The purpose behind cookie consent banners is good. I am not a lawyer so cannot evaluate privacy laws but that purpose, privacy, is a good thing. This idea has led to the ePrivacy Directive and GDPR in Europe (with the ePrivacy Regulation still being worked on) along with similar legal approaches in other parts of the world.
These want to protect users’ privacy. Cookies can be used to identify and track individuals. Therefore, users should be able to decide if they are happy to have a cookie dropped on their browser, prior to this happening. The regulations refer to people receiving clear and complete information so this is an informed decision. And we get the banners asking for this permission.
Cookie Consent Banners are a lose-lose solution
While the intention is good, cookie consent banners are not working (in my opinion). People are not making informed decisions based on clear and complete information. It is a button to be clicked so you can view the website properly. Companies take advantage of this, using dark patterns to encourage acceptance of cookies. Not through informing people of the benefits but through design and layout.
If people are losing out through a worse online experience and still having their privacy rights infringed, does that mean companies are winning? No, they are not. Beyond the costs of implementing and managing consent platforms, not everyone accepts cookies so they lose out as well. Beyond just having inaccurate counts for users, page views and interactions, companies lose the ability to target individuals (although this is the point) and the ability to identify/diagnose website issues.
When website issues cannot be identified, they cannot be fixed.
Which means cookie consent banners and less data for website owners is also bad for people using the websites. They are more likely to encounter website bugs and flaws, meaning their online experience is doubly affected.
A Balanced Solution
I am biased here. I have always worked with Digital Analytics data, the Google Analytics, Adobe Analytics, AT Internets, etc of the world. I want this data back. At the same time, I do want to respect the privacy of the people (like me) who use websites.
What if, as a thought experiment, there was a solution which does both? Is there a level of Digital Analytics that could occur without consent being given?
In case you are in the #NoConsentNoTracking camp, would you be ok with a hit counter on each web page? Totally anonymised but still providing some level of useful information to the website owner. And if ok with this, what else are you comfortable with? Where is the line drawn?
I want to make it clear this blog post is hypothetical. I have no legal background and have not reviewed against GDPR or other privacy regulations. The UK ICO has been clear that analytics cookies are not essential. Although the French CNIL appears to consider anonymised tracking to have some merit.
Details of the Solution
The primary requirement is that users cannot be identified. The changes for this to happen are:
- No form of knowledge graph can be used to identify a user. For example, this rules out the use of Google Signals to identify users in GA4.
- Reduce the expiry of user cookies to 30 min. This means that users and sessions are very similar to being the same thing. Every user is forgotten after 30 min of inactivity.
- Anonymise the IP address so the last quadrant is masked. This would allow us to still identify the country of the person visiting the website (with known inaccuracies) but not to uniquely identify the user.
- No unique identifier can be recorded or used. That rules out web analytics cross domain tracking as a unique identifier is required. It also rules out websites using unique identifiers for their cross domain purposes e.g. Facebook campaign ID – these would need to be blocked from URLs.
- No personal information can be captured within the web analytics tool relating to the website visitor.
Note that I consider campaign tracking to be fine as long as individuals are not identified. So you can still record the channel, campaign, creative, keyword and social media post.
The other key requirement is that data cannot be exposed to other tools where it could be used for targeting individuals. Any data used for measurement, in any tool, is fine. That applies to web analytics tools but also to:
- UX tools – session recording and heatmap tools where no personal data is recorded.
- CRO tools – can run experiments but these must all be at session level. That means people will not remain in the same experiment variant across multiple sessions.
- Marketing tools – can measure behaviour to evaluate and optimise campaign effectiveness but cannot track individual users or use this data for targeting users/cohorts.
My scenario for enabling this within any tool would be a single configuration setting. Flick that switch and this is all enabled.
An improved SAAS solution would store all data in the country and/or jurisdiction of your choice. The best solution would be to store data on premise, so you have total ownership of your data. While Google Analytics is constantly pointed to as the example of where you don’t own your own data, I see any tool where the data is stored by a 3rd party as similar, whatever the T&C say. To note, I am personally comfortable with this, I just don’t see a difference between the companies doing it (in terms of impact on you & your data).
Measurement vs Tracking
One point that was brought up in discussions on this topic was the difference between measurement and tracking. I was originally confused by this, in my mind measurement is performed through web analytics tracking. However others use the term tracking to mean identifying and tracking individual users, web analytics tags are there to collect data.
Once that was explained to me, I like this definition. With the caveat I will find it difficult to stop calling all data collected to web analytics tools “tracking”. With regards to the original discussion though, these people were correct, what I want to do is measurement with zero user tracking.
A concern raised is that digital fingerprinting is still possible with the information being captured by default within web analytics tools to identify users. It feels difficult to get around this as there is potential for fingerprinting as soon as the user agent, browser version, IP address of a visitor are captured. I don’t have a good answer here.
While on the topic of digital fingerprinting, I keep seeing it suggested as the cookieless solution. I think this logic is rubbish, cookies are not the problem, identifying users is the problem. A digital fingerprinting solution that expires within each day is in line with my logic but it is also equivalent to a cookie that expires each day. A digital fingerprinting solution that lasts longer than one day is actually worse than the equivalent cookie, as the digital fingerprint cannot be deleted by the user and is more difficult to block.
What do you think, did I set my definitions at the right level? Is there anything included here that should not be captured in your web analytics tool without consent? Or the reverse side of it, do you think additional information could be captured while respecting privacy without consent?
Where is your line?