On 4th February, Chrome is set to launch its Version 80 and with it, the SameSite cookie update. This will be in line with Google’s efforts to make online user experience more transparent and unintrusive. For the same purpose, in November 2019, Google committed to the development of a Chrome update that blocked heavy ads. Before that, in July 2019, Google rolled out the Chrome ad filtering update globally, in accordance with the Better Ads Standard.
The new SameSite update is intended to protect user privacy by labelling third-party cookies. Without labelling these cookies, they will cease to be functional in the browser. This will remarkably impact website owners’ ability to generate revenue, with Chrome capturing approximately 63% share of browser users worldwide, as of December 2019.
Understanding the SameSite Attribute
Currently, all third-party cookies by default are set to ‘SameSite=None’. However, with the SameSite update in effect, website owners will have to explicitly declare a cookie’s state.
The SameSite attribute provides three different ways to define when and how cookies are fired, as defined under the categories: Strict, Lax, and None. The update has been set as default under the Incrementally Better Cookies policy proposed by the Internet Engineering Task Force.
- Lax: If a publisher is using SameSite=Lax attribute for a cookie, it means that the cookie will be sent in the request header in both first-party and third-party context. For example, if a user ended up on a website through a link in their email, the cookie will still be sent in the header with ‘SameSite= Lax’ label in place. This is a default in Chrome 80, even if the SameSite attribute is not explicitly set.
- Strict: If a publisher is using SameSite=Strict attribute, it means that cookies will only be sent to a header in a first-party context and will not be sent if the link is emerging from a third-party context. This needs to be set manually and is not a default in Chrome 80.
- None: This is the current default in Chrome 77 and allows cookies to be sent across all third-party contexts without any restrictions. However, with the SameSite attribute in place from February, cookies set under this category will require labeling as ‘SameSite=None; Secure’.
Why is Google Rolling Out the SameSite Update?
Third-party cookies have become a recurrent subject of debate regarding how much they tend to compromise user privacy. There is a growing awareness amongst Internet users regarding incessant monitoring of their online activities. Needless to say, despite the user privacy concerns, third-party cookies have long served as the foundation for generating ad revenue using behavioral targeting. Regardless, Google is rolling out the SameSite attribute to protect user privacy and provide a more open and transparent experience.
Another reason for this cookie update is to monitor and reduce CSRF activities online. Though Cross-Site Request Forgery has reduced in the last 10 years (5.27% of incidence rate in 2017), Google intends to improve user security against CSRF with this update.
What do Publishers Need to do?
For publishers who mostly rely on third-party cookies to track a user’s online behaviour, this update may seem intimidating. But while there is still time, publishers need to tweak their systems to adapt to the SameSite attribute.
Thankfully, unlike Safari ITP, third-party cookies under the SameSite attribute are not blocked by default. Instead, they need to be labelled as ‘SameSite= None; Secure’, thus limiting their use to only secure HTTPs connections.
Here’s what publishers can do before the update becomes functional:
- Publishers should immediately migrate their website to HTTPs pages that are secure, if that isn’t the case already.
- If a publisher monetizes with third-party partners, they need to communicate and ask them if they have updated their cookies. If this isn’t implemented, Chrome 80 will cause revenue decline.
Additionally, publishers can also test the impact of the latest update in the SameSite attribute on their websites through these steps:
- Type ‘chrome://flags’ in the address bar and click on Enter.
- Enable #same-site-by-default-cookies to check how their website is working under the impact of the recent SameSite attribute update. Further, implement the changes required before the actual update.
Is the End of Third-Party Cookies Imminent?
With Apple and Mozilla prioritizing user privacy above other aspects, Google is under immense pressure to implement similar measures. Will a cookie apocalypse definitely happen? It’s hard to say. But consistent updates from Google and its competitors regarding protection of users from third-party cookies might indicate an eventual end to cookie-based tracking.
In August 2019, Google proposed the integration of a privacy sandbox that allows an environment where publishers are allowed ad targeting while maintaining user privacy. Adding to that, Google earns a major chunk of its revenue through advertising, which most likely would negatively affect their business. This might indicate that we might be entering a cookie-free world which calls for an immediate overhaul of revenue strategies within the ad tech industry.