What do we talk about when we talk about tracking and analytics?
In the age of digital sales, data is king. Having personal, behavioural, and demographic data about your customers allows you to make data-driven and customer-centric decisions in your business.
This is where data tracking comes in. By tracking your customers' activities online, you can better understand them, improve the overall customer journey as well as better understand the impact of your marketing investments. Marketing is typically interested in audience sizes, browsing behaviours, engagement and conversions.
Aggregated customer data can be used, for example, for:
Retargeting in your marketing channels
Bringing business insights to your organisation
Doing marketing channel attribution
Personalising web and app experiences
Optimising conversions across customer journeys
Cookies are the main technical mechanism we use for tracking customers. They are small snippets of data that websites place on a user's device to remember information about their visit and activity. This allows the website to remember the user's preferences, login status, and other information that can improve the user experience and provide targeted advertising. Cookies can also be used to track users' activities on the website, such as what pages the user visits and what links they click on.
There are also non-cookie options for tracking customers, mainly server-side tracking. This is a method of tracking user activity on a website or app where the data is collected and processed on the server instead of in the user's browser through cookies. With rising privacy concerns, more and more companies are moving in this direction. It allows companies to process data more responsibly and prepare for the looming death of third-party cookies.
Tools used for tracking customer data online tend to rely on third-party cookies. Marketing platforms such as Meta, Google, and TikTok, as well as CRM and experience providers like Salesforce, HubSpot, and Adobe, track behaviours, such as form submissions, conversions, and specific events primarily through third-party cookies.
However, as third-party cookies disappear, it will be more difficult for marketing platforms to do attribution, and their algorithms will have a much harder time deciding which user is most likely to convert, potentially undermining their business models. While workarounds are actively being studied, this will likely have a big impact on the digital marketing industry as a whole.
In tandem with tracking goes analytics. Google Analytics is the most popular web analytics tool, but we have seen the emergence of challengers such as Matomo, Piwik PRO, and Snowplow following the decision of several EU countries to view Google Analytics as non-GDPR compliant.
Fondia, what are the legal implications we should take into account when tracking and analysing customer data?
As stated above, cookies can be a very useful tool when they are used for a legitimate purpose, such as performance or analytics. However, cookies and other similar tracking tools have the potential to seriously intrude on Internet users’ privacy by tracing the activities of the users and collecting information stored on their devices.
Given that using cookies sometimes constitutes an intrusion into users’ private sphere, their use needs to comply with privacy laws. Privacy laws relating to cookies aim to ensure the protection of fundamental rights and freedoms of the public when they make use of publicly available electronic communication networks. The legal provisions applicable to cookies thus apply to any storage of information on a user’s device, as well as to any access to information already stored on the device, regardless of whether the information stored or accessed contains personal data.
What data protection principles should guide the tracking and analytics of customers’ data?
One of the main principles of privacy is that you cannot collect more personal data than what is necessary to achieve a specific, predetermined purpose. With this principle in mind, you must ask yourself why you need to process your website’s visitors’ data, which data you need to collect, and how long you need to retain the data. You are not allowed to start processing personal data without first having defined a legitimate purpose. Most of the time, cookies are used for technical, preference, analytical, or marketing purposes.
So, how can we manage cookies and consent compliantly in practice?
Users must be provided clear and precise information about the use and purpose of the cookies, and they should have the option to refuse to have a cookie placed or access information stored on their terminal equipment. Having the option to say no to cookies means that the user’s consent is needed before any cookies (except cookies that do not need consent) are placed or access information on their device, even if no personal data will be collected. The ePrivacy Directive states that the required consent must correspond to the consent as defined in the GDPR. The GDPR defines consent as a freely given, specific, informed and unambiguous statement or clear affirmative action.
In practice, this means that:
Users must receive the required information about the cookies used as soon as they are asked to make their choice about cookies.
The consent obtained must be documented and stored.
Clear and positive action is needed from the user to signal their consent, meaning that a pre-ticked box or stating that continuing scrolling on the page is equivalent to consent is not compliant.
Dark patterns should be avoided (for instance, the buttons “accept” and “refuse” should be of the same size).
Finally, it is a good practice to ask users to renew their consent regularly, for instance, every 6 months.
There are two exceptions to the consent requirement: if the cookies are strictly necessary for providing a service explicitly required by the user (e.g., for providing a chatbot only when the user actively clicks to open it or keeping track of items placed in a shopping cart), or in case of cookies solely used for carrying out the transmission of a communication over a network (e.g., a cookie whose sole purpose is identifying one of the servers). The French data protection authority has stated in a recommendation that cookies strictly for performance purposes may not require consent as long as they serve to produce anonymous statistical data only, do not track an individual across several domains, and are not transferred by the website owner to any other recipient.
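As an added example (not code from the article, Fondia or Columbia Road), the consent rules listed above and the strictly-necessary exemption expressed as a small consent model that a website's cookie-setting code can call before placing any cookie. The category names, the roughly 6-month renewal window and the function names are assumptions made for illustration.

```javascript
// Renewal interval: consent is asked for again after about six months.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;

// Assumed cookie categories. Only "necessary" is exempt from consent
// (strictly required for a service the user asked for, e.g. a shopping cart).
const CATEGORIES = ["necessary", "preference", "analytics", "marketing"];

// Build a consent record from the user's choice. Scrolling, closing the
// banner or a pre-ticked box are not clear affirmative actions, so they
// are rejected instead of being silently treated as consent.
function recordConsent(action, choices = {}, now = Date.now()) {
  if (action !== "click_accept" && action !== "click_refuse") {
    throw new Error(`"${action}" is not a clear affirmative action`);
  }
  const granted = {};
  for (const cat of CATEGORIES) {
    // A refusal grants nothing; an accept grants only the categories the
    // user ticked themselves (nothing defaults to true). "necessary" is
    // recorded as allowed because it is exempt, not because it was consented.
    granted[cat] =
      cat === "necessary" || (action === "click_accept" && choices[cat] === true);
  }
  // Documented and stored: which policy text was shown, when, and what was chosen.
  return { version: "cookie-policy-v1", timestamp: now, action, granted };
}

// A missing or expired record means the banner must be shown again and
// non-essential cookies stay off in the meantime.
function consentIsCurrent(record, now = Date.now()) {
  return !!record && now - record.timestamp < SIX_MONTHS_MS;
}

// Gate for every cookie-setting call site: strictly necessary cookies are
// always allowed; everything else needs a current, explicit grant.
function mayPlaceCookie(category, record, now = Date.now()) {
  if (!CATEGORIES.includes(category)) return false; // unknown purpose: deny
  if (category === "necessary") return true;
  return consentIsCurrent(record, now) && record.granted[category] === true;
}
```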
What are the risks companies face when failing to comply with these requirements?
The European privacy advocacy group NOYB (founded by Max Schrems) has recently lodged 226 complaints across the European Union against websites allegedly presenting deceptive cookie banners. The European Data Protection Board has launched a special taskforce to coordinate the responses of the national authorities that are responsible for the enforcement of national laws applicable to cookies. The result of the taskforce was published in January 2023 and the cases are still pending.
Also, you need to bear in mind that if you are deploying cookies provided by a third party on your website, you must be aware of the personal data you are disclosing to those third parties. You may be considered a data controller regarding that personal data and will in that case need a data processing agreement in place with the processor. You are still responsible for obtaining the users’ consent to the use of third-party cookies.
What’s coming next in the sphere of data protection?
As the ePrivacy Directive dates from 2002, the European Commission has proposed a new regulation concerning cookies in order to take into account technological evolution and to harmonise the national laws of the Member States, which have implemented the ePrivacy Directive in different ways. The new ePrivacy Regulation was supposed to be adopted in 2018, at the same time as the GDPR, but its adoption has been postponed. The new ePrivacy Regulation will have a broader coverage than the ePrivacy Directive and will, amongst other things, address browser fingerprinting and create stricter protections for metadata.
The Digital Services Act, a European Union regulation that was adopted in 2022, has created new obligations for online platforms, with an emphasis on very large online platforms having more than 45 million users in the European Union, such as Facebook or Twitter. The Digital Services Act requires, for instance, that platforms ensure certain information is disclosed to users when they are presented with advertisements, including the main parameters used for targeted advertisements based on profiling, such as the main profiling criteria used. The Digital Services Act also prohibits online platforms from presenting advertisements based on profiling when the profiling includes the processing of special categories of personal data, or when the user is a minor.
How to get started?
Understanding customer tracking and analytics is crucial to any company looking to provide stellar experiences and sell efficiently online. Yet, equally as important is taking into account your customers’ privacy.
Fondia’s experienced team within data protection will support you in all data protection and privacy related matters. We can provide legal advice on both EU-level legislation like GDPR and ePrivacy and specific national data protection legislation, related, for example, to work life privacy.
Columbia Road's experts are ready to help you build and implement a compliant and effective strategy for digital sales.