The standard configuration of etracker neither sets cookies nor uses local storage. This means that cookie notices and consent dialogues can be completely skipped, as long as no other cookies are used that are not required. etracker Analytics cookie-less is also very helpful as a fall-back option, as we enable session tracking even without consent or in the event of cookie rejection.
With the standard etracker code, neither cookies are set nor local storage is used to conduct web analysis. Thus, according to our legal assessment, there is neither a “storage of information” nor an “access to information that is already stored in the end device of a participant or user” in the sense of Art. 5 para. 3 of Directive 2002/58 (“Cookie Directive”).
The following data is processed when the page is called up:
- the shortened IP address
- information on the terminal device used, operating system and browser
- geo-information up to city level
- the URL called up with the associated page title and optional information on the page content
- the website from which the accessed individual page was reached (referrer site)
- the subsequent pages that were called up from the called-up web page within an individual web page
- the length of time spent on the website
- further interactions (clicks) on the website such as search terms entered, files downloaded, videos viewed, items ordered.
Thus, only the web page data of web servers are used as well as information that the web browser transmits to the web server for retrieving web pages. This information is transmitted with each individual page request. However, unlike cookies and comparable technologies, no information is read from the memory of the user’s terminal device and no information is stored on this terminal device. The pseudonymous information makes it possible to link individual page views to related sessions. The linking with a time stamp prevents page views beyond a 24-hour time window from being linked to customer journeys or user profiles by means of this information.
Accordingly, it is not device fingerprinting according to the “Opinion 9/2014 on the application of Directive 2002/58/EC to the use of virtual fingerprints” of the European Data Protection Board. Art. 4 No. 1 GDPR explicitly mentions online identifiers in the legal definition of consent. However, the GDPR does not assume a personal reference for all online identifiers. Rather, it depends on the personal reference or the personal referenceability in the specific individual case (also Hanloser: Geräte-Identifier im Spannungsfeld von DSGVO, TMG und ePrivacy-VO Zeitschrift für Datenschutz (ZD) 2018, 213). Due to the small number of information elements as well as the explicit time limitation, it is excluded for all etracker products that “an individual person can be linked to this virtual fingerprint and thus be identified or made identifiable”. Furthermore, the information is not made accessible to third parties, the hash procedure used as well as the individual information is not disclosed. It is also not used for the “purpose of processing for the provision of personalised content and advertising, i.e. for direct communication with a specific person”, but for the aggregated statistical evaluation of website usage.
Even if one were to come to the conclusion that the session-based observation constitutes processing of personal data within the meaning of Art. 4 No. 1 of the GDPR, we believe that this processing would also be permissible without consent. As the restriction to the session does not allow the creation of personality profiles and the architecture of etracker does not allow the data to be linked to other data, we do not believe that there are any overriding legitimate interests of the data subject that outweigh the legitimate interests of the operator of the website in optimising its internet services to meet the needs of the user within the meaning of Art. 6 (1) f GDPR.
Only in the case of objection etracker sets cookies by default, which is to be classified as necessary. If such an objection cookie is present or if the do-not-track default setting is activated in the browser, no data will be collected by etracker, not even the information of the “user agent”.