惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 聂微东
A
About on SuperTechFans
Stack Overflow Blog
Stack Overflow Blog
雷峰网
雷峰网
Microsoft Azure Blog
Microsoft Azure Blog
腾讯CDC
爱范儿
爱范儿
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 【当耐特】
V
Visual Studio Blog
有赞技术团队
有赞技术团队
U
Unit 42
D
Docker
小众软件
小众软件
F
Full Disclosure
I
Intezer
Scott Helme
Scott Helme
P
Privacy International News Feed
P
Proofpoint News Feed
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
B
Blog
Martin Fowler
Martin Fowler
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Vercel News
Vercel News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Spread Privacy
Spread Privacy
宝玉的分享
宝玉的分享
S
Security Affairs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
月光博客
月光博客
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
Schneier on Security
Schneier on Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Threat Research - Cisco Blogs
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
H
Heimdal Security Blog
N
Netflix TechBlog - Medium
H
Hacker News: Front Page
P
Proofpoint News Feed
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
S
Schneier on Security

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
Web Analytics and Consent
Carlo Cilent · 2024-03-12 · via Blog of Simple Analytics

Last week we discussed cookies and their regulation under EU law and mentioned how non-essential cookies require consent. These are the sort of cookies that power cookie-based web analytics services such as Google Analytics and Adobe Analytics. Today we will dig more into consent and what it means for web analytics specifically.

  1. What does cookie consent look like?
    1. Consent is unambiguous
  2. Consent is specific
    1. Consent is informed
    2. Consent can be withdrawn
    3. Consent is freely given
  3. What are the most common issues with consent?
    1. Deceptive banners
    2. Cookie walls
  4. Conclusions

Michelin chose Simple AnalyticsJoin them

Let's dive in!

Before we head in, let’s go through a high-level overview of consent and cookies:

  • Web analytics cookies always need consent because they are non-seential.
  • GDPR consent is only valid when it meets specific criteria: it is freely given, specific, informed, unambiguous, and possible to withdraw.

So: analytics cookies require consent, and this consent needs to meet certain standards. This means that your cookie banner needs to be designed a certain way. But there is more to it, and while most of the rules are uncontroversial, some are hotly debated in the legal community.

Let’s dive in!

In a nutshell, the GDPR’s requirement for unambiguous consent means that only active, opt-in consent is valid. There is no such thing as an implicit or opt-out consent under the GDPR.

The rule of opt-in consent has important consequences for cookie banners. A well designed cookie banner uses affirmative wording such as “I accept cookies” or “I consent to the use of cookies”. This is different from merely acknowledging or understanding that cookies will be used.

Additionally, a well-designed website does not write cookies until users make a choice. Ignoring a banner or clicking a “close” button to dismiss it never, ever constitutes or implies consent.

Consent is only valid when given for a specific purpose. This entails that consent must be granular: when the same cookies are used for multiple purposes, then you need multiple consents- one for each purpose.

In practice, the best way to collect granular consent is to use your web analytics cookies for web analytics only. This allows you to collect a separate consent for other cookies such as user authentication cookies, and to write essential cookies without user consent (which is absolutely fine under the law).

This requirement is intuitive: if I don’t know what I am consenting to, then I am not really consenting in any meaningful way. I do not necessarily need to understand all the tiny technicalities about your web analytics, but I do need to understand the facts that really matter for my decision: who takes my data, what data they take, for what purpose, and with what potential consequences.

In practice, this means that a cookie banner should:

  • Tell the user what the cookies are for.
  • Use clear, accessible, accurate language.
  • Tell the user with whom their personal data will be shared. For Google Analytics, this includes Google and its advertising partners.

This information needs to be concise and in plain English. In practice, it is usually a good idea to deliver the most crucial information through the cookie banner and link to a cookie policy with more in-depth information.

Consent is revocable. You should allow users to review their cookie preferences and easily opt out of any cookies they might have agreed to.

Please note that the withdrawal of consent sometimes comes with a request for erasure. In that scenario, you get a deadline for deleting all the data from the requestor. This means all the web analytics data that relates to their cookies and the unique ID they contain.

Most companies don’t think about this stuff when they set up their web analytics and have no clue what to do when they get a request for erasure. We can’t go into too much depth here, but an organization should, at the very least:

  • establish a clear procedure for handling requests
  • ensure it can easily retrieve and delete data from individual users. For web analytics, this means being able to filter data points by unique IDs.

The GDPR requires every consent to be freely given. This is why your hospital cannot collect consent to the use of your data as a requirement to provide health care, and why employers should refrain from having employees sign GDPR consent forms. You have no meaningful choice when witholding consent means dying or losing your job.

Two compliance issues have surfaced lately with web analytics. Deceptive cookie banners are found all over the Internet and try to nudge users towards accepting cookies they do not really want, while cookie walls require visitors to pay to get rid of cookies.

Both of these issues are fairly controversial in the privacy community. Let's see what the fuss is all about, and what it means for web analytics

Accepting cookies is always easy as pie, but rejecting them usually requires you to jump through hoops. This is a deliberate design choice: many banners nudge users into accepting cookies by making the rejection process to be as annoying, confusing and time consuming as possible. Visitors often give in because they don’t have the time or patience to figure their way out of every cookie banner they see.

Deceptive designs look like a good solution for websites. After all, the user clicked “I accept”, so everything should be fine. Right? Not quite. If consent was extorted through deception and exhaustion, then it is neither free nor unambiguous.

Thankfully, the European Data Protection Board took a stance against deceptive cookie banners. Its stance is not unanimous but is shared by the vast majority of enforcers. We are starting to see some serious enforcement, too.

Bottom line: if you really need to use cookie-based analytics, be on the right side of the law and make your cookies easy to reject. Make sure that the “reject all” button is clearly visible, clearly worded, and available on the first level of the banner’s interface!

(And yes, this means that many users will reject your cookies.)

Some cookie banners do not include a “reject all cookies” button and offer a different choice instead: users can either accept cookies, or sign up for a paid subscription that allows them to browse the site without cookies. In other words: pay with your money, pay with your data, or leave. These banners are referred to as cookie walls and are typically used by digital newspapers.

Cookie walls entail a commodification of personal data that a part of the privacy community considers undesirable at best and unlawful at worst. Proponents of cookie walls say that publishers cannot provide content for free and need ad revenue to keep up the work. Critics of cookie walls point to contextual advertising as an alternative source of revenue for publishers and observe that a fundamental right such as data protection cannot be commodified (they are right, by the way).

In practice, your mileage with a cookie wall may vary depending on your jurisdiction. For instance, cookie walls are used by many German news outlets because regulators tend to be somewhat lenient on that front.

We really dislike cookie walls, but if you really want to implement one, it might be prudent to wait for a while. Meta took a page from news outlets and implemented a pay-or-ok subscription schemes in an attempt to justify its aggressive surveillance-based advertising. European regulators will soon need to take a stance on Meta's approach, and once they do, their position on cookie walls will probably become clearer as well.

(By the way: pay-or-ok is a really big deal for the future on the GDPR! If you are curious about this crucial privacy topic, feel free to check out our blog on Meta subscriptions.)

Conclusions

Overall, consent rules for web analytics are fairly stringent in the EU. This creates a problem for cookie-based analytics: strategies that lead to good opt-in rates for cookies, are likely to violate the law. Websites are stuck between a rock and a hard place, as they have to choose between low opt-in rates or a compliance risk.

This is why many companies are moving towards cookieless analytics solutions. And we are proud to offer the most privacy-friendly one!

Simple Analytics is the cookieless web analytics solution that collects no personal data. This makes it trivial to comply with the GDPR and other privacy legislations. Our service is also easy to learn and navigate, thanks to our intuitive UI and handy AI assistant. If this sounds good to you, feel free to give us a try!