Digital Compliance | GDPR | Online Marketing | Web Analytics

GDPR Update: Browser Cookie Blocking – The Current Situation

GDPR Browser Cookie Blocking

Over the last few years, we have seen an increased focus on user privacy online with reports of the US Presidential and UK Brexit votes being heavily influenced – both legally and illegally – by user targeting on Facebook. The 2018 rollout of the EU’s GDPR laws and people’s general feeling of unease that advertising is becoming ever more targeted at them increased awareness. In response to this, web browsers, like Firefox, Safari, and Chrome, have started to add protections against websites and tools tracking users online. These protections can be blocking cookies and/or scripts and is done in various ways from the very strict to not at all by different browsers.

In this post, we will take you through the current state for each of the most popular browsers and what impact this will have on your web analytics and advertising efforts. We start with the two browsers whose current protections are at the extreme ends.

The browsers we will look at in this post are

  • Safari (Apple)
  • Chrome (Google)
  • Firefox (Mozilla)
  • Edge (Microsoft)

Apple Safari

Current Situation

Apple has taken the strongest measures to prevent their desktop and mobile Safari browser users from being tracked. Their tracking prevention feature is called Intelligent Tracking Prevention or ITP. Apple has released various versions of ITP over the last few years each becoming stricter than the last.

The latest release from 2019 has blocked the setting of all third-party cookies. Third-party cookies those set by a domain other than the one the user is visiting. For example, when facebook.com sets a cookie on your browser when you visit a news site. This can occur because the news site wants to track the impact of their advertising on Facebook and so they have added the Facebook tracking Pixel to their site.

This might not be the biggest invasion of privacy if all this is all that was measured. The problem, at least as far as Apple is concerned, is that the facebook.com cookie will be the same one used for every site you visit that has the Facebook tracking Pixel and this is a pretty good percentage of sites. In this way, Facebook would be able to see your behavior across all of these sites and uses this information to target advertising. This is called Cross-Site tracking and is the core of what Apple is trying to prevent.

However, this is not the full extent of what has been enforced by ITP. As part of the protections, Apple restricted the longevity of all first-party cookies (those set on the domain of the site being visited) to seven days. This means that cookies which previously set with expiry dates 2 years after the cookie was created, like the Google Analytics user cookie, will now expire after just 7 days. If the cookie was set when the user arrived from a service known to do cross-site tracking, like Facebook, and the link was ‘decorated’ with a query string or fragment – this is the # or ? sometimes seen in URLs – then the expiry is after just 24 hours.

Impact

The impact of these changes on your digital analytics and advertising efforts are large when it comes to Safari users.

Your Google Analytics, or other digital analytics, setup will still function, and you will still see much of the data you are familiar with include visit, channel, event, and conversion data.

What is affected is the ability to track a visitor over time. The most obvious metric that this would affect is new vs. returning visitors. The GA persistent user cookie now expires after 7 days so if a Safari visitor returns to your site after 8 days, for instance, they will now be seen as a new visitor. This is not the biggest impact of these changes.

The largest effect is on measuring the success of your various marketing efforts. For many marketing channels, visitors do not convert into leads, customers, or the like on the first visit but rather on subsequent visits. The GA user cookie is usually able to tie the visit the user converted on back to the marketing channel that brought them to the site in the first place. With ITP, for Safari users, this is only possible if the conversion happens within 7 days of the first visit or in some cases within the first day.

As mentioned above, if the visitor arrived on your site from a domain that ITP considers to have cross-site tracking capabilities – Facebook, Google, or Twitter for example – and the URL leading to your site contained a query or fragment then the expiry period for cookies is just 1 day.

To make this clearer with a practical example. If a visitor searches on Google for your brand name and then clicks on a paid search ad you are running at the top of the search results page then all the cookies that are set when the page loads will be set to expire at the latest 1 day after the visit. However, if they had clicked just below on an organic search result the same cookies would expire after 7 days.

This means that unless the conversion happens within 24 hours of the visitor arriving from your advert the conversion will not be attributed in either Google Analytics or the advertising platforms measurement tool.

Additionally, as the first-party cookies only last for 1 to 7 days and third party cookies are completely blocked it means that remarketing is very difficult to do for Safari users.

Recap:

  • New vs. returning users no longer accurate
  • Attribution of conversions to initial channel only possible within 1 or 7 day
  • Remarketing difficult as cross-site tracking not allowed

Google Chrome

Current Situation

Google has taken a much more cautious approach blocking trackers that is the antithesis of Apple’s ITP. Google has acknowledged that privacy is important and announced their Privacy Sandbox. Unlike Apple their goal is twofold, to provide user privacy but also to support publishers (and advertisers).

In this vein, Google announced in January that third party cookies will be blocked but only within the next two years and not immediately. Additionally, they have proposed some measures for making fingerprinting more difficult.

The reason for Google’s desire to strike a balance between the privacy of users and the needs of publishers is that Google makes its revenue from advertising. This is not to say though that it is the wrong approach. Businesses on the internet, the major part of the internet, need to know whether their advertising and other marketing efforts, are effective. The future improvement of experiences on the internet may rely on this sort of measurement and Google believes that removing it entirely is too rash.

Impact

At this point, Google’s privacy efforts should have no major impact on your analytics or advertising efforts unless you make use of fingerprinting to identify individual users.  This may change as they roll out further features in the privacy Sandbox.

Mozilla Firefox

Current Situation

Mozilla Firefox has always prided itself on being open-source, free, and ethical. They have made user privacy a major part of their focus going forward. Their tracker blocking functionality is called Enhanced Tracking Protection and is similar to Apple’s ITP but is not as strict out the box.

By default, Enhanced Tracking Protection will block:

  • Social Media trackers such as the Facebook Pixel or LinkedIn Insights script.
  • Third-Party, Cross-site tracking cookies like Google’s Doubleclick cookies for instance.
  • These are trackers that attempt to circumvent the system by tracking users without cookies and scripts and instead create a unique ‘fingerprint’ by combining factors like the user’s location, hardware, browser type & version, operating system & version, and other factors.
  • Cryptominers: As the name implies these are scripts that attempt to utilize the user’s browser to mine cryptocurrency without the user’s express consent.

These are the Standard settings and as mentioned this Standard setting is set as the default. A Strict setting can be selected which will then block what Mozilla terms Tracking Content. These are pieces of website content that can include a tracking aspect. Banner advertising and embedded YouTube Videos are both examples of these. In the Standard setting, these are only blocked in Private Browsing Windows. The reason this is blocked globally only on the Strict setting is that removing this content may cause some site features to break.

Impact

The Google Analytics script and cookies are classified under the Tracking Content section and so are only being blocked in Private Windows or on the Strict Setting.

However, certain metrics in Google Analytics will not show data for Firefox users. These are the demographic and interest data that you must enable specifically in your GA profile. The reason this is not shown is that this data is not picked up by the GA tracking script but rather through the Doubleclick network and cookies. These are blocked on the Standard setting.

As for your digital advertising, it will be more difficult to conduct remarketing campaigns as the advertising providers are not able to follow Firefox users cross-site using cookies. However, understanding the impact of your advertising seems to be unaffected as Facebook, LinkedIn, Google, and other similar scripts are still being allowed to run.

Recap:

  • Most Google Analytics features still working except for demographic and Interest data
  • Conversion attribution still possible for advertising channels except those using third party cookies
  • Remarketing difficult as cross-site tracking not allowed

Microsoft Edge

Current Situation

Microsoft’s Edge browser has a tracking prevention program similar to that of Firefox. It uses the Disconnect list of trackers – Firefox uses this too – to split all trackers into different categories. It then has three levels of protection. The default level is called “Balanced” while the other two are “Basic” and “Strict”.

On the Balanced level, Cryptomining and Fingerprinting cookies and scripts are completely blocked while advertising and social trackers scripts are allowed to load but they do not have access to set cookies. Analytics trackers are allowed to run scripts and set cookies.

Impact

With regard to your digital analytics setup, the current Edge tracking prevention will have little impact. In its default setting it does not stop your analytics tools from setting their cookies nor does it limit the cookies longevity.

However, this could have a bigger impact with regard to your advertising efforts. When it comes to understanding the efficacy of your campaigns you will no longer be able to measure conversions in the advertising tool unless they occur in the session where the user was brought to the website by the campaign. You will, however, be able to measure and attribute to the correct channel or campaign, the conversions in later sessions in your analytics tool.

As advertising cookies are blocked by default remarketing again becomes more difficult if not impossible to Edge users.

Recap:

  • Analytics tools are unaffected
  • Advertising tools record conversions if conversion not in the first visit. Analytics tools can though.
  • Remarketing difficult as cross-site tracking not allowed

Conclusion

Over the last year, we have seen a strong focus both in the public sphere and, as a result, from browser providers on user privacy. Some providers have opted to implement extreme measures to protect user privacy and others are trying to balance the interests of the user with business interests.

These changes have meant that certain advertising activities such as remarketing have become more difficult to do or at least are only able to be done for a smaller audience. In the EU, with its strong privacy laws, remarketing had become very limited in any case.

Except Safari most analytics activities, and the measurement of the success of the advertising campaigns through analytics tools remains unaffected on most browser’s default settings.

It is important to remember that this is a changing landscape. Apple’s ITP has been through 5 versions since it was first introduced, and Google has said that it is actively developing its privacy program. What the future holds is uncertain but it is important to understand these changes and they are released and respond effectively to make sure you are getting the most out of your analytics and advertising online.

Do you need help with your measurement?

We cover a broad range of Web analytics topics, read more.