We’re talking about data and analytics and The End of Tracking with Ben Weber, Digital Analytics Specialist.
We're talking about
-Cookies
-User privacy
-Data Regulations
-ITP
-Ad blockers
-Firewalls
-Impacts on tracking
1. Digital You Can Trust |
Trusted Conf 2019
Benoit Weber
September 2019
THE END OF TRACKING
2. Digital You Can Trust |
BEN
BENOIT WEBER
ANALYTICS SPECIALIST
Hi, my name is BEN.
❏ Educational background in software/research engineering.
❏ Specialised in Google Analytics, GTM
❏ Passionate about data governance and integrity
❏ Based in Da Nang, Viet Nam
Contact
❏ benoit@inmarketingwetrust.com.au
❏ https://www.linkedin.com/in/benoit-weber/
❏ +84 931503575
3. DIGITAL MARKETING & ANALYTICS |
Digital You Can Trust |
COOKIES OR NO
COOKIES?
4. Digital You Can Trust |
❏ Introduction
❏ User privacy & Data Regulations
❏ ITP, Ad blocker and Firewalls
❏ Exercise: Impacts on tracking
❏ Conclusion
AGENDA
5. Digital You Can Trust |
COOKIES &
TRACKING
Cookies are the keystone of tracking.
Cookies enable us to identify a user while collecting
information about him and his interactions on site.
Cookies are the primary tool that advertisers use to track your
online activity so that they can target you with highly specific
ads.
7. DIGITAL MARKETING & ANALYTICS |
Digital You Can Trust |
PROTECT &
RESPECT USER
PRIVACY
PREFERENCES
8. DIGITAL MARKETING & ANALYTICS |
Digital You Can Trust |
IMWT IS GLOBAL
&
DATA PRIVACY
REGULATIONS
TOO !
Example:
https://www.dlapiperdatap
rotection.com/
9. Digital You Can Trust |
GDPR
PRINCIPLES
ACCOUNTABILITYLAWFULNESS,
TRANSPARENC
Y & FAIRNESS
PURPOSE
LIMITATIO
N
DATA
MINIMISATION
DATA ACCURACY
STORAGE
LIMITATION
INTEGRITY &
CONFIDENTIALITY
01
02
03
04
05
06
07
GDPR REINFORCES SECURITY & PRIVACY OF DATA
11. Digital You Can Trust |
Natural persons may be associated with online identifiers
provided by their devices, applications, tools and protocols,
such as internet protocol addresses, cookie identifiers or
other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined
with unique identifiers and other information received by the
servers, may be used to create profiles of the natural persons
and identify them.
2 LINES IN GDPR ABOUT COOKIES (ONLINE TRACKING)
12. DIGITAL MARKETING & ANALYTICS |
Digital You Can Trust |
COOKIES FALL
UNDER THE
PECR
There are specific rules on
Consent
Information
Documentation
Service Access
Consent withdrawal
COOKIE = TRACKING
13. DIGITAL MARKETING & ANALYTICS |
Digital You Can Trust |
TYPES OF
COOKIES
NEEDED BY
MARKETERS
Session Persistent
First Party
Strictly
Necessary
Third
Party
Preferences Statistics Marketing
PURPOSE
PROVENANCE
DURATION
14. Digital You Can Trust |
WITHOUT CONSENT WE CAN’T MEASURE ROI
16. DIGITAL MARKETING & ANALYTICS |
Digital You Can Trust |
ITP 2.2 WANTS
TO JOIN THE
PARTY
17. Digital You Can Trust |
ITP CUTS COOKIES LIFESPAN TO 24 HOURS.
24h
Intelligent Tracking Prevention prevents advertisers and other technologies from
tracking and collecting information about users.
In Safari, with ITP 2.2, first party and third party cookie are now limited to 24
hours.
Example
● If Safari users do not convert within 24 hours after clicking on Google Ads
campaign, we won’t be able to attribute the conversions to our campaign.
● In GA, if the same user accesses our website from Safari 2 days in a row, he
will be perceived as 2 unique users
18. Digital You Can Trust |
OTHER BROWSERS ALLOW USER TO BLOCK COOKIES
TOO!
19. Digital You Can Trust |
47% OF USERS HAVE AN ADBLOCKER
AdBlockers offer the possibility of blocking GTM or specific javascript such as Google Analytics.
20. Digital You Can Trust |
FIREWALLS CAN BLOCK ANY SERVICE
Firewalls give you the ability to block DNS request from specific IP ranges or domain names.
Adding 1 rule to block the domain analytics.google.com would prevent Google Analytics to receive
data.
24. Digital You Can Trust |
WHO GETS THE CONVERSION?
PAID
SEARCH
SOCIAL
ORGANIC
SEARCH
DIRECT CONVERSION
DAY 1 DAY 2 DAY 3 DAY 4
NO COOKIE
ALLOWED
25. Digital You Can Trust |
WHO GETS THE CONVERSION?
PAID
SEARCH
SOCIAL
ORGANIC
SEARCH
DIRECT CONVERSION
DAY 1 DAY 2 DAY 3 DAY 4
NO COOKIE
ALLOWED
PAID SEARCH
SOCIAL
ORGANIC SEARCH
1 user with 4 sessions
NO CONVERSION
DIRECT
Each session = 1 user
NO CONVERSION
DIRECT
Each session = 1 user
NO CONVERSION
NO CONVERSION
26. DIGITAL MARKETING & ANALYTICS |
Digital You Can Trust |
PREPPING UP
FOR A POST-
COOKIE ERA
27. DELIVERED
BY EXPERTS
Our global team of expert consultants and
practitioners have been hand-selected from
thousands of applicants.
Digital You Can Trust |
29. We’re a global online marketing
agency managed from one of
the finest beaches on the planet.
Digital You Can Trust |
GET IN
TOUCH
Notas do Editor
Cookies are the keystone of tracking.
Cookies enable us to identify a user while collecting information about him and his interaction on site.
This enables us to a to calculate Return On Investment across our marketing activities.
Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by your web browser.
Cookies store a wealth of data, enough to potentially identify you without your consent. Cookies are the primary tool that advertisers use to track your online activity so that they can target you with highly specific ads.
Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and, therefore, subject to the GDPR.
A user visits your site for the first time
They are assigned a unique identifying tracking cookie
The anonymous visitor takes activity on the site
The activity is tracked and recorded: collected and sent to the tool
The user eventually converts
The visitor previous activity is assigned to the lead profile
When the visitor becomes a customer the conversion is attributed to a channel
The challenge of data privacy is to use data while protecting an individual's privacy
We (marketer) collect loads of information while users are navigating our sites.
And often, we just track users without asking for consent: well, since they don’t ask, we don’t tell. We forget to put the user’s first. A lot of the users used to give it away easily. So why not?
A lot has happened in the last couple of years (including data breach such as Cambridge Analytica), and users became more aware of the risks but also annoyed by the multitude of ads and retargeting they are subject to. They now are not only more protective and wants to know what we do with their data
Regulations and legislations are released across the world to help users and force companies to be more transparent on what data they collect and what they with it.
Gif: https://www.wired.com/story/wired-guide-personal-data-collection/
IMWT is global but data privacy regulations too. Our clients are around the world and their customers too.
We must be aware of each country regulations and advise our clients and tell them about their obligations.
We, as a marketing company, process, collect and control data.
It is our duty to respect these regulations and ensure that our clients respect them too.
Example of impacts for my stream: IMWT should never create a Google Analytics or Google Tag Manager container on behalf of our client. The responsibility falls upon us if we are the owners of the account.
https://www.dlapiperdataprotection.com/
https://www.privacypolicies.com/blog/privacy-law-by-country/
https://www.cnil.fr/en/rights-and-obligations
In all of the regulations across the world, I decided to take GDPR as example to show you the impact it has on tracking.
The General Data Protection Regulation is one of the most comprehensive data protection legislation that has been passed by any governing body to this point.
Since May 2018, GDPR entered into application. This set of data protection rules applies to any companies operating in EU.
The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
It reinforces the security and privacy of personal data of its customers and users, resulting in their trust. It allows people to have more control cover their personal data.
Source: https://gdpr.eu/
https://blog.signaturit.com/en/rgpd-data-protection-for-the-digital-era-in-europe
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
General Data Protection Regulation covers a lot but when it comes to regulations governing cookies (tracking), it is the Privacy and Electronic Communication Regulations (PECR) that takes over and that specify the privacy rights in relation to Electronic Communications. (including cookies)
https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/
https://gdpr.eu/cookies/
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.
The regulations that concerns tracking are under the PERC which stands for Privacy and Electronic Communications Regulations
They implement ‘the e-privacy Directive’.
The e-privacy Directive complements the GDPR (general data protection regime) and sets out more-specific privacy rights on electronic communications including cookies therefore tracking.
There are specific rules on:
marketing calls, emails, texts and faxes; cookies (and similar technologies);
keeping communications services secure; and
customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings
Under PECR, we must:
Receive users’ consent before you use any cookies except strictly necessary cookies.
Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
Document and store consent received from users.
Allow users to access your service even if they refuse to allow the use of certain cookies
Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
Source: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
https://gdpr.eu/cookies/
In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their provenance.
Duration
Session cookies – These cookies are temporary and expire once you close your browser (or once your session ends).
Persistent cookies — This category encompasses all cookies that remain on your hard drive until you erase them or your browser does, depending on the cookie’s expiration date. All persistent cookies have an expiration date written into their code, but their duration can vary. According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.
Provenance
First-party cookies — As the name implies, first-party cookies are put on your device directly by the website you are visiting.
Third-party cookies — These are the cookies that are placed on your device, not by the website you are visiting, but by a third party like an advertiser or an analytic system.
Purpose
Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.
Marketing cookies — These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.
What is ITP? Who heard of it? Don’t be afraid of saying you did not hear of it.
Who know what ITP stands for?
Intelligent Tracking Prevention is the privacy feature developed by Webkit, an open source browser engine which is used by Safari, Mail, and many other Applications on macOS, iOS, and Linux.
Facebook and Google: first-party cookies
Google Ads: Third Party cookie
Intelligent Tracking Prevention is Apple's initiative in the Safari browser (through Webkit) that is intended to prevent advertisers and other technologies from tracking and collecting information about users.
Apple has already released a couple iterations of ITP over the past few years (since 2017).
Previous iterations of ITP affected only third-party cookies, but then the major advertising platforms moved from third-party cookies to first-party cookies to mitigate ITP third-party restrictions.
Since ITP 2.1 (March), it concerns all types of cookies. ITP 2.1 was cut down to 7 days, ITP 2.2 cut it down to 24 hours.
Previously GA limit was 2 years, now for safari users, it is cut down to 24hours.
ITP 2.2 cuts the first-party cookie’s lifespan from seven days to one day.
https://webkit.org/blog/8828/intelligent-tracking-prevention-2-2/
https://www.riseinteractive.com/blog/safari-itp-update
https://metrictheory.com/blog/how-apples-intelligent-tracking-prevention-version-2-2-impacts-marketers/
https://headerbidding.co/intelligent-tracking-prevention-itp/
https://webkit.org/blog/category/privacy/
MacOS Mojave 10.14.5 & iOS 12.3 include the updated version of Intelligent Tracking Prevention 2.0: This was the most recent update by WebKit and it removes the 24-hour window previously granted for first-party cookies to track users across the web.
If you have the ability to block IP ranges or domain names through a firewall, then blocking Google Analytics for your whole network is another option. I generally avoid blocking services by IP addresses since the IP addresses can change without notice or multiple services might use the same IP address. If your firewall can block DNS requests to specific domain names, then adding a rule to block the domaingoogle-analytics.com and www.google-analytics.com would prevent Google Analytics. Keep in mind that Google Analytics is loaded over HTTPS, after the DNS request you most likely won’t be able to block the request unless you block IP ranges or if the server uses SNI.
https://geekthis.net/post/block-google-analytics/
System admins can use Firewalls to prevent certain domain from collecting data. It is not uncommon to have tools such as Google Analytics to be cut off at a network level.
Users can add ad blockers in their browsers. These ad blockers are usually targeting advertising and marketing platform but adblockers offer feature that enables to block tracking (such as Gostery). There are also option to outright Google Analytics or Google Tag Manager.
Cookie consent, intelligent tracking prevention and other browsers cookie handlers are preventing us from measuring properly user behaviour over multiple sessions.
After filtering out some users, how much do we actually see in our analytics? How much can we trust what we see, analyse and report on?
Traffic
Audience
Personnalisation
Attribution & conversion
Source: https://rickdronkers.com/blog/im-working-with-tracedock-to-improve-your-data-accuracy/
As a publisher, you can’t find your way out of the safari’s ITP alone. We need the industry to work together and devise a workaround (also a long-term solution) as soon as possible. But that doesn’t mean there’s nothing you could do. We see two ways as of now.
There are always workaround (server to server tracking, cookieless tracking) but IMWT and industry should embrace this change. should also advocating adoption of the only tracking method that cannot be interfered with by browsers, privacy and ad-blocking extensions, or even operating systems.
a. Prepping up for a Post-Cookie Era
b. Mitigating the Impact: workaround?
c. Help us help you
https://www.simoahava.com/analytics/itp-2-1-and-web-analytics/
https://headerbidding.co/intelligent-tracking-prevention-itp/
https://medium.com/adobetech/safari-itp-2-1-impact-on-adobe-experience-cloud-customers-9439cecb55ac
https://helpx.adobe.com/analytics/kb/adobe-analytics-anditp.html
https://www.simoahava.com/analytics/itp-2-1-and-web-analytics/
https://headerbidding.co/intelligent-tracking-prevention-itp/