How to Track Your Website Visitors Without Breaking the Law
Website tracking is not illegal per se. It depends on where you do your business and how tracking is regulated there. Read all about website tracking here.
If you run your business like most other online businesses, chances are that you track your users’ behavior on your website or app. You add trackers on your website, they deliver to you data about users’ behavior, you iterate and try new things, and that eventually brings more money to your business. Data-informed business decisions are, quite often, the best business decisions.
The problem is that some of that data is personal data. It belongs to real persons and is protected by data privacy laws. These laws set requirements you need to meet in order to track your users lawfully.
Website tracking is not illegal per se. It depends on where you do your business and how tracking is regulated there. To determine whether you do it properly on your website, you need to understand how you track your users, how you need to track them, and what you need to do to comply.
In this article, we will present you with:
- The most common ways of website tracking. You’ve heard about cookies, pixels, tags, and local storage. Here you’ll learn what they do in the background on your behalf and what responsibilities they bring to you. Learn more about cookies, how they work, and what you must do to comply with the EU cookie laws.
- Examples of each website tracking mechanism. You’ll understand how the tools you use actually track your users, process their personal data and deliver services to you.
- The legal requirements regarding website tracking. Tracking technologies work on your behalf. You are liable for the work they do for you. That is why you need to understand your obligations to your users regarding the personal data you process.
- A simple way to comply with website tracking requirements. Since the way tracking technologies work is mostly standardized, there are existing standardized solutions that will help you conduct website tracking lawfully and safely, without risking huge penalties.
What is Website Tracking?
Website tracking is the practice of collecting data about users' activities on a website or an app. The purpose of tracking is to get insights into users’ behaviors and desires.
When done properly, website tracking brings benefits for both users and businesses. Some of the tracking purposes include:
- How users navigate the website, in order to improve the user experience
- Where users come from, what they do on the website, and which pages they read, in order to understand what users need from the business
- Which products a specific user has been interested in, in order to retarget that same user all over the internet
- Remembering a user’s preferences on the website, such as language or font size, in order to offer a personalized experience
- Remembering the user’s login data for a smoother login next time
- Remembering what is in the customer’s shopping cart while they keep browsing the website
- Helping users share content on social media.
There are many other purposes of tracking. The possibilities tracking technologies offer nowadays are endless. In all cases, there are some benefits for the users, the website owners, or both.
Many times, the tracking activities require the processing of users’ personal data. After all, a personalized experience would be impossible without the processing of personal data. As a result, websites abound with trackers that collect and process personal data.
When you track data that can identify a person, you put that person at some risk and intrude on their online privacy. This is where data protection laws come into the picture, but before explaining regulations, we need to dive deeper into tracking tech and understand what it does and why legislation puts constraints on your activities regarding improving user experience and advancing your marketing efforts.
How Does Website Tracking Work?
Tracking tech follows website users in several different ways. New methods of tracking appear all the time, but the most common remain cookies, pixels, IP tracking, tagging, local storage, and a few others.
As soon as a user gets in contact with a website or an app, the tracking technology may do any of the following:
- Send a small textual file to their device
- Insert a small image on the screen
- Identify the IP address
- Identify device or browser data
This is not an exhaustive list. Website trackers keep evolving and finding ways around privacy laws. You will hear about new tracking technologies all the time, but these will remain the most common ones for some time to come.
They are designed to collect data from the device, browser, or elsewhere and send it to a server for storage and processing. There, the data is being processed by software. In many cases, this is actually the third-party tool you’ve been using for website analytics, marketing, advertising, debugging, or another purpose. That tool also provides you with insights that are valuable for your business and your work.
Technologies that websites use to track visitors
There are several different technologies that websites and apps use to collect data for processing. They work in different ways, but ultimately they all aim to collect data for processing.
Digital fingerprinting allows the data controller to see the characteristics of the device and the browser the user has used to access the website.
Fingerprinting collects data such as the browser, operating system, operating system version, device type, font size, and similar attributes. While this data is not personal per se, it can easily identify a person once combined with the IP address, which can in turn be linked to other personal data collected from other sources.
Moreover, digital fingerprinting allows the data controller and processor to track the browser history and create a user profile based on what that user has browsed.
Fingerprinting based on browser characteristics is sometimes called browser fingerprinting, while fingerprinting based on device characteristics is called device fingerprinting.
Cookies are the most common mechanism for tracking users through their devices. They are small text files that the website sends to the user’s device to collect data.
If you have enabled cookie tracking on your website, it will send the cookies straight to the visitor’s device as soon as they land on the site. Cookies help servers remember the user by creating a unique ID for them. This is how cookies help remember users’ preferences and improve their browsing experience. The data stored in a cookie is created by the server when the user first connects, and it is labeled with an ID unique to the user and their device. When the server later reads that unique ID, it “knows” who the user is.
That is how cookies help you to track users’ behavior.
In most cases, your website places cookies by using third-party services, such as Google Analytics, various remarketing tools, email management providers, and so on. These third parties, which are your data processors, will provide your website or even your emails with the cookies. All you need to do is set up their SaaS to send the cookies at the appropriate time.
Every cookie has been designed to track a specific user’s behavior and collect a specific set of data. There is no one cookie to track it all. Each one has its own purpose.
Depending on the purpose, cookies can be:
- Preferences cookies track data about the user’s preferences on the website, so they can be served the preferred functionality any time they visit.
- Advertising cookies track what the user browses around the internet, analyze that data, and provide insights about their interests. The website owner can then target such visitors with tailored content and convert them into customers more easily.
- Analytics cookies track users’ behavior on the website, including the pages they visit, how they move around the website, which parts of the website they see, where they come from, and other data.
There are as many types of cookies as there are tracking purposes.
In the cookie-enabled website tracking, there are multiple parties involved in the process. Each of these parties may send cookies to the user’s device.
Depending on who sends the cookies, you’ll hear about first-party or third-party cookies. You may also hear about fourth-party cookies and supercookies.
The internet abounds with cookies. If you track your users, you need to understand what each party does in order to comply more easily.
First-party cookies are the cookies that your website sends to the user’s device without any other party being involved (as there is with other types of cookies). First-party cookies are set by the website’s own web server.
These cookies usually store information related to your interaction with the website, such as login information, shopping cart information, language preferences, dark/light appearance mode, and similar purposes.
Third-party cookies are set when the user reaches your website, but they do not belong to your website. They belong to third parties integrated with your website.
Advertising networks, such as Google’s DoubleClick, are good examples of third-party cookie senders. If you have a website for fitness equipment and have DoubleClick cookies enabled on it, their cookie will follow your user as they navigate through the website. It will gather data about the user’s interests and serve them ads tailored to the processed personal data.
These cookies can collect various types of information, such as the pages visited, whether the visitor bought something from the website, where they clicked, and so on. They do whatever they are configured to do.
Simply put, you have enabled a third party to send cookies through your website. That is a third-party cookie.
Other Types of Cookies
All cookies are either first-party or third-party cookies, but you may hear about other types as well. These are also either first-party or third-party cookies (mostly the latter), but they are sometimes given other names because of particular characteristics.
Second-Party Cookies. Technically, second-party cookies are third-party cookies. They are cookies whose data your website shares with another website you have partnered with. Your website collects the data the cookies were designed to collect, stores it, and then sends it to the partner company because you have such an agreement with them.
Keep in mind that this is illegal under most data protection laws nowadays.
Fourth-Party Cookies. Third parties can place more cookies on top of their third-party cookies. These are called fourth-party cookies.
Basically, when they fire their tracking cookies into your user’s device, they may place other cookies on top of them.
Google has an example for these as well. Both DoubleClick and YouTube are Google’s products. When you embed a YouTube video on your website, it uses third-party cookies. However, Google may place fourth-party cookies to inform DoubleClick who has watched your video. That way, you also have DoubleClick’s cookies on your website, probably without being aware of it.
Supercookies. Supercookies are cookies coming from a top-level domain or a public suffix. Ordinary cookies come from a specific domain name, such as secureprivacy.ai. A supercookie will not come from secureprivacy.ai, but from .ai.
Web browsers often block supercookies due to being a security concern for users.
Zombie Cookies. Your device has a folder dedicated to storing cookies, and you can delete all the cookies in that folder with a click.
Zombie cookies try to circumvent the deletion by placing themselves in folders other than the one intended for them. They are placed in a hidden location and collect personal data without the user knowing about that. Moreover, the user cannot easily delete such a cookie because they don’t know where to look for it.
Zombie cookies are illegal under data protection laws worldwide.
Session v. Persistent Cookies
Finally, you’ll often notice the session v. persistent cookies comparison on the internet.
The only difference between the two is that session cookies are stored only for the duration of the visitor’s session on your website, after which they are deleted.
Persistent cookies, on the other hand, stay for longer, usually until the user deletes them.
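A worked illustration of the distinctions above (first-party versus third-party scope, supercookies set on a public suffix, session versus persistent lifetime), added here and not part of the original article: it parses Set-Cookie headers captured during a page load and classifies each one. The public-suffix table and the sample headers are constructed for the example.

```javascript
// Added example (not code from the original article): classify the Set-Cookie
// headers observed while a page loads, showing who sets each cookie, how far it
// reaches and how long it lives. The public-suffix table is a constructed
// subset; a real audit would load the full list from publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["com", "ai", "org", "co.uk"]);

// Parse one Set-Cookie header into { name, value, <attribute>: value | true }.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Registrable domain = public suffix plus one more label ("example.ai").
// Returns null when the host itself is a public suffix (the supercookie case).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Classify a cookie set by `setterHost` while the user is visiting `siteHost`.
function classifyCookie(header, setterHost, siteHost, now = new Date()) {
  const c = parseSetCookie(header);
  // A Domain attribute widens the cookie's scope; a leading dot is ignored.
  const scope = (c.domain || setterHost).replace(/^\./, "").toLowerCase();
  const scopeReg = registrableDomain(scope);
  let party = "third-party";
  if (scopeReg === null) party = "supercookie"; // browsers refuse to store these
  else if (scopeReg === registrableDomain(siteHost)) party = "first-party";
  // No Expires/Max-Age means a session cookie; Max-Age wins when both appear.
  let lifetime = "session";
  if (c["max-age"] !== undefined) {
    lifetime = Number(c["max-age"]) > 0 ? "persistent" : "expired";
  } else if (c.expires !== undefined) {
    lifetime = new Date(c.expires) > now ? "persistent" : "expired";
  }
  return { name: c.name, scope, party, lifetime, secure: c.secure === true,
    httpOnly: c.httponly === true, sameSite: c.samesite || "unset" };
}

// Constructed sample: headers a visitor to shop.example.ai might receive.
const SAMPLE_HEADERS = [
  { setter: "shop.example.ai", header: "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setter: "shop.example.ai", header: "lang=en; Max-Age=31536000; Path=/" },
  { setter: "ads.tracker-example.com",
    header: "uid=42; Domain=.tracker-example.com; Max-Age=63072000; Secure; SameSite=None" },
  { setter: "cdn.example.ai", header: "bad=1; Domain=.ai; Max-Age=3600" },
];
// Run the classifier over every header captured for one site visit.
function auditCookies(samples, siteHost, now = new Date()) {
  return samples.map((s) => classifyCookie(s.header, s.setter, siteHost, now));
}
```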
Web Beacons (Pixels and Tags)
Web beacons track website users through the server.
The most common web beacons are pixels and tags. Most social media platforms, such as Facebook, Instagram, Twitter, Pinterest, Quora, and others, use pixels. Google tracks users via tags.
However, pixels and tags work the same way. There is no significant difference between the two. Some data processors call their beacon tags, others call them pixels, but they do the same job.
A pixel is a tiny, often transparent image, but it sends important information to whoever placed it: that a specific visitor has visited a specific page or performed a specific action on the website. The pixel records the URL and tells the data controller that the visitor has visited that page.
Facebook provides businesses with such a pixel. If an ecommerce store owner uses the pixel, it can tell what pages a specific user has seen. Then, the store owner can use that data to retarget the very same user and convince them to buy the product.
For example, if the user has browsed the black shirts collection on the website, the ecommerce store owner can retarget the same user and show them the same shirt a few more times via sponsored ads, hoping that will be enough to make them buy it. Moreover, if the website analytics data shows that users who buy black shirts also like navy shirts, the owner could target them with navy shirt ads as well.
When the same black or navy shirt follows you all around the internet, you’ll know that you have been tracked by a pixel. It helps online sellers increase conversions, therefore it is widely used.
What Are the Legal Requirements for Website Tracking?
If you have been wondering why the laws put constraints on the use of tracking technologies when they bring so many benefits for everyone, the short answer is that they intrude on online privacy. All these benefits come at the price of privacy.
In fact, data protection laws do not care about the technology. They care about protecting people’s fundamental rights, including the right to privacy.
There is an abundance of personal data circulating around the internet. That data is under constant threat of a breach. Moreover, businesses keep tracking users’ activities on the internet, sometimes only for their own benefit, such as for marketing and advertising. The tracking and processing of advertising data usually leads to the creation of complex customer profiles to which products and services are later offered. That is an intrusion on online privacy, hence data protection laws protect internet users.
That is also why these laws do not forbid any tracking technology. They only set limits on data processing. You are free to use any website trackers as long as you process personal data within those limits.
How to Track Website Users Lawfully?
When it comes to legal requirements for website tracking, data privacy laws take two different approaches:
- Require opt-in by the user before starting with the tracking, which means that if the user does not explicitly say that they agree to the tracking, you must not track them, and
- Require opt-out, which means that you are free to track them as long as they do not contact you to request you stop tracking them.
Simply put, where opt-in is required, you must not track users before obtaining their consent to be tracked. Where only opt-out is required, you can freely track users until they ask you to stop.
Read more about opt-in v. opt-out.
Website Tracking Where Opt-In Is Required
Data protection laws such as the GDPR, ePrivacy Directive, LGPD, Thailand PDPA, PIPEDA in many cases, some Canadian provinces’ laws, and many other data privacy laws similar to the GDPR require an active opt-in by the user for tracking.
According to the GDPR and other laws, not every opt-in is valid. You need to ask users for tracking consent in a specific way for the data processing to be lawful.
The consent request for tracking has to be:
- Free. You must not make consent to tracking a condition of anything. Some websites do not allow access to their content unless the visitor consents to tracking, but that is illegal.
- Specific. Every tracking mechanism has a specific purpose. Some serve analytics, some marketing, others track visitors to improve the functionality of the website. You need to obtain specific consent for each specific purpose of tracking.
- Unambiguous. The user has to take an action to give consent. Staying on the website and browsing does not mean consent. You have to refrain from tracking until the user clicks an ACCEPT button.
In addition to the opt-in requirements, the GDPR requires you to allow the user to opt-out from the tracking as easily as they have opted-in. In most cases, this means an easy-to-reach button for withdrawing consent in your privacy preferences center. Learn all about the GDPR cookie guidelines.
Similar to the GDPR, data privacy laws such as Brazil LGPD, Canada PIPEDA, Thailand PDPA, and South Africa POPIA, to name a few, have the same or similar requirements.
Aside from users’ consent, website owners can opt for tracking visitors based on their own legitimate interests.
Legitimate interests are a slippery slope for many online businesses. What counts as a legitimate interest has been subject to various interpretations on the internet, and most of them get it wrong.
You should refrain from using this legal basis for data processing unless there is no other reasonable way to collect personal data lawfully. If you are sure you have to, make sure you carry out the legitimate interests test properly.
In short, you need to ensure that your own interests override your users’ interests. For example, you could use some tracking technologies to ensure website security. But, you cannot rely on legitimate interests when processing data for advertising purposes.
For more, read our in-depth article on legitimate interests as a legal basis for website tracking and data processing.
Website Tracking Where Opt-Out Is Required
Where only an opt-out is required, in practice that means showing users a cookie banner and firing the cookies at the same moment. You don’t have to wait for consent. You don’t have to think about legitimate interests either.
However, if your users have the right to opt-out of the processing of personal data, you must comply with such a request.
The user would reach out to you informing you that they want all their data deleted from your servers or that they simply don’t want you to process their data anymore. You have no choice but to conform to the request.
All you need to do in the meantime is to verify the identity of the requester. You don’t want to handle the personal information of the wrong person. That may be a data breach.
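As an added example, not code from the article or from any consent product, here is a small consent gate in JavaScript that models both regimes described above: under opt-in nothing fires until an explicit, purpose-specific accept, browsing alone changes nothing, and withdrawal stops the tracker at once; under opt-out trackers fire on page load and stop on request. Tracker names and the fire/clear hooks are hypothetical.

```javascript
// Added example (not the article's or any vendor's code): a minimal consent
// gate that decides when each tracker may fire and for which purpose. Tracker
// names and the fire/clear hooks are hypothetical stand-ins for real tags.
const PURPOSES = ["preferences", "analytics", "advertising"];

class ConsentGate {
  // regime: "opt-in" (nothing fires before consent) or "opt-out" (fire at
  // once, stop when the user asks). trackers: [{ name, purpose }].
  constructor(regime, trackers, hooks) {
    if (regime !== "opt-in" && regime !== "opt-out") throw new Error("bad regime");
    this.regime = regime;
    this.trackers = trackers;
    this.hooks = hooks;       // { fire(name), clear(name) }: inject tag / expire cookies
    this.consent = new Set(); // purposes currently allowed
    this.active = new Set();  // trackers currently firing
  }
  // Page load: opt-out may start every tracker now; opt-in starts nothing.
  pageLoad() {
    if (this.regime === "opt-out") PURPOSES.forEach((p) => this.consent.add(p));
    this.sync();
  }
  // Browsing, scrolling or ignoring the banner is not consent: no change.
  userBrowses() { this.sync(); }
  // Explicit, purpose-specific accept (e.g. the user ticked "analytics" only).
  accept(purposes) {
    for (const p of purposes) {
      if (!PURPOSES.includes(p)) throw new Error("unknown purpose " + p);
      this.consent.add(p);
    }
    this.sync();
  }
  // Withdrawal or opt-out: one call, effective immediately.
  withdraw(purposes = PURPOSES) {
    purposes.forEach((p) => this.consent.delete(p));
    this.sync();
  }
  // Reconcile running trackers with the consent record.
  sync() {
    for (const t of this.trackers) {
      const allowed = this.consent.has(t.purpose);
      if (allowed && !this.active.has(t.name)) {
        this.active.add(t.name); this.hooks.fire(t.name);
      } else if (!allowed && this.active.has(t.name)) {
        this.active.delete(t.name); this.hooks.clear(t.name);
      }
    }
  }
  firing() { return [...this.active].sort(); }
}

// Constructed registry mirroring the cookie categories described earlier.
const TRACKERS = [{ name: "lang-pref", purpose: "preferences" },
  { name: "analytics-tag", purpose: "analytics" }, { name: "ad-pixel", purpose: "advertising" }];
// Walk one visitor through load -> browse -> accept analytics -> withdraw all.
function demo(regime) {
  const gate = new ConsentGate(regime, TRACKERS, { fire() {}, clear() {} });
  gate.pageLoad();
  gate.userBrowses();
  const beforeChoice = gate.firing();
  gate.accept(["analytics"]);
  const afterAnalytics = gate.firing();
  gate.withdraw();
  return { beforeChoice, afterAnalytics, afterWithdraw: gate.firing() };
}
```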
How to Comply with the Website Tracking Legal Requirements?
To comply with the website tracking legal requirements, whether it is GDPR, LGPD, PIPEDA, CCPA, or any other requirements, you need to determine:
- What data protection laws apply to your business,
- What are the requirements set out in those laws, and
- What are the solutions to those requirements.
Since website tracking is automated, you can control it only by automated means. Cookie consent solutions, such as Secure Privacy, are all you need to control how your website tracks visitors. If you have control over the tracking, you will comply easily.
Secure Privacy’s solutions for website tracking compliance have the legal requirements of the GDPR, CCPA, LGPD, and other laws built into the software. They are designed to ensure compliant tracking with a few clicks.
How Secure Privacy Ensures Compliant Website Tracking?
The Secure Privacy solution gives you control over the tracking. If you need to wait until the user opts in, it won’t release cookies before obtaining valid consent.
If you owe your users only the right to opt-out of processing, it will show them the privacy notice and fire the cookies at the very same moment.
For compliant website tracking, it is essential to set two things properly:
- At what moment you fire cookies and other trackers, and
- The purposes of tracking and data processing.
If you have set this up properly, website tracking compliance will be easy to achieve and maintain. If you want to try it yourself, find the best plan for your organization and sign up here for a free trial. Contact us today.