Preparing for Chrome 80 from an Analytics Perspective

Google have begun their introduction of Chrome 80. We guide you on how best to prepare for the update – What effect will the changes have on tracking?

In our most recent blog we discussed how the industry is moving towards tighter restriction on the use of third-party cookies.

Chrome 80 is the latest significant change concerning how third-party cookies are recognised. Google has begun rolling out the update (from Feb 4^th2020), but won’t be enforcing the new cookie classification until later in the month using a gradual approach and starting with a small user base. It alters default browser cookie settings, as part of Google’s approach to shoring up security vulnerabilities relating to the possible exploitation of browser cookies.

The technical details are covered below, the main change being that by default greater security to guard against CSRF (cross-site request forgery) will now be provided.

A common question we get asked at Lynchpin is how the changes to Chrome will impact tracking in popular analytics technologies such as Google Analytics (GA) or Adobe Analytics (AA).

The applicable changes relevant to tracking are described in detail here.

In summary, the key point is how cookies are handled in relation to their defined SameSite and Secure attributes.

“With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections”

So what does this mean exactly? And what impact does it have on your GA or AA deployments? Is this a recipe for disaster?

Probably not provided you bake your cookies using the following recipe changes. The Chrome 80 change involves two cookie attributes which determine where a cookie can be accessed:

Secure:

This attribute means that the cookie can only be accessed when using HTTPS (and not HTTP).

SameSite:

This attribute determines whether the cookie can be used in a third-party context.

There are 4 relevant values:

1. Lax

Only available if the cookie is first party (the cookie domain matches the browser domain)

In requests that come from another site if:

It is a safe method (e.g. GET request)
There is a top-level navigation from the user (e.g. clicking a link)

2. Strict

Only available if the cookie is first party (the cookie domain matches the browser domain) AND the cookie domain matches the referring domain

3. None

Cookie can be first party or third party

4. (no value)

in this case the browser will default to one of the above options –

which one is up to the browser!

Following Chrome 80 – the default SameSite setting has changed! This means that whilst before Chrome 80, this defaulted to None (third party access allowed), now this will default to Lax (first party access only)

So, Chrome 80 will block all third-party cookies unless they explicitly set SameSite=None and they are delivered via HTTPS.

This change may affect any tracking or tags that rely on third-party cookies and sites that are not on HTTPS will not be able to use third party cookies at all!

Some Analytics tracking using third-party cookies may not be able to identify visitors after the change, unless the cookie attributes are set correctly!

Google Analytics has always used first-party cookies, so should be fine.

Modern Adobe Analytics (using Experience Cloud ID Service) should also be fine.

Old Adobe Analytics (relying on third-party s_vi cookie) might be affected.

It’s essential then, that you take time to review how things are set up across your site(s). This change is just one of several happening across major browsers (e.g. ITP for Safari, Firefox tracking protection).

Of course, periodic health-checks for marketing technology are always a good thing! As we discussed in our previous blog, there is a shift in the digital analytics ecosystem that means aside from this short-term audit check, there is a latent demand for a defined strategy to underpin how digital analytics is deployed and managed. A recipe for success!

About the author

Gary Douglas

Gary Douglas has extensive experience in consulting to build data and analytics strategies and solutions for leading organisations across the UK, EU, and US.

Gary has helped businesses to transform their existing data and build new processes and workflows to enable businesses to scale their ambition through a data-driven mindset – increasing sales, reducing costs and supporting improvements to the customer experience.

Having worked both agency and client-side, and with significant experience in Financial Services organisations in the UK, Gary brings a practical knowledge of successful data and analytics structures.

Building on a PhD in particle physics, Gary understands the challenges from a C-level through to a practitioner-level view.

All author posts