Hitchhiker’s guide to the end of the third-party cookie as we know it

Google’s planned cross-site tracking changes for Chrome are far from earth-shattering, and with a few safety checks, you should be good to go. Let’s take a look at what Google has planned and what folks in the ad tech and martech world need to do:

How Google Chrome’s privacy update affects ad tech

As of this month, Google has implemented a new secure-by-default model for cookies, enabled by a new cookie classification system.

This system will stop sending third-party cookies in cross-site requests unless the cookies are secure and flagged through SameSite, which is meant to prevent the browser from sending the cookie along with cross-site requests.

While SameSite is not a particularly new concept, this will be the first time a secure cookie flag will be a requirement for those using Chrome — not just a best practice, as it has been up until now.

Google implemented these new requirements with Chrome 80 on February 4 as the first step in a larger multi-year plan to phase out support for third-party cookies, leaving the ad tech and martech industry with just a few weeks left to make the necessary tweaks to ensure their cookies continue to function properly.

The Google Chrome update means a little change, but a lot of hype for ad tech 

Given similar changes that have already been made by browsers like Safari, this new update from Google is not something that should send advertisers into a panic.

If anything, these updates are part of the ongoing trend in creating more stringent policies regarding data and privacy.

While Google represents the most immediate change, Mozilla and Microsoft both have similar updates planned in the future. But while this may soon become the new norm, advertisers need to prepare now in order to avoid data loss and chaos later.

When it comes to privacy updates, fortune favors the prepared 

So, what steps should anyone in the ad tech industry take to make sure they aren’t caught unaware?

First, any organization that hasn’t already moved to HTTPS must do so before the changes go into effect, or risk having their cookies discarded by Chrome.

Second, any tech vendors that use tracking cookies will have to set SameSite cookie attributes with one of three values: “strict,” “lax,” or “none.”

A setting of “strict” means that a cookie will not work on any website other than the domain in which it was placed. A setting of “lax” allows cookies to be shared across domains owned by the same publisher, and a setting of “none” allows full third-party cookie sharing, providing other security requirements are met.

Today, “SameSite=None” is the default within Google Chrome, but as of February, developers have to manually enable “SameSite=None” in order for cookies to continue working.

If they do not, cookies will automatically default to “SameSite=lax,” and will cease working across all websites.

What’s the future of cookie-based tracking?

Given Google’s expressed intent to “make third-party cookies obsolete,” it’s clear that the industry needs to be prepared for a world without the ability to track users with third-party cookies.

As I’ve said before in the context of Apple’s ITP, the best way to future-proof your partnerships program is to take advantage of server-to-server tracking — in other words, APIs.

I believe APIs are the future of online tracking, and not just because they provide a way to circumvent browser policies.

When an advertiser can communicate directly with a tech platform without relying on a browser as an intermediary, it means better attribution and less sharing of user data — and that’s a win for everyone.

Matt Moore is a Product Marketing Manager at Impact, and he’s been in the affiliate and partnerships space for the last six years. He’s always on the lookout for a good story to tell or a good dog GIF to share.

Leave a Comment