
Securing User Data with Adobe Analytics and Adobe Target

James Glauner

The increased push for browser security over the last several years produced two standards – Google’s SameSite protocol and Apple’s Intelligent Tracking Prevention (ITP) – designed to prevent malign use of third-party cookies. One of the aftereffects of these changes is that good-faith actors like Adobe, along with its Target (optimization) and Analytics (data collection) tools, must conform to these requirements to ensure a consistent, clean data flow.

Apple introduced ITP in 2017 and amended it several times to prevent workarounds, forcing data owners to confront its effects. They can no longer greet this effort with a collective “meh,” because inaction likely leads to data loss and/or a skewed data set, since analytics tools employ third-party cookies, especially for cross-site tracking.

Before discussing what Adobe tool owners must do to secure their data, the following is a brief explanation of the ITP and SameSite standards.

ITP

ITP blocks third-party cookies entirely in Safari and only permits first-party cookies created by the browser to survive for 24 hours. Adobe Analytics stopped dropping third-party cookies in Safari in March 2018, preventing any third-party cookie implementation from capturing data in Safari. In general, Safari allows third-party cookies to survive for 24 hours, but Adobe abandoned Safari support for third-party cookies altogether.

Without action, ITP will likely cause significant data repercussions within the Adobe ecosphere, though the solution here is clear – set first-party cookies via a server whenever possible.

SameSite

Google’s SameSite cookie protocol has less effect on Adobe’s data collection since Adobe serves its own cookies (Microsoft Edge and Firefox will also activate SameSite restrictions in the near future). SameSite requires developers to provide a safe harbor for third-party cookies by explicitly labeling them with the flags SameSite = “None” and “Secure.” The change is set to be rolled out incrementally starting on February 17, 2020.
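The labeling rule above can be checked directly against a site's response headers. The following is an added example, not Adobe's code: the header strings are constructed samples, `demo_id` and `example.com` are placeholders, and the function names are hypothetical. It reports which cookies a SameSite-enforcing browser would still attach to cross-site subrequests.

```javascript
// Constructed sample Set-Cookie headers (not captured from Adobe servers).
const SAMPLE_HEADERS = [
  "s_vi=constructed-id; Domain=example.com; Path=/; SameSite=Lax",
  "s_vi=constructed-id; Domain=example.com; Path=/; Secure; SameSite=None",
  "demo_id=abc123; Path=/; SameSite=None",
  "demo_id=abc123; Path=/; Secure",
];

// Parse one Set-Cookie header into the attributes that matter for SameSite.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether the browser attaches the cookie to cross-site subrequests
// (for example a data collection call made from another domain).
function crossSiteVerdict(header) {
  const { name, secure, sameSite } = parseSetCookie(header);
  if (sameSite === null) {
    return { name, crossSite: false, reason: "no SameSite attribute; browser defaults to Lax" };
  }
  if (sameSite !== "none") {
    return { name, crossSite: false, reason: `SameSite=${sameSite} keeps it off cross-site subrequests` };
  }
  if (!secure) {
    return { name, crossSite: false, reason: "SameSite=None without Secure is rejected" };
  }
  return { name, crossSite: true, reason: "SameSite=None with Secure" };
}

function auditCookies(headers) {
  return headers.map(crossSiteVerdict);
}

for (const v of auditCookies(SAMPLE_HEADERS)) {
  console.log(`${v.name}: ${v.crossSite ? "sent" : "withheld"} (${v.reason})`);
}
```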

What do data owners need to do to secure their Analytics and Target data?

For SameSite, no changes need to be made if the following is true:

  • Adobe services are called using the https protocol. Adobe usually makes an automatic switch to https, but it can cause latency and data loss.
  • Adobe owners are using the Experience Cloud Identity Service (ECID).

For ITP, using Adobe’s ECID with first-party cookies is strongly recommended, as described below.

Adobe Analytics

The one SameSite exception for Analytics is an instance where Adobe’s s_vi cookie is used across multiple domains. In these instances, Adobe sets the SameSite value of this cookie to “Lax,” which means Adobe owners must contact Adobe Client Care to relabel the cookie to SameSite = “None” and use the “Secure” flag.

Since Adobe no longer drops third-party cookies in Safari, a significant percentage of desktop data and up to half of all mobile data is lost completely for organizations with third-party Adobe implementations (Safari’s traffic share varies depending on the source). Those organizations should implement Adobe’s ECID service in a first-party context as soon as possible.

Adobe Target

For the SameSite protocol, no action is necessary unless Target is tracking users across domains. In this case, Adobe is using third-party cookies. Target owners who track across domains must make sure their sites use the https protocol, and Target itself applies SameSite = “None” and “Secure” flags to its third-party cookies.

Target users should implement Adobe’s ECID service (version 4.3.0 or higher) and enroll in Adobe Analytics’ Managed Certificate Program, which implements a first-party cookie, by contacting Adobe Customer Care. Otherwise, Target cookies will only survive for 24 hours.