Chrome's SameSite Cookie Changes - What Do They Mean for Ad Tech?

Google rolled out a new Chrome update on February 4, 2020. The SameSite update will require websites to provide additional information about third-party cookies and how they are used for third-party websites.

In this article, we will explore SameSite cookies in detail. We will also discuss the impact of SameSite cookies on the ad tech industry. But before we delve deeper, let's go over what a cookie is.

For starters, a cookie is a simple text-based file that is commonly exchanged by sites with browsers. In the ad tech industry, cookies are used to track website activity and understand user behavior.

What is a Chrome SameSite Cookie?

The SameSite cookie first came into existence in 2016. The entire concept of this cookie is fairly simple, the attribute restricts third-party websites to either the first-party or same-site context. Thus, whenever a website requests something from the original source, the cookies won't be shared.

Because of this, SameSite limits the risk of information leakage and keeps the cookies secure. Publishers and ad tech vendors will have to assign a specific attribute to the SameSite cookie to identify if they should allow a cookie to be accessed by third-parties or not.

SameSite is making the headlines, all because of the recent update in which the Google Chrome 80 browser will enforce the first-party default on all cookies that don't have the set attribute. This will dramatically impact the companies that rely on third-party cookie requests.

SameSite Cookie Labels Explained

SameSite consists of three attributes:

• Lax: This one only allows first-party cookies to be accessed and sent. Attribute Specification: “SameSite=Lax;”
• Strict: This is a subset of lax which won't get triggered if the incoming link sprouts up from an external site. Attribute Specification: “SameSite=Strict;”
• None: This attribute signals to the browser that the cookie data can be shared with external and third-party websites. Attribute Specification: “SameSite=None;”

Let's understand what a SameSite cookie and its attributes are by using an illustrative example. Imagine that you run a lifestyle blog, and use cookie IDs to store user information. If your first-party cookies are set to “lax”, you will always be able to access the data.

However, if they are set to “strict”, you won't be able to access the data if the incoming link is from a third/external website. This means that if a user accesses your website from any other website, like xyz.com, you won't be able to read the cookie.

It is important to note that a “strict” attribute is rarely used by publishers, and is mostly deployed by financial websites and other institutions which need a higher level of security.

So what has changed with the update? Previously, if SameSite wasn't enabled, it was set to “none” by default. This allowed the sharing of third-party cookies automatically.

Changes in a Recent Chrome SameSite Cookie Update

The recent update introduced by Chrome has changed the way cookie files are accessed. Previously, all cookie files were loaded uninhibitedly by Chrome, regardless of the website they originated from and who is accessing them.

Although the entire process was simple, it definitely had some loopholes which posed big privacy concerns for users. This mechanism allowed advertising and analytics firms to track users when they surfed from one website to another, as cookies were loaded inside their browsers.

The introduction of Chrome 80 has changed all these aspects. Thanks to the update version 80, Chrome will only load cookies that were created and loaded by the same domain, known as first-party cookies or same-site cookies.

In the event that cookies are to be loaded from third-party domains, website owners will need to enable this setting inside their cookie headers manually. All cookies should include the “SameSite=None” and “Secure” labels to be accessible by third parties.

Will SameSite Cookie Changes Affect Ad Tech Brands?

This recent Chrome update has taken the security levels a notch higher. Thus, it can possibly affect ad tech vendors that use third-party cookies to track the activities of their target audience on the web. If they don't implement the proposed changes on their ad servers, they might end up losing access to the critical data that fuels their business.

All in all, this move by Google is an attempt to make users' data secure and private. As Chrome currently enjoys 63% share of the browser market, this update will encourage ad tech vendors to rethink their cookie policies.

SameSite Update Preparation Guideline for Publishers

In addition to ad tech businesses, publishers also need to prepare themselves for the change. We highly recommend that you audit, analyze, and update your SameSite cookie attributes to avoid declining results and revenue from your media buying and selling activities.

If you choose to remain silent and do nothing to address the change, your cookies will be set to the “lax” attribute by default. This way, they will remain restricted to first-party use in Chrome 80. As a result, you may see inconsistent cookie behavior across browsers, and console warnings in analytics.

Conclusion

As the Chrome SameSite cookie update is already rolled out, Chrome will start blocking the third-party cookies that aren't labelled according to the the new Chrome requirements. Thus, all cookies where “SameSite = None; Secure” label wasn't added aren't working.

In advertising, third-party cookies are a key source of data used for better audience segmentation and retargeting campaigns. Since most website owners monetize their sites by selling ad inventory to advertisers, we recommend that you prepare yourself for the Chrome SameSite cookie changes.

The good news is that Epom ad server has already updated its cookie-based functionality like cappings, unique user and conversion tracking algorithms to meet the new Google Chrome requirements. From our side, your ad campaigns are still intact. Now it's your turn to apply the changes and live happily ever after in the ad tech world.