Google’s SameSite Cookie Update: Everything You Should Know

On 4th February, Chrome launched Version 80 and, with it, the SameSite cookie update. Google, however, rolled back the update in April because essential websites were facing stability issues amid the pandemic. These essential websites include banking, grocery delivery, medical, etc.

Google has now announced resuming SameSite cookie changes from 14th July with the release of Chrome 84.

This is in line with Google’s efforts to make online user experience more transparent and unintrusive. For the same purpose, in November 2019, Google committed to the development of a Chrome update that blocked heavy ads. Before that, in July 2019, Google rolled out the Chrome ad filtering update globally, in accordance with the Better Ads Standard.

The SameSite cookie update is intended to protect user privacy by requiring third-party cookies to be explicitly labelled. Third-party cookies that are not labelled will cease to function in the browser. This could seriously challenge publishers’ ability to generate revenue, with Chrome capturing approximately 63% share of browser users worldwide, as of December 2019.

Share of Chrome in the browser market
Source: statCounter

Understanding the SameSite Cookie Update

Currently, all third-party cookies by default are set to ‘SameSite=None’. However, with the SameSite cookie update in effect, website owners will have to explicitly declare a cookie’s state.

SameSite cookie attribute categories taken from web.dev
Source: web.dev

The SameSite attribute provides three different ways to define when and how cookies are fired under the categories: Strict, Lax, and None. The update has been set as default under the Incrementally Better Cookies policy proposed by the Internet Engineering Task Force.

  • Lax: If a publisher is using the SameSite=Lax attribute for a cookie, it means that the cookie will be sent in the request header in both first-party and third-party context. For example, if a user ended up on a website through a link in their email, the cookie will still be sent in the header with the ‘SameSite=Lax’ label in place. This is the default in Chrome 80, even if the attribute is not explicitly set.
  • Strict: If a publisher is using the SameSite=Strict attribute, it means that cookies will be sent in the request header only in a first-party context and will not be sent if the link originates from a third-party context. This needs to be set manually and is not a default in Chrome 80.
  • None: This was the default in Chrome 77 and allowed cookies to be sent across all third-party contexts without any restrictions. However, with the SameSite attribute in place, cookies set under this category will require labeling as ‘SameSite=None; Secure’.

Why Has Google Rolled Out the SameSite Cookie Update?

Third-party cookies have become a recurrent subject of debate regarding how much they tend to compromise user privacy. There is a growing awareness amongst Internet users regarding incessant monitoring of their online activities. Needless to say, despite the user privacy concerns, third-party cookies have long served as the foundation for generating ad revenue using behavioral targeting. Regardless, Google is rolling out the SameSite cookie update to protect user privacy and provide a more open and transparent experience.

Another reason for the SameSite cookie update is to reduce Cross-Site Request Forgery (CSRF) online. Though CSRF has declined over the last 10 years (5.27% incidence rate in 2017), Google intends to improve user security against CSRF with this update.

What Do Publishers Need to Do?

For publishers who mostly rely on third-party cookies to track a user’s online behaviour, this update may seem intimidating. But while there is still time, publishers need to tweak their systems to adapt to the SameSite attribute. 

Thankfully, unlike Safari ITP, third-party cookies under the SameSite attribute are not blocked by default. Instead, they need to be labelled as ‘SameSite=None; Secure’, thus limiting their use to secure HTTPS connections.

Here’s what publishers can do before the SameSite cookie update becomes functional: 

  • Publishers should immediately migrate their website to secure HTTPS pages, if that isn’t the case already.
  • If a publisher monetizes with third-party partners, they need to ask those partners whether they have updated their cookies. If this isn’t implemented, Chrome 84 will cause revenue decline.
  • If a publisher uses tracking pixels on their website for retargeting, they should label those cookies as ‘SameSite=None; Secure’. Likewise, a third-party vendor who uses cookies on a publisher website should make the same change. If these changes are not implemented, Chrome 80 will not recognize your cookies, rejecting them immediately.
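
The labelling rules above can be checked against a site's actual response headers. The following is an added example, not code from the original article: it parses Set-Cookie header strings and reports which cookies are correctly labelled for third-party use, which are rejected (‘SameSite=None’ without ‘Secure’), and which fall back to the Lax default. The function names and sample headers are constructed for illustration, and an unrecognized SameSite value is treated like a missing one (an assumption).

```javascript
// Added example: classify Set-Cookie headers by the labelling rules in this article.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    // Attribute names are case-insensitive; 'Secure' carries no value.
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

function classify(header) {
  const c = parseSetCookie(header);
  switch (c.sameSite) {
    case 'none':
      // 'SameSite=None' is only accepted together with 'Secure'.
      return c.secure
        ? { name: c.name, verdict: 'cross-site-ok', effective: 'None' }
        : { name: c.name, verdict: 'rejected', effective: null };
    case 'strict':
      return { name: c.name, verdict: 'explicit', effective: 'Strict' };
    case 'lax':
      return { name: c.name, verdict: 'explicit', effective: 'Lax' };
    default:
      // No label (or an unrecognized one, by assumption): the new default applies.
      return { name: c.name, verdict: 'defaulted-to-lax', effective: 'Lax' };
  }
}

// Cookies intended for third-party use that still need 'SameSite=None; Secure'.
function needsRelabel(headers) {
  return headers.map(classify).filter((r) => r.effective !== 'None').map((r) => r.name);
}

// Constructed sample headers, not taken from any real site.
const SAMPLE_HEADERS = [
  'uid=abc123; Path=/; SameSite=None; Secure',
  'track=xyz; Path=/; SameSite=None',
  'sess=1; Path=/; HttpOnly',
  'pref=dark; samesite=strict; secure',
];

console.log(SAMPLE_HEADERS.map(classify));
console.log('Relabel for third-party use:', needsRelabel(SAMPLE_HEADERS));
```

`needsRelabel` assumes every header passed in belongs to a cookie that is meant to work in a third-party context; first-party cookies can stay on Lax or Strict.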

Additionally, publishers can also test the impact of the latest SameSite cookie update on their websites through these steps:

  • Type ‘chrome://flags’ in the address bar and press Enter.
  • Enable #same-site-by-default-cookies to check how their website is working under the impact of the recent SameSite attribute update. Further, implement the changes required before the actual update.

Is the End of Third-Party Cookies Imminent?

With Apple and Mozilla prioritizing user privacy above other aspects, Google is under immense pressure to implement similar measures. In early 2020, Google announced deprecation of third-party cookies in Chrome by 2022. Members of the digital advertising ecosystem will soon enter a cookie-free world. This calls for an immediate overhaul of revenue strategies within the ad tech industry.
