James Crooke, Rawnet's Technical Director, explores the impact killing third party cookies will have on Google Analytics.
 

Big news - Google has revealed plans to block third-party cookies across its Chrome browser by 2022.  Privacy is the fundamental reason behind it.

Users are demanding greater privacy - including transparency, choice and control over how their data is used - and it's clear the web ecosystem needs to evolve to meet these increasing demands.

 

Justin Schuh Director of Chrome EngineeringGoogle

While modern web browsers have allowed the user to disable third-party cookies for some time, Google’s announcement suggests Chrome will completely block third-party cookies in 2022 and Firefox, Safari et al. are all likely to follow suit given the technical changes involved. 

If you didn’t already know by now, it’s widespread for a website to put at least one or, in fact, as many as they want, harmless files on your computer, known as cookies.  Cookies might store information about your browsing session, what you looked at, your viewing preferences, what’s in your basket, etc.  Some websites use these solely to remember you when you go to make a return visit so that, for example, you don’t have to sign in again. Cookies that are set by and read by the website are classed as first-party cookies, and they’re a great way to make the UX more convenient.

On the other hand, third-party cookies are cookies set by a website other than the one you are currently on. For example, a website might have some JavaScript code to render a Facebook “Share” or “Like” button.  The code, written by Facebook, will do the rendering and, and some might say sneakily, store a cookie on the visitor's computer. Facebook can later access that cookie to identify the visitor and, rightly or wrongly, see which websites they visited across the web - like a network of nanny cams.

Funnily enough, the most habitual third party cookie setter is Google, specifically their  Google Analytics service, which website owners use to track their visitor's activity; such as session duration, browser usage, user origin, bounce rate, etc. of individuals using the site, along with the information on the source of the traffic.  

According to W3Techs, at the time of writing, Google Analytics is being used by 55.2% of all websites on the internet - which is quite ironic, given Google’s plans to block third-party cookies.  Google Analytics is a huge revenue generator for Google, so are they shooting themselves in the foot? 

Chrome's director of engineering, Justin Schuh, said Google intends to phase out support for third-party cookies "within two years." - does that timeframe give their Analytics division ample time to come up with a cookie-less tracking alternative, maybe using a server-side alternative or browser-fingerprint instead?  Time will tell, but Google is very much in control of how it will play out. 

Let’s be clear; Google Analytics isn’t really what sparked the debate on cookie privacy.  The discussion about online advertising and privacy revolves around cookies because they’re what support many predatory advertising models today, i.e. websites that let “adtech companies” put their own third-party cookies on the site that they then use to track you across other websites.

Despite what you might have been told by your tinfoil hat-wearing Aunt, Facebook doesn’t listen in on your conversations - they know that you’ve been on PetsAtHome.co.uk searching for dog food, which is why Pedigree Chum adverts show up on your Instagram timeline now - it’s all done using third-party cookies - and it’s these cookies that have raised privacy concerns for several years.

So we all get the “Big Brother-Esque cookie tracking me across the Internet” issue is a privacy concern. We most likely all agree it’d be a good idea to let people opt-out of that at the browser level, but Google Analytics, while also dropping those third-party cookies like they're hot, isn’t exactly doing any harm to users’ privacy; especially if it’s been implemented with IP address anonymisation.

The Information Commissioner's Office (ICO) in the United Kingdom, a public body which reports directly to Parliament, having previously said and demonstrated that it’s OK to have third party cookies and track users as long as you “warn them”, have recently changed their own (minds, again, and) cookie policy. Hence, all third party and/or unnecessary cookies are opt-out by default. Case in point, they now turn off Google Analytics by default and are saying you need to do the same.

Myth 2: Analytics cookies are strictly necessary so we do not need consent

Fact: While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.

 

The ICO

In my opinion, the ICO are somewhat undervaluing services such as Google Analytics, focusing on it from a single user's perspective, rather than thinking of how Analytics can improve the service of the website, or how/what the best way to present information or products to the users should be through A/B testing etc.. As such, Analytics could be argued to be essential for the delivery of a service and therefore don’t require consent under the "Cookie law".

At the very least, anonymised analytics are vital to running a successful website. From a developer's point of view, we use them to deliver the best experience, including resolving dead links (404 errors) and seeing where users don't do what you expected them to (edge cases) - all very important for Search Engine Optimisation (SEO).  By anonymising and aggregating the data before using it, we take all the necessary safeguards for privacy.

This data can also be used for service improvement like sales funnels, but when properly anonymised and aggregated, they are not "personal data" as defined under the GDPR. Therefore, the data would also fall out-of-scope from the Cookie law, with the caveat that you have to argue that the cookie is functional.

The legal boundaries exist, but the ICO offers just one opinionated interpretation. While the use of analytics doesn't benefit a single visitor directly, it does impact the group as a whole. Rather than advocating the use of non-personal data in analytics, they take a polarising position defending a single-time visitor's narrow viewpoint.

We get asked all the time what we think of the “Cookie law” and what we recommend - it’s tough to give a straight answer when the ICO themselves can’t make up their mind, and the Cookie law is complex and somewhat open to interpretation.  The main bone of contention for our clients is, “should we be using Google Analytics without the users' consent?” - as explained above; it depends on your interpretation of “necessity” really.

Currently, what are the alternatives to using Google Analytics - or any cookie-based tracking analytics for that matter?  It would seem server-side analytics are the way to go if you want to follow the ICO’s guidance to the letter. In fairness, server-side analytics software has come a long way since the days of Webalizer and AWStats - and maybe this is the way Google Analytics will go to get around their own cookie block?