Third-Party Cookies: What They Are and What UK Businesses Should Do

Third-party cookies did not die. After years of warnings, deadline extensions, and regulatory pressure, Google confirmed in July 2024 that Chrome would not, after all, deprecate third-party cookies. Instead, users will be given the option to allow cross-site tracking. That decision significantly changes the conversation for UK businesses: the question is no longer “how do we survive without cookies?” but “how do we build a digital strategy that works whether users accept cookies or not?”

For SMEs in Northern Ireland, Ireland, and the UK, the practical implications are real. Around 40% of UK web traffic already arrives from Safari and Firefox, both of which block third-party cookies by default. Understanding how cookies work, what the regulatory picture looks like under UK-GDPR, and which alternatives are worth investing in is now a baseline business literacy issue, not a niche technical concern.

What Are Third-Party Cookies?

A cookie is a small data file that a website places on a visitor’s device when they browse. First-party cookies are set by the website the user is actually visiting: they remember login sessions, shopping basket contents, and user preferences. They are largely uncontroversial.

Third-party cookies are set by a domain other than the one the user is visiting. An advertising network, for example, might place a cookie on a news site, then read that same cookie when the user visits a retail site, building a cross-site picture of their browsing behaviour. That data powers retargeting campaigns, audience segmentation, and much of the targeted advertising infrastructure that digital marketers have relied on for the past two decades.

First-Party vs Third-Party Cookies: Key Differences

Google’s U-Turn: What Actually Happened

Between 2020 and 2024, Google repeatedly announced and then delayed the deprecation of third-party cookies in Chrome. The original deadline was 2022. It moved to 2023, then to 2024, and then to the first half of 2025. In July 2024, Google abandoned the deprecation plan entirely.

The reason was not technical. It was regulatory. The UK’s Competition and Markets Authority (CMA) had been scrutinising Google’s Privacy Sandbox proposals since 2021, concerned that replacing third-party cookies with Google’s own APIs would further entrench Google’s dominance in digital advertising. The CMA’s involvement made it impossible for Google to proceed on its original timeline without risking significant regulatory action.

The outcome was a shift in approach: rather than removing third-party cookies from Chrome, Google announced a “user choice” model. Chrome users will see a prompt asking whether they want to allow cross-site tracking. This is similar to Apple’s App Tracking Transparency prompt, which, when introduced in iOS 14.5, saw opt-in rates of around 25% among UK users.

The practical implication: even with cookies technically available in Chrome, a substantial proportion of users are expected to decline the prompt. Businesses that have built their entire measurement and targeting stack on third-party cookie data are facing a gradual but significant reduction in the data available to them.

Is the Cookieless Future Still Coming?

Yes, just more slowly and unevenly than originally planned. Consider the current state of UK web traffic:

• Safari (iOS and macOS): Blocks third-party cookies by default through Intelligent Tracking Prevention (ITP), which has been active since 2017 and tightened repeatedly since.
• Firefox: Blocks third-party cookies by default through Enhanced Tracking Protection (ETP), fully enforced since 2019.
• Chrome: Third-party cookies are currently active, and the user choice model is on the way.

For most UK SMEs, Safari and Firefox together account for a significant share of traffic. Third-party cookies are already ineffective for those users. The Chrome prompt will extend that gap further once it rolls out.

The honest advice to any UK business is this: regardless of what Chrome does, third-party cookies are a declining signal. Building your marketing measurement and audience strategy around them is a business risk.

UK-GDPR, PECR, and What Compliance Actually Requires

The UK’s data privacy framework adds its own layer to this picture. Under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), placing third-party cookies on a user’s device without their explicit consent is unlawful. The Information Commissioner’s Office (ICO) has published clear guidance: consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and vague “by using this site you agree” notices do not meet the standard.

The CMA’s involvement in the Google Privacy Sandbox decision also reflects a broader UK regulatory direction: scrutiny of tracking technologies and their market effects is increasing, not decreasing. Businesses that treat consent management as a box-ticking exercise, rather than a genuine part of their digital infrastructure, face both legal exposure and reputational risk.

A compliant approach requires a properly configured Consent Management Platform (CMP) integrated into your website. This is a web development task as much as a marketing one. For businesses running WordPress sites, integrating a CMP correctly, ensuring it fires before any analytics or advertising scripts load, and keeping it updated as regulations change, is something that requires technical implementation, not just a plugin installation. ProfileTree’s web development team regularly builds and configures compliant consent flows for SME clients across Northern Ireland and Ireland who need their sites to meet ICO standards without sacrificing user experience.

Alternatives to Third-Party Cookies

The shift away from reliance on third-party cookies is not a crisis. Several alternatives are already mature and well-supported.

First-Party Data

First-party data is information you collect directly from your own customers through your own channels: website behaviour, email sign-ups, purchase history, form submissions, survey responses, and account activity. It is more accurate than third-party data, fully consented, and not subject to browser restrictions.

Building first-party data capability requires investment in the right website infrastructure. Forms, gated content, newsletter sign-ups, and member areas all need to be designed and implemented correctly to collect and store data in a way that is both useful and compliant. The quality of this data depends heavily on the proposition: people share their details when they trust a brand and see a clear benefit in doing so. Content marketing plays a direct role here, providing the guides, tools, and resources that give people a reason to engage.

For SMEs in Northern Ireland and Ireland considering first-party data for the first time, a practical starting point is auditing the data you already hold in your CRM or email platform, identifying gaps, and then designing a website user journey that collects the information you actually need.

Contextual Targeting

Contextual advertising places ads based on the content of the page the user is viewing, rather than on their browsing history. A kitchen company advertising on a home renovation article is a contextual placement. It does not require any user-level data.

Contextual targeting has become significantly more sophisticated in recent years. Natural language processing enables ad platforms to understand page content in detail, moving beyond simple keyword matching. For businesses running digital marketing campaigns, building a strong SEO presence on topically relevant content creates more contextual ad placement opportunities. A business that produces consistent, authoritative content on its core topic is more likely to appear in relevant contextual ad environments.

Server-Side Tracking

Server-side tracking moves the data collection layer from the user’s browser to a server you control. Instead of a tracking pixel firing in the browser (where it can be blocked by ad blockers or browser privacy settings), data is sent from your server to your analytics or advertising platform. This approach is less affected by browser-based blocking and ITP.

Implementing server-side tracking typically involves configuring Google Tag Manager in server-side mode, setting up a server container, and routing your tracking tags through it. It is a technical implementation that requires web development expertise rather than a marketing configuration. Done correctly, it gives businesses better data quality and greater resilience against browser restrictions.

GA4 and Consent Mode

Google Analytics 4 was built with a privacy-first model. Its machine learning capabilities can model conversions and behaviour for users who have not consented to tracking, filling in gaps in the data picture without relying on individual-level cookie data. Paired with Google’s Consent Mode v2, which adjusts what data is collected based on user consent choices, GA4 provides a measurement framework that is both more privacy-compliant and more future-proof than Universal Analytics was.

Configuring GA4 correctly with Consent Mode requires attention to implementation detail. Many businesses have GA4 installed but have not set up Consent Mode, meaning they are not benefiting from the modelling capabilities and may not be fully compliant with their CMP setup.

What UK SMEs Should Do Now

The regulatory and technical picture is complex, but the practical actions are straightforward.

Audit your current setup. Check whether your consent banner is genuinely compliant with UK GDPR and PECR standards. Verify that no analytics or advertising scripts fire before consent is given. If your website was built several years ago and has not been technically reviewed, this is worth prioritising.

Assess your third-party cookie dependency. Identify which of your current tools rely on third-party cookies: your advertising platforms, retargeting tags, affiliate tracking, and analytics. Then ask what happens to your data and your campaigns if a significant proportion of your audience declines the Chrome consent prompt.

Invest in first-party data infrastructure. Consider what your website currently collects and what it could collect. Email marketing is the most straightforward starting point: a well-maintained email list, built on genuine opt-in, is one of the most resilient marketing assets an SME can have. A digital marketing strategy that maps out audience segmentation and email sequences alongside broader campaign activity helps businesses move from single-channel dependency to a more balanced position.

Build topical authority through content. Contextual targeting rewards businesses with strong, topically relevant content. An SME in Northern Ireland that publishes consistent, useful content about its sector is building the signal that makes contextual advertising more effective, while also earning organic search traffic. Content marketing and SEO work together here in a way that becomes more valuable as behavioural targeting becomes less reliable.

Consider digital training for your team. Many marketing managers in SMEs are working with tools and frameworks designed for a third-party cookie world. Understanding GA4, Consent Mode, first-party audience building in Google Ads, and the mechanics of privacy-compliant measurement is now a practical skill requirement. ProfileTree runs digital training programmes designed for business owners and marketing teams who need to get up to speed with these changes without a technical background.

The Privacy Sandbox: What It Is and Why It Still Matters

Even though Google is not deprecating third-party cookies, the Privacy Sandbox APIs it developed as alternatives remain in active development and are being incentivised by Google. Understanding the key APIs is a useful context.

Topics API: Instead of tracking individual browsing history, the Topics API assigns users to broad interest categories based on recent browsing. Advertisers can target these topics without accessing specific site-visit data.

Protected Audience API (formerly FLEDGE): Enables interest-based retargeting without exposing users’ browsing history to third parties. The auction runs on-device rather than on an ad server.

Attribution Reporting API: Provides conversion measurement data in an aggregated, privacy-preserving format, replacing the individual-level conversion tracking enabled by third-party cookies.

These APIs represent the longer-term direction of travel, regardless of the current cookie situation. Businesses and agencies that understand them now will be better placed when adoption increases.

How to Explain Third-Party Cookies to Clients

Most business owners understand that tracking happens online. Few understand how it works, and fewer still have a clear picture of what Google’s 2024 reversal actually means for their business. When a client asks what third-party cookies are or why they keep hearing about them, a clear, jargon-free explanation builds more trust than a technically accurate one.

The analogy that tends to land: imagine a loyalty card scheme shared between unrelated shops. When you buy something in a bookshop, the loyalty scheme records it. When you later walk into a sports retailer that uses the same scheme, the retailer can see that you recently bought books and adjust its display accordingly. You did not tell the sports retailer anything about your reading habits; the shared scheme did it for you. Third-party cookies work on the same principle across websites rather than within individual shops.

The follow-up question clients usually ask is: “So did Google stop doing that?” The honest answer is no, but the situation has changed. Third-party cookies still exist in Chrome, but a significant share of UK web traffic arrives via Safari and Firefox, which have blocked them for years. And Chrome is in the process of introducing a prompt that will give users the choice to opt out. The loyalty card scheme still exists; it is just that more customers are declining the card.

What clients actually need to take away from this conversation is practical: their website needs a properly configured consent banner, their advertising measurement should be reviewed, and investing in their own customer data (email lists, CRM records, first-party analytics) reduces their exposure to tracking restrictions, whoever introduces them. That is a conversation about digital strategy, not just about cookies.

For marketing managers briefing directors or senior stakeholders who are not immersed in the detail, framing it as a data ownership issue tends to cut through. Businesses that own their customer data directly are less dependent on third-party platforms and browser policies. Those that rely entirely on external tracking signals are at the mercy of decisions made by Google, Apple, and regulators, none of whom are primarily concerned with their marketing budgets.

Conclusion

Third-party cookies have not disappeared, but 40% of UK web traffic already comes from browsers that block them, and the Chrome prompt will further reduce reach. Any business whose digital marketing strategy depends entirely on third-party tracking is sitting on a fragile foundation. The practical fix is to invest in what you control: your own website infrastructure, your email list, your content, and a properly configured analytics setup. ProfileTree works with SMEs across Northern Ireland, Ireland, and the UK on exactly this kind of audit and rebuild. Get in touch to discuss your setup.

FAQs