Google Chrome SameSite Cookies Update: What It Means
This post was co-authored by Tom Clinton and Daniel Oliver.
Google is rolling out a major Chrome browser update on February 4th that will require websites to provide additional information about third-party cookies and how they are used for other websites.
Failure to provide appropriate labels for third-party cookies will result in those cookies no longer working in the Chrome browser, which historically sets the standard for additional browsers as well.
Here’s everything that we know and how you can prepare for Chrome’s new cookie changes.
Why Are Cookies Important for Advertisers?
Cookies live on a user’s browser to carry persistent information from one page to the next, as well as from one site to the next.
Specifically for digital marketing, that persistent information that cookies carry is used across websites to target specific users, as well as to measure conversions for those users who are exposed to digital marketing campaigns.
For example, say a user clicks through a Google search ad to your website. That initial landing on your site will set a cookie that Google’s servers can access. This is useful for retargeting campaigns, as Google will be able to find that user across its advertising network and serve relevant ads to them. If the user revisits your site and converts, that cookie value from the first landing on your site from the search ad will be trackable by Google as a first touch conversion.
Additionally, Google may be able to use these cookies to anonymously track behavior across sites and domains to enhance retargeting.
What’s Changing?
Google announced last year that they would be changing how Chrome browser interacts with third-party cookies.
In the upcoming version of Chrome (with more browsers to follow), it will be required for cookies that need to be accessed by third parties (as in our example above) to declare that intention.
Specifically, these cookies will need to send the following value: SameSite=None; Secure
Other options of the SameSite parameter are SameSite=Strict and SameSite=Lax. Both of these values would restrict cookies to only be accessed by your website. This is useful for user-specific actions that are not intended to be used by other sites, i.e. logins, add to carts, newsletter sign-ups, etc.
These three values have historically been made available to developers, but unfortunately, they have not always been used, as the default behavior for not declaring a SameSite value has been to set the cookie to None, which would allow all parties (first and third) to use the cookie.
For cookies that do not declare SameSite=None; Secure, Chrome will default these to SameSite=Lax. This will restrict the cookies to only the specific site the user is currently on. It’s also important to note that Secure is required in order to set a cookie as SameSite=None or else Chrome will treat the cookie as Lax.
Other Companies Are Limiting Third-party Cookies
Note that this behavior is similar to the way that Apple’s ITP currently works in the Safari browser (though there are some tangential differences).
The change follows Google’s big announcement that they plan to “phase out” third-party cookies altogether within the next two years.
Next Steps: Correct SameSite Cookie Settings
For business owners and publishers, it’s important to be mindful of the change and make sure that your cookie settings are up-to-date on your website.
As it relates to digital marketing, ensure any ad tech vendors you are utilizing are updating any cookies they are setting on your site to include SameSite=None; Secure.
For more information on how you can test if your website will be affected by the change, you can check out Google’s original post on Chromium here.
Want to learn more?
Google Phasing Out Third-Party Cookies: What You Should Know
Developers: Get Ready for New SameSite=None; Secure Cookie Settings
You Might Be Interested In
