Chrome Is Killing Cookies – But SameSite Still Needs To Be Updated

By 2022, third-party cookies will be obsolete in Chrome.

But there’s a more pressing deadline looming that advertisers need to prepare for: SameSite. Beginning on Feb. 4, Chrome will stop supporting cross-site third-party cookie sharing by default.

Third-party cookies that aren’t both secure – as in, accessed over HTTPS – and properly labeled using the SameSite attribute will no longer be readable across sites.

Google has framed the SameSite change as primarily a security measure to protect against cross-site request forgery attacks.

But in light of Chrome’s more recent announcement, it’s clear that requiring SameSite flags is also a precursor to the demise of third-party cookies.

SameSite feels like “a baby step toward a cookieless world,” said Nick Kaplan, director of programmatic at female-focused publisher SHE Media.

“Everyone has to address [SameSite] now to keep the pipes running properly,” Kaplan said, “but then we all really need to focus on what the new privacy-driven future looks like.”

In the same boat

SameSite lets Google easily identify third-party cookie trackers and see a cookie’s purpose, said Ken Weiner, CTO of GumGum.

Flagging cookies as “SameSite=strict” restricts all cross-domain sharing, while “SameSite=lax” will only allow sharing across domains that have the same top-level URL. As of Feb. 4, “lax” will become the default setting in Chrome for any third-party cookie without a SameSite flag.

The “SameSite=none” attribute is the most permissive, and the one every ad tech company is probably busily adding to its code right now. “None” allows third-party cookies to flow freely across domains, as long as they’re secure, thereby enabling the ad tech ecosystem to function as “normal” … for the moment.

Because Chrome ushered in a new normal, and there will be big changes to come before 2022.

Expect, for example, more granular privacy control mechanisms in Chrome 80, which is hitting in early February along with the new SameSite requirements. 

In the blog post announcing Chrome’s intention to do away with third-party cookies, Justin Schuh, director of Chrome engineering, noted that SameSite will help “give users more precise cookie controls.”

With that in mind, it’s inevitable that Google will eventually block any cookie with the “SameSite=none” setting, GumGum’s Weiner said.

But the only thing for companies to do in the near term is to comply with the SameSite requirements.

“Google is forcing ad tech to accept SameSite by saying that cookies aren’t going to work without it,” Weiner said. “I guess you could call it a lily pad for ad tech on the way to the cookieless deep end … [but] ad tech is going to end up in that deep end sooner or later regardless.”

That’s why it’s up to ad tech to help itself. Over the next two years, the advertising industry will have the opportunity to weigh in on the proposals in Google’s Privacy Sandbox, a still nascent Chrome-led initiative to develop standards and tools to replace third-party cookies and enable safe data sharing.

In the interim, Google is implementing already-available web standards, such as SameSite, while the APIs in the sandbox start to take a more solid shape. But you can already start to see the dotted line between what exists and what’s to come.

One of the sandbox proposals, for example – the first-party data sets API – looks a lot like it could be the next generation of “SameSite=lax,” which, as Victory Medium founder Zach Edwards pointed out, isn’t nuanced enough to enable first-party data sharing between different domains. A first-party data sets API would allow related domains owned by the same entity to share data between them.

SameSite advice

For now, though, the SameSite update deadline is around the corner, and it can’t be ignored. Here are a few tips to keep in mind while you prepare:

Audit your cookies: It’s prudent for all players in the supply chain to conduct a review of the cookies they directly read and write themselves, said Cédric Vandervynckt, GM and EVP of web at Criteo, and to make sure that their partners do the same.

“If an ad tech partner does not implement the changes in time, the effectiveness of the cookie sync with that partner will be greatly reduced, along with the effectiveness of the partnership,” Vandervynckt said.

Get secure: But don’t forget that this isn’t just about cross-site data sharing; it’s about security. Adding “SameSite=none” to your code won’t work unless you also mark the cookie as secure.

“If you have a service that generates cookies that is available over both HTTP and HTTPS, forcefully redirect that service to HTTPS,” said SHE Media’s Kaplan.

Double check your work: If the SameSite flags aren’t implemented properly, there won’t be an error message to alert you of a problem. The cookies will simply fail without any indication that they aren’t working.

“Ad tech providers were forced by GDPR to review and be aware of all the cookies they drop, so the lists of cookies to check are already there – and, yes, checks need to be done manually,” said Andraz Tori, head of recommendations and data science at Outbrain. “The ‘failure mode’ here is silent, so no specific functionality will break if you don’t do your homework – cookies will simply get lost.”
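A small script can support the cookie review described in the tips above. This is an added example, not code from the article or from any company quoted in it: it classifies `Set-Cookie` headers by how Chrome 80 will treat them cross-site and reports only the ones that would fail silently. The cookie names, domain and header values are constructed, and it assumes every header listed belongs to a cookie meant for third-party use.

```python
# Added example: audit Set-Cookie headers against Chrome 80's SameSite rules.
# Assumption: every header below belongs to a cookie meant for cross-site use.
OK = "sent cross-site"
DEFAULT_LAX = "no valid SameSite flag: defaults to Lax, not sent cross-site"
REJECTED = "SameSite=None without Secure: cookie is not accepted"
RESTRICTED = "explicitly Lax/Strict: not sent cross-site by design"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(header):
    """Return (cookie name, verdict) for a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        return name, (OK if "secure" in attrs else REJECTED)
    if samesite in ("lax", "strict"):
        return name, RESTRICTED
    # Missing or unrecognised value: handled like an unlabeled cookie.
    return name, DEFAULT_LAX


def audit(headers):
    """List the cookies that would silently stop working across sites."""
    results = (classify(h) for h in headers)
    return [(n, v) for n, v in results if v in (DEFAULT_LAX, REJECTED)]


# Constructed sample headers (hypothetical cookie names and domain).
SAMPLE_HEADERS = [
    "sync_id=abc123; Path=/; Domain=adtech.example; Max-Age=2592000",
    "uid=42; Path=/; SameSite=None",
    "uid2=42; Path=/; Secure; SameSite=None",
    "session=xyz; Path=/; HttpOnly; Secure; SameSite=Lax",
    "pref=1; samesite=NONE; secure",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {verdict}")
```

Feed it the `Set-Cookie` values captured from your own endpoints and from partners' sync responses; anything it reports needs `SameSite=None; Secure` before the deadline.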

Keep your eyes open: Beyond SameSite and Chrome’s third-party cookie bombshell, there are bound to be more changes between now and 2022, so strap in.

“Chrome has the lion’s share of traffic, which means that every change they make has the potential to impact the media business and the financial state of websites,” said Frances Giordano, associate director at MDC-owned agency The Media Kitchen. “How many more changes will there be down the road? That’s something we always have to be thinking about.”
