June 17, 2021
In an earlier guest article for HSLU, the author pointed out that the growing importance of data protection on the Internet will have a significant impact on digital analysis. In fact, current laws (such as the GDPR) as well as upcoming revisions (such as the revision of the Swiss Data Protection Act revDSG) require the installation of a so-called cookie banner. This is to ensure that people are not tracked without their explicit consent. But why exactly?
Data protection laws and guidelines are not aimed at tracking per se. And the vast majority of companies that use a tracking tool on their website do not do so with the intention of violating the will of the legislators.
Data protection and the associated laws are about the protection of privacy and the processing of personal data. Without wanting to delve into the legal details, this means that data subjects are granted various rights (e.g. right to information and right to be forgotten) and controllers are subject to certain obligations, in particular that under certain circumstances no processing of personal data may take place without the consent of the data subject. Consent must also be earmarked for a specific purpose. For example, it is not legal to use the email address collected when registering for a newsletter, for which the person has consented, for other marketing measures or analyses at a later date.
This makes it clear that, as already mentioned, it is not the tracking itself that is "prohibited" or regulated, but the associated processing of personal data, especially if this is then also disclosed to contract processors (the tracking tool) and/or abroad.
The attentive reader will now ask himself or herself:
"But where is the personal data? I'm only tracking anonymously? I'm not interested in knowing who exactly is on my website, I just want to measure and optimise the performance or effectiveness of my advertising measures?"
The problem lies in the fact that current and future laws can be interpreted in such a way that IDs stored in cookies - even randomly generated and at first glance anonymous ones - as well as IP addresses can or must be considered personal data. This is not because they directly describe the person, but because they allow, albeit in most cases only theoretically, a personal reference, and thus a certain behaviour on the website can be attributed to a person.
This makes the necessity of cookie banners and consent clear and, as a reminder, the real problem from the guest article mentioned above:
Since the visit to the website may not be tracked from the outset, two key aspects of digital analysis are lost:
Specialised companies such as zweipunkt AG in Basel know the problem described above only too well and regularly work out solutions with their customers to defend their legitimate interest in correctly measuring and optimising their own website. The following two approaches (together) make it possible to dispense with consent in principle.
Cookie IDs
In order to prevent cookie IDs set and collected by the tracking tool from allowing a personal reference, most tracking tools can be modified so that they do not set persistent cookies or temporarily store the generated IDs in session storage.
This means that a person receives a new ID for each visit, which is automatically deleted by the browser at the end of the visit. As a result, there is no longer any personal reference. The price of this measure is that you lose user-related metrics such as the number of visits, new/returning users and so on. However, this is certainly manageable in relation to the recovered information about the origin of a visit.
However, if user metrics are to be retained, there is another option. The ID is stored in local storage (persistent). Before tracking, however, it is anonymised using a one-way algorithm (e.g. MD5) and only this anonymised value is fed into the tracking tool. This means that the same person always has the same ID across visits, but the personal reference is broken, as the tracking tool has no way of tracing the ID received back to an ID that actually exists.
IP addresses
IP addresses are to the Internet as street numbers are to the post office; you cannot do without them as they are an integral part of all Internet communication. However, to prevent the tracking tool from receiving the IP address of the person being tracked, the tracking requests can be transmitted to the tracking tool via a so-called proxy. The proxy acts like a shield, as the tracking tool only ever sees the IP address of the proxy (always the same), which cannot be attributed to any person.
If a CDP such as Tealium Customer Data Hub is already in use, it can often take over the role of the proxy. This is often referred to as server-side tracking.
The approaches described above should by no means be understood as a free pass for any action with personal data, but rather as a means of protecting and respecting the personality of individuals as far as technically possible, as well as being able to demonstrate to the legislator that the necessary technical measures have been taken to fulfil the objective of data protection.
Nor does this mean that no cookie banner should be used at all, because consent is valuable and if it is given, the desired tracking tool can be used to its full extent and with the consent of the person concerned.
With this article, the author hopes to have provided useful information that can help in some cases to free oneself from the dilemma described without having to resort to ambivalent methods (e.g. fingerprinting).
