Cookie-less, shmookie-less. What's the big deal.
Cookie-less: can we just get over it?
"We need to find a cookie-less solution"
"We don't want to rely on consent"
"We want to avoid those banners"
I've been hearing this non-stop for the past year from every single start up or scale up I've been working with. Every single one.
And with the death of the cookie looming everyone that is anyone is promising cookie-less.
It's everywhere.
No more cookies! But don't worry, we can track your users anyway. Better yet, use us and you don't have to show a cookie banner anymore as, you guessed it, we don't use cookies.
🙈
Let's get real, shall we?
No cookies is great and all but when did we think that that was the solution to the problem?
When did we think that once we get rid of cookies we don't need consent?
Let's start at the beginning.
Privacy and data protection laws go way back. I'm going to avoid the full history lesson here but we do need to go as far back as the ePrivacy Directive, aka the Cookie law or PECR.
It came into play way before the GDPR and was mostly aimed at telco companies. It essentially covered all public electronic communication networks such as phone, fax, SMS, and email. No, not the ones within your office network or inter-office phones, but all the ones that left the office, everything that was public.
But in regards to "cookies" - note that they never mention the word cookie - this is what the Directive has to say:
It states the following in Article 5(3):
"...storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing..."
And then in Recital 17 (also known as the preamble, para 17) it mentions how we could potentially get consent:
"... Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website."
Now the fun bit. It's a directive. Not a regulation.
Why do we care? Because it means that each country within the EU gets to implement it according to the guidelines of the Directive; they make it their own.
They can make it stricter, but not less so.
For example, the UK PECR (what they call it instead of ePrivacy Directive) states in regulation 6:
(1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment—
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—
(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
In short, it means that if you place a cookie, or use any other type of tracking tech such as fingerprinting, you need to:
Say that cookies will be set
Explain what those cookies will do
Get consent to store (and later access) those cookies on the device
I say "cookies" but remember, this applies to all information being stored or accessed on the user terminal equipment. That means it covers everything from:
fingerprinting
cookies
local shared objects
tracking pixels
beacons
...
Interestingly, the EDPB (that is the European Data Protection Board) just released some guidelines on this. And they went all out. They decided that everything is considered storage or access, well, pretty much everything. They even included URL parameters and IP addresses (unless the IP address does not originate from the terminal equipment of a user).
*These will be open to public comment before being formally adopted. There are some concerns as to whether the EDPB has the jurisdiction to set these guidelines, AND guidelines are not regulations.
So what does this come down to in the end?
If you want to track or collect any data (we are not talking personal data yet!) online you will need consent. The exception being anything that is necessary to run the site, or necessary due to a contract.
Wondering what the GDPR says about all this? Plenty, provided whatever is being tracked or accessed is personal data. We won't get into details here but, in short, cookies (or other trackers) can be considered personal data, as the information they hold could be linked to a unique identifier to build a profile on a user. If the cookie being placed is personal data then the GDPR applies and you need to make sure you have your legal basis sorted.
Ok, now that's over with.
You get the idea. It's a bit complicated but back to cookie-less tracking.
No matter how savvy you are, it's going to be a hard-fought battle to get yourself out of scope of the ePrivacy Directive. Because, regardless of what tech you are using, it is still considered storing and accessing something within the terminal equipment (aka device) of the user.
Some of the solutions get you out of scope of the GDPR but not the ePrivacy Directive.
Why?
Because they aggregate data to a point where it is not considered personal data anymore.
Or they don't collect data that could be personal data.
Or they make sure that they only collect data that can't be linked to a unique id, so again, not personal data.
But they are all still tracking a user. They are all still accessing information from the device. And most are also storing something in local storage.
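To make that concrete, here is an added example (my own illustration, not code from any vendor or from the Directive): a small JavaScript gate that applies the Article 5(3) rule to every store and read on the device, so localStorage writes and reads of device characteristics are treated exactly like cookies. The storage object, the `session`/`analytics` purpose names and the device values are constructed for the demo.

```javascript
// Added example: gate ALL storage/access on the terminal equipment behind either
// consent or the "strictly necessary" exception, not just document.cookie.
// Storage is injected (a Map here) so the example runs outside a browser.
const STRICTLY_NECESSARY = new Set(["session", "cart", "csrf", "consent"]); // assumed purposes

function createDeviceGate({ storage, consent = new Set() }) {
  const refused = []; // audit trail of attempts made without a legal basis
  const allowed = (purpose) => STRICTLY_NECESSARY.has(purpose) || consent.has(purpose);

  return {
    // "Storing of information": cookie, localStorage, IndexedDB... same rule.
    store(key, value, purpose) {
      if (!allowed(purpose)) { refused.push({ op: "store", key, purpose }); return false; }
      storage.set(key, String(value));
      return true;
    },
    // "Gaining of access to information already stored": reads need a basis too.
    read(key, purpose) {
      if (!allowed(purpose)) { refused.push({ op: "read", key, purpose }); return undefined; }
      return storage.get(key);
    },
    // Reading device characteristics for a cookie-less fingerprint is still
    // access to the terminal equipment, so it is gated the same way.
    deviceInfo(source, purpose) {
      if (!allowed(purpose)) { refused.push({ op: "deviceInfo", purpose }); return null; }
      return { ua: source.userAgent, screen: `${source.width}x${source.height}` };
    },
    grant(purpose) { consent.add(purpose); }, // the user ticks the box
    refused: () => refused.slice(),
  };
}

// Constructed walk-through: a visitor who has not (yet) consented to analytics.
function demo() {
  const gate = createDeviceGate({ storage: new Map() });
  const device = { userAgent: "ExampleBrowser/1.0", width: 1440, height: 900 }; // constructed
  const results = {
    sessionStored: gate.store("sid", "abc123", "session"),            // strictly necessary
    analyticsIdStored: gate.store("visitor_id", "v-42", "analytics"), // no consent: refused
    fingerprint: gate.deviceInfo(device, "analytics"),                // no consent: refused
  };
  gate.grant("analytics");
  results.afterConsentStored = gate.store("visitor_id", "v-42", "analytics");
  results.refusedCount = gate.refused().length;
  return results;
}
```

The `refused()` trail is the part worth keeping in a real build: it shows, before the banner is answered, exactly what your "cookie-less" stack tried to store or read.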
So yes, they might be cookie-less. But who cares?
It's not about cookies.
More importantly, it's about the user. The person on the other end. Maybe even you.
If I say don't track me, then don't track me. Regardless of whether it is with cookies or not. I clearly don't want you to take my information and apply it to whatever model or analytics you have.
Some interesting reads (somewhat) related to the above:
The ICO sends warning letters to get cookie banners sorted. Aka make sure you have a Reject All button there.
The newly published guidelines on ePrivacy Article 5. What is actually covered when they say any "storing of information, or the gaining of access to information already stored".
The EU Commission on what they mean by Cookies and similar technologies.
The ICO explainer on Cookies and similar technologies.
WTF or FTW?
WTF.
I mean for real. It's not just cookies. It's not about coming up with that super cool solution to do what the user clearly said they didn't want to have done. It's about the person at the other end.
Now, if you were to communicate properly, you'd probably be fine. And the person would probably allow for some tracking.
Consider this:
You are using a GDPR friendly analytics tool to understand basic site usage such as page views, country, time on site, and maybe some basic campaign information. Nothing personal here. Nothing that gives away who they are. Nothing that is profiling the user. It's just information to understand what is being read, and what not, on your site. What button is being clicked on, and what not. Most people would probably be fine with that - there is no "me" being tracked here after all.
Or you are collecting it all: stitching behaviour, returning vs new users, order IDs linked to the transactions, assigning user IDs. You've made the decision that you need this information to be able to run your business (and that is totally OK). But then you are collecting not just data, but personal data. You are determined to understand what "I" am doing. Not what we are doing in aggregate. You want to profile "me". You want to be able to target "me".
They are both analytics tools, but with their own set-up. They both have a different purpose. They have a different objective. Both are valid and needed in different scenarios. Make your decision and then communicate it to your user so they can decide.
Most importantly, honour their decision.
Don't suddenly say - oh it's cookie-less so we don't need to tell them we are tracking them (or do we?).
Siobhan 🤓
P.S: want to figure out what your start up or scale up can do instead of cookie-less and respect your users choice while still getting what you need to grow? Book in a Power Hour and we'll hash it out.