Cookieless Tracking - Website Analytics without consent


The use of cookies to collect and analyze user behavior on websites is common today. However, cookies are not as popular as they used to be because many users have concerns about data privacy. The General Data Protection Regulation has tightened the rules for the use of cookies and now requires explicit consent from users. In this blog post, we'd like to introduce you to an alternative method: cookieless tracking. Learn how you can perform website analytics without having to ask for user consent.

What are cookies?

Usually, Internet users are tracked by attaching virtual labels to them. When visiting a website, a small text file with an identifier (also known as a cookie) is stored on the user's device. This allows the user to be identified during the visit, when the website is revisited later, or even on other websites, as long as the cookie is not deleted.

Cookies are used to track and record user activity. By now, Internet users have become more aware of cookies and have chosen to block them or configure their Internet browsers to no longer allow cookies. The GDPR has resulted in users having to give their consent to cookie-based tracking. This makes it more difficult for companies to track their users' activities when cookies are refused.

What's the analysis purpose behind tracking?

It is used to answer the following questions:

  • How many visitors have visited my website?
  • Where did they come from?
  • How did they get to my website?
  • How do they move around my website?

For companies that invest a lot of money in online advertising campaigns, it is also important to know whether their Google Ads campaigns are successful. Conversion tracking can be used to analyze which search terms and ads led to users filling out a contact form or ordering an item in the online store.

What is Cookieless Tracking?

Cookieless tracking is the collection and analysis of data about user behavior on websites without the use of cookies. In the traditional approach, cookies are stored in the user's browser and serve as identifiers to track their behavior on different websites. However, cookieless tracking uses other techniques to collect similar information without the need to store a cookie in the browser.

Since the ECJ's "Planet 49" ruling in 2019, common tracking methods may only be used with the prior consent of visitors. As a rule, such consent is requested via a cookie consent banner.

Cookie consent banners are not only often quite annoying, but also frequently do not meet the legal requirements for effective consent. In addition, there is another crucial weakness: website analytics based on consent may only contain data from people who have actually consented. However, visitors often refuse consent, especially with legally compliant cookie consents that allow optional cookies to be rejected with a single click. As a result, their data is lost for analysis.

So, there are many reasons for a website analytics solution to be used without consent.

What are the methods for cookieless tracking?

Traditionally, Internet users are tracked by attaching a virtual tag to them. When the user enters a website, a tiny text file with an ID is placed on their device (= cookie), and they can always be recognized during their visit, when they return to the website, or on other websites, as long as the cookie is not deleted.

Even without setting cookies, a website operator reads various information from the user's device with the help of JavaScript. This information.

Fingerprinting

It is possible to perform tracking without cookies. In this case, the website operator reads various information from the user's device with the help of JavaScript. This information can be so detailed that it creates a unique "fingerprint". In this way, a user can be tracked across different websites and their behavior analyzed. It is legally irrelevant whether users are tracked via cookies or fingerprints. Consent must be obtained for both variants.

Cookieless tracking without access to the end device

It is also possible to perform cookieless tracking without fingerprints and without accessing data on the user's end device. However, the General Data Protection Regulation (GDPR) must be observed.

There are a few technical approaches to this:

Tracking by login: One possibility is to track and evaluate user activities via a login. The tracking data collected could even be linked to the data in the CRM database to combine online and offline data. However, such extensive data collection on an individual level could not be based on legitimate interest alone, but would only be permissible with consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. Transparent disclosure of the link to the CRM database is also required.

Tracking via URL extensions: Conversion tracking is of great importance for companies to measure the success of their paid advertisements. One way to do this is to carry an ID in the URL that marks the click on the ad. This makes it possible, for example, to determine the sales in the online store that were generated by the click on a Google AdWords ad. The evaluation can be carried out completely anonymously and would be harmless under data protection law, as long as no assignment to the buyer takes place.

Tracking based on supplied user data: It is also technically possible to perform tracking without cookies by collecting data transmitted by the user's device when the page is accessed. This includes the IP address, the referrer and the user agent.

Different variants of this technical approach are offered by Matomo, for example.

Depending on whether personal data is collected, it falls within the scope of the GDPR or not:

Allowed without consent as there is no personal reference: If a user is only "tracked" via simple parameters such as referrer and information from the user agent, no identification of the person is possible and there is no personal reference. The activities of a user on a website can be reliably and anonymously evaluated without requiring consent. It would even be possible to recognize returning users if the data from the user agent were stored for a longer period of time.

Only when the IP address is included does a reference to a person arise again. In addition, the probability of identifying a person increases with the level of detail of the data collected.

Permitted without consent, based on an overriding interest: If the collected data has a personal reference, the GDPR allows processing based on an overriding interest pursuant to Art. 6 (1) p. 1 lit. f) GDPR. As long as the level of detail of the data collected remains manageable and there is no aggregation of the data by third parties (as is the case with Google Analytics), there might be some room for argument here. Otherwise, only consent remains as a legal basis.
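The "supplied data" approach described above can be sketched as a data-minimisation step that runs before anything is stored. This is an added example, not Matomo's or Glasskube's code; the sample requests are constructed, and the masking widths (/16 for IPv4, /32 for IPv6) and the function names are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample requests (not real traffic): (client IP, Referer, User-Agent).
SAMPLE_REQUESTS = [
    ("203.0.113.57", "https://www.google.com/search?q=kubernetes+operator",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0"),
    ("2001:db8:85a3::8a2e:370:7334", "https://news.example.org/post/42?utm_id=abc",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"),
    ("198.51.100.9", "",
     "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/123.0.0.0 Safari/537.36"),
]

# Order matters: Chrome UAs also contain "Safari", Edge UAs also contain "Chrome".
BROWSERS = [("Edge", r"Edg/"), ("Firefox", r"Firefox/"), ("Chrome", r"Chrome/"), ("Safari", r"Safari/")]

def mask_ip(ip: str) -> str:
    """Zero the host part: keep /16 for IPv4 and /32 for IPv6 (assumed policy)."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def referrer_host(referrer: str) -> str:
    """Keep only the hostname; path and query string may carry IDs or search terms."""
    return urlsplit(referrer).hostname or "(direct)"

def browser_family(user_agent: str) -> str:
    """Reduce the User-Agent to a coarse family instead of storing the full string."""
    for name, pattern in BROWSERS:
        if re.search(pattern, user_agent):
            return name
    return "Other"

def minimise(ip: str, referrer: str, user_agent: str) -> dict:
    device = "mobile" if re.search(r"Mobile|Android|iPhone", user_agent) else "desktop"
    return {"ip": mask_ip(ip), "source": referrer_host(referrer),
            "browser": browser_family(user_agent), "device": device}

def aggregate(requests) -> Counter:
    """Count visits per (source, browser, device); the masked IP is not part of the key."""
    events = (minimise(*r) for r in requests)
    return Counter((e["source"], e["browser"], e["device"]) for e in events)
```

Calling `aggregate(SAMPLE_REQUESTS)` yields one count per coarse bucket; the full IP address, the referrer path and query, and the raw user-agent string never reach storage.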

What are the advantages of cookieless tracking?

Since some users refuse cookies or delete them regularly, cookieless tracking can lead to more accurate and comprehensive data. Analyzing device attributes and IP addresses can provide more reliable information for understanding user behavior.

Cookieless Tracking does not store cookies in users' browsers, bypassing the consent requirements of the General Data Protection Regulation. This means that users do not have to give explicit consent to track their behavior on the website.

In addition, the use of cookies is coming under increasing criticism, and it is foreseeable that future data protection regulations will further restrict the use of cookies. By implementing cookieless tracking are.

Which cookieless tracking tools are currently used?

Many companies still work with Google Analytics. This gives the impression that Google Analytics is a secure tool. In January 2022, the Austrian data protection authority defined the use of Google Analytics as not GDPR-compliant. If you value a privacy-compliant solution, you should use a cookieless tracking alternative to Google Analytics.

There are already several alternative solutions to Google Analytics that have their server locations in Europe and thus avoid the problem of data transfer to the USA. One of the best cookieless tracking tools on the market is Matomo.

Matomo is an open source platform, which means that the source code is freely available and companies have full control over their data. This is a great advantage, especially in times when data protection and data security are becoming increasingly important. Matomo allows companies to host their data on their own servers, which reduces dependency on third-party providers and minimizes the risk of data leaks.

In addition, Matomo provides comprehensive cookieless tracking capabilities. It enables server-side tracking of user behavior, eliminating the need for cookies. By analyzing server-side events and data, Matomo can provide accurate and meaningful information about user behavior. This approach ensures not only high accuracy, but also compliance with data protection regulations.

Matomo does not set cookies, anonymizes IP addresses and does not use unique IDs or customer IDs in URLs. In addition, cross-domain tracking must be waived. However, Matomo should be mentioned in the privacy policy, and an option to opt out of Matomo should be offered so that users have the opportunity to object to it.

Since Glasskube focuses on data protection compliance, we also use Matomo. For this reason, we have developed a Kubernetes Operator for Matomo. Would you like to learn more about it? Get in touch with us right now!
