You may have seen the recent alerts in your Chrome Developer Tools informing you that some of your cookies may no longer work in the latest Chrome release: Chrome 80.
Chrome 80 will make a couple updates affecting how cross-site tracking via cookies will work. Here’s what you need to know:
Changes to Cookie Behavior in Chrome 80
A cookie’s missing SameSite attribute will default to Lax instead of None
The SameSite attribute for cookies determines whether cookies will be accessible on sites other than the domain from which they are set. This attribute can have one of three values:
- Strict, which requires both the referring page and the destination page to be on the same domain as the cookie for the cookie to be sent
- Lax, which only requires the destination page to be on the domain of the cookie for the cookies to be sent
- None, which sets no requirements for where the cookie can be sent, allowing for cross-site tracking
Historically, if no value for the SameSite attribute was set, it would default to None. To tighten up security, Chrome 80 will now default to Lax, which means that cookies intended for cross-site usage whose SameSite attribute is not set will no longer function for cross-site tracking in Chrome.
What you need to do
- Identify which cookies have an empty SameSite attribute (ObservePoint can help with this).
- For tags setting third-party cookies, work with your vendor to see if you need to update your code or if your vendor will be updating their servers to set the correct attributes so that cookies have their SameSite attribute set properly.
- For first-party functionality leveraging third-party cookies, work with internal stakeholders to make sure those cookies are set with the appropriate SameSite attribute.
Cross-site cookies (SameSite=None) not sent securely will be blocked
In addition to verifying that your cross-site cookies have the appropriate SameSite attribute, you will also need to verify that those cookies are flagged as secure and are only being sent over HTTPS.
In this most recent update, Chrome 80 will block any cross-site tracking that is:
- Not flagged as secure
- Sent over HTTP instead of HTTPS
What you need to do
- Verify that your cross-site cookies are flagged as secure
- Verify that all calls to your vendor services are sent over HTTPS (ObservePoint can provide custom support here as well)
Side Effects of Chrome 80
If you’re not able to make these changes before the Chrome 80 update comes into play, then some aspects of your implementation that rely on cookies won’t function as expected. Here are some examples:
Broken remarketing campaigns
If the cookie that serves as a visitor identifier in your analytics tool doesn’t have its SameSite attribute set to None, then that cookie won’t be available on other sites for remarketing efforts.
Inaccurate campaign attribution
If you have several sites on different domains/subdomains and cross-site tracking is being blocked, then you might not be able to accurately attribute marketing efforts for visitors navigating from one site to another.
Change Happens. Use Automation.
The only constant is change. Today the issue is Chrome 80, tomorrow it will be something else. ObservePoint helps companies monitor for change and scan their sites for potential issues. If you would like to see ObservePoint in action, schedule a demo.
About the AuthorLinkedIn More Content by Patrick Hillery