Google Chrome will be making updates to Chrome 80 on 4th February. Many website owners are starting to ask about this as it could mean that 3rd party cookies (basically all media tracking tags) can be stopped from being passed when a user visits a client’s website. However, this is not completely true.
What is the update that Chrome 80 are introducing?
Google Chrome holds 49% of the UK browser market, making them the largest player in that space. ‘Samesite’ is the update that Google is making within the new release of Chrome 80. In 2019, Safari launched a similar defence system to combat cookie dropping on Apple devices, and despite some loss in mobile traffic, the change had minimal impact on media reporting. The Chrome change is a robust defence against some of the main cross-site request forgery (CSRF) attacks. Basically, stopping fraudulent information leakage from your website. However, for this to take effect, your developer needs to setup the ‘samesite’ values (which requires coding) within your website.
As an example:
If someone is on Facebook and is reading an article that you have posted, a Facebook cookie would be dropped. Say the person then clicks on the article to navigate to your website where the blog article lives; historically the cookie would be carried over from the Facebook post to the website so that you can understand how people navigate your content across sites. However, by allowing the cookie to carry from the first site, you are also allowing any other cookies that may have been discreetly dropped to carry over as well. So, in the example above, if Facebook decided to be dodgy and drop their own cookie, as well a bunch of 3rd party cookies that want to collect your customers’ information in order to call them and sell them PPI, then this update will stop things like that from happening.
There are two different ways in which you can protect yourself against these types of “attacks”. This will require developer resource.
- The first is to set the ‘samesite’ value on your site to ‘strict’. This prevents any 3rd party cookies from being passed over to your website. This obviously isn’t ideal for media tracking, because we/you cannot tell which channel someone came from when visiting the site, and it will prevent the chance of seeing site navigation data from within the media platform.
- A reason where a company may want to use ‘samesite=strict’ is on transactional pages where personal information is being collected. A standard media cookie would not legally collect any of that data, but other dodgy cookies could.
- The second is to set the ‘samesite’ value on your site to ‘lax’. This allows 3rd party cookies to be carried from external sources to your website. However, it will have restrictions, in that if a cookie has been identified as CSRF-prone then the cookie will still be stopped. So, there is some level of security that is provided to stop fraudulent data leakage.
The site can use a range of ‘lax’ and ‘strict’ values dependent on the pages you are happy to have external sources tracking, and those you are not. So, you may decide to have a ‘lax’ value for most of the website, and then have a ‘strict’ value for the card payment page.
What if I just do nothing?
If you decide to do nothing about this and do not update your website in any way, then the default will be set to ‘lax’ by Chrome.
The easiest way to manage the cookies and help Chrome to identify them as dodgy or not-dodgy, is to ensure that you have implemented a CMP (consent management platform). This is a way for a website to collect explicit consent on which cookies visitors want to accept and which they do not. If all of the cookies that are expected to be passed are included within the CMP, then Google is less likely to stop them from passing through to your site (unless they have specifically identified them as fraudulent, in which case they may still be blocked – but that is a good thing).
What does this mean for your working relationship with All Response Media?
Our Tag4ARM will not be impacted by the update. We ensured that it was updated last year to prevent any tracking gaps during the transition to Chrome 80.
If you decide not to act upon this, it should have no impact on the big volume driving digital media channels we use here at All Response Media, such as Google, Facebook, etc. However, if you are using a 3rd party display media supplier, such as Quantcast, then contact All response Media so that we can make sure that they will continue to perform as normal.
- Behavioural targeted display suppliers need to be checked to ensure that profiling and targeting are not impacted by the update.
- The same is true of contextually targeted media suppliers, so All Response Media will get updates on the potential impacts for your media and targeting accuracy.
- Finally, double check thoroughly with ARM before using online press-based suppliers. Although they use first party data to generate audiences, their tracking can often deliver lots of ‘dodgy’ cookies to client sites due to the nature of the organic content ads. When reading an online press site, you can have lots of cookies dropped from different companies who are tracking the performance of their own content. But many advertisers on these sites can be spammy and therefore have a higher risk of delivering fraudulent cookies through to your website, according to Google. Although it shouldn’t impact targeting and reporting, it puts you at a higher risk of CSRF attacks.
Important to note
This update is something that can be handled by your web developer. This is not something that All Response Media can support with in updating the relevant sections of your website. If you need additional support in making these web updates, we would advise reading the following link: https://web.dev/samesite-cookies-explained/ which outlines the potential changes you can make to your site to make the best use of the ‘samesite’ update. Although we will understand the issue, we cannot offer client-by-client developer support unfortunately.
Read more information on our digital services.