Are you ready for Google Chrome’s SameSite update?

There’s a lot going on with ad tech and some (understandable) visions of the apocalypse. It’s worth recapping on the SameSite cookie changes, and clarifying what this does – and doesn’t – mean. And with the change starting to take effect from the week of 17th February (rolling out with Chrome 80 Stable), it’s important to make sure you aren’t going to be losing any tracking functionality.

This blog post was updated on 3rd February to reflect the revised launch timeline from Google.

As an industry, we need to improve the security and privacy of how we track, identify and target audiences. Change can (and will) come from many different places: from governments and ad platforms to operating systems, browsers, ad blockers etc. Change will also come from simple iterations that have small but immediate effects to initiatives that will ultimately define the next decade of advertising data standards. 

Google realises its responsibility to enact change

Google has started to get very busy with this, which is unsurprising. Their speed of progress shouldn’t be seen as a reluctance to change (what with Apple’s ITP starting over a-year-and-a-half ago). I personally think they have taken their responsibility as the market leader in both the browser, mobile operating system and search engine spaces very seriously. They are such a pivotal player in this with, ultimately, the most to lose. So being methodical, logical and measured is the only approach. 

They have already announced a number of changes they are starting to consider for the future (see our article on their recent announcement regarding their “…path towards making third party cookies obsolete” here.) but it’s an older announcement (from May 2019) that is about to become reality with the “SameSite” cookie labelling that Google Chrome is to roll out on 17th February 2020.

What is ‘SameSite’ cookie labelling and what does it do?

The update on 17th February mainly improves the security of Chrome as a browser by addressing vulnerability to cross-site request forgery through the setting of the SameSite attribute for cookies.

Cookies carry attributes or labels, and one such attribute is named “SameSite”. Currently, by default, the value of this attribute is assumed by the web browser to be “SameSite=none” and this allows for cookies to be accessed across websites, and so to facilitate cross-site tracking. With the Chrome update releasing on 17th February, this default setting will be changed to “SameSite=Lax” which does not allow the cookie to support cross-site tracking. The cookie can function mainly as a first-party cookie, meaning it can be accessed only by the domain that matches the domain in the browser URL bar. 

Third-party cookies will now necessarily, explicitly require the label “SameSite=none”. In addition to this, any cookies labelled as “SameSite=none” also need to be labelled “Secure” ( i.e.SameSite=None; Secure) and this has the effect of enforcing secure (HTTPS) access to the cookie.

OK, so what does it mean for you – and your digital advertising?

Different sectors will have different experiences with publishers being more likely to have the most work to do, as their sites may be deploying third-party ad tech and also setting their own third party cookies. The first thing to do is to understand the impact by reviewing your current cookie set. Below is some advice on how you might go about checking things:

If you don’t have documentation on what cookies are set (and with what labels) then Chrome’s developer console is what you need to use in order to see what potential issues you might be facing. The console has messages/warnings on which cookies are at risk, like those shown in the example below. 

Alternatively, you can check under the Application > Storage > Cookies for a list of all cookies set on your site and use the SameSite and Secure columns to confirm requirements with more granularity.

Be sure to check all your site to ensure that none of your cookies has any labelling issues and therefore everything is acting as you need it too.

Once you know what cookies are being set, and what label values are in place, it’s time to start updating. Firstly, I would always recommend reading the official documentation from Chrome, found here. Aside from that, we’ve collated some examples and the recommended actions to help guide you.

You can read the official documentation for more information here.

To find out more about the SameSite update and how Croud can help you prepare, get in touch.

by Chris Ford
29 January 2020



Related posts