Conversion tracking and SameSite cookie updates
Popular web browsers are changing how cookies are sent by default in first-party and third-party contexts. Their goal is to increase transparency, choice, and control. Users should be aware of how they are tracked, who is tracking them, and ways to control the information shared.
Chrome is rolling out the following changes in its default behavior (version 80 and beyond):
- Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax. That is, they will be restricted to first-party or same-site contexts by default.
- Cookies that are intended for third-party or cross-site contexts must specify SameSite=None and Secure.
Note: This also means cross-site or third-party cookies are restricted to secure / HTTPS connections only.
In Chrome web browsers (version 80 and beyond), cookies that do not include the SameSite=None and Secure attributes won’t be accessible by third parties. Latest versions of Safari, Firefox, and Edge have also been adopting these changes.
How this change impacts conversion tracking
Responsys Express conversion tracking will be affected in the following situations:
- You use Responsys Express’s conversion tracking pixel and your email redirection link’s (response handler URL) base domain is different than your website URL’s base domain. For example, the conversion tracking cookie is considered a third-party cookie if your website’s URL is www.example.com and your Email Redirection Link’s URL is news.domain2example.com.
- Your website uses non-secure (HTTP rather than HTTPS) browser access, but your conversion tracking URL uses HTTPS. In this case, you must update your domain from HTTP to HTTPS.
- You don't use HTTPS to call the Responsys Express conversion tracking URL.
- You have an invalid SSL certificate installed for your branded domain.
- You haven't installed a current and valid SSL certificate in Responsys Express for your branded domain.
If your Responsys Express instance is affected, you'll notice a steep decrease in email conversions in Insight Interactive Dashboard Reports. In some cases, no conversions will be tracked if your targeted recipients are using the latest browser versions of Chrome or Safari that already support the SameSite attribute.
Adapting to the SameSite cookie updates
Use the SameSite attribute
To alleviate this issue, Chrome introduced the concept of the SameSite attribute. With the SameSite attribute, website developers have the power to set rules around how cookies are shared and accessed.
Request an instance settings change from Oracle Support
If you are unable to update your response handler domains to match the main website or landing page domain (which makes the Responsys Express conversion cookie a third-party cookie instead of a first-party cookie), then Oracle Support can update your Responsys Express instance settings to set the attributes SameSite=None;Secure on the cookies, as required in the third-party context. Cookies with this setting will work the same way as cookies work today. This will allow third-party cookies to track users across sites. To enable this setting for your instance, create a service request (SR) in My Oracle Support.
Important: For this settings update to work for your instance, your response handler and conversion landing page domain should be using HTTPS, because the Secure attribute ensures that the browser request is sent by secure (HTTPS) connection. Refer to the Questions you may have about the SameSite cookies update section for more information.
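The rules above can be checked against a given Set-Cookie header. The following is an added example, not Responsys Express or Chrome code: it models the Chrome 80 behavior described on this page for a conversion pixel request. The cookie name, the URL paths, and the two-label base-domain shortcut are assumptions made for illustration.

```javascript
// Added example: models the Chrome 80 cookie rules described on this page.
// Assumption: "base domain" is approximated as the last two host labels;
// real browsers use the Public Suffix List to find the registrable domain.
function baseDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Parse a Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether the conversion cookie set by trackingUrl is sent when the
// pixel is later requested from pageUrl (a subresource request).
function conversionCookieVerdict(setCookie, pageUrl, trackingUrl) {
  const cookie = parseSetCookie(setCookie);
  const effective = cookie.sameSite || "lax"; // Chrome 80 default when absent
  const https = new URL(trackingUrl).protocol === "https:";
  if (effective === "none" && !cookie.secure) return "rejected: SameSite=None requires Secure";
  if (cookie.secure && !https) return "rejected: Secure cookie over HTTP";
  const crossSite = baseDomain(pageUrl) !== baseDomain(trackingUrl);
  if (crossSite && effective !== "none") return "blocked: cross-site request, SameSite=" + effective;
  return "sent";
}

// Constructed inputs: the cookie name "conv" and the paths are hypothetical.
const page = "https://www.example.com/thanks";
const tracker = "https://news.domain2example.com/track";
console.log(conversionCookieVerdict("conv=1", page, tracker));
console.log(conversionCookieVerdict("conv=1; SameSite=None", page, tracker));
console.log(conversionCookieVerdict("conv=1; SameSite=None; Secure", page, tracker));
console.log(conversionCookieVerdict("conv=1; SameSite=None; Secure", page,
  "http://news.domain2example.com/track"));
console.log(conversionCookieVerdict("conv=1", "http://www.example.com/thanks",
  "http://news.example.com/track"));
```
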
Questions you may have about the SameSite cookies update
Is the SameSite cookies update compatible with the latest browser versions of Firefox, Safari and Edge?
Chrome implements this default behavior as of version 80. Firefox has these behaviors available to test as of Firefox 69 and will make them the default in the future. Edge also plans to change its default behaviors. You can see the list of known incompatible clients on the Chromium site.
What if I have an HTTP page and need third-party cookies?
Ideally, sites should upgrade to HTTPS; cross-site cookies will not be sent over a plain HTTP connection. Sites that rely on services making use of third-party cookies should ensure they are including those resources (scripts, iframes, pixels, and the like) through an appropriate HTTPS URL.
We highly encourage you to upgrade your web sites to HTTPS as soon as possible. Check your SSL certificate expiration and renew it on time. If you are using an HTTP (insecure) domain and your instance is updated to use the SameSite attribute, then the following error will be shown in the browser: “This set-cookie had the secure attribute but was not received over a secure connection.” This issue will prevent the cookie from being set, which will affect conversion tracking functionality.
What if my conversion landing page and the redirection URL are on the same domain and use HTTP?
When both the main website and the email tracking URL are on the same domain and use HTTP, they won't be impacted by the Chrome version 80 updates. The browser would still support third-party cookie tracking.
Are there any other useful resources online that can help me understand more about what the SameSite cookie update means?
You can refer to the following external articles regarding Chrome’s SameSite cookie update:
SameSite Updates (chromium.org article)
SameSite Frequently Asked Questions (FAQ) (chromium.org article)
SameSite cookies explained (web.dev article)
Google Chrome 80 Cookie Change: Here’s what you need to know