SameSite Enforcement and the Decline of the Cookie


Dan Larden (pictured below), managing partner, product and partnerships, Infectious Media, exclusively covers the latest browser initiative set to take a bite out of the third-party cookie: Chrome’s enforcement of the SameSite cookie attribute.

The February 2020 enforcement of the SameSite cookie attribute on Chrome has the potential to break adtech in the short term, as many companies are not prepared for this change. But as it allows Google to give users the power to cleanly block tracking cookies, it may also signal the end of the third-party cookie.

Google is set to implement an update to how Chrome reads cookies on 4th February 2020, in which the browser will change how it interprets the SameSite attribute that can be appended to cookies. Up until now this has been set to assume all cookie data can be shared across domains, unless told otherwise. However, in February the default will be to assume that cookies are for the use on the site of origin only, so no data will be shared.

Dan Larden

Dan Larden, managing partner, product and partnerships, Infectious Media

According to Google, this has nothing to do with tracking, it’s about improving security against cross-site request forgery. Adtech developers can override this default by setting the attribute to SAMESITE=NONE on their tracking cookies. If they don’t, these cookies won’t share any data.

What this means for the buy-side

This was originally announced by Google in May 2019, but much of the industry has been slow to react. If cookies aren’t altered, this has the potential to spell trouble for advertisers as campaigns could become much less effective in February.

Only data from modified cookies will persist after the update, so the ad tech companies that are quickest to deploy will have the advantage of longer lookbacks on audiences.

We have spent some time auditing our partners on how they are addressing the change and have been surprised by the varying degrees of preparedness. We’ve had a range of publishers, and even a large social platform, that still seem confused about the nature of this update, and even who is responsible for modifying scripts. So far, even Google have not changed their tags, although we expect this to happen soon.
However, times like these can be a useful litmus test of supply partners. It clearly divides the technical savvy and future proofed solutions from the sales-driven networks who are only set up to fix breaks as they happen.

Third-party cookie apocalypse?

In the longer term, this update is compelling adtech and publishers to give full transparency into what is a cross-site tracking cookie and what isn’t.

With Chrome accounting for over 60% of browser usage worldwide, any changes here can have a dramatic effect. The key question remains, what does Google intend to do with this new information?

With the growing concern from consumers on data ownership, and with Apple and Mozilla gaining recognition for their privacy-first approach, Google is under increasing pressure to improve Chrome’s functionality or lose out to its rivals. The privacy sandbox that Google announced in August shows that this thinking is well underway.

For users who want to stop tracking, it is difficult to find the current setting in Chrome to block third party cookies, and it damages experience across mainstream sites. Google would be able to use the SameSite information to provide a tool for users to block only tracking cookies, without affecting online experience. Additionally, If Google made this the default setting on Chrome, adtech and publishers would face major disruption.

Working against this is that fact that Google makes most of its revenue from advertising, and defaulting to block tracking would negatively affect this business. Also, this would be seen as a majorly anti-competitive move, so adding to Google’s problems from regulators in the US and Europe.

What needs to be done

So, whilst this looks like another nail in the coffin of the cookie, perhaps it not the burial, yet.

For advertisers, in the short term they need to be on top of this change with their own site development teams, and more importantly, need to challenge third-party vendors on their readiness.

In the longer term, advertisers need to be readying themselves and their marketing for when cookies become defunct.