TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How will the changing environment shape cookie collection? Related reading: Will China’s new certification rules be a popular legal path for outbound data transfers?



The EU General Data Protection Regulation will transform the way businesses collate, store, process and analyze consumer data, including a long-favored tracking staple: the cookie.

As most companies are aware, the GDPR’s worldwide significance lies in its reach. It applies to any organization using the personal data of Europeans, wherever they are based, to ensure the customer’s privacy is placed front and center. But what many are unsure of is how the regulation will impact cookie collection.

So, in a post-GDPR world of increased consumer rights and stricter privacy laws, how can companies responsibly harness data insights to deliver the personalized experiences customers deserve, while adhering to updated data governance laws?

A quick cookie overview

It’s important to distinguish between the two forms of cookies. First-party cookies are obtained by the publisher of a website, whereas third-party cookies are set and/or retrieved by other technologies or advertising tracking on that site.

First-party cookies serve many useful purposes to brands and consumers alike, such as enabling users to purchase multiple items in one transaction. Disabling first-party cookies would mean that a consumer’s activity would not be connected as they moved between pages within a site, and each time they added a product, it would be treated as a new transaction. This is just one of the many cases in which first-party cookies are used for basic site functionality. Additionally, the tool can provide valuable insight into individual behavior on channels such as desktop, which makes it worthwhile for companies to obtain consent to use them.

However, third-party cookies can cause page load latency due to the added requests to use, which inevitably means a poorer customer experience and could also lead to higher charges for mobile users. These cookies are often the subject of data leakage issues as they are typically added to sites through piggybacks in which the site owner is unaware of the data tracking taking place. Similarly, cookies don’t cut it on mobile apps, meaning marketers will have to look elsewhere for insights. 

So, while third-party cookies hold limited application post-GDPR, especially on mobile, first-party cookies will continue to play an important role.

How will GDPR provisions impact cookie collection?

Let’s look at the aspects of GDPR set to most affect cookie collection, the definitions of personal data and consent, and examine what they mean for companies using EU data.

The GDPR stipulates that if cookies can be used to identify an individual, they are classed as personal data. This means cookies deployed for anything from analytics to advertising will be subject to the consent requirement, which includes data that companies have collected previously.

Gaining consent

Before companies can access data, they must gain unambiguous consent. So, no more "by accessing this website you accept …" notifications. Companies must send clear requests detailing why data is needed, as well as how and where it will be used, and await explicit permission.

The consent rule represents a seismic shift in digital advertising. Unless users voluntarily opt-in to cookie collection, providing explicit consent, companies have no right to retrieve their data. This stipulation will also be supported by the e-Privacy Directive and presents a challenge to third-party tracking in particular.

Third-party cookies can pose threats to data privacy and security, and restricting their use is a positive step to restoring trust in digital advertising. To ensure they can continue to glean the insights they require, organizations should ensure they are not solely relying on third-party cookies for tracking. Instead, they should focus on maximizing the value of their first-party data (many companies are sitting on a pot of gold of consumer insights) to deliver personalized experiences without comprising privacy and security.

The challenge of mobile

Cookies also present challenges to mobile data collection since their utility on mobile is very limited. Let’s take a closer look at the drawbacks.

Firstly, there’s the fact that cookies can’t transfer between apps and are unable to offer a holistic view of consumer activity. Secondly, many popular mobile browsers, like Apple’s Safari, block third-party cookies entirely (those typically used by tracking tools), rendering them useless. Finally, cookies often slow down webpages and have become a source of concern for privacy-conscious consumers. Hence, three in ten consumers delete their cookies monthly.

The tactics we can use moving forward

In comparison to the days of limited desktop computers, a multiplicity of devices and the ever-growing internet of things provide more data entry points than ever before. This has resulted in an increased emphasis on stitching, piecing together fragments of data to obtain a full picture. Utilizing just one tool — in this case, cookies — will only provide a fragmented view of a customer journey. Instead, organizations should seek to use a multitude of techniques, including location data, to gain a complete customer view.

Tag management, a tool to collect and track data between website or mobile app use, should also be an essential element of any digital strategy, while strictly adhering to the privacy rights of the consumer.

While the changing privacy regulations may mark the demise of the third-party cookie, the first-party cookie still plays a valuable role in delivering effective marketing campaigns. But customer centricity, consent, and a drive to create a holistic view of customer journeys remain the three factors at the heart of delivering effective customer experiences.

photo credit: wuestenigel Bite taken on a chocolate chip cookie via photopin (license)

1 Comment

If you want to comment on this post, you need to login.

  • comment Danny Koning • Jun 27, 2018
    Any thoughts on whether a pre-checked box for tracking cookies would be allowed considering privacy by default requirement (art. 25 GDPR)? Or does it have to be unchecked and actively checked by data subject c.q. the website visitor? Especially when those boxes aren't immediately visible when giving consent (but stashed in "more info" or equivalent deeper link).