Google's new third-party cookie update to roll out with Chrome 80

Recently, Google announced that it plans to phase out third-party cookies. Last week, Chrome 80 rolled out with a new set of cookie-blocking features first hinted at in May, 2019. While this change won't destroy third-party cookies, it will force marketers to make some adjustments or risk site disruptions.

What do webmasters need to do today to ensure that their website doesn't experience service issues?

What's changing

As part of Google's vision of a cookie-free future (well, as far as third-party cookies are concerned), Chrome 80 will enforce a secure-by-default cookie classification system via SameSite — an IETF-standard cookie attribute that controls cross-site cookie distribution.

While this won't spell the end of cross-site cookies, it does spell the end of cross-site cookies sent outside of top-level navigations.

Within the next few weeks (like most rollouts, this one will start small and grow fast), all cookies without a SameSite declaration will be set as SameSite=Lax cookies. This change won't impact the vast majority of websites, but it may impact any third-party ad tech cookies (like pixels) your site uses.

You can check in the console of your Chrome browser's developer tools to see if you have any conflicting cookies. If so, you should get a message like this:

The good news is that SameSite offers a robust defense against cross-site request forgery (CSRF) attacks for users.

Our current ad tech space is relatively hinged to third-party cookies. This is Google's first step in taking action against cookie abuse. Cookies without SameSite might be abusable by threat actors tricking users into clicking, allowing them to hijack authorized browsing sessions.

Of course, the bulk of the responsibility will be on ad tech companies to ensure that their pixels aren't utilizing cookies in a way that conflicts with SameSite configurations.

Let's talk about HTTPS — again

Despite Chrome flagging HTTP as "unsafe" back in 2016 and despite Chrome taking the ax to mixed content, a good chunk of the internet still runs on HTTP connections (including Baidu.com and Apache.org).

In another swipe at HTTP, third-party cookies labeled under SameSite (i.e., what's about to be every single third-party cookie on Chrome) will only run on secured HTTPS connections.

In other words, everyone should be using HTTPS if you're not already. It was the right time to switch three years ago. Now it's a necessity.

The Long Road to Cookie Freedom

As we reported in our recent look at Google's upcoming cookie ban, Google is serious about ridding Chrome of third-party cookies. Last week's update marks the first official step since the announcement, and we fully expect similar cookie changes being tacked onto Chrome updates in the future.

Google is still dead set on launching a privacy sandbox that will still give ad tech companies the means to explore and track user behavior without the privacy risks, but we don't yet know what that will look like.