The most important questions and answers about the cookie topic

PIA Group | HORIZONT - 2020-01-07

The e-privacy regulation is one of the great specters of the advertising industry. However, the tightened data protection legislation is still a long way off. Accordingly, there is great uncertainty among advertisers as to what is right or wrong under the law. In his guest article for HORIZONT Online, Dirk Kall, Managing Director at PIA, aims to shed light on this issue - with the most relevant questions and answers.

First published by HORIZONT | A guest article by Dr. Dirk Kall

For almost three years now, the EU has been discussing the e-privacy regulation. But after the EU Parliament strengthened the Commission's legislative proposal in autumn 2017, there was a two-year period of radio silence. On 22 November 2019, another agreement on a draft for a new type of regulation presented by the Council Presidency failed again. For advertisers, it now means waiting even longer and worrying about what a future regulation will look like and to what extent the cookie will still be allowed. At the moment, every website implements cookie request and tracking differently - from detailed to very general queries. This is a clear sign that there is great uncertainty among advertisers about what is right under the legislation. This is why it is important to have answers to the most relevant questions.

Back to Basics: the Cookie

The cookie, or rather the data stored with the help of (marketing) cookies, is the basis for personalised online advertising - without this code snippet, there would be much greater wastage. In addition to marketing cookies, there are also technical cookies that are necessary for the website to function. The best example is an online shop where a user adds selected products to the shopping cart and continues to browse the site before making a purchase. The cookie uses a unique ID to store the respective shopping cart and the items it contains for the respective user.

There are three different types of cookie tracking: full tracking, anonymous tracking based on the current session and no tracking at all. With the former, a visitor cookie is set for the website visitor. Each device is thus clearly identified. The advantage is that this cookie remains. This means that if the visitor calls up a website on the same device again, the new call of the website is assigned to the already known visitor. This enables the website operator to analyse the behaviour over several visits.

A so-called session ID is used for anonymous tracking. Neither the IP address nor personal data such as the visitor's order or customer number is stored and the data collected is automatically deleted as soon as the user leaves the website. This means that anonymous tracking is not subject to the provisions of the DSGVO and potential e-privacy regulations. An opt-in by the user is not required here. However, the data is only collected and allocated within a session. There is no relationship between two sessions on a device. No permanent cookie is created, only a session ID is used. In contrast, no tracking at all means no stored data that provides information about user activities. Thus no activity of the website visitors is recorded.

From theory to practice: data protection compliant tracking

In reality, however, the implementation is not so easy, as there are no clear guidelines for the query (e.g. info banner) of website visitors on cookie use due to the lack of an e-privacy regulation. The so-called ECJ Cookie Judgement of October 2019 provides guidelines for the opt-in for setting marketing cookies, but these are not yet national legislation. One thing is certain, however: The user must always be informed about the use of any kind of cookie - including non-marketing cookies and be able to object to this.

In addition, he must explicitly agree to the use of marketing cookies. In practice, the following process has proven itself in relation to the various forms of tracking: A customer visits an online shop for the first time. This means that anonymous tracking based on the current session is possible, as it is not subject to the regulations of the DSGVO. No visitor cookie is created. At the same moment the new visitor gets a cookie banner displayed. So he has two possibilities: He agrees, full tracking is possible and a visitor cookie is set. Or he clicks it away. Thus the tracking remains anonymous and only within the session. However, website operators should also give users the opportunity to object to this. As a rule, the "Do not track" is found on the data protection page and can be activated there by the website visitor with a click. A "Do not track" cookie is then set, which completely prevents tracking. Alternatively, site operators can also integrate the objection option directly into the cookie banner.

Anonymous surfing vs. personalised approach: relevance and effectiveness

Some users completely disable tracking. But most of them simply click the banner away to see the content of a page undisturbed. Therefore many people ask themselves how good session data is with anonymous tracking. For most analyses, session-based data is completely sufficient, for example for the analysis of click paths or the checkout process. Marketing measures can be evaluated in a standardized way according to last click, which is usually sufficient for a comparison of the effectiveness and efficiency of channels and campaigns used. However, multi-touch attribution across multiple visits and channels can no longer work across the board as it used to, if the legal framework is strictly interpreted. But: Only the future e-privacy regulation will finally determine what is still allowed in online marketing and what is not.

However, I do not believe in exclusively anonymous tracking. However, where there is no consent of the user (Consent), there will have to be anonymous tracking and thus largely unpersonalized advertising. All advertisers basically have the same opportunities. Unless the ad is placed in a closed network with preset content. In that case, the big tech companies outside the EU would indeed have an advantage. However, promoting this cannot be in the industrial policy sense of the legislative EU.

"It is quite rightly said that the effectiveness of advertising depends on its relevance. And it is significantly higher if the provider knows who is getting the advertising.

However, it is quite rightly stated that the effectiveness of advertising is determined by its relevance. And it is significantly higher if the provider knows who is getting the advertising played out. To do this, advertisers need user data, which is available without identification but not on a personalized level for the entire user journey. Purely anonymous tracking means: Despite existing technologies, the advertising industry is falling back into the Stone Age. It is often forced to place purely environmental ads that perform worse and are therefore more expensive. Nobody wants that. Not even the users. All studies show that personalised advertising is much more effective and accepted than standard advertising. Especially as the latter would also be reflected in an increase in the number of digital advertising spaces due to the lower effectiveness. And the users certainly do not want that either.

The advertising industry in search of cookie alternatives

Contextual or even location-based targeting offer an alternative to playing out advertising without cookies. There are also other ways to store data permanently on a device, for example by using local storage. Here, information on user behavior is stored locally in the browser. The advertiser usually does not have access to it. The storage of data in local storage is subject to the same legal basis as cookies, so consent is also required here.

It is undisputed that alternative tracking strategies will become more important in the near future. Activities range from browser-specific Advertising IDs (assigned by the end device used, it is sent to advertisers in order to display advertising in a personalized way) to the use of digital tokens for each user (a kind of session ID that assigns several website visits to one user).

The 'cookie wastage': first-party vs. third-party cookies

Basically, a distinction must be made between first-party and third-party cookies. In the first-party area, cookies are still very stable in use. The so-called cookie loss, the loss of traffic as a consequence of the new regulations on user content, is not yet a problem here. This is only one side of the coin, however, because without collected content no tracking cookies should be set and used. Since purely session-based, anonymised evaluations are still possible, however, there are no major disadvantages for the providers with first-party cookies.

When using third-party providers and third-party cookies, the loss of traffic is already a major challenge, for example when measuring the success of advertising. The large providers solve this by switching to first-party tracking, which is much less sensitive. However, this does not allow all evaluations to be carried out in the same form. A further challenge is posed by classic retargeting or behavioural targeting. Here we have seen a decline of about ten percent of the addressable range due to the latest Firefox browser update with standardized third-party cookie blocking. The short-term solution here is to switch to providers with log-in information and opt-in by their users, and to use cookie-free app traffic to display banners.

In addition, we will see data-based offers from marketers possibly more 'in their own silo' again. In the future, marketers will increasingly be able to offer their own targeting on their websites (Owned & Operated).

The future of the cookie

In my opinion, cookie-based advertising outside the closed networks will remain the means of choice for the time being. However, the DSGVO requires the consent of the user. This, however, on a level that is (bearable) for both sides - provider and user. For the future of e-commerce and marketing, it remains to be seen what exactly the future e-privacy regulation will actually contain. However, it is high time that all providers prepare themselves now - if they have not already done so - for all eventualities.

One thing is certain: Where there is no consent from the user, in future there will have to be anonymous tracking and thus largely unpersonalised advertising. Because of the lower effectiveness, more digital advertising space will be created, which will make ads more expensive and increase the lead of the large US tech companies. 

In principle, online marketing will, of course, continue to exist on a significant scale even after the introduction of an e-privacy regulation of whatever form. The only question is how both the advertising companies and the users will adapt to the new laws. However, we can still only speculate here. In any case, the current situation serves neither one side nor the other and should be ended by politicians as soon as possible.

Share this article