Google Will Limit Cross-Site Tracking In Chrome By Default Starting In February

Is Google planning its own version of Safari’s Intelligent Tracking Prevention?

Never say never.

Google is less than two months away from instituting a policy change within the next iteration of Chrome that will severely limit cross-site cookie sharing, and most ad tech companies seem blithely unaware.

Starting Feb. 4, and to coincide with the release of Chrome 80, Google Chrome will stop sending third-party cookies in cross-site requests unless the cookies are secure and flagged using an internet standard called SameSite.

Chrome first announced its plan to develop a secure-by-default model for handling cookies back in May at the Google I/O event.

Cookies that aren’t proactively labeled according to the standard will cease to function in Chrome, and all cookie data that was generated prior to being flagged will no longer be accessible – aka, the sooner you set, the sooner you can get back on track.

“For those that don’t make the deadline, their third-party cookies will break,” said Ratko Vidakovic, founder of ad tech consultancy AdProfs, “which means everything that relies on those cookies will break: audience recognition, analytics, attribution – you name it.”

Not the same-old SameSite

SameSite isn’t new. The concept of a secure cookie flag has existed since the late ’90s, but it’s never been a requirement in Chrome, only a best practice.

The SameSite requirements are part of a larger batch of changes focused on security that Google is making to create what it refers to as “incrementally better cookies.”

Google said it’s getting more aggressive with SameSite to prevent insecure data sharing across domains and cross-site request forgery, which is when hackers manipulate authenticated cookies into taking unwanted actions, like generating fake clicks.

In the short-term, ad tech companies and publishers that haven’t already will be forced to move to HTTPS. If they don’t, their cookies will be discarded by the browser.

But there are potentially wider implications for anyone that does retargeting or relies on third-party iFrames.

“Basically, they’re screwed,” said Zach Edwards, chief data officer at MetaX.

“For the last 22 years, the default has been to allow data, like third-party cookies, to flow across domains – that’s how the whole internet works,” Edwards said. “After February 2020, the default becomes not allowing that transfer to happen in Chrome unless specific cookie flags are set.”

Wave the flag

Developers, or whoever is responsible for maintaining a company’s code base, will now have to set SameSite cookie attributes in Chrome with one of three values: strict, lax or none.

Specifying a cookie as “SameSite=Strict” allows no cross-site sharing. That cookie won’t work anywhere else other than on the domain it was dropped on. “SameSite=lax” is less restrictive, and allows a site to share cookies across domains owned by the same publisher.

“SameSite=none” enables full-on third-party cookie sharing, as long as it’s secure.

Today, SameSite=none is the default in Chrome, and lets the ad tech ecosystem function.

As of February, SameSite=Lax will become the default for developers that don’t proactively enable SameSite=none.

As long as ad tech companies and publishers with proprietary technology label their cookies as SameSite=none, nothing will change – for now.
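As an added example (not code from Google or from any company quoted here), the short Python audit below applies the rules described above to a list of Set-Cookie headers and reports which cookies change behavior in Chrome 80. The header values and the example domain are constructed, and treating an unrecognized SameSite value like a missing one is an assumption of this sketch.

```python
# Added example: classify Set-Cookie headers against the Chrome 80 rules
# described in this article. All header values below are constructed samples.

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lowercase attribute names to values."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(header):
    """Predict how Chrome 80 treats the cookie in a cross-site request."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        # SameSite=None is only honoured when the cookie is also Secure.
        verdict = "sent-cross-site" if secure else "rejected-insecure-none"
    elif samesite in ("lax", "strict"):
        verdict = "first-party-only"
    else:
        # Missing attribute: Chrome 80 defaults to Lax. An unrecognized value
        # is handled the same way here (assumption of this example).
        verdict = "defaulted-to-lax"
    return name, verdict

def audit(headers):
    """Return cookies whose third-party behavior changes under Chrome 80."""
    changed = ("defaulted-to-lax", "rejected-insecure-none")
    return [r for r in map(classify, headers) if r[1] in changed]

SAMPLE_HEADERS = [  # constructed
    "uid=abc123; Path=/; Domain=.adtech.example; Max-Age=31536000",
    "seg=42; Path=/; SameSite=None",
    "sync=1; Path=/; Secure; SameSite=None",
    "session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf=tok; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```

Only the first two sample cookies are flagged: one carries no SameSite attribute and the other declares SameSite=None without Secure.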

But once all of the cookies and pixels firing in Chrome have declared their purpose, Google will know exactly which cookies are sharing data across sites. Armed with this knowledge, there’s nothing – other than anticompetitive concerns – stopping Google from creating a privacy tool that would allow users to remove all third-party cookie tracking without deleting functional cookies, like stored passwords.

“I wouldn’t say this puts Chrome into Firefox or Safari territory, so it’s not the cookie Armageddon, but it does lay the groundwork for something that’s on par,” said Dan Larden, managing partner of product and partnerships at Infectious Media. “It’s another nail in the coffin, but not necessarily the burial.”

Hot button

But what would a “no third-party tracking” button actually look like in Chrome?

There’s no need to speculate. Just download Canary, the development version of Chrome where Google tests out beta features before general release; visit “chrome://flags;” and enable the experimental “removing SameSite=none cookies” feature.

Then open an incognito window, and there it is: a toggle called “Block third-party cookies” that, when turned on, will disable browsing activity across different sites from being used to personalize ads.

If Chrome activates this feature for its users, they will have an easy way to opt out of cross-site tracking.

“I wouldn’t be surprised if you could turn tracking on and off in Chrome by, maybe, 2021,” said Mathieu Roche, CEO and co-founder of ID5.

But right now, there’s a countdown to Feb. 4, which is when ad tech companies, publishers and anyone whose business involves the dropping of pixels will have to add SameSite flags to their cookies or risk breaking their corner of the internet.

Ready … or not

So, why isn’t the industry all over this?

Google hasn’t publicized the coming changes enough, Edwards said, because it doesn’t want to be perceived as the second coming of ITP.

“They don’t want articles written about them that they’re gutting the availability of third-party data, so they’re doing things quietly and they’ve only got a few people on their Chrome outreach team talking about this,” he said. “When things break in February, Google’s answer will be, ‘We gave people tons of time, we’ve been talking about this,’ but they’ve only been talking about it very, very softly.”

To be fair, though, the SameSite changes aren’t a secret.

Google told AdExchanger that it started reaching out to its partners directly about SameSite and the incrementally better cookies initiative in May through phone calls, over email and via in-person meetings and group events to explain the announcement and remind them that the Chrome 80 release is around the corner.

Google also posted a series of blogs, dev notes and reminders between May and October.

Some of the larger ad tech players, including Rubicon and The Trade Desk, took notice and set their SameSite cookie flags early. But a lot of folks still aren’t ready.

Female-focused digital media network CafeMedia, for example, ran a test on a few of its sites in mid-November and found that nearly all of the ad tech companies it works with either hadn’t set the SameSite variable correctly or hadn’t set it at all, said Paul Bannister, CafeMedia’s EVP of strategy.

CafeMedia reached out to the laggards and all of them claim that they’re “working on it,” said Bannister, who noted that CafeMedia is handling the SameSite situation for its publisher partners.

Still, publishers shouldn’t expect that SameSite cookie settings are going to magically take care of themselves, Edwards said. Put your head in the sand, and your site isn’t going to work properly after Feb. 4.

“Publishers need to audit all of their core user experiences to find out what cookies are going to break and then proactively determine what they’re responsible for and what their partners are responsible for,” Edwards said. “My biggest piece of advice would be: Don’t assume that your partners are just going to take care of this for you.”


5 Comments

  1. Hey John - respectfully, y'all aren't even close to ready. You linked to a blog post with 95% not ready 3rd party cookies, and one of your core partners was notified by *me* about the SameSite changes less than ~2 months ago, thus I know you aren't being accurate-- and your core marketing partner still hasn't updated their pixels, and therefore your non-adtech (but email/crm marketing) data will still break.

    Also, OpenX.net has ~1,548 subdomains, MANY of which are used by your clients to get around 3rd party data restrictions due to CNAME mapping. I also checked out several of those, and no surprise that many of those pixel infrastructures may have a subdomain mapped to openX but the cookies aren't flagged properly -- so across your clients that were so important that OpenX built subdomain CNAME mapping for them, those clients aren't ready either.

    And FWIW, it's easy to see what the largest/most valuable OpenX publishers are, like SFGate.com/Hearst -- and even that site isn't ready and the openX cookie has SameSite error flags and breaks on the change....

    To all the folks in ad tech still sending 1:1 emails, doing calls, meetings, trying to "let your partners know" - that's not working. Please everyone stop with the blog posts from 8 months ago, and the whispering of MBAs and Lawyers, and get your engineers, project managers and budget analysts to actually, factually look at what has been done, and once you've done that, I'm 10000000000% confident that every day between now and February 4 will actually be a fire drill, and not a rhetorical lesson in market reassurance.

    sincerely,
    Zach

    P.S. great article, thanks everyone for being involved in trying to fix this! we're @ metax.io w/ questions

  2. @John Swan - I'd agree with you on the Publisher side. That said, it's hard to see how the AdTech vendors playing 100% in the programmatic retargeting space aren't going to be severely impacted.

  3. Google hasn’t publicized the coming changes enough, Edwards said, because it doesn’t want to be perceived as the second coming of ITP. I'd agree with you on the Publisher side.

