Google Chrome Will Penalize Non-HTTPS Websites This Month. Are You Prepared?
A new update this month will result in a warning message being served to anyone attempting to access a non-HTTPS website that collects private data. Here’s what you should know.
At the end of January, Chrome users who reach a website that requests a password or credit card information will be presented with a “Not Secure” message next to the URL in the browser bar.
Studies show that this will discourage users from providing their information on these sites, so you better believe it: if your website isn’t secure, your campaigns may be affected.
While most advertisers set up HTTPS long ago, affiliates may not have seen it as important… until now.
Google stated that the current setup, in which HTTPS websites are given a green “Secure” tag, does not make it obvious enough that non-secure (HTTP) websites are unsafe. This new update will put it right in their face, causing many to second guess their intention to buy your product or service.
For now, this will only affect websites that attempt to collect data, but Google will soon extend this to all “old-school” HTTP sites regardless of their function.
You probably saw this coming…
This update is in line with Google’s mission to improve user experience across all their products. Google search has already started penalizing mobile websites that serve interstitials, which has caused quite a stir in the community.
Google has been pushing the benefits of HTTPS for years, so this update makes sense. It’s no secret that sites with secure certificates have been getting an SEO boost since 2014. It was only a matter of time until Google forced everyone to comply.
When you consider past updates that penalized PBNs, duplicate content, keyword stuffing, backlink schemes and other grey/black hat SEO techniques, it becomes clear that Google wants to kill anything disruptive to the user’s ability to retrieve the information they’re looking for (and to safely submit their information back).
In all previous cases, those who predicted or reacted quickly survived the changes – and many even benefitted from them. We expect the same story here.
Is this a bad thing?
Only if you ignore it!
Most will see this as a hassle. Some will see it destroy their conversions, and they might not even know why. Affiliates work hard to create a sense of confidence. A big warning sign built into the browser that basically tells people they’re in an unsafe place is about as bad as it gets when it comes to keeping trust through to the conversion point.
As many affiliates know, building confidence is a great way to power sales and improve traffic quality. Google penalties are the threat here, not HTTPS itself. You can still collect the same information as before; it just can’t be snooped on. And your users will be more confident while completing offers because they’ll see the “Secure” tag. Plus, many publishers already run their sites on HTTPS for the SEO boost. It’s a good thing overall.
What happens if I don’t act?
If you’re requesting sensitive information (i.e. credit card numbers and passwords), you’ll be penalized with a clear indicator that the website is not secure, which will almost certainly kill your campaign and negate all the effort it took to build.
The first rollout will look like this:
But before long, the messages will become even more frightening to the user – even if the page does not request sensitive information:
Can I ignore this update?
Probably not, but it depends on your traffic source. If you make use of a website, then the answer is a pretty straightforward no. Chrome is used by more than half of all internet users (market share is over 55% and growing). That’s not a small slice… that’s most of the pie!
This will affect any web property that allows users to submit sensitive data, including prelanders, PBNs, offer pages, pops… all of it.
Even if only one page on the entire domain requests information, the entire site will likely be flagged as “Not Secure”.
But I’m not a spammer! Do I still have to update?
Yes – this has nothing to do with spam. The update is about secure connections and data transfer, not the quality or purpose of the websites in question.
Even if you aren’t running any offers that require credit cards or passwords, you can bet that the HTTP red flag monster is already hiding under your bed… and you’d hate to wake up with a busted campaign because Google decided to slap you on the wrist out of nowhere.
I just found out about this. It’s too late for my campaign, but can I save my domain?
Yes – you just need to get up to date. The first step is to get secured (there’s no avoiding that), then check Search Console for remaining red flags.
Once you’ve cleaned up and are confident Google will play nicely with your site, you can request a manual review. Google will put you back in good standing if you’ve done everything properly.
How do I set up HTTPS?
There are many ways to ensure your server is secure. It’s free and easy in most situations. Check with your hosting provider or head over to Let’s Encrypt, a free, open-source service that offers HTTPS certificates.
For a more detailed walkthrough on migrating your site, check out SEJ’s writeup or read about Google’s reasoning behind the change.
Our AMs are aware of the upcoming Chrome update and can provide hands-on support – just ask!