is that many websites and vendors do not wait for valid consent to start tracking personal information. But when they do, and the consent is lawful, it's fine. It really is.


Third-Party Cookies tracking are great tools that provide auditability, transparency, and robustness. However, because of the unregulated and unfaithful use of their capabilities, as well as a well-thought-out anti-competitive bashing campaign, they’re now on the brink of becoming extinct.

Apple and Mozilla, who are not relying on Third-Party Cookie tracking for their advertising revenue, were the first to limit the reach of Third-Party Cookies tracking. Google, after carefully merging the Google account with the Chrome experience and designing an Advertising API called the Privacy Sandbox, was supposed to follow in 2024. It won’t be the case.

Third-Party Cookie Could Adapt to Survive

At Axeptio, even though we mostly deal with First-Party Cookie, we think that Third-Party Cookie are a tool worth saving. As long as they are used properly, they can generate value for advertisers, publishers, developers, and end-users.

What they currently lack to function in a privacy-minded world is built-in respect for user consent. A mode that would allow Third-Party Cookies to effectively work only when the user authorizes a given third-party domain to place a Third-Party Cookie on the visited domain.

CMPs to the Rescue

Google has built a basic API called the Consent Mode. This API expects that the CMP communicates consent signals through the dataLayer variable. These signals, only mapped to purposes for now, are then read by Google solutions (Analytics, Ads, etc.), that act accordingly.

The Consent Mode was the first sign of recognition from Google of the major responsibility of CMPs to act as a trusted third party, and the need for acknowledging a compliant consent collection.

Consent Mode is not a Chrome API, and consent is a notion that has been completely left out of the current version of the Privacy Sandbox. We believe there’s no better opportunity than the latest postponing of Third-Party Cookie deprecation to challenge this situation.

Consent at a Browser Level

We propose a very simple, yet effective approach, inspired by existing mechanisms: CSP and CORS. These mechanisms have annoyed the hell out of millions of web developers but have proven very lean and well-enforced. By enabling the first-party domain to declare which resources and which types of resources are allowed to load and execute, they act as the final boss that protects the user and the website from abuse.

Transposing the logic of CSP & CORS in consent terms would take the following steps :

Without any form of consent, Third-Party Cookie would not be able to stick, being marked as pending just like it is intended with the Privacy Sandbox.

With a CMP live on the website, the browser will expect an explicit consent signal to tell it what to do. Until the signal is received, no cookie will survive outside the tab context.

The explicit consent signal would contain the following information:

  • Allowed Third-Party Cookie domains
  • Allowed cookie names (optional)
  • Allowed HTTP Methods (for AJAX calls as well)
  • Grant Duration
  • A Canonical URL to the consent proof, stored in the browser history for auditing purposes

This domain-level consent would also help in building browser-level defaults for some Third-Party Cookies domains that a user will want to allow or block. It could even reduce the usage of CNAME cloaking if the browser takes care of DNS resolution, thus improving transparency and trust.

APIs residing in the navigator.consent namespace could allow for third-party and first-party CMPs to communicate these consent signals seamlessly, crafting a better experience for the user and the developer.

A Future-Proof Solution

Recognizing the role of consent at a browser level will also pave the way for privacy-enhancing technologies, such as our consent assistant Taste. Opening the navigator.consent APIs to extensions would result in a much more respectful and enjoyable experience, while providing control for individual preferences.

CEO & Co-founder - Axeptio


Related articles

Axeptio and Law 25: An essential Asset for Small Businesses

Axeptio and Law 25: An essential Asset for Small Businesses

Patricia Filiatrault is the founder of a web agency in Quebec that bears her name: PF Communications. She helps companies with their website and SEO projects, navigating the challenges of...
How Veepee Switzerland optimizes its user consent rate

How Veepee Switzerland optimizes its user consent rate

Veepee, Europe's leading private sales company, faces a twofold challenge in Switzerland, where the group has historically been present: to comply with the New Federal Act on Data...
The Impact of a CMP on Digital Performance: DroneXperts Case Study

The Impact of a CMP on Digital Performance: DroneXperts Case Study

DroneXperts, a leader in drone integration for businesses, offers tailored solutions for a variety of industrial applications. As a recognized brand in the industry, DroneXperts generates...