andersju / webbkoll

An online tool that checks how a website is doing with regards to privacy
MIT License

Google cookies not recognized as third-party cookies #6

Closed martin8032 closed 6 years ago

martin8032 commented 6 years ago

When I test our site http://www.allaccess.ch, all cookies are declared as first-party cookies. However, some of these are created by Google services (analytics, tag manager), so I'd expect these to be listed under the third-party cookies section.


andersju commented 6 years ago

Whether a cookie is categorized as first-party or third-party depends on the "cookie domain". For cookies created by JavaScript code, the origin of the script is not relevant. It doesn't matter if it's loaded from allaccess.ch or google.com: in both cases, if the script is loaded by a page on allaccess.ch, it will be as if the cookie was set by allaccess.ch.

So when you visit allaccess.ch, the Google Analytics script analytics.js is fetched from google-analytics.com and executed by your browser in the context of allaccess.ch. When a cookie is then set by the script, the cookie domain will be allaccess.ch, meaning the cookie is never actually sent to Google: the cookie will only be sent in requests to allaccess.ch and nobody else.

You can verify this by opening Developer tools in Chrome or Firefox and then clicking on Application (Chrome) or Storage (Firefox) to check cookies.

More about GA cookies: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id ("By default, analytics.js uses a single, first-party cookie named _ga to store the Client ID")
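
The rule described in the reply above, as an added example that is not part of the original thread and is not webbkoll's code: a toy model in which a cookie written by a script takes the page's domain regardless of where the script was served from, while a cookie from a `Set-Cookie` response header takes the responding host's domain. The function names, the host `tracker.example` and the cookie name `uid` are constructed for illustration.

```javascript
// Added example: toy model of how a browser picks a cookie's domain.
// Simplification: uses RFC 6265 domain-match on the page host; real tools
// usually compare registrable domains via the Public Suffix List instead.

// True if host equals cookieDomain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// document.cookie writes belong to the document's host. scriptSrcHost is
// recorded for display only: it never influences the cookie domain.
function setByScript(pageHost, scriptSrcHost, name, domainAttr) {
  const domain = domainAttr || pageHost;
  // A Domain attribute the document host does not match is rejected.
  if (!domainMatches(pageHost, domain)) return null;
  return { name, domain, via: "script from " + scriptSrcHost };
}

// A Set-Cookie response header belongs to the host that sent the response.
function setByResponse(responseHost, name, domainAttr) {
  const domain = domainAttr || responseHost;
  if (!domainMatches(responseHost, domain)) return null;
  return { name, domain, via: "Set-Cookie from " + responseHost };
}

function classify(pageHost, cookie) {
  return domainMatches(pageHost, cookie.domain) ? "first-party" : "third-party";
}

// Constructed scenario: one script-set cookie, one header-set cookie.
function demo() {
  const page = "www.allaccess.ch";
  const jar = [
    setByScript(page, "www.google-analytics.com", "_ga", "allaccess.ch"),
    setByResponse("tracker.example", "uid", null), // hypothetical embed
  ];
  return jar.map((c) => c.name + " (" + c.via + "): " + classify(page, c));
}

console.log(demo().join("\n"));
```

In this model a script served from google-analytics.com cannot set a cookie for google-analytics.com while running on allaccess.ch: `setByScript` returns `null` for that Domain attribute.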