How Third-Party Cookies Actually Work (And Why They Still Exist in 2026)

A technical deep-dive on third-party cookies in 2026 — how SameSite, partitioned cookies (CHIPS), and Chrome's Privacy Sandbox changed the picture, and why the tracking use case still works.

Quick answer

Third-party cookies in 2026 are more constrained than five years ago but still active in Chrome, Edge, Opera, and Brave (by default in Chrome and Edge; blocked by default in Safari and Firefox). SameSite=None + Secure is required, partitioned CHIPS cookies are a migration path, and the Privacy Sandbox suite (Topics API, Protected Audience API) is proposed as a replacement — but adoption is partial, so third-party cookies still work for most existing trackers in 2026.

What a cookie actually is

A cookie is a name/value pair with metadata (Domain, Path, Expires, Secure, HttpOnly, SameSite, Partitioned) that the browser stores and automatically attaches to matching requests. There is nothing inherently tracking about a cookie — session cookies are fundamental to authentication. The tracking concern arises when a cookie is set by a domain other than the page the user is visiting.

First-party vs third-party

When you visit example.com, any cookie set by example.com is first-party. If example.com embeds a script or iframe from tracker.com and tracker.com sets a cookie, that cookie is third-party. Crucially, the browser attaches the tracker.com cookie on every page that embeds tracker.com — enabling cross-site tracking.

The SameSite attribute

SameSite has three values: Strict (never sent on cross-site requests), Lax (sent cross-site on top-level navigation only), and None (sent on all requests). Browsers have defaulted unspecified cookies to Lax since 2020. A third-party tracker cookie must set SameSite=None; Secure to work at all. Any cookie without an explicit SameSite attribute cannot function as a third-party cookie in 2026.

Partitioned cookies (CHIPS)

Chrome rolled out partitioned cookies through 2023-2025. A cookie set with the Partitioned attribute is stored per-top-level-site. Example: an embedded chat widget from chat.example.com on news.com gets a different cookie jar than the same widget on shop.com. The widget can still maintain session state on each site, but cannot correlate identities across sites. This is the "use case without tracking" fix for embedded widgets, SSO, and analytics.
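
An added example, not code from the original article or from any browser: a toy cookie jar in JavaScript that applies the SameSite rules from the previous section and the per-top-level-site partitioning described above. The `CookieJar` class and its method names are hypothetical, the headers are constructed, and sites are compared as plain host strings.

```javascript
// Toy model of a browser cookie jar: an added illustration, not a browser API.
// Assumption: a "site" is the plain host string passed in; real browsers
// compare scheme + registrable domain. Only embedded (subresource/iframe)
// requests are modelled, so Lax and Strict behave the same here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const [name, ...rest] = pair.split("=");
  const c = { name, value: rest.join("="),
              sameSite: "lax", secure: false, partitioned: false }; // Lax is the default
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "samesite") c.sameSite = val;
    else if (key === "secure") c.secure = true;
    else if (key === "partitioned") c.partitioned = true;
  }
  return c;
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // `cookieSite` sets a cookie while the address bar shows `topSite`.
  // Returns false when the browser would reject the cookie.
  set(header, cookieSite, topSite) {
    const c = parseSetCookie(header);
    if ((c.sameSite === "none" || c.partitioned) && !c.secure) return false;
    const partition = c.partitioned ? topSite : ""; // "" = one shared jar
    this.store.set(`${partition}|${cookieSite}|${c.name}`, { ...c, cookieSite, partition });
    return true;
  }

  // Cookies attached to a request to `requestSite` embedded in a page on `topSite`.
  cookiesFor(requestSite, topSite) {
    const crossSite = requestSite !== topSite;
    return [...this.store.values()]
      .filter((c) => c.cookieSite === requestSite)
      .filter((c) => !crossSite || c.sameSite === "none")
      .filter((c) => !c.partitioned || c.partition === topSite)
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Constructed scenario using the hosts from the article.
const jar = new CookieJar();
jar.set("uid=u1; SameSite=None; Secure", "tracker.com", "news.com");
jar.set("legacy=1", "tracker.com", "tracker.com"); // no SameSite, so Lax
jar.set("sid=n1; SameSite=None; Secure; Partitioned", "chat.example.com", "news.com");
console.log(jar.cookiesFor("tracker.com", "shop.com"));      // unpartitioned cookies on another site
console.log(jar.cookiesFor("chat.example.com", "shop.com")); // partitioned cookies on another site
```

The unpartitioned `uid` cookie is attached on every embedding site, while the partitioned `sid` cookie is visible only under the top-level site where it was set.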

The Privacy Sandbox suite

Chrome's Privacy Sandbox proposes API-level replacements for cross-site tracking use cases:

  • Topics API — the browser assigns coarse interest categories per user. Sites read the category, not the raw history.
  • Protected Audience API (FLEDGE) — on-device auction for remarketing without exposing user identity to ad networks.
  • Attribution Reporting API — ad-conversion measurement with differential privacy.
  • Private State Tokens — anti-fraud without cookies.

Adoption has been slow. As of 2026, Topics is widely piloted; Protected Audience is live on some ad platforms; third-party cookies still dominate the actual tracking ecosystem.

Why third-party cookies still work in 2026

Chrome originally announced deprecation for 2022, then delayed it multiple times. In mid-2024 Chrome shifted to "give users choice" rather than default-blocking. As of 2026, third-party cookies are enabled by default for most users, with prompts for some. Edge inherits Chromium's behavior. Brave and Firefox block by default. Safari has blocked by default since 2020 (ITP). Net effect: 60-70% of global browsing still permits third-party cookies by default in 2026.

What PrivacyGuard does

PrivacyGuard blocks third-party cookies at the network level on all sites. It blocks known tracker domains before the cookie request even fires, and it strips SameSite=None cookies from request headers where the destination is not trusted. This breaks rare legitimate use cases (some embedded-widget SSO flows), which are handled via a per-site allow list.
