Recently, AEPD has published a guide informing us that we can track website traffic without consent.
We have invested more than 3 hours re-reading this document, plus a meeting with a well-known expert at the intersection of privacy, marketing and tech: Sergio Maldonado CEO of PrivacyCloud and more than 2 hours written this piece of content.
Here, you’ll find what I’ve learned and what you can apply in your business:
Table of Contents
Track without consent:
Yes, you’ve read correctly; since 11th January 2024, you can track your site visitors without consent! This norm is opposed to regulations in the EU. But, sincerely, this regulation is as well opposed to Spanish regulation!
So, I think (personal opinion) that the future of web analytics started in France some years ago, and now Spain accepts no-consent for tracking purposes.
Do I agree with this resolution?
I have been developing SEALmetrics for over 1.5 years and developed my marketing attribution technology in 2014. I wanted to say that I’ve suffered all normative changes on my technologies for the last ten years.
In these ten years, I’ve never criticized or put in question or doubt about the regulations or regulators. However, some marketers and data analysts said regulators had no idea about tracking campaigns or digital business…. I assumed that regulators knew much more than me about citizens’ fundamental rights.
Regulators are doing a great job because they are fighting against the pressures of tech giant companies. I believe the most straightforward resolution for them was to give tech giant companies the reason. Instead, they create and adapt regulations and directives to protect our fundamental rights. However, these new regulations can hurt my business (sealmetrics.com).
AEPD has published a change that can shake the web analytics industry, at least in Spain.
I feel this change in the regulation hurts SEALmetrics. Because AEPD says that it’s the same as tracking with cookies, fingerprinting, or isolated hits, this is wrong!!! As you know, SEAL doesn’t track users. Why does AEPD consider that SEALmetrics can hurt users’ privacy?
Even thinking the AEPD regulation change hurts SEALmetrics, I have to say that I agree with this change in 85%.
Why? Keep reading:
What kind of technology can track without consent?
Wrooooong question 🙂
This is the GREAT POINT. Here is the key:
AEPD doesn’t focus on the technology (input). They focus on the reports (output).
You can track your website traffic without consent regardless of the technology that you’re working with:
- 3rd party cookies: Yes, you can track w/o consent.
- 1st party cookies.
- Server-side tracking.
- Local / Session storage.
It’s like AEPD says to the analytics market: It doesn’t matter your technology, it matters what information you’re going to see of users.
What are the conditions to comply with for tracking without cookies?
AEPD has understood that they will be one or more steps behind tech companies if they create a norm based on the type of technology or technology requirements.
I think AEPD has wisely created this directive once they have learned that (especially Google and Meta) Big Techs will always invest resources to keep tracking as much data as they can.
Let’s go into some examples from Google. How does Google keep tracking once users reject to be tracked? (rejecting cookies through the setup of the browser):
- Google Ads’ Enhanced Conversions.
- Conversion Linker.
- URL Passthrough (with consent mode v2).
- gad_source, gbraid, wbraid parameters
AEPD has learned that the technology limitations they regulate don’t matter; Big Techs always find a technology that can avoid the latest regulation. So, instead of focusing on tech, AEPD has focused on the output and the report.
You can track without consent only to check the reports that are completely necessary to manage a website. I repeat, manage your website; AEPD doesn’t talk about campaign performance or marketing reports….
Thanks to these reports, you can track without consent:
What say AEPD about the reports:
The AEPD considers that for the proper administration of an Internet site, only the following measurements are strictly necessary:
- Traffic page per page. (daily refresh)
- Referral traffic (internal or external). (daily refresh)
- Device, Browser, Screen size. (daily refresh)
- Load time. (hourly refresh)
- Time per page, bounce rate, scrolls. (daily refresh)
- Statistics of users actions: Clicks, selects,… (daily refresh)
- Geolocation (daily refresh)
As you can see, you cannot track in Real Time.
All web analytics solutions that show other reports (output) than the listed should ask for consent.
Let me repeat: All the reports that are not strictly necessary for the proper administration of an internet site must ask for consent.
These cookies or similar technologies that can work without consent should not result in the data being cross-referenced with other processing operations or in the data being transmitted to a third party, for example:
- Send Google Analytics data to Google Ads audiences: Consent is required.
- GA4 > Hubspot. Consent is required.
- Adobe Analytics > Salesforce. Consent is required.
- SEALmetrics > Google Ads. Consent is required.
The data you collect without consent can’t be synced/merged with other data.
You can’t work without consent if you’re going to track users cross-domain or cross-app.
Why Marketers will hate this regulation
- Basically, because marketers cannot track conversions per UTM without consent.
- Marketers can’t track revenue, conversions, or ROAs per source, medium, campaign, or term.
- They can’t sync analytics data with Google Ads to generate Audiences.
Minimum guarantees if you’re going to work with no-consent-required data:
- The lifespan of these cookies or similar technologies will be limited to a period that allows a meaningful comparison of audiences over time, as is the case with a duration of thirteen months, and will not be automatically extended on new visits;
- The information collected through these cookies or similar technologies will be retained for a maximum period of twenty-five months;
- The aforementioned lifespan and retention period will be subject to periodic review to be limited to what is strictly necessary.
Guarantees that you must ask a consentless analytics provider:
- Have a contractual commitment with the provider that meets the requirements of Article 28 of the GDPR, which explicitly states: a) The obligation not to reuse the collected data under any circumstances within the framework of the contract. b) Restrict the processing of data to the purposes previously established as strictly necessary.c) Comply with the guarantees established for serving multiple publishers. d) Ensure that any data transfer outside the European Union complies with the compliance conditions set out in the GDPR.
- Conduct and document an evaluation, either by itself or by an independent third party, on whether it is possible to configure and whether the tools provided by the provider are configured to ensure compliance with the requirements listed in the previous section.
How this regulation will affect Google Tracking Services:
I’m going to explain directly to the point:
GCLID Goal: Assign conversions to a Google click ID.
Track conversions by “source”, campaign, term, or whatever (GCLID) is not strictly necessary for the correct website administration, so requires consent.
Google Ads Enhanced Conversions:
Goal: Track Google Ads’ conversions when users reject cookies.
Track conversions by “source”, campaign, term, or whatever (GCLID) is not strictly necessary for the correct administration of a website, so requires consent.
Google Consent Mode v2:
Google CM v2 is a “suite” of tricks created by Google to keep tracking conversions and generate audiences when users reject to be tracked.
Google CM v2 helps Google to assign conversions to a GCLID and, on the other hand, create audiences thanks to FLoC, Topics API… Both goals are NOT included as a condition to track without consent!
The AEPD has achieved with only 5-page document, written easily understandable, to deactivate all the tracking and audience generator suite developed by Google through Consent Mode v2.
Why do I disagree with 15% of this change of regulation?
Because AEPD thinks SEALmetrics is tracking traffic in the same way that fingerprinting technology or cookie-based trackers.
SEALmetrics doesn’t track individualized users, so SEALmetrics can’t hurt the users’ privacy.
Having the same obligations as other tracking techs that are more intrusive to the users’ privacy than SEALmetrics is unfair to SEALmetrics.
We have been working on adapting SEALmetrics to this enormous change for the last few days. These were sincerely tough days because our entire 2024 road map was shaken drastically.
But we know we are in front of a huge opportunity to make the internet a place where our privacy will be more protected.
From SEALmetrics, we think all the regulations that protect users’ privacy, even when unfair to us, are good for the citizens and society. So, we aim to adapt as soon as possible to the new changes instead of wasting time screaming that it’s unfair.
Everything a marketer needs to know about privacy
The Newsletter for Privacy Marketers. A post a day.
Introduction to the Importance of Cookie Regulations: As the internet has grown, so too has the reliance on cookies. They track users’ online behaviors, preferences, and even their most personal...