But there’s a more pressing deadline looming that advertisers need to prepare for: SameSite. Beginning on Feb. 4, Chrome will stop supporting cross-site third-party cookie sharing by default.
Third-party cookies that aren’t secure – as in, accessed over HTTPS – and also properly labeled using the SameSite attribute, will no longer be readable across sites.
Google has framed the SameSite change as primarily a security measure to protect against cross-site request forgery attacks.
But in light of Chrome’s more recent announcement, it’s clear that requiring SameSite flags are also a precursor to the demise of third-party cookies.
SameSite feels like “a baby step toward a cookieless world,” said Nick Kaplan, director of programmatic at female-focused publisher SHE Media.
“Everyone has to address [SameSite] now to keep the pipes running properly,” Kaplan said, “but then we all really need to focus on what the new privacy-driven future looks like.”
In the same boat
SameSite lets Google easily identify third-party cookie trackers and see a cookie’s purpose, said Ken Weiner, CTO of GumGum.
Flagging cookies as “SameSite=strict” restricts all cross-domain sharing, while “SameSite=lax” will only allow sharing across domains that have the same top-level URL. As of Feb. 4, “lax” will become the default setting in Chrome for any third-party cookie without a SameSite flag.
The “Samesite=none” attribute is the most permissive, and the one every ad tech company is probably busily adding to its code right now. “None” allows third-party cookies to flow freely across domains, as long as they’re secure, thereby enabling the ad tech ecosystem to function as “normal” … for the moment.
Expect, for example, more granular privacy control mechanisms in Chrome 80, which is hitting in early February along with the new SameSite requirements.
In the blog post announcing Chrome’s intention to do away with third-party cookies, Justin Schuh, director of Chrome engineering, noted that SameSite will help “give users more precise cookie controls.”
With that in mind, it’s inevitable that Google will eventually block any cookie with the “SameSite=none” setting, GumGum’s Weiner said.
But the only thing for companies to do in the near term is to comply with the SameSite requirements.
“Google is forcing ad tech to accept SameSite by saying that cookies aren’t going to work without it,” Weiner said. “I guess you could call it a lily pad for ad tech on the way to the cookieless deep end … [but] ad tech is going to end up in that deep end sooner or later regardless.”
That’s why it’s up to ad tech to help itself. Over the next two years, the advertising industry will have the opportunity to weigh in on the proposals in Google’s Privacy Sandbox, a still nascent Chrome-led initiative to develop standards and tools to replace third-party cookies and enable safe data sharing.
In the interim, Google is implementing already-available web standards, such as SameSite, while the APIs in the sandbox start to take a more solid shape. But you can already start to see the dotted line between what exists and what’s to come.
One of the sandbox proposals, for example – the first-party data sets API – looks a lot like it could be the next generation of “SameSite=lax,” which, pointed out Victory Medium founder Zach Edwards, isn’t nuanced enough to enable first-party data sharing between different domains. A first-party data sets API would allow related domains owned by the same entity to share data between them.
For now, though, the SameSite update deadline is around the corner, and it can’t be ignored. Here are a few tips to keep in mind while you prepare:
Audit your cookies: It’s prudent for all players in the supply chain to conduct a review of the cookies they directly read and write themselves, said Cédric Vandervynckt, GM and EVP of web at Criteo, and to make sure that their partners do the same.
“If an ad tech partner does not implement the changes in time, the effectiveness of the cookie sync with that partner will be greatly reduced, along with the effectiveness of the partnership,” Vandervynckt said.
Get secure: But don’t forget that this isn’t just about cross-site data sharing, it’s about security. Adding “SameSite=none” to your code won’t work unless you also mark the cookie as secure.
“If you have a service that generates cookies that is available over both HTTP and HTTPS, forcefully redirect that service to HTTPS,” said SHE Media’s Kaplan.
Double check your work: If the SameSite flags aren’t implemented properly, there won’t be an error message to alert you of a problem. The cookies will simply fail without any indication that they aren’t working.
“Ad tech providers were forced by GDPR to review and be aware of all the cookies they drop, so the lists of cookies to check are already there – and, yes, checks need to be done manually,” said Andraz Tori, head of recommendations and data science at Outbrain. “The ‘failure mode’ here is silent, so no specific functionality will break if you don’t do your homework – cookies will simply get lost.”
Keep your eyes open: Beyond SameSite and Chrome’s third-party cookie bombshell, there are bound to be more changes between now and 2022, so strap in.
“Chrome has the lion’s share of traffic, which means that every change they make has the potential to impact the media business and the financial state of websites,” said Frances Giordano, associate director at MDC-owned agency The Media Kitchen. “How many more changes will there be down the road? That’s something we always have to be thinking about.”