Uh, what are cookies again?
Cookies are small data packets that are stored on a user’s device by websites and can perform a variety of tasks. For example, they track website interactions, save login status and personal settings such as language or design. They also allow user activities to be tracked across multiple pages and thus provide personalized advertising.
Depending on the domain that sets the cookies, a distinction is made between first-party cookies and third-party cookies:
First-party cookies are set directly by and for the website the user is visiting. These cookies are allowed by default by most browsers because they improve the user experience on a particular website.
Unlike first-party cookies, third-party cookies are set by external domains. For example, if you are on diconium.com and an embedded video from youtube.com stores a cookie for this domain on your device, this is a third-party cookie. These are mainly used for tracking and targeted online advertising, as they allow users’ surfing behavior to be tracked across different websites. They are considered questionable because they allow insights into the activities of users on numerous, thematically unrelated websites.
To summarize, first-party cookies improve the user experience on a particular website, while third-party cookies are mainly aimed at tracking and advertising across multiple websites, which is highly questionable from a privacy perspective.
Data protection and cookies
With the introduction of the General Data Protection Regulation (GDPR) in the European Union, the data protection authorities have reacted to the uncontrolled collection of data through cookies. The GDPR, which came into force in 2018, significantly changed the handling of cookies on websites. Cookies are now more strictly regulated. Before the GDPR, many websites could set cookies without explicit consent. Now the GDPR demands it:
1. clear information about cookie use.
2. explicit consent for non-essential cookies.
3. an option to withdraw consent.The focus is particularly on third-party cookies. The aim of the GDPR is to offer users more data protection and control over their data in the digital space. Therefore, websites operating in the EU or targeting EU citizens must strictly comply with these provisions.
Browser manufacturer and cookies
In recent years, browser developers have changed their policies and technologies in relation to cookies, motivated by data protection concerns and legal requirements such as the GDPR. Even the last browser that still allows third-party cookies by default plans to abolish them by the end of 2024. Google announced that it will end support for third-party cookies in Chrome by then and instead introduce the “Privacy Sandbox” – a bundle of technologies designed to protect user privacy while enabling targeted advertising.
The status of the various implementations is documented at https://www.cookiestatus.com/.
The tightening of data protection guidelines by authorities and the initiatives of browser providers to strengthen user privacy have a significant impact on the quality of tracking (see Figure 1) and are forcing the industry to break new ground. One of these is cookieless tracking.
Cookieless tracking
Cookieless tracking includes methods and techniques that collect data about users’ online behavior and activities without relying on the use of cookies. This classification often also includes methods that use cookies in a first-party context or only for a short period of time, e.g. to create a session, which is of course contradictory.
Cookieless tracking can be implemented in various ways:
Complete cookieless tracking (anonymous tracking)
Full cookieless tracking captures all website activity by default. Although no cookies are set by the tracker, traffic, marketing efficiency and user interactions can be recorded while maintaining data protection.
Cookieless tracking in combination with consented tracking
Once a user has given their consent, it is possible to switch from anonymous to consented tracking. In this case, the data collected is enriched with additional user and session information. With this approach and server-side session management, a session can also be tracked without cookies and assigned to the respective user after consent has been given.
Fingerprint
A technique that collects information about the user’s device, such as browser type, operating system, installed fonts and plugins, to uniquely identify users. Fingerprinting can be used to track users across different browsers, as it can also be based on characteristics that are device-specific. This method is therefore criticized by data protectionists.
- Client-side fingerprinting is a method of collecting information and characteristics of the end-user device (such as browser, operating system, installed fonts and plugins) to create a unique profile or “fingerprint” of the device. This fingerprint is used to recognize the user or device on subsequent visits, even if cookies are deleted or blocked.
- Server-side fingerprinting uses specific characteristics and patterns of browser requests to recognize and track users or devices. Rather than relying directly on data submitted by the client or user device, this approach allows identification to be performed even when client-side methods are limited or unavailable.
A combination of server-side and client-side technologies is often used to optimize the identification of users. The website “Am I unique” lists the various methods and evaluates them using a similarity rate.
ETag Tracking
A mechanism used by web servers to track changes to a website. It can also be used to track users, as ETag values are stored in the browser cache.
Behavior-based
tracking analyzes user behavior, such as click patterns, scrolling behavior and keystrokes. This behavioral data can be analyzed for patterns that make a user unique.
Identity Solutions
Identity solutions expand the possibilities of user identification by using both deterministic and probabilistic approaches to link user identities across a variety of channels and devices. They rely on data points such as hashed emails or anonymous identifiers to create a consistent user profile.
Conclusion
The market is looking for alternatives to data collection without cookies, with a focus on innovative technologies and processes to precisely determine user identities and create comprehensive profiles. Nevertheless, the issue of data protection will once again come to the fore with these new approaches. Browser manufacturers are already working on measures to restrict fingerprinting, and regulators are also viewing these practices with increasing skepticism. A new approach is therefore required. Trust is the key! It is important that users understand the added value they receive in return for providing their data. A well-thought-out strategy for first-party data is essential. Diconium is at your disposal as a consultant and advisor in all aspects of digital transformation and is happy to support you in the development and implementation of a comprehensive first-party data strategy.