All You Need to Know About: SameSite Cookie Attribute
Protecting customer privacy and improving overall security is becoming a higher priority for businesses. Today’s consumers think twice before offering their email addresses or phone numbers, even if it means missing out on an exciting deal. Users want to be aware of how they are tracked, who is tracking them, and how their information is being used. For companies, most of their intellectual property is online, and it only makes sense to protect those assets from hacks, forgery, etc.
Google Chrome, along with other web browsers like Firefox, Safari, and Edge are constantly updating their settings to enhance privacy and security measures. One of the latest developments in this direction introduced by Google is the Samesite Cookie Attribute.
What is Samesite Cookie Attribute?
Samesite Cookie Attribute is a new security feature that prevents cross-site request forgery. In layman's terms, it prevents browsers from sending cookies along with cross-site requests. The attribute tells browsers when and how to fire cookies in first or third-party situations. It also allows web developers to declare if they should restrict their cookies to same-site or first-party.
Originally announced in 2016, it is another sign of Google being proactive amidst growing privacy and security concerns. Additionally, it is a step towards reducing the browser’s reliance on potentially invasive cookies. The search engine’s goal with this new rollout is to increase transparency, control, and choice over how businesses collect and utilise consumer data.
Currently, a lot of websites integrate multiple external services for the purpose of advertising, retargeting, content recommendations, third-party widgets, social embeds, etc. When people browse the web, these external services typically store cookies in the browser. These cookies then deliver a personalised experience.
How is this done?
Well, ever wondered how Facebook ads automatically start displaying the same shoes or holiday home that one was eyeing on a different website? The reason behind this is cookies that allow cross-site requests.
A more malicious application of cross-site requests and forgery, and the one that Google is trying to protect consumers from, is when an unassuming user clicks on a link that automatically gives hackers access to personal details like bank accounts.
All in all, Google’s aim with SameSite Cookie Attribute is to make web browsing safer for all parties. The default setting for all browser cookies will be a more secure one. However, users can still control if they want first-party cookies enabled and save time associated with re-entering passwords, logins, etc.
What implications does Samesite Cookie have for Marketing?
The digital marketing world thrives on incoming data to deliver personalised experiences to customers. Most inbound marketing strategies use external cookies to target their audience with products and services. The new SameSite Cookie Attribute can disrupt this!
A stitch in time is to act quickly.
So, if you are a marketer or publisher, you need to audit, analyse, and update your cookie settings. This will help you avoid any diminishing revenues from Chrome.
If you don’t act quickly, then Chrome will set the cookie preferences to default, which is SameSite=Lax. This will do two things: first, the cookies will be limited to first party-use in Chrome 80, and second, marketers can expect some inconsistent data from the browser.
If the preferences are set to SameSite=Strict, then no cookies will be shared with any third-parties and all incoming third-party cookie requests will be rejected. Only the site that sets the cookie will have access.
If developers want to allow for external access, then they need to change the cookie setting to SameSite=None. However, even when the SameSite=None attribute is selected, an additional Secure attribute must also be used so that the cross-site cookies can be accessed only over HTTPS connections.
No Documentation on Cookie Sets?
If you don’t have documentation on what cookies are set, then go to Chrome’s developer console.
Here you can identify what potential issues you might be facing. The console has messages/warnings on which cookies are at risk.
You can also go to Applications → Storage → Cookies to get a list of all cookies on your website and check their labelling.
Here is the official documentation from Google Chrome to give you a quick start.
Marketer working with Ad Platform?
If you, as a marketer or small business owner, are working with an advertiser or an online ad platform (Facebook, LinkedIn) directly, it is likely that there are cookies on your users and pixels on your pages.
In this case, ask the advertiser to update the SameSite attribute to “None” to send cookies via first-party and third-party requests from your website. Along with that, also select the “Secure” label to ensure that the cookies are sent over HTTPS connections.
In Short
Google is taking more ownership over its development and working towards creating a safe web browsing experience for all. The latest update on SameSite Cookie Attribute further reduces the browser’s reliance on third-party cookies and sets the tone for the company’s pledge to make all cookies obsolete by 2022. In a time where privacy and security are of topmost concerns, the new attribute is a step forward in the right direction.
If your inbound marketing strategy heavily depends on cookie-segmented data and users, then it is time to make a change. Get in touch with TransFunnel’s team of inbound, marketing, and web development experts and we will establish the best digital plan for you!
