MDN has some great documentation on various web technologies, including on third-party cookies.
From those docs:
If the cookie domain and scheme match the current page the user is looking at (the URL shown in the browser’s address bar), the cookie is considered to be from the same site as the page, and is referred to as a first-party cookie.
If the domain and scheme are different, the cookie is not considered to be from the same site, and is referred to as a third-party cookie.
One way that third-party cookies can be set is
When a page embeds components from other sites, such as images or other documents embedded in
iframe‘s (often referred to as third-party content). As well as the original request for the component, these components may generate further requests that set more third-party cookies.
I noticed one potential example of this approach in this BBC article (what is nice is that in this example, the BBC article gives you the option to load the third-party content, rather than doing it automatically):
Another common scenario where third-party cookies can be set is
When a link is clicked on one site to navigate to another site.
One example of why a third-party cookie might be set when clicking on a link to another site is
you might have an affiliate link to a partner site and set a cookie when the user follows the link so that a reward banner can be displayed with a discount if a certain product is purchased or a commission can be paid back to the referrer.
In addition to the example shown above, another example of third-party content setting cookies is because
you might have a sign-in widget embedded on multiple different-but-related sites, which shares a cookie across all sites confirming that the user is signed in, so they don’t have to sign in again on each site.
This brings up an important point, which is called out at the top of the MDN article linked above:
Note: Third-party cookies are sometimes referred to as cross-site cookies. This is arguably a more accurate name, as third-party cookies imply ownership by a third-party company or organization. However, the behavior and potential issues are the same whether or not you own all the involved sites. For example, a site might access resources such as images from a different domain that they own.
RFC6265 – HTTP State Management Mechanism, is another useful resource for learning about third-party cookies. In particular, section 7.1 – Thirty-Party Cookies. Here is the first paragraph of that section for easy reference:
Particularly worrisome are so-called “third-party” cookies. In rendering an HTML document, a user agent often requests resources from other servers (such as advertising networks). These third-party servers can use cookies to track the user even if the user never visits the server directly. For example, if a user visits a site that contains content from a third party and then later visits another site that contains content from the same third party, the third party can track the user between the two sites.