Understanding Google Chrome Cookie Changes with Cory Underwood

Earlier this month, Google announced a series of upcoming changes beginning with Chrome 80, which, among other updates, prevents cross-site tracking by default. This is primarily a security update, but also has ramifications for marketing — especially for advertising and remarketing. For this blog, I sat down with Cory Underwood — you’ll recognize him from our interview about Safari ITP and from his many articles on his own blog. We walked through Chrome’s changes and what that means for marketers and developers.

What is Chrome Doing?

Google has announced that Chrome will phase out third-party cookies over the course of the next two years in an effort to eliminate cross-site tracking while implementing a replacement technology. In the immediate release, Chrome is rolling out a SameSite attribute specification change that alters the default behavior for cookies set in Chrome.

Underwood explains, “Cookies can either be first-party or third-party based on how they get loaded onto their page and the context. And that can have some unintended scenarios because it enables an attack vector known as cross-site request forgery. So Google is hoping to address that by changing the default behavior.

The current behavior is to always share the cookies in all contexts, unless the programmer specifically sets something for that not to happen. So it’s an insecure/open default. What they’re doing is closing that off by making the default lax, so the developer would have to explicitly change the attribute for a cookie to be available across sites.”

To summarize, Google Chrome is changing the default behavior for set cookies to reduce cross-site tracking, limiting cross-site tracking to https sites only, and over the next two years killing third-party cookies altogether, while developing alternate tech for monetizing websites and maintaining advertising more securely.

What Are the Effects of Chrome’s Changes?

Chrome’s changes will affect a few different areas. Underwood says, “Where I really think it’s going to hit is things like third-party ad attribution, and unintentionally it’s going to impact third-party log in flows [using a login from one site to authenticate you on another site, eg using Google to log in in to Instagram] — which I know is something they’re working on. The concept is to prevent cookies from allowing you to be inadvertently tracked cross-site, and as a result of that the technology that has to function cross-site either has to be updated or it stops working.”

The biggest impact will be on those who depend on third-party cookies, which you are most likely to be using if you use tag management software, or if you do a lot of remarketing. Though, until third-party cookies are fully phased out, the impact will be minimal. In the meantime, Google is trying to improve the current standard. Underwood continues, “The one thing that I do think is important to realize is a lot of this stuff is what powers remarketing. And even if they fix it for the immediate term, if Google does proceed with phasing out third-party cookies within the next two years it’s a stop gap. So alternative tech would need to be developed to maintain that functionality, otherwise we’re going to see a large scale shift to how advertising and remarketing is done on the web.”

You can get in touch with Cory Underwood via Linkedin, at https://www.linkedin.com/in/cory-underwood-34612856/. To learn more about SiteSpect, visit our website.