
Alternatives to third party cookies
The elimination of third-party cookies has created new challenges and opportunities in the digital advertising space. Since their introduction in the 1990s, these tools have been essential for online ad targeting and personalisation. However, growing concerns about user privacy and strict legal regulations have prompted their replacement by alternatives that are more respectful of fundamental rights. This article analyses the main alternatives to third-party cookies, assessing their technical feasibility, legal implications and the applicable regulatory framework.
Legal context and legal relevance
The EU General Data Protection Regulation (GDPR) and similar legislation, such as the California Consumer Privacy Act (CCPA), have limited the use of tracking technologies that collect personal data without explicit consent. According to Article 6 of the GDPR, any processing of personal data must have a valid legal basis, with informed consent being one of the fundamental pillars. Furthermore, Recital 30 GDPR specifically mentions cookies, underlining the importance of transparency and user control over their personal information.
Against this backdrop, companies must seek alternatives that comply with the principles of data minimisation and privacy by design, avoiding infringing users’ rights and facing significant penalties.
1. First-party cookies
First-party cookies, set directly by the website visited by the user, represent an initial and simple alternative. Their main advantage is that they are limited to storing information relevant only to the specific domain, reducing the risk of illicit data transfers to third parties.
Although less invasive, own cookies are also subject to regulations such as the ePrivacy Directive and the GDPR. It is mandatory to inform the user of their use and to allow the user to refuse or manage preferences in an accessible way. Failure to comply with these obligations may result in financial and reputational sanctions.
Depending on the business model, their ability to personalise the user experience is more limited compared to third-party cookies. In addition, the data collected must be managed according to strict security policies to prevent unauthorised access.
2. Device fingerprinting
This technique collects unique device information, such as browser settings, IP address and screen resolution, to create an identifying profile. The advantage of fingerprinting is that it does not rely on cookies and allows tracking even when cookies are disabled.
Technically they are effective, but they also raise concerns about their compliance with the proportionality principle set out in the GDPR. Their use should be supported by a data protection impact assessment (DPA), considering the high risk of detailed profiling without explicit consent.
The lack of transparency and the possibility to circumvent user anonymisation tools, such as VPNs or private modes, make them controversial from an ethical and legal perspective.
3. Contextual targeting
Contextual advertising analyses the content of the website to display relevant ads without the need to track personal data. For example, a user visiting a technology blog will see ads related to gadgets or software.
This alternative is in line with the principle of data minimisation, as it does not involve the collection of personal information. However, in cases where own cookies are used to refine targeting, user consent will be required.
The accuracy of algorithms to determine contextual content may be a challenge, affecting the effectiveness of advertising campaigns.
4. Universal identifiers
Universal identifiers, such as Unified ID 2.0, create a unique profile by combining data such as encrypted emails and browsing behaviour. This approach allows for more accurate segmentation and a personalised experience across multiple platforms.
Despite their sophistication, these tools must meet high standards of transparency and consent. According to the GDPR, any data collection or processing must be informed, clear and reversible by the user.
Interoperability between different actors and the reliance on sensitive data require robust governance to prevent abuse and ensure the protection of users’ rights.
5. Privacy Sandbox
Developed by Google, the Privacy Sandbox groups users based on similar interests while preserving individual anonymity. This model is under development and promises a balanced solution between personalisation and privacy.
Its implementation will need to be compatible with existing regulations, ensuring that users can opt out and that the clustering process is transparent.
While promising, its adoption will depend on industry acceptance and Google’s ability to meet regulatory and consumer expectations.
Conclusion
Alternatives to third-party cookies must balance advertising personalisation with the protection of user privacy, in line with regulations such as the GDPR and the CCPA. Solutions such as own cookies, fingerprinting, contextual advertising, universal identifiers and Privacy Sandbox have varying technical and legal feasibilities.
To ensure their implementation, it is crucial to respect principles of transparency, informed consent and data minimisation, avoiding violations of fundamental rights and possible regulatory sanctions.

Desde que Carmen Araolaza empezó la carrera se familiarizó con el derecho tecnológico al haber estudiado Derecho + Especialidad TIC en la Universidad de Deusto.
Le apasiona el derecho digital, en concreto, el Comercio electrónico, la Propiedad Intelectual, la Protección de Datos, la Competencia y el Marketing Digital.