Ask an Expert: How does Google’s SameSite cookies update impact call tracking?
Last week, Google officially instituted an update for publishers using the Google Chrome browser to update their code on third-party cookies to reveal how they function and track users across the web—or else Google will delete them. This change was made in order to improve security for Chrome users, because while third-party cookies are helpful for advertisers to track user behavior and preferences, they also open people up to malicious tracking and data leakage.
This change impacts anyone with a website, as Chrome browsers currently make up about 69% and 40% of the desktop and mobile market respectively. Website owners will now need to employ “SameSite” cookies, otherwise known as “first-party cookies,” which means they have been created and loaded from their own domain, and show that they are secure and over an https connection in order to continue to be used in a third-party context. Heads up: Google plans to eliminate third-party cookies entirely by 2022, which means fundamental changes are already underway for how digital marketers will be able to target and market to consumers.
There’s no doubt we’ll be continuing to monitor the impact of these cookie updates, but in light of the official move to SameSite cookies, we chatted with our development team to get some insight on how this transition impacts digital advertisers using the CallTrackingMetrics platform.
Does the move to SameSite cookies change how CTM tracks visitor activity?
It should not impact you. The only time this would have an impact in your use of CTM tracking is if you’re tracking session data over multiple domains—but because the typical use case for CTM tracking is to place our code on your domain directly, we rely on first-party cookies. There are some customers using our code over multiple domains, and for those use cases we have you covered by setting the “SameSite=None; Secure” attributions with our cookies. The main thing you need to do is be sure to use ssl when using our code over multiple domains which, in this day and age, you should already be doing anyway.
How does SameSite work with the CTM code?
SameSite is a browser function. The browser will or will not send cookie data depending on whether that cookie has first (a.k.a. SameSite) or third-party attributes. We specifically set the “SameSite=None; Secure” attributes in our own code because we want the cookie to still be sent in a third-party, yet proven to be secure, context. This allows us to continue to track activity while also showing Google that it’s via a secure method.
Is there anything I need to do differently to ensure I’m maintaining the same level of data collection and insight I had prior to this change?
Cookies with “SameSite=None” must also specify “Secure,” meaning they require a secure context. Therefore, in order for third-party cookies to continue to work, you’ll need to make sure your site is secure, i.e. you can access the site via https://subdomain.domain with a valid certificate.
For more technical information, we suggest exploring these articles from Google’s web.dev tutorial site: SameSite Cookies Explained and SameSite Cookie Recipes or checking out this explainer video from Google: