Usually, Internet users are tracked by attaching virtual labels to them. When visiting a website, a small text file with an identifier (also known as a cookie) is stored on the user's device. This allows the user to be identified during the visit, when the website is revisited later, or even on other websites, as long as the cookie is not deleted.
Cookies are used to track and record user activity. By now, Internet users have become more aware of cookies and have chosen to block them or configure their Internet browsers to no longer allow cookies. The GDPR has resulted in users having to give their consent to cookie-based tracking. This makes it more difficult for companies to track their users' activities when cookies are refused.
It is used to answer the following questions:
For companies that invest a lot of money in online advertising campaigns, it is also important to know whether their Google Ads campaigns are successful. Conversion tracking can be used to analyze which search terms and ads led to users filling out a contact form or ordering an item in the online store.
Since the ECJ's "Planet 49" ruling in 2019, common tracking methods may only be used with the prior consent of visitors. As a rule, such consent is requested via a cookie consent banner.
Cookie consent banners are not only often quite annoying, but also frequently fail to meet the legal requirements for effective consent. In addition, there is another crucial weakness: website analytics based on consent may only contain data from people who have actually consented. However, visitors often refuse consent, especially with legally compliant cookie consents that allow optional cookies to be rejected with a single click. As a result, their data is lost for analysis.
So, there are many reasons for a website analytics solution to be used without consent.
Traditionally, Internet users are tracked by attaching a virtual tag to them. When the user enters a website, a tiny text file with an ID is placed on their device (= cookie), and they can always be recognized during their visit, when they return to the website, or on other websites, as long as the cookie is not deleted.
It is also possible to perform cookieless tracking without fingerprints and without accessing data on the user's end device. However, the General Data Protection Regulation (GDPR) must be observed.
There are a few technical approaches to this:
Tracking by login: One possibility is to track and evaluate user activities via a login. The tracking data collected could even be linked to the data in the CRM database to combine online and offline data. However, such extensive data collection on an individual level could not be based on legitimate interest alone, but would only be permissible with consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. Transparent disclosure of the link to the CRM database is also required.
Tracking via URL extensions: Conversion tracking is of great importance for companies to measure the success of their paid advertisements. One way to do this is to carry an ID in the URL that marks the click on the ad. This makes it possible, for example, to determine the sales in the online store that were generated by the click on a Google AdWords ad. The evaluation can be carried out completely anonymously and would be harmless under data protection law, as long as no assignment to the buyer takes place.
Tracking based on supplied user data: It is also technically possible to perform tracking without cookies by collecting data transmitted by the user's device when the page is accessed. This includes the IP address, referrer, and user agent.
Different variants of this technical approach are offered by Matomo, for example.
Depending on whether personal data is collected, it falls within the scope of the GDPR or not:
Allowed without consent as there is no personal reference: If a user is only "tracked" via simple parameters such as referrer and information from the user agent, no identification of the person is possible and there is no personal reference. The activities of a user on a website can be reliably and anonymously evaluated without requiring consent. It would even be possible to recognize returning users if the data from the user agent were stored for a longer period of time.
Only when the IP address is included does a reference to a person arise again. In addition, the probability of identifying a person increases with the level of detail of the data collected.
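The following sketch is an added example, not code from the original article or from Matomo. It reduces each incoming request to the simple parameters named above (referrer host and coarse user agent information), drops the IP address, and counts conversions per ad-click ID carried in the URL without any assignment to the buyer. The parameter name `cid`, the path `/checkout/done`, the request field names and all sample requests are constructed assumptions.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

CAMPAIGN_PARAM = "cid"              # hypothetical name of the ad-click ID parameter
CONVERSION_PATH = "/checkout/done"  # hypothetical order-confirmation page

# Constructed sample requests (documentation IP ranges, made-up order numbers).
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
SAFARI_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.7", "url": "/landing?cid=spring-sale", "user_agent": CHROME_WIN,
     "referrer": "https://www.google.com/search?q=red+shoes"},
    {"ip": "203.0.113.7", "url": "/checkout/done?cid=spring-sale&order=1001",
     "user_agent": CHROME_WIN, "referrer": "https://shop.example/cart"},
    {"ip": "198.51.100.23", "url": "/checkout/done?cid=newsletter&order=1002",
     "user_agent": SAFARI_IOS, "referrer": ""},
    {"ip": "198.51.100.99", "url": "/checkout/done?order=1003",
     "user_agent": FIREFOX_LINUX, "referrer": ""},
]

BROWSERS = (("Edg/", "Edge"), ("Firefox/", "Firefox"), ("Chrome/", "Chrome"), ("Safari/", "Safari"))
SYSTEMS = (("Android", "Android"), ("iPhone", "iOS"), ("Windows", "Windows"),
           ("Mac OS X", "macOS"), ("Linux", "Linux"))

def family(user_agent, table):
    """Return the first matching coarse family; order matters (Chrome UAs also say Safari)."""
    return next((name for token, name in table if token in user_agent), "Other")

def minimise(request):
    """Build the stored event: the IP, search terms and order number never enter it."""
    url = urlsplit(request["url"])
    campaign = parse_qs(url.query).get(CAMPAIGN_PARAM, [None])[0]
    return {
        "path": url.path,
        "campaign": campaign,
        "referrer_host": urlsplit(request.get("referrer") or "").hostname,
        "browser": family(request.get("user_agent", ""), BROWSERS),
        "os": family(request.get("user_agent", ""), SYSTEMS),
    }

def conversions_per_campaign(requests):
    """Count conversions per campaign ID without any link to the buyer."""
    events = [minimise(r) for r in requests]
    return Counter(e["campaign"] for e in events
                   if e["path"] == CONVERSION_PATH and e["campaign"])

if __name__ == "__main__":
    print(conversions_per_campaign(SAMPLE_REQUESTS))
```

Only the output of `minimise` is meant to be stored; the raw request, including the IP address, is discarded after the event is built.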
Permitted without consent, based on an overriding interest: If the collected data has a personal reference, the GDPR allows processing based on an overriding interest pursuant to Art. 6 (1) p. 1 lit. f) GDPR. As long as the level of detail of the data collected remains manageable and there is no aggregation of the data by third parties (as is the case with Google Analytics), there might be some room for argument here. Otherwise, only consent remains as a legal basis.
Cookieless tracking does not store cookies in users' browsers, bypassing the consent requirements of the General Data Protection Regulation. This means that users do not have to give explicit consent to the tracking of their behavior on the website.
Many companies still work with Google Analytics. This gives the impression that Google Analytics is a secure tool. In January 2022, the Austrian data protection authority defined the use of Google Analytics as not GDPR-compliant. If you value a privacy-compliant solution, you should use a cookieless tracking alternative to Google Analytics.
There are already several alternative solutions to Google Analytics that have their server locations in Europe and thus avoid the problem of data transfer to the USA. One of the best cookieless tracking tools on the market is Matomo.
Matomo is an open source platform, which means that the source code is freely available and companies have full control over their data. This is a great advantage, especially in times when data protection and data security are becoming increasingly important. Matomo allows companies to host their data on their own servers, which reduces dependency on third-party providers and minimizes the risk of data leaks.
In addition, Matomo provides comprehensive cookieless tracking capabilities. It enables server-side tracking of user behavior, eliminating the need for cookies. By analyzing server-side events and data, Matomo can provide accurate and meaningful information about user behavior. This approach ensures not only high accuracy, but also compliance with data protection regulations.
Since Glasskube focuses on data protection compliance, we also use Matomo. For this reason, we have developed a Kubernetes Operator for Matomo. Would you like to learn more about it? Get in touch with us right now!