Google Chrome Update | SameSite Setting

Consumer privacy is at the forefront of digital advertising with new and increasing regulation. Apple implemented Intelligent Tracking Prevention (ITP) on its Safari browser, and Firefox blocks third-party cookies. In response, Google updated its Chrome browser in a rollout of version updates, which can have a large impact, as Chrome is one of the most popular browsers.

In 2020, Google released Chrome 80, which ended the sending of third-party cookies in cross-site requests, unless the cookies are secured and flagged using an internet standard referred to as SameSite. This change severely limits cross-site cookie sharing, affecting audience addressability including recognition, targeting, analytics, attribution, and more. Cookies that are not proactively labeled according to this standard do not function in Chrome (similar to Apple Safari’s Intelligent Tracking Prevention).

This change severely limits cross-site cookie sharing, affecting audience addressability including recognition, targeting, analytics, and attribution. Any cookies that are not proactively labeled according to the SameSite standard will NOT function in Google Chrome.

In short, a loss of revenue will occur if changes are not made to your settings, as your DSP targetable audiences will be greatly reduced.

What Should You Do?

Cookies that do not include the “SameSite=None; Secure” attributes will not be accessible across sites.

PubMatic labels cookies with a secure SameSite=None attribute. It is recommended that you adopt secure connections -- all implementations (header bidding, tag, server-to-server) should be migrated to HTTPS ensuring a secure synchronization URL for PubMatic when cookie synching.

For Publishers:

  • Integrated via Google Open Bidding, and Amazon TAM/UAM, tag-based integrations are not required as Google and Amazon already use secure URLs for PubMatic and we will ensure all calls are secure.
  • Using Prebid version earlier than 2.21 (link), please upgrade your version and reach out to PubMatic customer success representative.
  • Using OpenWrap version earlier than v17.0.0, please upgrade your version and reach out to PubMatic customer success representative.

For DSPs:

  • Ensure you are providing a secure pixel for user synching with PubMatic

For DMPs:

  • Ensure you are providing a secure URL(s) for user synching with PubMatic

Frequently Asked Questions

What is SameSite?

It is not a new concept, actually being created in the 1990s and being used as a best practice. SameSite prevents the browser from sending a cookie along with cross-site requests, mitigating risk associated with cross-origin data leakage and forgery attacks.

Typical settings for the value is SameSite=Strict or SameSite=Lax, however, Chrome requires a SameSite=None, along with secure attribute settings.

Why is SameSite Important?

“SameSite” attribute allows servers to assert that a cookie ought not be sent along with cross-site requests. This assertion allows user agents to mitigate the risk of cross-origin information leakage and provides protection against cross-site requests to ensure user privacy. 

When should I make these changes? 

It is recommended that these changes are made immediately. We do not want any of our clients and partners to have issues with synching and corresponding decreases in match rates for audience addressability.

What about other browsers?

Apple’s Safari already employs what it calls “Intelligent Tracking Prevention” and blocks the passing of cookies. Mozilla’s Firefox and Microsoft’s Edge plan on implementing the cookie classification model similar to Google’s Chrome. 

What is PubMatic doing to handle this?

PubMatic already labels the cookies with SameSite=None attribute

What action do I need to take as a Publisher?

Please ensure you’re using secure sync-up URL of PubMatic for Cookie synching. Publishers integrated via Open bidding and Amazon TAM/UAM don’t need to make changes as Google and Amazon are already using secure URLs for PubMatic.

What action do I need to take as a DSP?

Please ensure you’ve provided the secure sync-up URL to the account team at PubMatic.


⇧ Top

Do you have feedback on this document? Let us know: email us.

Table of Contents