Chapter 3: Introduction to Technological Aspects of Privacy

Third-Party Data Collection and the Decline of Third-Party Cookies

Ad networks long used third-party cookies to track users across sites. Market and regulatory changes are shrinking this: the CPRA (effective January 2023) requires notice and an opt-out for third-party cookies, and Edge, Firefox, and Safari blocked them by default by end of 2022.

Ad networks historically set third-party cookies on devices to observe a user's activity across many sites and serve targeted ads. This is shrinking due to EU legal challenges, the California Privacy Rights Act (CPRA), and browser changes. The CPRA, effective January 2023, requires notice and an opt-out right for third-party cookies. By end of 2022 Edge, Firefox, and Safari blocked third-party cookies by default, with Chrome announcing it was in the process.

Opt-out, not opt-in

Note the mechanism: the CPRA requires notice and an OPT-OUT right for third-party cookies - consistent with the broader U.S. opt-out tradition rather than an EU-style opt-in consent.

Key terms - quick answers

What is “California Privacy Rights Act (CPRA)”?

A California law effective January 2023 that requires notice and an opt-out right for third-party cookies.

← First-Party Data Collection and Data Brokers Tracking Email Recipients and Cross-Device Tracking →