SameSite, Chrome 80, and Analytics

On February 17th, Google Chrome will release version 80, which contains changes to the handling of cookies with cross-origin requests. The goal of this change is to mitigate Cross-Site Request Forgery (CSRF) attacks, and in doing so it will affect all cross-site (a.k.a. third-party) cookies that do not set a “SameSite” attribute. The result is that cookies without the SameSite attribute will no longer work for cross-site tracking purposes.
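To check which cookies a tracker sets will survive this change, the following added example (not Analytics code) classifies `Set-Cookie` headers by whether they remain usable in a third-party context. It goes slightly beyond this post by applying the two rules Chrome 80 enforces: a cookie without SameSite is treated as `Lax`, and `SameSite=None` is only accepted together with `Secure`. The function names and sample headers are constructed for illustration.

```javascript
// Added example. Sample headers are constructed, not taken from any real tracker.
const SAMPLE_HEADERS = [
  'uid=abc123; Path=/; Max-Age=31536000',        // no SameSite attribute
  'uid=abc123; Path=/; SameSite=None; Secure',   // explicit cross-site opt-in
  'uid=abc123; Path=/; SameSite=None',           // opt-in without Secure
  'session=xyz; Path=/; HttpOnly; SameSite=Strict',
];

// Pull out the cookie name plus the two attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? '' : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// Decide whether the cookie is still available in a third-party context
// (for example, a request from a publisher page to a tracker domain).
function thirdPartyVerdict(header) {
  const { name, secure, sameSite } = parseSetCookie(header);
  if (sameSite === null) {
    return { name, mode: 'lax-by-default', thirdParty: false, note: 'no SameSite attribute: treated as Lax' };
  }
  if (sameSite === 'none') {
    return secure
      ? { name, mode: 'none', thirdParty: true, note: 'sent cross-site over HTTPS' }
      : { name, mode: 'none', thirdParty: false, note: 'rejected: SameSite=None needs Secure' };
  }
  if (sameSite === 'lax' || sameSite === 'strict') {
    return { name, mode: sameSite, thirdParty: false, note: 'withheld from cross-site subrequests' };
  }
  // Anything else is flagged for review rather than guessed at.
  return { name, mode: 'unrecognized', thirdParty: null, note: 'unrecognized SameSite value: set one explicitly' };
}

function auditHeaders(headers) {
  return headers.map(thirdPartyVerdict);
}

for (const v of auditHeaders(SAMPLE_HEADERS)) {
  console.log(`${v.name.padEnd(8)} ${v.mode.padEnd(15)} thirdParty=${v.thirdParty}  ${v.note}`);
}
```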

Because of this change, and changes other browsers have made to third-party cookies, Analytics will no longer be setting or using third-party cookies in our trackers. This change will not affect Analytics data in any way and is a win for the privacy of those who visit our customers’ websites. We expect to have most of our customers transitioned away from third-party cookies in the next few weeks, with the rest of our customers after that.

The details of and reasons for SameSite have been well documented elsewhere, so I won’t go into great detail about them here. In particular, Troy Hunt wrote an excellent piece about SameSite, CSRF, and why this is a good change for the internet as a whole. Briefly, fixing CSRF attacks makes the internet more secure, and previous methods of mitigating them were inefficient and prone to implementation errors.

Concerns around third-party cookies aren’t new. Some browsers already have mechanisms to restrict them, such as Firefox’s Enhanced Tracking Protection, and Safari’s ITP. Third-party cookies are commonly used by tracking code and analytics services, so how does this affect Analytics? Analytics has always relied on first-party cookies for metric calculations, but the standard tracker does attempt to set third-party cookies. They were useful for our Data Pipeline customers and we experimented with some anonymized network-level analyses over the years. Those experiments never made it into Analytics, and first-party cookies proved to be a more useful and privacy-conscious data source.

As a content analytics company, we take privacy seriously. Our mission is to help our customers understand and grow the audience for their content. To do that, we need to collect the most accurate data possible, and third-party cookies don’t provide that.