Showing posts with label cookies. Show all posts
Showing posts with label cookies. Show all posts

Saturday, February 8, 2020

Review Adobe Experience Cloud ID Cookies on Google Chrome 80

Web Browser Cookies have long been the lifeblood of the digital marketing ecosystem. A cookie is a tiny text file used by a web browser that typically captures non-intrusive information about a browser (indirectly a user) such as logged in state, user preferences and anonymized or encrypted ids etc. A cookie allows companies to measure browsing patterns (pages visited, products bought), remembering products added to a shopping cart or simply personalizing user experiences that match previous patterns and behaviors. 

 As of December 2019, Google Chrome was the most popular web browser with a market share of 69%. Google recently released their newest Chrome browser version 80 which introduced clear guidelines around how cookies need to be set moving forward keeping in mind privacy regulations such as GDPR and CCPA. As an example, Safari now completely blocks 3rd party cookies from being set. Given that Google has advertising platforms which primarily leverage 3rd party cookies, there are still a few years left before Google completely phases out 3rd party cookies by 2022 which means we don't have a lot of time left. So, what does it mean for companies like Adobe which also rely on cookies for measuring user behavior using 1st party cookies and activating anonymous profiles on publishers using 3rd party cookies in the interim?

 In this post, I will review changes made by the Adobe Identity Service team to address cookie setting requirements in Google Chrome 80.  I will refer to this article written by the Adobe Identity service team and validate changes made by Adobe primarily around the Experience Cloud ID Service cookies. So let's dive in!

What is all the Fuss About?


Here, I'll cover exactly was has been changed by Chrome 80 and I've made a simple decision tree to depict what the change is in regards to the new cookie guidelines. At a high level, 3rd party cookies need to be secure with a SameSite attribute equal to "None". On the other hand, cookies without a SameSite attribute will default to "lax". 

In the next two sections, I'll do a quick pre/post comparison between Chrome 79 and Chrome 80 and review the Experience Cloud demdex cookie set in both versions.

The World Before Google Chrome 80


I'm first looking at Chrome version 79 and I've visited an Adobe customer website using the Experience Cloud Visitor ID Service.

I'll primarily focus on the demdex which is our 3rd party cookie that is most susceptible to deletion after this change. I previously wrote about migrating to the Visitor ID service where I've covered some of the cookies set by the ID service in more detail. The first thing we see is an error in the developer console specifically calling out the demdex cookie and stating that it's set without the SameSite flag.

The World After Google Chrome 80


In this section, I will show how the Google Chrome error for demdex went away after I updated my browser version and look at the site customer website in incognito mode.

Looking at what the developer console shows for the same customer website, we can see that the change was made by the Adobe ID Service (demdex) server side and the error went away. Please note that it DID NOT require a Visitor ID service version upgrade as the change was made server side. Having said that, it's always advisable to upgrade your ID service library to the latest version. 

Now looking at how the demdex cookie is now set as shown by Chrome 80, we can see that the cookie has both the SameSite=None and Secure values set with a TTL expiration of 6 months.

What is the Recommendation for 1st Party Cookies on Safari?


In this section I want to talk about the importance of leveraging a CNAME tracking server to measure your website activity in Adobe Analytics which is more of an issue post ITP2.1 in Safari (slightly going off topic). This Adobe article covers how we can use a CNAME to set a new s_ecid cookie that extends the AMCV cookie expiration to 2 years instead of 7 days which Safari enforces today (see below).

Please note that this requires ID service version 4.3.0 + to take advantage of this change to extend your visitor expiration to 2 years instead of 7 days on Safari.

 So, that's it! Hope found this helpful in understanding what changes were made by Chrome 80 and how Adobe is prepared to address any potential tracking issues as a result of this.
Posted by at No comments:
Labels: , , ,

Thursday, July 12, 2007

P3P - Do we really care about it?

P3P (Platform for Privacy Preferences Project) as it is commonly known is actually not known by the regular internet user. I was going through some Internet terminologies and came across this term in Wikipedia. It immediately struck me as an interesting topic and prompted me to share my own views. P3P is a standard introduced by the W3C (World Wide Web Consortium) for website to share/display their privacy policy to the general Internet users. There is tons of information on P3P on the Internet with all sorts of intricate details.
But do people know or feel the need for P3P? Personally, I think people should take it more seriously. I do know that third party cookie rejection rate has been at the highest during the past 3-4 years and it is high time that websites start feeling the need for introducing valid and sound privacy policies. Third party cookies are a piece of text/data placed on your machine that do not belong to the website you have visited. If you go to www.msn.com and you find an Omniture 2o7.net cookie on your machine, the 2o7.net cookie is the third party cookie tracking your browsing details in this scenario.

According to a WebTrends article posted in 2005, the cookie rejection rate was as high as 12-15%. So we can guess that figure should be between 20-25% in 2006-2007. The new versions of browsers like Firefox and IE7 aren’t helping matters either. The default settings in the Privacy tab of IE7 are designed to automatically block third party cookies that do not have a P3P policy. Look at the below screenshot.

So these points do prove that Webanalytics giants like WebTrends and Omniture are loosing a lot of valuable data as their cookies are being blocked more and more if the security setting of browsers is high. But this has been the trend since Web Analytics originated. One of the reasons why Google, MSN and Yahoo are successful in targeting their customers is because they have a login cookie placed on the user’s machine. If a hotmail customer is logged on to passport, it is really easier for Microsoft to show ads based on his previous browsing habits. This cookie can never be blocked unless the users chooses to block all the cookies. But if the user blocks all the cookies, he would not be able to login to his account. So it is possible that majority of the users will choose the defualt browser setting making it easier for other websites to place their cookies. It is always better for websites to have a TRUSTe Privacy Program which is a universal standard found in a privacy policy and for users it is a good practice to read the privacy policy of a website which can be checked by going to View -> Web Page Privacy Policy in your IE7 browser. The default setting in browsers will always allow cookies from companies having a Privacy Policy. A website having a valid privacy policy would also be worthy of the trust of users. Users should always shop online on portals having a TRUSTe Privacy seal in their Privacy policy.

It was a good practice for me to look around for information about P3P and believe that it is a positive step taken to make the users aware about what kind of data is being collected and how it could be attributed to their online behavior. Please feel free to add your opinions/criticisms.

Posted by at 2 comments:
Labels: , , , ,
Subscribe to: Posts (Atom)