Are Browsers Pushing for a Cookieless Future?26th May 2020 –
With Safari ITP and Firefox ETP leading the efforts, and Google recently joining, internet giants are hard at work to come up with a uniform legal framework setup.
For businesses using A/B testing tools and personalization who want to extend the time they show a personalization or variation to the same person — for example, upwards of 7 days — the best solution is moving to DNS over HTTP(s), also called a CNAME setup, to set first-party cookies.
This is a controversial move. Read on (or watch the video below) to see why we recommend it and how you can use it (or not) properly.
What Do Browsers, Europe and the CCPA Want for Users?
In Europe, setting cookies (even for analytics, A/B testing or personalization purposes) without consent is a questionable practice, since some of them contain personal data and that’s a BIG issue.
Browsers like Safari and Firefox (and to a lesser extent, Chrome) also want to protect their users from these types of cookies, which are used to build users’ profiles and buying interests. This information will then be sold and used to target users on other sites. The ad seller will make a higher profit on an ad placement with verified intent vs on a plain ad impression. Ad industry leaders understand that the way forward is less tracking and more ad placements that match user intent on the page (by using content ad matching).
This shift is significantly changing the online ad industry. We now have companies reach out with requests like: “change your DNS for CNAME in this 2-minute job and we continue business as usual”.
This practice introduced the term CNAME Cloaking and BAM, we are entering the dark side of the useful CNAME function. Ad networks can hide behind a company subdomain and keep collecting personal information and building profiles for higher ad revenue.
This is exactly what browsers and European laws are trying to prevent.
Let’s talk about the idea behind these laws and the browser technologies that are rolling out. They are meant to offer transparency to website visitors and have them explicitly agree to requests. They are also meant to prevent hidden data collection and the creation of personalized profiles without the users being aware of it.
The web is slowly becoming a creepy place where a few large players know more about you than your life partner.
Stop doing that! You need to stop giving ad networks so much access to your users’ data. Period!
Technology Hack or Permanent Battle?
You may see this as a cat and mouse technology game that you can win, but all you’re doing is postponing the inevitable.
In doing so, you are limiting your other marketing efforts that are still considered safe.
Browsers or privacy laws don’t want you to lose your conversion as a marketer once you are shown an ad (even if it’s a month from now). They don’t mind you using a universal login for multiple sites or using anonymous analytics on your site to measure the impact. They mind, however, that you (or your provider, Google or Facebook) snuck in tracking scripts everywhere to build user profiles at the same time. Users wanted to log in, not share that they logged in with Facebook and now would be pushed to +1 some ad category that had their interest. If you do that, they will cut you off, but new initiatives will help you collect that conversion (read on…)
Webkit, the organization behind ITP in Safari explain this in their Tracking Prevention Policy:
There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be an unintended impact. These practices include:
Funding websites using targeted or personalized advertising (see Private Click Measurement below).
• Measuring the effectiveness of advertising.
• Federated login using a third-party login provider.
• Single sign-on to multiple websites controlled by the same organization.
• Embedded media that uses the user’s identity to respect their preferences.
• “Like” buttons, federated comments, or other social widgets.
• Fraud prevention.
• Bot detection.
• Improving the security of client authentication.
• Analytics in the scope of a single website.
• Audience measurement.
When faced with a tradeoff, we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.
However, we will try to limit the unintended impact. We may alter tracking prevention methods to permit certain use cases, particularly when greater strictness would harm the user experience. In other cases, we will design and implement new web technologies to re-enable these practices without reintroducing tracking capabilities. Examples of these include Storage Access API and Private Click Measurement.
I’m sure other browsers share this idea.
Although their technology and speed of implementation might reflect their politics and vision, they are all working towards increasing transparency and opt-in of users in one or another. A useful tool to track all their efforts is Cookie Status by Simo Ahava.
CNAME as a Temporary Solution
When you use services like CookieSaver and TraceDock, which pretend to give you back the “business as usual”, and the focus is on what you “think you’re missing”, you might miss the logic behind the new privacy laws and browser changes.
But be clear, some cookies you should keep off CNAME! It’s a new world where people choose if they want to give up all their privacy for comfort and opt-in and log-in. You can’t keep taking privacy away from people to meet your business goals. You cannot be that selfish anymore. You need to trust that by doing the right thing, your business will grow. Trust and measure….
Browsers like Chrome and Safari are working on initiatives that will give you access to personalized user information that the user approved. Some personalization will be possible based on those (they’re still two years away).
Chrome and Webkit (Safari) are working on technologies that allow you to get the ad conversions back using an API. This means you’ll be able to keep doing some attribution and even track conversions 3-60 days from the impression day.
The problem with this is that the privacy laws are enforced now, while these alternatives are not yet available.
Just because CNAME may be an option right now to extend the tracking of ad networks and allow them to build personal profiles, it does not make it a viable long-term solution.
It’s the browsers intention to protect users from this. If you extend the life of cookies that allow building profiles of users on your site and retarget them elsewhere, or even worse, build user profiles and sell them… that is when browsers and third-parties will start building blocking lists for such dubious networks.
You should stop supporting any system that builds personal profiles outside of your domain. This is what users, browsers and privacy laws want. It’s what will bite you if you don’t. Be sure someone will expose your brand for doing this.
This practice could also add a security risk to your website.
When you move ad trackers that have a third-party cookie to a first-party cookie using CNAME, this adds the risk that their scripts can read authentications and login cookies of your users.
Most articles about CNAME Cloaking focus on ad systems building profiles on users. We would like to distance ourselves from this practice.
A/B testing and personalization tools have had first-party cookies for years. They have already been able to manipulate the entire site and login systems as part of the system they have. For those types of tools, nothing changes using CNAMEs except the experiences could be consistent for 30-60 days instead of 7 days.
European ePrivacy Regulations are Following Browsers
Europe is working on its latest drafts of the ePrivacy Regulations that allows placing cookies for analytics and website optimization. This sends a clear signal that, from now on, only essential cookies, like storage of login sessions or products in shopping carts, also analytics and A/B testing for the benefit of the user, will be allowed.
On 8 November 2019, the Finnish government issued a revised proposal for the ePrivacy Regulation with some amendments.
Gaming Tech Law sums it up as:
For A/B testing purposes, you most likely don’t need consent and can place cookies without problem, as the latest draft of the ePrivacy Regulations (Nov 2019) statesin article 21a:
Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example of website design and advertising or by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site, which always requires the consent of the end-user.
The ePrivacy Regulations draft focuses on the idea that tracking and analytics are allowed without consent, as long as they’re not used to build user profiles, as mentioned in article 17AA:
As end-users attach great value to the confidentiality of their communications, including their physical movements, such data cannot be used to determine the nature or characteristics of an end-user or to build a profile of an end-user, in order to, for example, avoid that the data is used for segmentation purposes, to monitor the behavior of a specific end-user or to draw conclusions concerning the private life of an end-user. For the same reason, the end-user must be provided with information about these processing activities taking place and given the right to object to such processing.
What will the final draft say?
We will have to wait for the final version of the Regulations and then for national laws to really start discussing the guidelines more in-depth. But the current ePrivacy Directive gives good hope for A/B testing. Paul Schmitt pointed out to me that even though the ICO (the UK privacy authority) and the CNIL (the French privacy authority) regulated that cookies for A/B testing and analytics needed consent, the CNIL’s latest guidelines (in French) from Github say otherwise. Here’s a translation:
Benefit from the exemption from consent, subject to a certain number of conditions, cookies used for audience measurement are exempt from consent. These conditions, as specified in the guidelines on cookies and other trackers, are (1) inform users of their use; (2) to give them the power to oppose it; (3) to limit the system to the following purposes only: audience measurement and A/B testing.
To summarize, both browsers and the privacy laws want the same thing. They are not here to stop your efforts to analyze users (on your site) or to do A/B testing to improve and optimize user experience.
No Cookies… Let’s Use Fingerprinting
Fingerprinting means building a unique identifier by combining multiple properties that by themselves are not unique to you, bypassing browser restrictions on cookies, and even being able to track you across devices (it’s something cookies can’t do).
Some of these properties are your IP address, your operating system version, your browser version, your computer language, your time, the size of your screen, the pixel density of your screen, how fast your computer is, and the list goes on and on.
You may consider not using cookies at all for specific techniques. However, this does not mean you can forego transparency and privacy concerns hiding what you do to the individual visitors server-side or on the CDN edge. That is one reason we promote absolute transparency on testing and personalization efforts that are running on our site.
You might set up A/B testing on the edge without cookies (on Fastly), but that isn’t transparent and can be frowned upon. Browsers are limiting the information you are getting to make a hashed/unique experience for someone.
ePrivacy Regulations are clear — they allow no fingerprinting. Browsers and the privacy authorities will fight you even harder over fingerprinting than they would over cookies. Don’t go there.
More Transparency, not Less
Convert Experiences is our A/B testing and personalization tool. It doesn’t allow building user profiles using personal data by default.
We aggregate data in reports and send warnings when segments become so small, they make users identifiable or when we suspect personal data was added in fields where it should not be.
Our tool is often used by brands that care about compliance with all privacy laws worldwide. We offer options where website owners can share a link or shortcut key to be transparent about what experiences run on the website and what experiences users are in.
We encourage our customers to build experiences that improve user experience and optimize the flow.
If you want to build a better world, make forms better and shorter. Browsers, users and the privacy laws support you on that. What they won’t support is an A/B test where you snuck in an upsell checked by default. Improve your properties and then there will be no problem being transparent about it. A/B testing benefits users and can be good for business, because you offer the best online experiences.
So when you install CNAME for your A/B testing tool, make sure your tool is not building user profiles. Don’t use identifiers like gender, age, race and religion to target (some tools – not ours – offer that). Don’t go there, it’s not worth it and nobody wants this anymore.
Set up a CNAME for tools you trust. Don’t let them funnel information about your visitors to third-party sites and locations. You and you alone are responsible for what these tools store and do with the data. You can look at each tool and the tons of snippets they lift with the tool (you can use Collision — see image below). Setup CNAME only for a company where you have a signed DPA (Data Processing Agreement) — find ours here.
I laid out all I know about CNAME in this post — hope you found it useful and it shed some light on this complicated topic.
Look at how we deal with Privacy Shield, SCC, CCPA and our general efforts in this space.
I hope this article made it clear how you can use CNAME in your efforts to extend your A/B testing experiments from 7 to 30 days. Don’t buy CNAME tools that extend the life of ad-cookies that build user-profiles, please.
Take a free trial of our A/B testing software, if you’d like to see how a privacy conscious tool runs. We (just like the ePrivacy Regulations) are convinced A/B testing is a positive method that can help validate businesses’ efforts in providing a better experience for users and not exploiting them.