Setting SameSite Cookies

UUID-c98fe705-b09a-0cf6-9bbf-a1f060e381fd
Web browsers (including Chrome, Firefox, and Edge) are changing their behavior to enforce privacy-preserving defaults. The cookie attribute named SameSite allows developers to explicitly declare the intended scope of a cookie, but it is not widely used. To enforce stricter coding practices and preserve users' privacy, these browsers are changing the default behavior for cookies that do not set the attribute to SameSite=Lax.

What is the SameSite Attribute?

The three settings for the SameSite attribute are:

  1. SameSite=Strict

    The SameSite=Strict value only allows first-party cookies to be sent. This setting is good for user actions such as login credentials, but the cookie will not be sent on the initial request to the webpage (for example, when the user arrives from an external link).

  2. SameSite=Lax

    The SameSite=Lax setting allows the user to keep a logged-in status while arriving from an external link. This works well for things like transferring a promotional code, as the cookie is sent on these top-level navigations.

  3. SameSite=None

    This value communicates that the cookie is intentionally shared in a third-party context. Developers must now opt in to allowing third-party scripts on their sites. When SameSite=None is set, the Secure attribute must also be included.

For further reading, see SameSite Cookies Explained.

Effect on OneTrust Cookies

By default, first-party cookies will be treated as SameSite=Lax. Additionally, OneTrust has updated its first-party cookies to set this attribute explicitly. No action is required for these changes to occur.

Cookies Affected:

  • OptanonConsent

  • OptanonAlertBoxClosed

  • eupubconsent-v2

The third-party euconsent-v2 cookie has been updated to SameSite=None; Secure, as this cookie is used in a third-party context to relay a user's consent to other Universal Consent & Preference Management providers. Failing to update this cookie will result in it being rejected by the browser. If you are using this cookie, you must republish the script for this change to take effect.

To confirm the change, inspect your euconsent-v2 cookie after republishing the script and verify that it carries SameSite=None; Secure.
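As an added example (not OneTrust's code), the following Node.js snippet audits Set-Cookie headers against the policy this article describes: the first-party cookies listed above should be SameSite=Lax, euconsent-v2 must be SameSite=None with Secure, and any SameSite=None cookie without Secure is flagged because the browser will reject it. The header lines and cookie values are constructed sample input.

```javascript
// Parse one Set-Cookie header value into name, value and a lowercase attribute map.
// Attribute names are case-insensitive; flags such as Secure are stored as true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("="); // first "=" separates name from value
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Expected SameSite value per cookie, taken from the article:
// first-party consent cookies are Lax, the cross-site euconsent-v2 cookie is None.
const POLICY = {
  OptanonConsent: "Lax",
  OptanonAlertBoxClosed: "Lax",
  "eupubconsent-v2": "Lax",
  "euconsent-v2": "None",
};

// Return a list of human-readable findings for the given Set-Cookie headers.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    // A cookie without SameSite is treated as Lax by current browsers.
    const effective = c.attrs.samesite ? String(c.attrs.samesite) : "Lax";
    const secure = c.attrs.secure === true;
    if (effective.toLowerCase() === "none" && !secure) {
      findings.push(`${c.name}: SameSite=None without Secure; browser rejects it`);
    }
    const expected = POLICY[c.name];
    if (expected && effective.toLowerCase() !== expected.toLowerCase()) {
      findings.push(`${c.name}: expected SameSite=${expected}, got ${effective}`);
    }
  }
  return findings;
}

// Constructed sample headers (cookie values are placeholders, not real consent strings).
const SAMPLE_HEADERS = [
  "OptanonConsent=isGpcEnabled=0; Path=/; Secure; SameSite=Lax", // compliant
  "OptanonAlertBoxClosed=2024-01-01T00:00:00.000Z; Path=/", // no SameSite: defaults to Lax
  "euconsent-v2=CPexample; Path=/; SameSite=None", // Secure missing: rejected
  "eupubconsent-v2=CPexample; Path=/; SameSite=None; Secure", // first-party, should be Lax
];

console.log(auditCookies(SAMPLE_HEADERS));
```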

Configuring the SameSite Attribute

If your OneTrust Cookie Consent implementation requires the SameSite attribute set to None and the Secure attribute set to "true", for example when the banner is loaded in an iframe, this is supported. Reach out to your consultant or contact OneTrust Support using the Create a Case web form. Once the configuration is set, you will need to republish your script for the change to take effect.
