Discussions

Google Chrome 80 Cookie Change: Here’s what you need to know

Preethika Kalyanasundaram-Oracle
edited May 2, 2022 6:11AM in Responsys

Chrome 80 updates may have an impact only on your conversion tracking. If you are using Responsys's conversion tracking feature and your response handler is the same as that of your website domain then there is no action needed. If your response handler is different than that of your website, then you will notice your conversions not getting tracked anymore.

Introduction

The Chrome 80 release, scheduled for February 2020, changes the default cross-domain (SameSite) behavior of cookies. This change enhances security and privacy but requires customers and partners to test conversion tracking that rely on cookies. More information can be found in Chromium blog.

What is the change?
Google first announced in May last year that cookies that do not include the “SameSite=None” and “Secure” labels won’t be accessible by third parties, in Chrome version 80 and beyond. The Secure label means cookies need to be set and read via HTTPS connections.

Right now, the Chrome SameSite cookie default is: “None,” which allows third-party cookies to track users across sites. But from February, cookies will default into “SameSite=Lax,” which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie — a first-party cookie.

Any cookie with the “SameSite=None” label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPs. Meanwhile, the “SameSite=Strict” designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher. Mozilla’s Firefox and Microsoft’s Edge say they will also adopt the SameSite=Lax default.

How do you test if your sites are affected?
Website developers managing your brand website can begin testing whether their sites are affected by going to chrome://flags and enabling #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure to see whether anything breaks. They should also migrate to HTTPS secure pages, if they haven’t done so already.

Google is encouraging to review the alerts in their developer tools to check whether vendors, including ad tech and analytics providers, are setting or accessing third-party cookies on their sites without the correct labeling.

What does it mean for conversion tracking?

Cookies won’t work for non-secure HTTP browser access. Ensure that your domains are hosted in HTTPS. If you are using first party cookie with chrome 80 there will not be any issue with the conversion tracking. But if a recipient clicks on a link which is generated from abc.com and lands on a conversion page residing in xyz.com then the conversion wouldn’t be traced as the cookie is considered as a third-party cookie which will be blocked by chrome browser.

However, if brands use domains such as email.abc.com(Brand1) and email1.abc.com then the conversion will be successful as the cookie will be dropped on .abc.com domain. Customers should assess their own implementations and practices regarding how cookies are implemented. Specifically, iFramed components in browser operation could be impacted and should be examined for compatibility with the updated Google Cookie SameSite requirements.

Image 1: When an external resource on a web page accesses a cookie that does not match the site domain, this is the cross-site or third-party context

pastedImage_0.png

Image 2: When a resource on a web page accesses a cookie that matches the site the user is visiting, this is the same-site or “first party” context.

pastedImage_0.png

Update:

Google is temporarily rolling back Chrome's SameSite cookie requirements as they want to provide stability of the services during the COVID-19 outbreak. Links with detailed information are listed below:

https://www.theverge.com/2020/4/3/21207248/chrome-samesite-cookie-roll-back-update-privacy-settings

https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html

Post edited by OIT Integration User on
Tagged: