How to Track Your Website Visitors Without Breaking the Law
Do you want to learn if your website tracking is compliant with data protection laws? Read all about website tracking in this article.
If you're like most other online businesses, chances are that you track your users' behavior on your website or app. You add trackers to your website that deliver data about users' behavior, you iterate and try new things, and that eventually brings more money to your business. Data-driven business decisions are, quite often, the best business decisions.
The problem is that some of that data is personal data. It belongs to actual persons, and data privacy laws protect this personal data. These laws set requirements you need to meet in order to track your users lawfully.
Website tracking is not illegal in and of itself. Whether it is lawful depends on where you conduct business and how tracking is regulated there. To assess whether your website is doing it correctly, you must first understand how you monitor your users, how you are required to track them, and what you must do to comply.
In this article, we will present you with:
- The most common ways of website tracking. You’ve heard about cookies, pixels, tags, and local storage. Here you’ll learn what they do in the background on your behalf and what responsibilities they bring to you. Learn more about cookies, how they work, and what you must do to comply with the EU cookie laws.
- Examples of each website tracking mechanism. You'll understand the tools you use to track your users, process their personal data, and deliver services to you.
- The legal requirements regarding website tracking. Tracking technologies work for you. You are responsible for the tasks they perform for you. As a result, you must understand your responsibility to your users in terms of the personal data you process.
- A simple way to comply with website tracking requirements. Because tracking technologies are generally standardized, current standardized solutions will assist you in conducting authorized and safe website tracking without incurring severe penalties.
What is Website Tracking?
Website tracking collects user activity data on a website or an app. Tracking aims to get insights into users' behaviors and desires.
When done properly, website tracking benefits both consumers and businesses. Some of the tracking purposes include:
- Understanding how users navigate the website to improve user experience
- Determining where users come from, what they do on the website, and what pages they read to understand what users need from the business
- Finding out which products a specific user has been interested in, and to target the same profiles all over the internet
- Remembering a user's preferences on the website (such as language preferences, font size, etc.) to offer a personalized experience
- Remembering the user login data for a smoother login the next time
- Remembering the contents of a customer's shopping cart while they shop on the website
- Helping the users to share your website content on social media
There are many other purposes of tracking. The possibilities tracking technologies offer nowadays are endless. In all cases, there are some benefits for the users, the website owners, or both.
Tracking activities frequently require the processing of users' personal data. After all, personalization would be impossible without it. As a result, trackers that gather and process personal data exist on nearly every website.
When you track data that can be used to identify a person, you put that person at risk and intrude on their online privacy. This is where data protection laws come into the picture. Still, before explaining the regulations, we need to dive deeper into tracking technology and understand what it does and why legislation constrains your efforts to improve user experience and advance your marketing.
How Does Website Tracking Work?
Tracking technologies follow website visitors in a variety of ways. New tracking methods emerge on a regular basis, but the most prevalent include cookies, pixels, IP tracking, tagging, local storage, and a few more.
When a user interacts with a website or an app, tracking technology may accomplish one of the following:
- Send a small textual file to their device
- Insert a small image on the screen
- Identify the IP address
- Identify device or browser data
This is by no means an exhaustive list. Website trackers continue to improve and discover ways around privacy laws. New tracking technologies will emerge all the time, but these will remain the most common for the foreseeable future.
They are designed to collect data from a device, browser, or other location and transfer it to a server for storage and processing. There, software processes the data. This is often the third-party tool you've been utilizing for website analytics, marketing, advertising, debugging, or other purposes. That tool also provides you with insights that are valuable for your business and your work.
Technologies used by websites to track visitors
Websites and apps use several different technologies to collect data for processing. They work in different ways, but ultimately, they all aim to collect data for processing.
Digital fingerprinting lets the data controller observe the attributes of the device and the browser the user used to visit the website.
Fingerprinting collects data such as the browser, operating system, operating system version, device type, font size, and similar details. While none of this data identifies a person on its own, the combination can single out a person quickly, especially when combined with an IP address, which can then be linked to other personal data obtained from other sources.
Furthermore, digital fingerprinting enables the data controller and processor to track browser history and build a user profile based on the user's browsing habits.
Fingerprinting through a browser is sometimes referred to as browser fingerprinting, whereas fingerprinting through a device is referred to as device fingerprinting.
Cookies are the most widely used tool for tracking users via their devices. They are small text files sent by the website to the user's device in order to collect data.
If you have enabled cookie tracking on your website, the cookies are sent to a visitor's device as soon as they arrive. They help servers remember the user by generating a unique ID for them. In this way cookies allow websites to remember users' choices and improve their browsing experience. When the user first connects, the server stores an ID unique to that user and device in the cookie; on later requests it reads the cookie back and recognizes who the user is from that ID.
This is how cookies assist you in tracking user behavior.
Cookies may be placed on your website by third-party services such as Google Analytics, various remarketing tools, email management companies, and so on. These third parties, your data processors, will deliver cookies through your website or emails. All you have to do is configure their SaaS to transmit cookies at the relevant times.
Every cookie has been designed to track a specific user’s behavior and collect a specific set of data. There is no single cookie that can track everything. Each one has its own purpose.
Depending on the purpose, cookies can be:
- Preferences cookies track data about a user's preferences on the website, so they can be served the preferred functionality any time they visit the website.
- Advertising cookies track the user's internet activity, evaluate it, and provide insights into their interests. The website owner can then target such users with relevant information and turn them into clients much more easily.
- Analytics cookies track users' website behavior, such as the pages they visit, how they travel around the website, the portions of the website they see, where they come from, and other data.
There are as many types of cookies as there are tracking purposes.
Multiple parties are involved in cookie-enabled website tracking. Cookies may be sent to the user's device by any of these parties.
Depending on who sends the cookies, you’ll hear about first-party or third-party cookies. You may also hear about fourth-party cookies and supercookies.
Cookies abound on the internet. To track your users, you must first understand what the parties do to make compliance easier.
First-party cookies are those that your website delivers to the user's device without the involvement of any other party (other types of cookies involve additional parties). First-party cookies are set by the website's own web server.
These cookies often record information about the user's interactions with the website, such as login information, shopping cart contents, language preferences, dark/light appearance mode, and other similar functions.
Third-party cookies are set when the user reaches your website, but these cookies do not belong to your website. They are the property of third-party vendors who have integrated with your website.
Third-party cookie senders include advertising networks such as Google's Doubleclick. If you have a fitness equipment website and have Doubleclick cookies enabled, their cookie will track your user as they go across the website. They will collect information about users' interests and give them adverts based on the processed personal data.
These cookies can help in collecting various types of information, such as the pages visited, whether the visitor purchased anything from the website, where they clicked, and so on. They would do what they are configured to do.
Simply put, you've given a third party permission to deliver cookies through your website. That is a third-party cookie.
Other Types of Cookies
All cookies are either first-party or third-party, but you will encounter other names. These are still first-party or third-party cookies (mainly the latter), named differently depending on their properties.
Second-Party Cookies. Technically, second-party cookies are third-party cookies. They are the cookies that your website shares with another website with which you have collaborated. Your website will collect the data they were designed to acquire, keep it on your website, and then send it to another organization with whom you have an agreement.
Keep in mind that most data protection rules now make this illegal.
Fourth-Party Cookies. Third parties can place more cookies on top of their third-party cookies. These are called fourth-party cookies.
They may set other cookies on top of their tracking cookies when they send them into your user's device.
Google also gives an example for these. Google's products include Doubleclick and YouTube. When you embed a YouTube video on your website, third-party cookies are used. However, Google may use third-party cookies to tell DoubleClick who has viewed your video. As a result, you may have DoubleClick cookies on your website without realizing it.
Supercookies. Cookies whose domain is a top-level domain or a public suffix are known as supercookies. Ordinary cookies are scoped to a specific registered domain, such as secureprivacy.ai; a supercookie is scoped to .ai rather than secureprivacy.ai, so it would be sent to every site under that suffix.
Because supercookies pose a security risk to users, web browsers frequently disable them.
Zombie Cookies. Cookies are normally stored in a folder on the user's device. With a single click, the user can erase all of the cookies in that folder.
Zombie cookies attempt to avoid deletion by storing themselves in directories other than the one designated for them. They are hidden and collect personal data without the user's knowledge. Furthermore, the user cannot delete such a cookie quickly because they do not know where to look for it.
Zombie cookies are illegal under data protection laws worldwide.
Session vs. Persistent Cookies
You'll frequently see the comparison of session vs. persistent cookies on the internet.
The main difference between the two is that session cookies are only retained for the duration of the visitor's session on your website before being removed. Persistent cookies, on the other hand, are stored for a longer period of time, usually until the user deletes them.
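The distinctions above (first-party vs. third-party, supercookie, session vs. persistent) can all be read off a Set-Cookie header. As an added example that is not from the original article, the following audit routine classifies cookies observed while loading a page, assuming a small hand-built list of public suffixes and constructed sample headers:

```javascript
// Added example: classify cookies the way a compliance audit would, from the
// page's host and the Set-Cookie headers of the responses seen while loading it.

// Constructed, deliberately tiny public-suffix list for the supercookie check.
// A real audit would load the full Public Suffix List (publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'ai', 'co.uk']);

// Registrable domain = public suffix plus one more label, e.g. secureprivacy.ai
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return labels.slice(-2).join('.'); // unknown suffix: assume last two labels
}

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function classifyCookie(pageHost, responseHost, header) {
  const c = parseSetCookie(header);
  // First-party if the responding host shares the page's registrable domain.
  const party = registrableDomain(responseHost) === registrableDomain(pageHost)
    ? 'first-party' : 'third-party';
  // Persistent if an expiry is given; otherwise it dies with the session.
  const persistent = 'expires' in c.attrs || 'max-age' in c.attrs;
  // Supercookie attempt: Domain attribute set to a bare public suffix.
  const domainAttr = (c.attrs.domain || '').replace(/^\./, '').toLowerCase();
  const supercookie = domainAttr !== '' && PUBLIC_SUFFIXES.has(domainAttr);
  return { name: c.name, party, lifetime: persistent ? 'persistent' : 'session', supercookie };
}

function auditCookies(pageHost, observed) {
  return observed.map(([host, header]) => classifyCookie(pageHost, host, header));
}

// Constructed sample: a shop page whose load also hit an ad network.
const SAMPLE = [
  ['shop.example.com', 'sessionid=abc123; Path=/; HttpOnly; SameSite=Lax'],
  ['shop.example.com', 'lang=en; Max-Age=31536000; Path=/'],
  ['ads.adnetwork.net', 'uid=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.adnetwork.net; SameSite=None; Secure'],
  ['tracker.example.ai', 'sc=1; Domain=.ai; Max-Age=86400'],
];

console.table(auditCookies('shop.example.com', SAMPLE));
```

Browsers reject a Domain attribute that is a bare public suffix, so the last entry never actually persists; flagging it still tells you a vendor script tried.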
Web Beacons (Pixels and Tags)
Web beacons track website visitors through the server.
The most common web beacons are pixels and tags. Pixels are used by the majority of social media platforms, including Facebook, Instagram, Twitter, Pinterest, Quora, and others. Tags are used by Google to track users.
However, pixels and tags work the same way. There is no significant difference between the two. Some data processors refer to them as beacon tags, while others refer to them as pixels, although they all perform the same function.
A pixel is a tiny image embedded in a page, often transparent, but it conveys vital information to the party that placed it: that a specific visitor has viewed a specific page or performed a specific action on the website. When the browser fetches the pixel, the request carries the page URL, which tells the data controller that the visitor has visited that page.
Facebook offers such a product (pixel) to businesses. When an eCommerce business owner employs the pixel, it is possible to determine which pages a certain user has visited. The store owner can then utilize that data to retarget the same person and persuade them to purchase the product.
For example, after a user has browsed the website's black shirt collection, the eCommerce store owner can retarget the same user and show them the same shirt a few more times via sponsored advertising, in the hope that this is enough to convince them to buy it. Furthermore, if website analytics data reveals that people who buy black shirts also like navy shirts, those users could be targeted with navy shirt ads too.
When you see the same black or navy shirt following you around the internet, know that you've been tracked by a pixel. It is commonly utilized since it helps online sellers in increasing conversions.
What Are the Legal Requirements for Website Tracking?
If you're asking why rules limit the use of tracking technologies when they provide so many benefits to everyone, the quick answer is because they infringe on online privacy. All of these advantages come at the expense of privacy.
In fact, data protection law is unconcerned with technology as such. It is concerned with safeguarding people's fundamental rights, especially the right to privacy.
There is an abundance of personal data circulating around the internet. That data is constantly at risk of being compromised. Furthermore, there are corporations who continue to watch consumers' internet activities, sometimes just for their own profit, such as marketing and advertising. Tracking and analyzing advertising data typically results in sophisticated client profiles to whom products and services are later provided. That is an invasion of online privacy; thus, data protection laws safeguard internet users.
That is also why data protection law does not prohibit any particular tracking technology. It simply sets limits on data processing. If you process personal data within those limits, you can use any website tracker.
How Can You Legally Track Website Visitors?
When it comes to legal requirements for website tracking, data privacy laws take two different approaches:
- Require opt-in before beginning tracking, which means that if the user does not explicitly declare that they agree to the tracking, you must not track them;
- Require opt-out, which means that you are free to track them as long as they do not contact you to request you stop tracking them.
Simply put, if opt-in is required, you must not track users until they have given their consent to be tracked. Where simply opt-out is required, you can track users indefinitely until they ask you to stop.
Learn more about the difference between opt-in and opt-out.
Website Tracking Where Opt-In Is Required
In many circumstances, data protection legislation such as the GDPR, ePrivacy Directive, LGPD, Thailand PDPA, PIPEDA, and many more data privacy laws similar to the GDPR demand an active opt-in by the user for monitoring.
However, not every opt-in is valid under the GDPR and other laws. You need to ask users for tracking consent in a way that makes the data processing lawful. Take a look at our Data Processing Agreement Guide.
The consent request for tracking has to be:
- Free. You must not make access to anything conditional on consent to tracking. Some websites refuse access to their content unless the visitor consents to tracking, which is illegal.
- Specific. Every tracking mechanism has a specific purpose. Some are used for analytics, others for marketing, and still others track users to improve the website's functionality. For any unique tracking purpose, you must seek explicit consent.
- Unambiguous. To give consent, the user must take action. Continued use of the website and browsing do not constitute permission. You must only begin tracking when the user hits the ACCEPT button.
In addition to the opt-in requirements, the GDPR requires you to provide users with the ability to opt-out of tracking as soon as they have opted in. This usually entails a simple and easy-to-access button in your privacy preferences for removing consent. Learn all about the GDPR cookie guidelines.
Data privacy laws such as Brazil's LGPD, Canada's PIPEDA, Thailand's PDPA, and South Africa's POPIA, to name a few, have the same or equivalent standards to the GDPR.
Aside from users’ consent, website owners can choose to track visitors based on their own legitimate interests.
Legitimate interests can be a thorny issue for many online enterprises. What constitutes legitimate interest has been subject to many interpretations on the internet, with the majority of them getting it wrong.
You should refrain from using this legal basis for data processing unless there is no other lawful way to gather the personal data. If you are certain that you must rely on it, make sure that you carry out the legitimate interests test properly.
In short, you need to ensure that your interests trump those of your users. You could, for example, utilize tracking tools to assure website security. However, when processing data for advertising reasons, you cannot rely on legitimate interests.
Read our in-depth article on legitimate interests as a legal basis for website tracking and data processing for more information.
Website Tracking Where Opt-Out Is Required
When all you owe your users is the right to opt out of tracking, you can employ cookies, pixels, and other trackers as soon as you inform them about it.
In practice, this means displaying a cookie banner and using the cookies at the same time. You don’t need to seek permission. You don't even have to consider legitimate interests.
However, if your users have the right to opt-out of the processing of personal data, you must comply with such a request.
The user would contact you and inform you that they want all of their data removed from your servers or that they no longer want you to process their data. You have no option but to comply with the request.
Note that you should confirm the requestor's identity. You don't want to handle the wrong person's personal information. This could be a data breach.
How Can You Comply with the Legal Requirements for Website Tracking?
To comply with the website tracking legal requirements, whether GDPR, LGPD, PIPEDA, CCPA, or others, you must first determine:
- Which data protection laws apply to your business,
- Which requirements are set forth in those laws, and
- What solutions can be employed to meet those requirements.
Since website tracking is automated, the only practical way to regulate it is through automation. Cookie consent solutions, such as Secure Privacy, are all you need to control how your website tracks visitors. Once you control the tracking, compliance follows easily.
Secure Privacy solutions for website tracking incorporate the legal requirements of the GDPR, CCPA, LGPD, and other laws. They were designed to ensure compliant tracking with a few mouse clicks.
How Does Secure Privacy Ensure Compliance in Website Tracking?
The Secure Privacy solution gives you control over website tracking. If you need to wait until the user opts in, it will not allow cookies to be used before valid consent is given. But if you merely owe your users the right to opt out of processing, it will display the privacy notice and use the cookies at the same time.
It is critical to configure two things correctly for compliant website tracking:
- When you deploy cookies and other trackers, and,
- The purposes of tracking and data processing.
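The two settings above, the timing of deployment and the purpose of each tracker, are the whole decision. As an added example that is not Secure Privacy's code, here is a minimal consent gate that makes that decision per purpose under both an opt-in and an opt-out regime; the class name, purpose strings and stand-in loader callbacks are assumptions, and strictly necessary trackers are treated as exempt from consent (as the ePrivacy Directive allows):

```javascript
// Added example: a consent gate that decides *when* each tracker may load,
// keyed by the purpose it serves. Loaders are callbacks so this runs without
// a DOM; in a browser they would inject the vendor's script or pixel.
class ConsentGate {
  // mode: 'opt-in' (GDPR-style: wait for consent) or 'opt-out' (track until refused)
  constructor(mode) {
    if (!['opt-in', 'opt-out'].includes(mode)) throw new Error('unknown mode');
    this.mode = mode;
    this.trackers = []; // { name, purpose, load, unload, loaded }
    this.consent = {};  // purpose -> true/false; absent means no decision yet
    this.log = [];      // audit trail of consent decisions
  }

  // Register a tracker with its purpose. Under opt-out it loads immediately;
  // under opt-in it stays dormant until the user grants that purpose.
  register(name, purpose, load, unload) {
    const t = { name, purpose, load, unload, loaded: false };
    this.trackers.push(t);
    this._reconcile(t);
    return t;
  }

  // 'necessary' covers things like the login session or cart cookie (assumed exempt).
  allowed(purpose) {
    if (purpose === 'necessary') return true;
    if (this.consent[purpose] === undefined) return this.mode === 'opt-out';
    return this.consent[purpose];
  }

  grant(purposes) { this._decide(purposes, true); }
  revoke(purposes) { this._decide(purposes, false); }

  _decide(purposes, value) {
    for (const p of purposes) this.consent[p] = value;
    this.log.push({ at: Date.now(), purposes: [...purposes], granted: value });
    this.trackers.forEach(t => this._reconcile(t)); // withdrawal must take effect at once
  }

  _reconcile(t) {
    const ok = this.allowed(t.purpose);
    if (ok && !t.loaded) { t.load(); t.loaded = true; }
    else if (!ok && t.loaded) { t.unload(); t.loaded = false; }
  }

  loadedTrackers() { return this.trackers.filter(t => t.loaded).map(t => t.name); }
}

// Constructed walk-through: three trackers, user grants analytics only, then withdraws.
function demo(mode) {
  const gate = new ConsentGate(mode);
  const noop = () => {};
  gate.register('session-cookie', 'necessary', noop, noop);
  gate.register('analytics-tag', 'analytics', noop, noop);
  gate.register('ad-pixel', 'advertising', noop, noop);
  const before = gate.loadedTrackers();
  gate.grant(['analytics']);
  const after = gate.loadedTrackers();
  gate.revoke(['analytics', 'advertising']);
  return { before, after, final: gate.loadedTrackers() };
}

console.log(demo('opt-in'), demo('opt-out'));
```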
If you have set this up properly, website tracking compliance will be easy to achieve and maintain. If you want to try it yourself, find the best plan for your organization and sign up here for a free trial.