Understanding Facebook's usage of first party cookie

Question

So previously I've thought that all advertising related cookies (eg. the cookies used by Facebook pixel) are third party cookies. However, with all the privacy related concerns (eg. Safari blocking third party cookies), I also found that Facebook has first-party cookie for FB pixel, as in FB can just get website owner to pass the first party cookies to them instead. So now FB is saying "You can now use both first- and third-party cookies with your Facebook pixel." (https://www.facebook.com/business/help/471978536642445?id=1205376682832142)

My question is if publishers (Google & FB) can just use first party cookies then what's the point of offering to have both 1st party and 3rd party cookies? Why don't they just have option to switch completely to 3rd party cookies?

Everyone talks about the benefit if using 1st party cookies instead, so I don't know what's the point of still keeping the 3rd party cookie option. Is there any benefit to it?

Answer 1

I don't know the answer to your question, but I have the same question, so I'd like to take a guess. Let's see if someone more in the know can critique my answer. The following are guesses:

Guess: Third party cookie tracking process

1. The user logs into Facebook.com on his/her laptop as user123. Facebook.com puts a cookie on his/her laptop that says user=user123 uses this laptop.
2. The user now visits another site, say anysite.com, anysite.com has Facebook Pixel installed, which reads the cookie that says user=user123 (it's allowed to read the 3rd party cookie because Facebook Pixel is loaded from Facebook.com even though the user is on the anysite.com website), and sends the information "user123 has visited anysite.com on date/time xyz" to Facebook.

So, Facebook now has tracked user123's activity based on the prerequisite that:

• user123 has logged into Facebook on his/her laptop
• Facebook has convinced anysite.com to install Facebook pixel

Importantly, the tracking of user123's visit to anysite.com occurred without user123 explicitly agreeing to it, or knowing the relationship between Facebook and anysite.com. All the user did was login to Facebook, and then separately visit anysite.com (perhaps much later).

Guess: First party cookie tracking process

1. The user logs into Facebook.com on his/her laptop as user123. Facebook.com puts a cookie on his/her laptop that says user=user123 uses this laptop.
2. On date x, the user clicks on a facebook ad or link to anysite.com. Because Facebook knows this laptop is used by user123, it redirects the user to anysite.com's landing page with a url parameter that says user=user123. anysite.com now sets a first party cookie that says "user123 has visited anysite.com on this laptop on date x".
3. Later, on date y, the user visits another page on anysite.com using the same laptop, Facebook pixel on anysite.com reads the first party cookie previously written that says "user123 has visited anysite.com" to note the user to visited anysite.com again is likely to be user123. It now uses clientside javascript to send "user123 has visited anysite.com on date y" to Facebook.

So, Facebook now has tracked user123's activity based on the prerequisite that:

• user123 has logged into Facebook on his/her laptop
• Facebook has convinced anysite.com to install Facebook pixel
• user123 has clicked a Facebook link or ad that redirects him/her to anysite.com

Importantly, the first party cookie flow is less powerful from a tracking perspective because the user had to click a Facebook link to anysite.com, where as in the third party case this was not needed.