For several weeks now, pretty much the entire digital industry has been in turmoil. Why? Because Google announced that as of 2022 the Chrome browser will no longer support third party cookies. Since then, new guest contributions, comments and opinions have been added on news sites and blogs daily and everyone shares the unanimous opinion: The cookie is dead, the end is near, billions of dollars in sales will slip through our fingers, save yourselves! But do we really have any reason to bury our head in the sand?
What happened so far…
Users want more privacy. And to meet this wish, Mozilla (Firefox) and Apple (Safari) have already changed their browsers.
The feature “Intelligent Tracking Prevention” (ITP) blocks all third party cookies by default from iOS 11 and MacOS 10.13 on Safari. But ITP also has an influence on First Party Cookies (especially in all versions from ITP 2.1.) – since many providers set first party cookies with tracking functions as a workaround. First Party Cookies are now deleted after seven days – without exception. In some cases that period is even reduced to 24 hours. This occurs when First Party Cookies are combined with the so-called Link Decoration. Google and Facebook, for example, used this. A link that leads the user to the page (e.g. from a newsletter) receives a unique identifier that is stored by the target page in a First Party Cookie. Once a page with the Facebook pixel or Google tag is then loaded, these tracking mechanisms search for the First Party Cookie, drag the click ID and send it to Facebook or Google. In this way, a user’s visits to the website can be tracked until the third party cookie has expired. With the new ITP version this too is over. Check out the WebKit website, on which ITP in Safari is based, for more information.
A similar situation applies to the “Enhanced Tracking Protection” (ETP) of Mozilla Firefox. Since September 2019, known third party tracking cookies are blocked by default. Currently, third-party cookies from over 1,000 companies – based on blocking lists of the Mozilla partner Disconnect. Users who continue to agree to have their user behavior seamlessly tracked can undo this in the settings and enable tracking cookies. However, users can also follow a very strict procedure and manually block all third party cookies. More information can be found on the Mozilla blog.
So now Google is following suit – and outbidding Mozilla and Apple directly on severity. From 2022, Google wants to block all third party cookies without exception – users will then have no chance of subsequently allowing them themselves. And if the market leader is blocking, then even the last one in the industry will notice and the panic begins. Although it’s really only about third party cookies – all cookies are lumped together for farewell currently. But more about that later. Because an important Chrome innovation has already been rolled out – and it hardly plays a role in the debate:
A real cause for action: The SameSite Update
Since February 4th, 2020, Google has been rolling out an update that directly affects website operators – and hardly anyone has mentioned it. Even though here we’ve got a real reason to act – otherwise everyone who uses cookies will have a problem. It is about the so-called SameSite Update.
Website operators can set cookies on their domain and then, so to speak, allow them to read this cookie on a foreign domain themselves. The properties with which they are set have been treated very negligently up to now. Until now, the Chrome Browser automatically assumed the value “None” if no SameSite property was set in the cookie. This allowed the cookies to be read.
As of February 4., “Lax” is now automatically inserted if the property is not set. This means that the cookie can only be read from the domain from which it was set. Consequently, these cookies can no longer be read from a foreign domain and, for example, user behaviour can no longer be tracked.
If you want to prevent this, you should explicitly set the SameSite property “None” for all cookies that have not yet been correctly filled with properties. This requires the domain of the cookie to match that of the requesting script. This way the cookie contents can still be accessed.
In addition, the cookies must be given a “Secure” flag (requests are then only sent via HTTPs). This requires quick action – and a correct placement of the cookies. Once all this is done, there is no reason to panic anymore.
Why the panic over cookies is overrated
As mentioned above, in the current debate about Google’s plans, two different types of cookies are lumped together. Google does not block all cookies without exception, but third party cookies. And this will start in 2022 and only when there are attractive alternatives. So throwing your ahnds up in horror now is perhaps a bit premature. Let’s think about what we can achieve in two years! Two years – with the rapid development of new technologies, that’s still an eternity. So, dear digital industry: pull yourself together!
It’s true, cookies won’t be the future, but if third party cookies are eliminated, retargeting becomes history. Unless an alternative is found. But it has to be completely new – because Google, for example, has already indicated that the enthusiasm for fingerprinting is also limited.
So instead of running around like headless chickens, how about sitting down, rolling up your sleeves and promoting new innovations?
Even if we at trbo are not working with third party cookies at all: We are definitely looking forward to the exchange of new solutions and completely new ideas for the user approach of the future. Because if we want to address customers across different channels, we need a solution. So let’s work on it!