Cookieless tracking

by Katrin Nebermann

In marketing media, terms such as ‘cookiecalypse’ or ‘cookiegeddon’ are used when it comes to restrictions on the use of cookies. One thing is certain: The end has been heralded for certain cookies and their use is strictly regulated by law. However, allusions to the end of the world are not only greatly exaggerated, but also simply wrong. This is because solutions for web analysis and conversion tracking have long existed that do not require cookies and still provide a sound database. In this article, we explain the technical and legal background, what is possible with cookie-less tracking and what needs to be considered.

How well do cookies still work for tracking?

Cookies only fulfill their purpose if they are stored in the browser, i.e. if they are not blocked. But that’s not all, because the storage duration or runtime is also important. The latter is no longer determined solely by the cookie setter, but is increasingly restricted by the standard browser settings. The storage and runtime restrictions vary from browser to browser and depend heavily on the cookie type and classification of the tracking service. The website cookiestatus.com provides a good and up-to-date overview. Apple is most restrictive with Safari and Intelligent Tracking Prevention (ITP), which shortens the expiry of cookies to one day if the user has followed a link with known tracking parameters. This makes it increasingly difficult for browsers to analyze customer journeys beyond a very short time window.

Tracking cookies only after valid consent

The ePrivacy Directive at EU level and the national Telecommunications Telemedia Data Protection Act (TTDSG), which comes into force on 01.12.2021, require explicit, informed consent that is equivalent to refusal before non-essential cookies are set. As these cookies do not provide the user with any direct advantage and enjoy a rather poor reputation, the majority of users reject their use, provided that the option to reject them is compliant with data protection regulations, i.e. not made more difficult or hidden.

Regulatory authorities have already spoken out clearly against so-called nudging and dark patterns in content design and are increasingly taking action against violations. Consumer protection organizations such as the Federation of German Consumer Organizations (vzbv) and noyb by Max Schrems are also focusing on this topic. Max Schrems even takes a systematic approach and uses automated processes to check and warn cookie banners. The TTDSG also provides for additional penalties and centralized prosecution of violations.

As the etracker Consent Benchmark Study shows, consent not only reduces the database, but also distorts the data collected. The bias arises from the fact that consent rates vary considerably depending on the source of origin and campaign. However, efficient campaign management is not possible without sufficient and reliable data.

Cookie-less and consent-free tracking

Companies would do well to adapt to the post-cookie age as quickly as possible and switch to cookie-less tracking. However, this alone is not enough! Although the topic of cookie consent is the focus of reporting, the requirements that must be met under current legislation in order to enable tracking without prior consent demand far more than just not using cookies. This involves the question of what happens to the data as part of tracking and what type of data is processed where. Simply switching to cookie-less tracking is therefore not enough.

Instead, companies must ensure that they use solutions that meet all the requirements for legally compliant tracking without opt-in. This is the only way they can reliably evaluate usage behavior and campaign performance.

All of this must be complied with so that the interests of the end user do not prevail and the obligation to obtain consent can be waived:

TTDSG:

• Kein Einsatz von Analyse-Cookies (funktionale Cookies bei einem Opt-Out oder Nutzung des Local Storage zum Puffern von Tracking-Übermittlungen sind hingegen in Ordnung)
• Kein Auslesen von Identifikatoren wie Geräte-IDs, IMEI-Nummern, Mac-Adressen oder Werbe-IDs

GDPR:

• Kein Fingerprinting und ähnliche Technologien zur auf Dauer ausgelegten Wiedererkennung
• Kein Datentransfer in unsichere Drittländer wie die USA
• Keine Weitergabe oder Nutzung durch Verarbeiter selbst
• Keine Zusammenführung über Websites unterschiedlicher Anbieter und z.B. Anreicherung von soziodemografischen Daten aus anderen Quellen des Verarbeiters
• Re-Identifikation muss ausgeschlossen sein bspw. mittels Verknüpfung zu Nutzerkonten des Verarbeiters
• Kein Mouse- bzw. Session-Recording

Consent mode does not protect against the obligation to consent

With the so-called Consent Mode, Google offers the possibility to react to the consent or rejection in Consent and to transmit the Consent status to Google. If marketing and analysis cookies are rejected, Google states that it only provides aggregated and non-identifying measurement values. However, this does not prevent data being transferred to the USA. Whether all other requirements for freedom of consent are also met, particularly with regard to the use of the data by Google itself, remains unclear and has not yet been confirmed by the supervisory authorities. Until then, the resolution of the data protection conference on Google Analytics, which always requires prior consent, applies regardless of the mode used.

Thus, although the consent mode in Google Analytics may allow compliance with the TTDSG guidelines with regard to the use of cookies, it does not exempt you from the obligation to give consent in accordance with the GDPR.

What does cookie-less tracking do?

Cookies are used to assign individual measured interactions such as page views or click events and goals such as orders, registrations or inquiries to a visit and various visits in turn to a visitor. As a rule, a visit is understood as a series of interactions of a visitor between which there was less than 30 minutes interruption or between which the tab or browser was not closed. Since certain information transmitted via the browser is constant within a visit, but differs between different users, it can be used instead of cookies to assign interactions to a visit. The various pieces of information are combined to form an identifier (using a hash process). If the measured interactions are linked to the same identifier, they are assigned to a visitor or a visit.

This procedure therefore does not require any “storage of information in the end user’s terminal equipment or access to information that is already stored in the terminal equipment”^.1 This means that the consent requirement under Section 25 of the Telecommunications Telemedia Data Protection Act (TTDSG) no longer applies.

However, in order to meet the requirements of the General Data Protection Regulation (GDPR) on legitimate interest, only the anonymized IP address of the visitor may be used for the identifier and it must be prevented that the identifier causes a longer duration of recognition. To ensure this, a random value that changes daily can simply be added to the encryption.

The functionality is illustrated schematically in the following diagram using a visitor with three visits over two days:

This means that with cookie-free and consent-free tracking, the following specific analyses are not possible beyond the daily limit:

• Anzahl von (eindeutigen) Besuchern und Besuchshäufigkeit im Zeitraum
• Unterscheidung zwischen neuen und wiederkehrenden Besuchern
• Längere Customer Journeys und Marketing Attribution

In practice, however, this is not a serious disadvantage, because the recognition of a visitor by means of cookies for longer periods than 24 hours is made impossible by individual browsers as described above and always requires consent. In this respect, longer-term analyses using cookies are generally only possible to a very limited extent in practice.

In order to operate campaigns efficiently when using purely cookie-less tracking, even for longer customer journeys, and to optimize bidding strategies not only for clicks, there is another solution: control based on predictors within the respective visit for later conversions. Such predictors can be: the length of stay, the number of page views, product page views, interaction with configurators for cars, for example, or calculators, e.g. for loans. A positive side effect is that there is usually significantly more of this data available than for the final conversion actions, which means that algorithms can learn more quickly and bring about optimizations.

There are no restrictions with regard to all other visit-related analyses. This includes, among other things:

• Erfassung der Herkunft mit Referrer-URL und ggf. Kampagnen-Parametern
• Seitenaufrufe und Zuordnung zu Bereichen anhand der URL-Struktur
• Audio- und Video- sowie externe, mailto- und Telefon-Linkaufrufe, Downloads und individuelle Klick-Events
• Scroll-Events pro Seite: 0-9%, 10-24% usw.
• Formular-Interaktionen inklusive Fehler je Formularfeld
• Eingesetzte Geräte und verwendete Browser inklusive Spracheinstellungen
• Gesuchte, angesehene, gemerkte, in den Warenkorb gelegte und bestellte Artikel

To summarize:

The future belongs to cookie-less tracking.

Because it has many advantages:

• Es ist eine der Bedingungen, um rechtskonformes Tracking ohne Consent zu ermöglichen.
• Es wirkt Consent-bedingten Datenverlusten und -verzerrungen entgegen.
• Es kann Website-Betreibern und -Besuchern nervige Cookie-Dialoge ersparen.
• Es macht unabhängig und resilient gegen Cookie-Einschränkungen der Browser-Anbieter und -Plugins.

---

^{1Telecommunications Telemedia Data Protection Act}(TTDSG) § 25

Disclaimer

These statements do not constitute legal advice and cannot replace individual legal advice. They are a professional discussion and summary of the topic. If necessary, we will be happy to put you in touch with a specialist lawyer.