Ad Tech & Ad Ops

SameSite Cookie Update: Everything You Should Know

On 4th February, Chrome launched its Version 80 and with it, the SameSite cookie update. However, Google rolled back this update in April due to its impact on banking, e-commerce, medical information sites – considered as essential services.

Google has announced resuming SameSite cookie changes from 14th July with the release of Chrome 84.

Here are the updates Google rolled to make the online user experience more transparent and unintrusive:

The SameSite attribute can be used to control how cookies are used when a cross-site request is generated. Current behavior allows websites to share third-party data by default – leading to a greater possibility of user privacy leaks.

You may also like:

Understanding the Samesite Cookie

Currently, all third-party cookies are set to ‘SameSite=None’ by default. However, with the SameSite cookie update in effect, website owners will have to declare a cookie’s state explicitly.

SameSite cookie attribute categories taken from web.dev

Source: web. dev

The SameSite attribute provides three ways to define when and how cookies are fired: Strict, Lax, and None.

As per the Incrementally Better Cookies policy, “First, cookies should be treated as “SameSite=Lax” by default.  Second, cookies that explicitly assert “SameSite=None” in order to enable cross-site delivery should also be marked as “Secure”.”

AttributeWhat does it meanMode
LaxOnly first-party cookies to be sentNew default if SameSite is not set
StrictA subset of lax won’t fire if the incoming link is from an external site.
NoneCookie data can be shared with third parties/external sitesPrevious default; now needs to specify ‘None.’
SameSite Attributes

If a company owns multiple websites, then they can’t share data within the company unless the SameSite attribute is ‘None’. Basically, unless there is a domain match, cookies can’t be shared without proper permission.

Why Has Google Rolled Out the Samesite Cookie Update?

Third-party cookies are much talked about when it comes to user privacy. There is a growing awareness amongst users regarding constant monitoring of their online activities. 

Strategies to Tackle Cookie Demise

Despite the user privacy concerns, third-party cookies have long served as the foundation for generating ad revenue using behavioral targeting. Regardless, Google is rolling out the SameSite cookie update to protect user privacy and provide a more open and transparent experience.

Another reason for the SameSite cookie update is to monitor and reduce Cross-Site Request Forgery (CSRF) activities online. Though CSRF has diminished in the last ten years (5.27% of incidence rate in 2017), Google intends to improve user security against CSRF with this update. 

You may also like:

Samesite Cookie Changes and AdTech Industry 

SameSite cookie update affects ad tech vendors, publishers, advertisers, and anyone who is relying on cookies to target the audience. So everyone needs to do a bit of homework to stay in-game. 

The new SameSite attributes can be seen as an indication of increasing data privacy concerns. Considering the popularity of Google Chrome and its market share, ad tech vendors must reduce their dependencies on invasive 3P cookies. 

As of now, Chrome is not blocking these cookies by default. However, it does limit its users to HTTPS, secure connections, which gives Google the visibility into identifying third-party cookies and offer an easy opt-out option to users. 

As a user, here’s you can check the active cookies on your Chrome:

  • Go to your website > Right-click > Inspect
  • Navigate to Console to check the status of your SameSite cookies.

What Do Publishers Need to Do?

The impact of SameSite cookies will vary for each publisher. Regardless, you must read and educate yourself about this update.

Here’s what can be done, based on different publisher situations:

I. If you track users to allow retargeting to your vendors:

  • SameSite=None; Secure
  • This way, Chrome won’t reject the cookie requests
    • If you do nothing, then Chrome 80 (and beyond) will reject cookie requests.

II. If you only allow first-party cookies:

  • SameSite=Lax;Secure
  • This way, Chrome will only accept first-party cookie requests
  • If you do nothing, then Chrome 80 (and beyond) would have this setting by default.

III. Additionally, publishers can also test the impact of the latest SameSite cookie update on their websites through these steps:

  • Type ‘chrome://flags’ in the address bar and click on Enter. 
  • Enable #same-site-by-default-cookies to check how their website works under the impact of the recent SameSite attribute update. Further, implement the changes required before the actual update. 

Is the End of Third-Party Cookies Imminent?

With Apple and Mozilla prioritizing user privacy above other aspects, Google is under immense pressure to implement similar measures.

In early 2020, Google announced the deprecation of third-party cookies in Chrome by 2022. Members of the digital advertising ecosystem will soon enter a cookie-free world. This calls for an immediate overhaul of revenue strategies within the ad tech industry.

Check if Your Site is Compatible with Chrome 80

You can check the compatibility of your website within the developer tools console. This will help you make sure that your settings are configured for the new standard. 

Considering how the rollout of Chrome 84 is slow, you might come across a warning everything is working as it should.

Many services are using redundant cookies to meet the new standards. In other words, they are sending duplicate cookies that can conform to legacy settings and ensure compatibility with the latest standards. 

Wrap up

And this brings our guide to a close, folks. Here’s hoping you’ve learned plenty about Samesite cookies from all information we’ve thrown in throughout the post.

For publishers who are having trouble understanding SameSite updates, AdPushup can help. We have a team of ad optimization specialists who can assist you in adapting to the new update and ensure that it doesn’t negatively impact your ad revenue. 

Frequently Asked Questions: 

Q1. What are SameSite cookies?

The SameSite attribute allows publishers to declare if their cookies should be restricted to a first-party or not.

Q2. How can publishers set SameSite cookies?

Publishers can control SameSite cookies behavior in three different ways: Lax, Strict, and None. They can use Lax or Strict to limit the cookie to same-site requests or choose not to specify the attribute.

Q3. How can I test the new SameSite cookie defaults?

In the location bar, enter chrome://flags to access the flag configuration. Set the following flags to enabled:

  1. chrome://flags/#same-site-by-default-cookies
  2. chrome://flags/#cookies-without-same-site-must-be-secure

Q4. When do the new SameSite cookie changes roll live?

SameSite changes will become the default during the Chrome 80 rollout.


Write A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.