
What is the Chrome SameSite update?

Sovrn Publisher Advocate // January 29, 2020

There’s been a lot of buzz on the internet recently surrounding Google’s upcoming SameSite update (also known as Chrome 80) to their Chrome browser. Now that Google has also announced they’ll eventually kill the third-party cookie entirely (which won’t happen until two years from now), the two issues have quickly become conflated in online conversation. It’s important to understand that these are not the same thing. They’re separate (but yes, cookie-related) topics. The death of the cookie, however, is a long way off, and the ramifications thereof are still unclear. Chrome 80 is the immediate topic at hand, so let’s look at the details of SameSite, and what this update means for you—the publisher.

Here’s what Google is doing:

As you may know, on February 4, Google plans to update Chrome in an effort to offer users a more secure experience. This new version is focused on the way in which cookies are set and shared—it’s primarily a security update focused on preventing bad actors from misusing third-party cookies. And, just like many businesses in the ad tech industry, we’re changing the way that our own cookies are set in response to these new standards.

As part of the Chrome 80 update, Chrome will treat any cookie that doesn’t specify a SameSite attribute as “SameSite = Lax” by default, which means that these cookies cannot be shared cross-site (i.e. in a third-party context). Additionally, as of this release, third-party cookies (those with the SameSite field set to “None”) must be handled securely: they must also carry the “Secure” attribute, so they are only sent over HTTPS.

First and foremost, you’re not responsible for making changes to ensure Sovrn compliance. However, you may want to double-check and optimize your own settings before the Google update goes live on the 4th. That’s a conversation to have with your web developers.

Here’s what Sovrn is doing, and how it impacts you:

By January 31, Sovrn will begin setting the “SameSite = None” and “Secure” attributes on our third-party cookies. We will also be implementing an automatic HTTP to HTTPS redirect on all insecure requests, in order to ensure cookies are handled securely. 

The only potential impact of the changes we’re making is increased latency due to the security redirect. The best way to avoid that increased latency is to avoid the redirect entirely, and make your site fully secure (again, that’s a discussion to have with your web developer).

How you can prepare:

You may want to review the way you currently handle first-party cookies on your site (by updating your Set-Cookie attributes to either “Lax” or “Secure”), and confirm other vendors are making the required changes on their end. For more in-depth information on how to prepare, this article is a good place to start. Digiday has also published a WTF article with more useful context. Please note that any testing you perform may have real-time revenue impact on partners who have not finalized these changes, so we suggest that you strategize accordingly.

To be clear, we have no insight into or control over what other vendors may (or may not) do, so it’s always a good idea to get clarity from your partners.
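One way to run that review, as an added example (not Sovrn's code): a short Python script that classifies Set-Cookie header values according to the Chrome 80 rules described above. The cookie names, header values and verdict labels are constructed for this example.

```python
# Added example: classify Set-Cookie header values under the Chrome 80 rules.
# Verdict labels and sample headers are constructed for illustration.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(header):
    """Return (cookie name, verdict) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    if "samesite" not in attrs:
        return name, "lax-by-default"      # no attribute: Chrome 80 applies Lax
    samesite = attrs["samesite"].lower()
    if samesite == "none":
        # Third-party use is only allowed when Secure is also set.
        return name, "third-party-ok" if secure else "rejected"
    if samesite in ("lax", "strict"):
        return name, "first-party-only"
    return name, "unrecognised-value"      # flag for manual review

def audit(headers):
    """Return {cookie name: verdict} for the cookies that need attention."""
    findings = {}
    for header in headers:
        name, verdict = classify(header)
        # lax-by-default only matters if the cookie is meant for cross-site use.
        if verdict in ("rejected", "lax-by-default", "unrecognised-value"):
            findings[name] = verdict
    return findings

# Constructed sample headers, as they might appear in a captured response.
SAMPLE_HEADERS = [
    "partner_id=abc123; Path=/; SameSite=None; Secure",
    "tracker=xyz; Path=/; SameSite=None",
    "session=1; Path=/; HttpOnly",
    "prefs=dark; SameSite=Lax; Secure",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {verdict}")
```

Feed it the Set-Cookie values copied from your browser's developer tools or a saved response to see which cookies on your pages still need an explicit SameSite setting.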

The last word:

In short, the SameSite (Chrome 80) update changes the way cookies operate within the Chrome browser in order to better protect users from bad actors.

However, Google does plan to eventually retire third-party cookies entirely. That change—which again, won’t occur for another two years—will certainly have ramifications for everyone. Unfortunately, it’s impossible to predict the future, and we’ve seen mixed reactions across the industry. What we do know is that, no matter what the next two years bring, we’ll be here to help you navigate the changes and continue to thrive. As always, if you have more questions, don’t hesitate to reach out to Support.
