



Do you want to learn if your website tracking is compliant with data protection laws? Read all about website tracking in this article.
If you're like most other online businesses, chances are that you track your users’ behavior on your website or app. You add trackers on your website which deliver data about users' behavior, you iterate and try new things, which eventually brings more money to your business. Data-driven business decisions are, quite often, the best business decisions.
The problem is that some of that data is personal data. It belongs to actual persons, and data privacy laws protect these personal data. These laws have some requirements you need to meet in order to track your users lawfully.
Website tracking is not illegal in and of itself. It is dependent on where you conduct business and how tracking is regulated. To assess whether your website is doing it correctly, you must first understand how you monitor your users, how you must track them, and what you must do to comply.
In this article, we will present you with:
Website tracking collects user activity data on a website or an app. Tracking aims to get insights into users' behaviors and desires.
When done properly, website tracking benefits both consumers and businesses. Some of the tracking purposes include:
There are many other purposes of tracking. The possibilities tracking technologies offer nowadays are endless. In all cases, there are some benefits for the users, the website owners, or both.
Tracking activities frequently require the processing of users' personal data. After all, personalization would be impossible without it. As a result, trackers that gather and process personal data exist on websites.
When you track data that can be used to identify a person, you endanger that person and violate their online privacy. This is where data protection laws come into the picture. Still, before explaining regulations, we need to dive deeper into tracking tech and understand what it does and why legislation constrains what you can do to improve user experience and advance your marketing efforts.
Tracking technologies follow website visitors in a variety of ways. New tracking methods emerge on a regular basis, but the most prevalent include cookies, pixels, IP tracking, tagging, local storage, and a few more.
When a user interacts with a website or an app, tracking technology may accomplish one of the following:
This is by no means an exhaustive list. Website trackers continue to improve and discover ways around privacy laws. New tracking technologies will emerge all the time, but these will remain the most common for the foreseeable future.
They are designed to collect data from a device, browser, or other location and transfer it to a server for storage and processing. There, software processes the data. This is often the third-party tool you've been utilizing for website analytics, marketing, advertising, debugging, or other purposes. That tool also provides you with insights that are valuable for your business and your work.
Websites and apps use several different technologies to collect data for processing. They work in different ways, but ultimately, they all aim to collect data for processing.
Using digital fingerprinting, the data controller can observe the attributes of the device and of the browser the user used to visit the website.
Fingerprinting collects data such as browser, operating system, version of the operating system, device type, font size, and similar data. While this data is not personally identifiable, it can be used to swiftly identify a person when combined with an IP address, which can then be linked to other personal data obtained from other sources.
Furthermore, digital fingerprinting enables the data controller and processor to track browser history and build a user profile based on the user's browsing habits.
Fingerprinting through a browser is sometimes referred to as browser fingerprinting, whereas fingerprinting through a device is referred to as device fingerprinting.
Cookies are the most widely used tool for tracking users via their devices. They are small text files sent by the website to the user's device in order to collect data.
If you have enabled cookie tracking on your website and a visitor visits it, the cookies are sent directly to their device. They help servers remember the user by generating a unique ID for them. In this way, cookies allow the website to remember users' choices and improve their online browsing experience. The server saves and reads the data stored in a cookie when users first connect, and it is identified with an ID unique to the user and their device. The server recognizes who the user is when it reads the unique ID.
This is how cookies assist you in tracking user behavior.
Cookies may be placed on your website by third-party services such as Google Analytics, various remarketing tools, email management companies, and so on. These third parties, your data processors, will deliver cookies to your website or emails. All you have to do is configure their SaaS to transmit cookies at the relevant times.
Every cookie has been designed to track a specific user’s behavior and collect a specific set of data. There is no single cookie that can track everything. Each one has its own purpose.
Depending on the purpose, cookies can be:
There are as many types of cookies as there are tracking purposes.
Multiple parties are involved in cookie-enabled website tracking. Cookies may be sent to the user's device by any of these parties.
Depending on who sends the cookies, you’ll hear about first-party or third-party cookies. You may also hear about fourth-party cookies and supercookies.
Cookies abound on the internet. To track your users, you must first understand what the parties do to make compliance easier.
First-party cookies are those that your website delivers to the user's device without the involvement of any other party (other types of cookies do involve other parties). The first-party cookies are set by the website's web server.
These cookies often record information about your interactions with the website, such as login information, shopping cart information, language preferences, dark/light appearance mode, and other similar functions.
Third-party cookies are set when the user reaches your website, but these cookies do not belong to your website. They are the property of third-party vendors who have integrated with your website.
Third-party cookie senders include advertising networks such as Google's Doubleclick. If you have a fitness equipment website and have Doubleclick cookies enabled, their cookie will track your user as they go across the website. They will collect information about users' interests and give them adverts based on the processed personal data.
These cookies can help in collecting various types of information, such as the pages visited, whether the visitor purchased anything from the website, where they clicked, and so on. They would do what they are configured to do.
Simply put, you've given a third party permission to deliver cookies through your website. That is a third-party cookie.
All cookies are either first-party or third-party; however, more types may exist. These are also first-party or third-party cookies (mainly the latter), although their names vary depending on their properties.
Second-Party Cookies. Technically, second-party cookies are third-party cookies. They are the cookies that your website shares with another website with which you have collaborated. Your website will collect the data they were designed to acquire, keep it on your website, and then send it to another organization with whom you have an agreement.
Keep in mind that most data protection rules now make this illegal.
Fourth-Party Cookies. Third parties can place more cookies on top of their third-party cookies. These are called fourth-party cookies.
They may set other cookies on top of their tracking cookies when they send them into your user's device.
Google also gives an example for these. Google's products include Doubleclick and YouTube. When you embed a YouTube video on your website, third-party cookies are used. However, Google may use third-party cookies to tell DoubleClick who has viewed your video. As a result, you may have DoubleClick cookies on your website without realizing it.
Supercookies. Cookies whose origin is a top-level domain or a public suffix are known as supercookies. Ordinary cookies are set for a specific domain name, such as secureprivacy.ai. A supercookie will come from .ai rather than secureprivacy.ai.
Because supercookies pose a security risk to users, web browsers frequently disable them.
Zombie Cookies. As previously stated, cookies are stored in a folder on your device. With a single click, you can erase all of the cookies in that folder.
Zombie cookies attempt to avoid deletion by storing themselves in directories other than the one designated for them. They are hidden and collect personal data without the user's knowledge. Furthermore, the user cannot delete such a cookie quickly because they do not know where to look for it.
Zombie cookies are illegal under data protection laws worldwide.
You'll frequently see the comparison of session vs. persistent cookies on the internet.
The main difference between the two is that session cookies are only retained for the duration of the visitor's session on your website before being removed. Persistent cookies, on the other hand, are stored for a longer period of time, usually until the user deletes them.
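The cookie categories described above can be checked on your own site by reading the `Set-Cookie` headers a page load produces. The following is an added example, not code from the original article: the function names, the sample headers and the four-entry public suffix subset are constructed for illustration, and `ads.example.net` stands in for an ad network host.

```javascript
// Constructed subset of the Public Suffix List; a real audit would load the full list.
const PUBLIC_SUFFIXES = new Set(["ai", "com", "net", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label; null for a bare suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.slice(-2).join("."); // suffix not in the subset: assume last two labels
}

// Split one Set-Cookie header value into the cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name: pair.split("=")[0], attributes };
}

// responseHost sent the header; pageHost is the site shown in the address bar.
function classifyCookie(header, responseHost, pageHost) {
  const { name, attributes } = parseSetCookie(header);
  const scope = typeof attributes.domain === "string" ? attributes.domain : responseHost;
  const sameSite = registrableDomain(responseHost) === registrableDomain(pageHost);
  return {
    name,
    party: sameSite ? "first-party" : "third-party",
    lifetime: "max-age" in attributes || "expires" in attributes ? "persistent" : "session",
    supercookie: registrableDomain(scope) === null, // scoped to ".ai", not to a site
  };
}

// Constructed headers, as they might be captured while loading www.secureprivacy.ai.
const SAMPLE = [
  ["lang=en; Path=/", "www.secureprivacy.ai"],
  ["uid=abc123; Domain=.example.net; Max-Age=31536000; Secure", "ads.example.net"],
  ["t=1; Domain=.ai; Expires=Wed, 01 Jan 2031 00:00:00 GMT", "www.secureprivacy.ai"],
];
const report = SAMPLE.map(([h, host]) => classifyCookie(h, host, "www.secureprivacy.ai"));
console.log(report);
```

A cookie reported as third-party and persistent is the kind that needs a documented purpose and, under opt-in laws, prior consent; one reported as a supercookie should be rejected by the browser and removed from the server configuration.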
Web beacons track website visitors through the server.
The most common web beacons are pixels and tags. Pixels are used by the majority of social media platforms, including Facebook, Instagram, Twitter, Pinterest, Quora, and others. Tags are used by Google to track users.
However, pixels and tags work the same way. There is no significant difference between the two. Some data processors refer to them as beacon tags, while others refer to them as pixels, although they all perform the same function.
Pixels, as the name implies, are trackers that appear on a website as a pixel on the screen. The pixel is added to the web page via JavaScript code. When a visitor visits the page, the pixel is downloaded along with it.
This pixel is often transparent, but it conveys vital information to the person who uses it: that a specific visitor has viewed a specific page or performed a specific action on the website. The pixel recognizes the URL and informs the data controller that the visitor has visited that page.
Facebook offers such a product (pixel) to businesses. When an eCommerce business owner employs the pixel, it is possible to determine which pages a certain user has visited. The store owner can then utilize that data to retarget the same person and persuade them to purchase the product.
For example, after the user has browsed the website's black shirt collection, the eCommerce store owner can retarget the same user and show them the same shirt a few more times via sponsored advertising in the hopes that it will be enough to convince them to buy the shirt. Furthermore, website analytics data reveals that people who buy black shirts that look like navy shirts could be targeted with navy shirt ads too.
When you see the same black or navy shirt following you around the internet, know that you've been tracked by a pixel. It is commonly utilized since it helps online sellers increase conversions.
If you're asking why rules limit the use of tracking technologies when they provide so many benefits to everyone, the quick answer is because they infringe on online privacy. All of these advantages come at the expense of privacy.
In fact, data protection rules are unconcerned about technology. They are concerned with safeguarding people's fundamental rights, especially the right to privacy.
There is an abundance of personal data circulating around the internet. That data is constantly at risk of being compromised. Furthermore, there are corporations that continue to watch consumers' internet activities, sometimes just for their own profit, such as marketing and advertising. Tracking and analyzing advertising data typically results in sophisticated client profiles to whom products and services are later provided. That is an invasion of online privacy; thus, data protection laws safeguard internet users.
That is also the reason why these laws do not prohibit any tracking technology. They simply establish restrictions for data processing. If you process personal data within limits, you can use any website tracker.
When it comes to legal requirements for website tracking, data privacy laws take two different approaches:
Simply put, if opt-in is required, you must not track users until they have given their consent to be tracked. Where only opt-out is required, you can track users indefinitely until they ask you to stop.
In many circumstances, data protection legislation such as the GDPR, ePrivacy Directive, LGPD, Thailand PDPA, PIPEDA, and many more data privacy laws similar to the GDPR demand an active opt-in by the user for monitoring.
However, not every opt-in is valid under the GDPR and other laws. You need to ask users for tracking consent in a way that ensures the data processing is legal. Take a look at our Data Processing Agreement Guide.
The consent request for tracking has to be:
In addition to the opt-in requirements, the GDPR requires you to provide users with the ability to opt-out of tracking as soon as they have opted in. This usually entails a simple and easy-to-access button in your privacy preferences for removing consent. Learn all about the GDPR cookie guidelines.
Data privacy laws such as Brazil's LGPD, Canada's PIPEDA, Thailand's PDPA, and South Africa's POPIA, to name a few, have the same or equivalent standards to the GDPR.
Aside from users’ consent, website owners can choose to track visitors based on their own legitimate interests.
Legitimate interests can be a thorny issue for many online enterprises. What constitutes legitimate interest has been subject to many interpretations on the internet, with the majority of them getting it wrong.
You should refrain from using this legal basis for data processing unless there are no other legal means to gather personal data. If you are certain that you must do so, make certain that you carry out the legitimate interests test appropriately.
In short, you need to ensure that your interests trump those of your users. You could, for example, utilize tracking tools to assure website security. However, when processing data for advertising reasons, you cannot rely on legitimate interests.
Read our in-depth article on legitimate interests as a legal basis for website tracking and data processing for more information.
When all you owe your users is the right to opt out of tracking, you can employ cookies, pixels, and other trackers as soon as you inform them about it.
In practice, this means displaying a cookie banner and using the cookies at the same time. You don’t need to seek permission. You don't even have to consider legitimate interests.
However, if your users have the right to opt-out of the processing of personal data, you must comply with such a request.
The user would contact you and inform you that they want all of their data removed from your servers or that they no longer want you to process their data. You have no option but to comply with the request.
Note that you should confirm the requestor's identity. You don't want to handle the wrong person's personal information. This could be a data breach.
To comply with the website tracking legal requirements, whether GDPR, LGPD, PIPEDA, CCPA, or others, you must first determine:
Since website tracking is automated, the only way to regulate it is through automation. Cookie consent solutions, such as Secure Privacy, are all you need to control how your website tracks visitors. You will easily comply if you have control over the tracking.
Secure Privacy solutions for website tracking incorporate the legal requirements of the GDPR, CCPA, LGPD, and other laws. They were designed to assure compliant tracking with a few mouse clicks.
The Secure Privacy solution gives you control over website tracking. If you need to wait until the user opts in, it will not allow cookies to be used before getting valid consent. But if you merely owe your users the right to opt out of processing, it will display the privacy notice and use the cookies at the same time.
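The difference between the two regimes comes down to when a tracker is allowed to start and whether it can be stopped again. The sketch below is an added example and is not Secure Privacy's code: `createConsentGate`, `fakeTracker` and `simulate` are hypothetical names, and the trackers are constructed stand-ins rather than real vendor tags.

```javascript
// mode "opt-in": nothing runs before consent. mode "opt-out": run until the user objects.
function createConsentGate(mode) {
  let allowed = mode === "opt-out";
  const pending = []; // registered trackers that are not running
  const active = [];  // running trackers with the stop function each returned

  const startTracker = (tracker) => active.push({ tracker, stop: tracker.start() });

  return {
    register(tracker) {
      if (allowed) startTracker(tracker);
      else pending.push(tracker);
    },
    grant() {
      allowed = true;
      while (pending.length) startTracker(pending.shift());
    },
    withdraw() {
      allowed = false;
      while (active.length) {
        const { tracker, stop } = active.shift();
        stop();
        pending.push(tracker);
      }
    },
    running: () => active.map((a) => a.tracker.name),
  };
}

// Constructed stand-in for a vendor tag; in a browser start() would inject the script.
function fakeTracker(name, events) {
  return {
    name,
    start() {
      events.push(`start:${name}`);
      return () => events.push(`stop:${name}`);
    },
  };
}

// Runs the same two trackers through a gate and returns what happened at each step.
function simulate(mode) {
  const events = [];
  const gate = createConsentGate(mode);
  gate.register(fakeTracker("analytics", events));
  gate.register(fakeTracker("ads", events));
  const beforeChoice = gate.running();
  gate.grant();
  const afterGrant = gate.running();
  gate.withdraw();
  return { beforeChoice, afterGrant, afterWithdraw: gate.running(), events };
}
```

Calling `simulate("opt-in")` shows no tracker running before the user's choice, while `simulate("opt-out")` shows both running from the first page view; in both modes `withdraw()` stops everything.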
It is critical to configure two things correctly for compliant website tracking:
If you have set this up properly, website tracking compliance will be easy to achieve and maintain. If you want to try it yourself, find the best plan for your organization and sign up here for a free trial.