Is 2018 the Death of the Cookie?
I assume you’ve been hearing a lot about GDPR, which is new legislation used to define how companies should capture, store and process information about consumers. This new legislation is wide reaching, changing the way in which many companies operate and it can affect all departments that hold data from operations to sales, accounts and marketing.
There is still great amount of ambiguity and disagreement over how the GDPR legislation will be interpreted. There are questions raised over legitimate interest vs consent and what that means in a given situation – which is out of the scope of this article. Opinions and interpretations aside, each company will have to decide where they draw the line; often weighing up the need for information against the risk of fines (being a significant percentage of turnover).
For those of you with non-transactional websites and/or tough compliance departments, you may find that they go after your cookies; such as Google Analytics for monitoring site performance.
For those that do not know, Google Analytics code is added to a website to track how many times a page is viewed, how many unique visitors there are and what they do (and or do not do) when on the site. Using this information, you can make more informed decisions about your sites layout, design and usability to improve performance.
In the background Google Analytics drops a cookie on each visitor’s browser, so that it can identify new vs returning traffic. This cookie acts as a reference id, i.e. a key for that person.
Anonymization vs Pseudonymisation
Keys, account numbers and reference ids are widely used to protect user information. The idea being if you refer to “Charlie Brown at 123 Cartoon Street” who buys 3 bags of Peanuts, that is sensitive information about what a person has brought, whereas, if person 234 buys 3 bags of Peanuts it does not reference a person and is therefore less sensitive.
However, given that GDPR is just as interested as protecting the information from the company as in a data breach they have determined a difference between a totally unmatchable transactional record (anonymization), and one that could be (somehow) matched back to an individual (pseudonymisation).
In the table below we try to outline what this might look like:
Essentially, if you keep the ID field with the transaction details it is always possible to match that back to a customer. Therefore, to be truly anonymous you can only keep the very basic information:
Google Analytics cookies still represent an individual
Given that Google creates this user identity, the cookie reference number is classified as pseudonymisation rather than being anonymous; i.e. it still represents an individual. This is why some compliance teams are asking you to ‘kill the cookies’.
How much does Google really see?
For those of you familiar with Google, you may know that there is a “no PII” policy, or no personally identifiable information policy. You may also think that just because your dashboards are summarised everything is OK* (*check out the last section of this article regarding this point).
This is true, you may not be able to see the cookie or user information in your reporting access, however, the fact is that Google can.
In addition to the raw cookie data, Google can see if the person is logged into google and access their personal (Google) account information. Some of this is then provided back to you – such as the age and gender in the demographic profiles of your visitors in the standard GA dashboard.
Fear no more! There is a solution
Cookies are not the only way to track your sites performance…
Take for instance our tracking tool WebFusion. Whilst WebFusion has the capability to drop a cookie and tie this cookie back to an individual, it can also be customised to not drop a cookie and only take the data approved by compliance or other internal pressures.
This means that we can strip out the pseudonymisation links and only retain the anonymous data:
At a basic level, without any individual metrics at all, WebFusion can capture typical journeys and interactions on a site. This will give you the total number of visits, total number of page views, and the typical order in which people view content. In addition, we can still provide information such as source of traffic, device type (if you don’t consider this to be personal information), and much more.
Moreover, in cases where people have accepted the cookies to track them, we can deploy the cookie for the additional individual data capture.
It is not a problem for me, leave my GA account alone
The focus of this article is to help understand how GDPR and data classifications affect digital channels, as cookies are widely used by most digital platforms (not just google).
For many companies there is a reasonable enough business case to keep tracking cookies, especially if you have a retail site. However, your company will need to decide where to draw the line, for instance it may be when it comes to other types of cookies such as retargeting.
However, a word of warning, most media companies such as Google or Facebook do not solely use the cookies on your site for tracking. For example both the above companies use the same cookies for tracking and retargeting, so they collect information for profiling and to select people for retargeting.
In other (traditional) channels such as email and DM, most marketers are having to consider implementing third party processing agreements with CRM agencies or data bureaus who hold the data, and cleaning the data to ensure that only up-to-date and clean data is retained.
The legislation and purpose behind these projects in other channels are no different to those that are applicable to cookies. Given it is unlikely that you will be able to get a third-party processing agreement signed by the likes of Google, you will lack the fundamental control over this data that you have with your CRM and other databases. This could mean that digital is your greatest GDPR risk.
Whether you decide to kill your cookies or not in 2018. Our recommendation is to ensure that you have control over the data that your visitors are creating through the use of independent tracking tools such as WebFusion where the data is owned by you and never shared without your permission!