In order to understand the way we determine the provider value, it is important to know the difference between first-party and third-party cookies.
Data collected by third party cookies can be read by the third party on any website that includes a script from the third party, while the data gathered by a first party cookie can only be read by the website it originates from.
In the scan report the "provider" is stated as the domain name from which a cookie originates. To see which domain this is, we look at who is actually providing the exact script that sets the cookie. For first party cookies this will be the domain name of the current website. For third party cookies this will be the domain name of the embedded third party service setting the cookie.
Example with Google Analytics cookies _ga:
The _ga cookie is set by Google Analytics. Since this is a Google product you would understandably expect "Google" to be the cookie provider.
In this context "provider" implies which entity sets the cookie, not the author of the software that sets the cookie. The Google Analytics "_ga" first party cookie is set by your own domain, as you can see in this example from cookiebot.com:
If the cookies was set from a third party domain, like google-analytics.com, the provider of this cookie would be Google.
The provider of a cookie is determined by how the cookie is set:
- For 1st party cookies, the domain itself is considered the provider.
- For 3rd party cookies, the third party domain is considered the provider.
- When the script is loaded via a different tool into your website, for example a tag manager, it is possible that this tool will be stated as the provider for this cookie.