WTF is Chrome’s SameSite cookie update?
On February 4, Google is set to roll out a new Chrome update that promises a bunch of new features designed to make the browser faster and more secure — including a new approach to cookies.
The SameSite update will require website owners to explicitly label the third-party cookies that can be used on other sites. Cookies without the proper labelling won’t work in the Chrome browser, which has 64% of the overall browser market, according to Statcounter.
What is the change?
Google first announced in May last year that cookies that do not include the “SameSite=None” and “Secure” labels won’t be accessible by third parties, such as ad tech companies, in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections.
Right now, the Chrome SameSite cookie default is “None,” which allows third-party cookies to track users across sites. But from February, cookies will default to “SameSite=Lax,” which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie — a first-party cookie.
Any cookie with the “SameSite=None” label must also have the Secure flag, meaning it will only be created and sent through requests made over HTTPS. Meanwhile, the “SameSite=Strict” designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher.
Mozilla’s Firefox and Microsoft’s Edge say they will also adopt the SameSite=Lax default.
Why is Google making this update?
Third-party cookies can expose people to malicious tracking and data leakage, and can also make them susceptible to what are known as cross-site request forgery attacks. A user might click on a nefarious link in an email that gives a bad actor the ability to log into their banking website, for example.
“In order to move the web ecosystem to a more healthy place, we are changing the default behavior for when SameSite is not specified to automatically default to a more secure option rather than a less secure option,” said a Google spokesperson.
What do publishers need to do in order to get ready for February?
Publishers can begin testing whether their sites are affected by going to chrome://flags and enabling #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure to see whether anything breaks. They should also migrate to HTTPS secure pages, if they haven’t done so already.
Google is encouraging publishers to review the alerts in their developer tools to check whether vendors, including ad tech and analytics providers, are setting or accessing third-party cookies on their sites without the correct labeling.
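The labeling rules described above can also be checked offline against the Set-Cookie headers a site or its vendors send. The following is an added example, not code from Google or from this article; the function names and sample headers are constructed for illustration, and treating an unrecognised SameSite value like a missing one is an assumption of the example.

```javascript
// Added example: classify Set-Cookie headers under the Chrome 80 rules
// described in the article. All names and sample values are hypothetical.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const known = ['none', 'lax', 'strict'];
  // Assumption: a missing or unrecognised label falls back to the new default, Lax.
  const defaulted = !known.includes(c.sameSite);
  const effective = defaulted ? 'lax' : c.sameSite;
  let verdict;
  if (effective === 'none' && !c.secure) {
    verdict = 'rejected'; // SameSite=None without Secure will not work
  } else if (effective === 'none') {
    verdict = 'cross-site'; // usable by third parties, HTTPS only
  } else {
    verdict = 'first-party-only';
  }
  return { name: c.name, effective, defaulted, verdict };
}

// Constructed sample headers, as a publisher or vendor might send them.
const samples = [
  'uid=abc123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT',
  'sync=xyz; Path=/; SameSite=None',
  'sync=xyz; Path=/; SameSite=None; Secure',
  'session=s1; Path=/; HttpOnly; Secure; SameSite=Strict',
  'prefs=dark; samesite=LAX',
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const r of auditAll(samples)) {
  const note = r.defaulted ? ' (no valid SameSite label, default applied)' : '';
  console.log(`${r.name}: ${r.verdict}, SameSite=${r.effective}${note}`);
}
```

Any vendor cookie reported as "rejected", or as "first-party-only" with the default applied, is one that will stop working in a third-party context once the new defaults are on.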
What are the risks?
Sometimes publishers use third-party cookies for logins and remembering user preferences when they should really be using first-party cookies, according to Kevin Joyner, director of planning and insight at digital marketing agency Croud. This tends to happen when a publisher owns a number of different websites and domains — so publishers looking to maintain single sign-ons spanning multiple domains would need to ensure their cookie configuration is compatible.
The biggest potential fallout could be for vendors who have built up cookie-reliant audience databases. Adobe, for example, has warned in a blog post that cookie matching might decrease for its Audience Manager customers as there’s a possibility some of its partners might not make the necessary changes in time.
“The issue is the new standard cookies will not be compatible with the old cookie,” said Joyner. “It means that marketing pool is suddenly useless.”
Is this the beginning of the cookieapocalypse?
Not quite. Experts are split as to whether the SameSite update is a precursor to Google further tightening its wider cookie policies, in a similar direction as Apple’s Intelligent Tracking Prevention and Firefox’s Enhanced Tracking Protection — not least as Google has an advertising business of its own to protect.
Chrome already offers users the ability to block third-party cookies and to clear all their cookies. The SameSite change should allow users more nuanced control of their privacy settings as first- and third-party cookies will be more accurately designated — so they can clear ad-tracking cookies but leave their on-site login details and preferences unaffected.
But further down the line, Google has already been hinting at what a cookie-free web might look like. At last year’s Chrome developer conference in November, Michael Kleber, a Google software engineer who works on privacy and tracking prevention in Chrome, spoke about shifting from cookies to “more right-sized APIs” that don’t allow for unfettered tracking of individuals across the web. Chrome is also exploring techniques such as federated learning of cohorts to continue to allow behavioral ads to work.