Are 3rd-Party Cookie Alternatives GDPR-Compliant?
Privacy & Compliance | March 23, 2023
The CNIL has identified four primary alternatives to third-party cookies. Commonly used to circumvent the blocking of third-party cookies: fingerprinting, unique identifiers, single sign-on (SSO), and cohort-based tracking.
What is Fingerprinting?
Fingerprinting, or browser fingerprinting, is the process of differentiating between users based on the technical characteristics of the web browser they are using. Typically, the hardware used by the user will give a certain amount of information to the browser, such as operating system, screen size, and IP address, that allows the browser to display the website correctly. This information, when parsed correctly, can be used to identify individuals and track their behavior. Log files may also be used to identify visitors to a network or website.
What is Single Sign-On Tracking?
Single Sign-On (or “SSO”) is not strictly a tracking technology but has evolved to accommodate such use cases in recent years. In a single sign-on service model, users are able to log into a single portal, which gives them automatic log-in access to a multitude of websites or applications. For users, this presents several benefits in terms of security and convenience–the most obvious being that users must only present one set of credentials for access, rather than memorizing separate credentials for hundreds of websites.
However, SSO systems also present a secondary benefit to the system owners: they give an overall and consolidated view of users’ browsing on all the websites, applications, or services using the SSO platform the user account becomes a tracker that follows the user during his/her browsing.
Google and Facebook, the global leaders in online advertising, offer two of the most popular free single sign-on options on the internet.
What are Unique Identifiers?
Unique identifiers, also known as mobile ad ID (MAID), are anonymized deterministic hashed data that is assigned to individual devices. For example, The Identifier for Advertisers (IDFA) is an anonymized unique identifier assigned by Apple to a user’s device that allows applications to track user behavior across other apps or websites. This is typically done for the purposes of ad targeting and personalization.
Unique identifiers are often used in combination with fingerprinting, one being used to enable the other.
What is Cohort-based Targeting?
In light of regulations like the GDPR, and a general shift away from third-party cookies, advertising stakeholders, such as Apple or Google, are developing what the CNIL calls “cohort-based targeting systems.” According to the CNIL, these solutions, such as Google’s Privacy Sandbox, “aim to reproduce the current possibilities of cookies in the context of targeted advertising, while attempting to implement limitations in order to reduce the intrusive nature of these practices.”
These limitations could mean avoiding targeting individuals by instead targeting groups with similar characteristics, providing only aggregated results to advertisers (without view to individual data), or obfuscating certain operations, such as ad auctions, from advertisers, to keep individual data anonymous.
Google’s current approach to cohort-based targeting, known as the Federated League of Cohorts (FLoC), works by identifying groups of individuals with common browsing behaviors and characteristics and assigning those users to a “cohort.” Each cohort will have a unique and persistent identifier, which is stored on the user’s browser. The browser would then communicate the cohort ID via API to websites. In this manner, site owners and advertisers would only receive information about cohorts, and not about individual users and their behavior.
.In principle, this cohort-based targeting is less invasive than current techniques utilizing third-party cookies, but the CNIL warns that further evaluation is necessary to ensure that such techniques uphold user privacy and data minimization requirements. Particularly, the DPA identifies the re-identification of users as a risk.
What is the CNIL’s Guidance on Alternative Tracking Technologies?
First and foremost, the CNIL guidance states that “the development of alternative [sic] to third-party cookies must not be made at the expense of the Internet user’s right to protection of their personal data and privacy.”
In essence, that means that using these alternatives is not a valid excuse to skirt the spirit of the law regarding user consent for tracking. The use of these techniques must not only be GDPR compliant, but also compliant with the ePrivacy Directive, an EU law focused on protecting privacy and personal data in electronic communication.
Consent is Required, Even Without Individual Targeting
These regulations guarantee the protection of not only private communications and data, but also access to terminal equipment, such as smartphones and desktop computers.
Because the techniques outlined above all rely on access to the user’s terminal equipment in order to gain access to information already stored in this equipment (such as advertising or cohort-based identifier) or to record information into it, in the same way as for cookies, the CNIL has identified user consent as a crucial requirement of their use.
According to the CNIL, these operations “require the prior consent of the user, whether or not personal data are processed, insofar as they are not directly part of the service directly requested by the user.”
And where consent is required, it must be solicited in a manner compliant with the GDPR, i.e, users must be able to choose freely and in an informed manner whether they want to consent to or reject such tracking.
The Bottom Line
In short, “tracking for advertising purposes, when based on browser or terminal information, must rely on the informed choice of the Internet user, regardless of the technique used.” Therefore, the CNIL’s guidelines and recommendations on cookies and other tracking devices also apply to the use of these techniques.