A first-party cookie is set by the same domain shown in the browser's address bar — used for session management, authentication, preferences, shopping carts, and first-party analytics. Google Analytics' _ga is first-party — even though Google processes the data, the cookie itself is scoped to your domain. Third-party cookies are set by a different domain — an ad network or embed. First-party doesn't mean exempt from consent. Under GDPR and ePrivacy, a first-party analytics or marketing cookie still needs opt-in consent before firing — only "strictly necessary" cookies are exempt. Safari's ITP caps JavaScript-set first-party cookies at around 7 days, whatever the expiry.
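The three rules above (party by domain, consent by purpose, Safari's cap on script-set cookies) combined into one cookie-inventory audit. This is an added example, not code from the original page. The inventory, field names and `auditCookie` are hypothetical; the party check is a simplified domain match, and the "around 7 days" cap is treated as exactly 7.

```javascript
// Added example: audit a cookie inventory against the rules in the text.
const ITP_JS_CAP_DAYS = 7; // the text says "around 7 days"; treated as exact here

// Simplified party check (assumption): a cookie is first-party when the
// address-bar host equals the cookie's domain or is a subdomain of it.
function isFirstParty(cookieDomain, pageHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = pageHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

function auditCookie(cookie, pageHost, consent, browser) {
  const firstParty = isFirstParty(cookie.domain, pageHost);
  // Consent depends on purpose, not on party: only "necessary" is exempt.
  const allowed =
    cookie.purpose === "necessary" || consent[cookie.purpose] === true;
  // The cap applies to first-party cookies written by script in Safari.
  const capped = browser === "safari" && firstParty && cookie.setBy === "js";
  const lifetimeDays = capped
    ? Math.min(cookie.days, ITP_JS_CAP_DAYS)
    : cookie.days;
  return {
    name: cookie.name,
    party: firstParty ? "first" : "third",
    allowed,
    lifetimeDays,
  };
}

// Constructed inventory for a page at shop.example.com (all values made up).
const INVENTORY = [
  { name: "session_id", domain: "shop.example.com", purpose: "necessary", setBy: "http", days: 1 },
  { name: "_ga", domain: ".example.com", purpose: "analytics", setBy: "js", days: 730 },
  { name: "ad_id", domain: "ads.adnetwork.test", purpose: "marketing", setBy: "http", days: 390 },
];

function auditAll(pageHost, consent, browser) {
  return INVENTORY.map((c) => auditCookie(c, pageHost, consent, browser));
}

// Visitor has not opted in to anything and is using Safari.
console.log(auditAll("shop.example.com", { analytics: false, marketing: false }, "safari"));
```

With no opt-in, `_ga` is reported as first-party but not allowed, and its 730-day expiry is reduced to 7 days in Safari.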