In this article, we will have a closer look at cookieless and server-side tracking and how this affects your website’s configuration regarding privacy laws. The main question that we will try to answer is;
Is cookieless tracking possible without consent?
What is Cookieless tracking?
With the current cookie-based technologies, tracking visitors on your website and cross-domain is done by settings third-party cookies in the user’s browser. Cookieless tracking is trying to navigate away from these cookies to enable tracking without storing data in the browser for which you need consent. Examples of this are a contextual approach based on fingerprinting or Chrome’s FLOC. Or using server-side tracking, for example, logging statistics directly from the server or using server-side APIs to interpret visitor’s behavior, similar to the Facebook Conversion API.
Cookieless means no more ‘Cookie Laws’?
This is where the Cookieless approach seems a valid option, which is undercutting cookie laws, and bygones are bygones…not really.
Calling the ePrivacy directive or GDPR mere “cookie laws” is focussing on the issue publishers are facing directly with their revenue model. Cookies, nor publishers were the focus of these privacy laws. It’s giving end-users control over their data.
Whatever technology will be used in the future, the focus of publishers will not change – which is the identification of users on the internet. The simple fact will remain that you will need to abide by legal principles to store and track (personal) data of your users. Independent of the technology used. This means a notification like a cookieless banner will exist, and consent as a common legal principle to be able to collect any data.
A look at 2023
Like Safari and other browsers before them, Chrome will drop support for third-party cookies in 2023, which is one year later than planned. They will most likely replace third-party cookie support with a so-called ‘privacy’ sandbox that uses contextual FLOC like data aggregation and the use of trust tokens to identify users cross-domain with even more precision and higher grades of security.
New technologies, like API trust tokens or server-side tracking will improve the accuracy of user identification and security. This will serve ad-tech providers more than anything, as end-user control over data is not debated in this one-sided agenda.
This delay in blocking third-party cookies is likely due to significant resistance by privacy authorities to the proposed new technologies. Current technologies like Google Consent Mode and TCF, whereby Google is a technical partner, the Transparency & Consent Framework is deemed to be a third-party or vendor itself, instead of just a tech provider by the Belgian authorities and should behave as is under the GDPR.
In the coming years, we will see how third parties, vendors, publishers, and other organizations where data is fundamental to its product and revenue will propagate new technologies, undermining not only privacy laws and trying to find wiggle room to gather data without consent, but negating any public response to control of personal data.
The fact is that both privacy and tracking will remain, maybe cookies will be overthrown by new technologies, but notifying your website visitors about the purpose of gathering data and leaving the choice ultimately to your visitor is here to stay.