Google Chrome Cookie Policy 2020

Background

In order to protect user data and prevent malicious attacks, Google Chrome 80 will rollout automatically to users, starting 4th February 2020, with a restriction in how third-party cookies can be used across different websites.

 

Impact

This SameSite restriction requires cookies to contain two attributes in order to be used across different websites: SameSite=None and Secure. Without these attributes the cookies cannot be used on different domains than that set on the original website. This means:

  • Cookies labeled with SameSite=None and Secure will continue to be accessible across websites by default, provided cookies are being accessed from secure servers
  • Cookies that are not labeled with SameSite=None and Secure will not be available across websites, which would prevent them from being used for cross-site tracking

 

Improve Digital support for this update

All cookies owned by Improve Digital have been updated to support the latest Google Chrome changes. Improve Digital cookies set before the update was released have also been updated with the new attributes.

 

What publishers should do to support this update

  1. Ensure that first-party cookies used on websites are updated to support the two attributes.
  2. Check third-party cookies managed by vendors and partners and contact them to update if necessary.
  3. Ensure that all calls to Improve Digital are secure, including any server endpoints or tags. For OpenRTB integrations the attribute secure:1 must be included in ad requests (if not included it is assumed to be insecure). Prebid and Prebid Server adapters do not need to be updated, although it is advisable to run the latest version.
  4. Test websites before February 2020 to ensure compatibility using Chrome Developer Tools: right-click the page and go to Inspect, then go to Console and check for warnings, for example:

    Screenshot_2020-01-15_at_13.29.53.png

    This screenshot shows:
    - warnings that some cookies are being called via http: these calls should be changed to https://
    - others do not have the SameSite attribute: these cookies should be updated by the cookie owner.
  5. It is also advised to move websites to https:// secure pages where possible, as this has become a standard for the web and provides more security to users.

 

Incompatible browsers

Some user agents are known to be incompatible with the SameSite=None attribute. The full list is available on the Chromium Projects website. In most cases where the user agent is not compatible with the enforced cookie attributes, cookies will be set to SameSite=Strict, prohibiting cookie use on different domains. Most of these cases are addressed in browser or OS updates. Users should always be sure to have the latest browser and OS updates to ensure correct cookie handling.

FAQs

  • Why do I see the following warning in my Chrome console?

    Screenshot_2020-03-03_at_12.09.59.png

    This warning is related to the Improve Digital publisher console. To workaround this, verify the website settings in an Incognito browser session, or any other browser where that is not logged in to an Improve Digital platform.