In order to understand the way we determine the provider value, it is important to know the difference between first-party and third-party cookies.
Data collected by third party cookies can be read by the third party on any website that includes a script from the third party, while the data gathered by a first party cookie can only be read by the website it originates from.
In the scan report the "provider" is stated as the domain name from which a cookie originates. To see which domain this is, we look at who is actually providing the exact script that sets the cookie. For first party cookies this will be the domain name of the current website. For third party cookies this will be the domain name of the embedded third party service setting the cookie.
Example with Google Analytics cookies _ga:
The _ga cookie comes from Google Analytics, which is a Google product and, understandably so, you expect "Google" to be set as the cookie provider. However, a first party cookie can be set by scripts served from a third party domain - e.g. Google Analytics "_ga" first party cookie is set from a third party domain "google-analytics.com". The provider of this cookie will depend on how the script was implemented in your website:
- When the Google Analytics script is added inline, the domain itself is considered the provider.
- When the script is loaded via a different tool into your website, it is possible that this tool will be stated as the provider for this cookie.