How Chrome 80 Will Affect Cookies & Cross-Site Tracking

February 3, 2020 Patrick Hillery

You may have seen the recent alerts in your Chrome Developer Tools informing you that some of your cookies may no longer work in the latest Chrome release: Chrome 80.

Chrome 80 will make a couple updates affecting how cross-site tracking via cookies will work. Here’s what you need to know:

Changes to Cookie Behavior in Chrome 80

A cookie’s missing SameSite attribute will default to Lax instead of None

The SameSite attribute for cookies determines whether cookies will be accessible on sites other than the domain from which they are set. This attribute can have one of three values:

  • Strict, which requires both the referring page and the destination page to be on the same domain as the cookie for the cookie to be sent
  • Lax, which only requires the destination page to be on the domain of the cookie for the cookies to be sent
  • None, which sets no requirements for where the cookie can be sent, allowing for cross-site tracking

Historically, if no value for the SameSite attribute was set, it would default to None. To tighten up security, Chrome 80 will now default to Lax, which means that cookies intended for cross-site usage whose SameSite attribute is not set will no longer function for cross-site tracking in Chrome. 

What you need to do

  1. Identify which cookies have an empty SameSite attribute (ObservePoint can help with this).
  2. For tags setting third-party cookies, work with your vendor to see if you need to update your code or if your vendor will be updating their servers to set the correct attributes so that cookies have their SameSite attribute set properly.
  3. For first-party functionality leveraging third-party cookies, work with internal stakeholders to make sure those cookies are set with the appropriate SameSite attribute.

Cross-site cookies (SameSite=None) not sent securely will be blocked

In addition to verifying that your cross-site cookies have the appropriate SameSite attribute, you will also need to verify that those cookies are flagged as secure and are only being sent over HTTPS. 

In this most recent update, Chrome 80 will block any cross-site tracking that is:

  1. Not flagged as secure
  2. Sent over HTTP instead of HTTPS

What you need to do

  1. Verify that your cross-site cookies are flagged as secure
  2. Verify that all calls to your vendor services are sent over HTTPS (ObservePoint can provide custom support here as well)

Side Effects of Chrome 80

If you’re not able to make these changes before the Chrome 80 update comes into play, then some aspects of your implementation that rely on cookies won’t function as expected. Here are some examples:

Broken remarketing campaigns

If the cookie that serves as a visitor identifier in your analytics tool doesn’t have its SameSite attribute set to None, then that cookie won’t be available on other sites for remarketing efforts.

Inaccurate campaign attribution

If you have several sites on different domains/subdomains and cross-site tracking is being blocked, then you might not be able to accurately attribute marketing efforts for visitors navigating from one site to another.

Change Happens. Use Automation.

The only constant is change. Today the issue is Chrome 80, tomorrow it will be something else. ObservePoint helps companies monitor for change and scan their sites for potential issues. If you would like to see ObservePoint in action, schedule a demo.

About the Author

Patrick Hillery

Patrick was a Consultant at Adobe for 8 years, spending the last couple of years working as one of the first Principle MSAs (Multi-product Solution Architects) where he attempted to learn and deploy the full Adobe Stack. During his tenure, Patrick also had the unique opportunity of consulting onsite at Dell and Facebook. Patrick has been at ObservePoint for over 3 years leading the Customer Success and Sales Engineering Organizations.

LinkedIn More Content by Patrick Hillery
Previous Article
ObservePoint Acquires Strala’s Technologies
ObservePoint Acquires Strala’s Technologies

Learn about ObservePoint's recent acquisition of Strala's three core technologies: Touchpoints, JourneyStre...

Next Article
Scalable Website Performance Monitoring through Automation
Scalable Website Performance Monitoring through Automation

Learn how you can set up automated monitoring of your website's page performance and receive notifications ...

Get a free 14-day trial with ObservePoint

Start Your Trial