In the past half decade, there have been huge shifts in the land of personal data and privacy, with numerous legal as well as technological evolutions. For both analytical and advertising purposes, digital professionals rely on collecting and linking personal data. Consequently, these evolutions can have a solid impact on day-to-day operations. By outlining and grouping them, this article arrives at three potential solutions you should consider.
A brief, non-exhaustive overview follows.
- The adoption & introduction of GDPR.
- National courts banning tools like Google Analytics & Meta tracking pixels based on GDPR.
- Schrems II: Personal data not allowed to be sent to the US.
- Monster fines for tech giants.
- A new German cookie law.
- Apple introduces/strengthens ITP & ATT: Facebook tracking pixels in Webkit browsers & iOS applications are blocked by default.
- New privacy-focused browsers such as Brave, Vivaldi.
- Widespread use of privacy extensions like Ghostery or Privacy Badger.
When we group all these evolutions by their potential solution, we are left with three clusters. This makes them a lot easier to grasp and more manageable.
1. A broader interpretation of 1st-party cookies
Technically, cookies are small pieces of text placed in a browser, allowing each page view to be assigned to the same device. Although recent rulings make some distinction, GDPR considers cookies to be personal data. And because the ePrivacy Directive requires that one asks permission for using personal data, cookie banners have become the default way of being compliant.
Modern tracking solutions have started using other ways to identify devices/users, such as placing a piece of text in localStorage or browser fingerprinting. A German court recently ruled that these practices are not allowed either, or only in a very limited form. That leaves two options:
- You can opt for very limited browser fingerprinting, such as the Piwik tracker in strict privacy mode.
- You rely on a consent mechanism such as a cookie banner. For those users who don’t give consent, you switch to the above, or to a tracking solution where you don’t count users or sessions.
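An added example (not from the original article) of the consent gate described in this section: with consent, a first-party identifier is created and reused; without it, nothing is stored, any leftover identifier is removed, and the hit carries only the page path, so no users or sessions can be counted. The names `buildHit`, `VID_KEY`, the `store` wrapper and the sample URLs are assumptions made for the illustration.

```javascript
// Added example: consent-gated hit builder. All names here are hypothetical.
const VID_KEY = "_vid"; // hypothetical key for the first-party identifier

// Web Crypto in browsers and recent Node; Node's crypto module otherwise.
const randomId = () =>
  globalThis.crypto && globalThis.crypto.randomUUID
    ? globalThis.crypto.randomUUID()
    : require("crypto").randomUUID();

// `store` is anything with get/set/delete: a Map here, a cookie or
// localStorage wrapper in a browser. Both storage types identify a device,
// so both go through the same gate.
function buildHit(consent, store, url) {
  // Keep the path only: query strings can carry e-mail addresses or click IDs.
  const hit = { path: new URL(url).pathname };

  if (consent !== "granted") {
    // No consent (denied, withdrawn or not yet answered): write nothing and
    // remove an identifier left over from an earlier, consented visit.
    store.delete(VID_KEY);
    hit.mode = "anonymous"; // page views only; no users, no sessions
    return hit;
  }

  let vid = store.get(VID_KEY);
  if (!vid) {
    vid = randomId();
    store.set(VID_KEY, vid);
  }
  hit.mode = "identified";
  hit.vid = vid;
  return hit;
}

// Constructed sample run: two consented page views, then consent is withdrawn.
function demo() {
  const demoJar = new Map();
  const first = buildHit("granted", demoJar, "https://shop.example/cart?email=a%40b.c");
  const second = buildHit("granted", demoJar, "https://shop.example/checkout");
  const third = buildHit("denied", demoJar, "https://shop.example/checkout");
  return { sameVisitor: first.vid === second.vid, third, idLeft: demoJar.has(VID_KEY) };
}
console.log(demo());
```

Treating an unanswered banner the same as a refusal is the important default: the identifier is only ever written on the `"granted"` branch.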
2. A ban on personal data outside the EU
There are several legal grounds for storing data outside the EU (Articles 44-50 of GDPR). Privacy Shield, which relied on Article 45, proved to be very popular. This agreement between the EU and the US facilitated data transfers across the Atlantic. However, according to a recent ruling by the European Court of Justice (Schrems II), the Privacy Shield is not lawful, as the data privacy of European citizens cannot be guaranteed in the US, which isn’t particularly known for respecting privacy. *ahem* Edward Snowden *ahem*
What about other countries?
Although not yet explicitly stated, tools that send their data to countries such as India, Russia or China are also likely to be non-compliant, as indicated by a study for the European Data Protection Board. The only countries to which data can be transferred are: Andorra, Argentina, Guernsey, the Faroe Islands, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK and Uruguay.
So, what are the EU and the US doing to replace Privacy Shield?
Despite the verbal agreements on the Trans-Atlantic Data Privacy Framework, there is not yet a binding regulation in place that facilitates transfers of personal data from the EU to the US on the grounds of Article 45.
Since there currently is no legal ground for these kinds of data transfers, tools such as Google Analytics and the Facebook tracking pixel are not compliant with European law.
Regarding analytics, the answer is quite simple: use a European vendor such as Matomo, Piwik Pro, Fathom or Plausible for analytics purposes. If you’re working within a large organization, reskilling people can take some time. But you should know that the jump from Universal Analytics (UA) to Piwik Pro is comparable to the jump from UA to GA4.
For advertising purposes, there is currently no solution, unless you are willing to take the compliance risks. Read more about that in the section below.
3. Blocking of third-party technologies
A lot of browsers, VPNs and even operating systems block requests to third-party servers (such as Facebook & Google), preventing them from setting cookies in their response. In other words, tracking via the conventional method is increasingly inaccurate. An intervention that received a lot of attention was the introduction of Apple’s App Tracking Transparency (ATT).
One of the most recurrent complaints comes from marketers, whose conversion data in Meta’s business manager is no longer trustworthy and actionable. For them, this has three main consequences:
- campaigns cannot be adequately evaluated;
- segmentation & retargeting are incomplete;
- lookalike audiences are less accurate.
To reiterate: there is no technical solution with a legal basis. Sending personal data to U.S. parties is currently prohibited. Full stop.
However, if you are willing to face the compliance and reputational risks, blocking of tracking can be circumvented through server-side tracking. This can be implemented in several ways.
- The simplest way is to use a module of your CMS or e-commerce platform (Shopify, Lightspeed and WordPress can communicate directly with the Meta servers).
- Use server-side Google Tag Manager, and mask the endpoint behind a CNAME (also not foolproof) or host the container on your own server.
It’s clear that the work of digital professionals is made increasingly difficult by legal and technological evolutions. This article proposes three actions you should take:
- Ask consent, or work with a limited browser fingerprint
- Use a European digital analytics solution
- Decide on the trade-off between compliance/reputation and marketing