Tracking unique visitors without cookies(inmargin.io)
inmargin.io
Tracking unique visitors without cookies
https://inmargin.io/blog/tracking-unique-visitors-without-cookies
18 comments
What if we just don't track people? Crazy idea, I know...
I'm sure someone in the ad industry will tell you that the internet is powered by ad revenue, it's what keeps it free and open, what makes services better.
I thought the internet was powered by paying your ISPs bill
It's powered by paying your ISPs bills as much as the restaurant bill is paid by what you spent in car/public-transport commute to the restaurant.
"The Internet" is paid for by my ISP bills. "Websites" are paid for by advertising people trying to track my every move when they don't need to
I'm not in the advertising business, but people want free shit and don't want to pay for it. How do you suggest it get paid for if not advertising?
There are other business models, it depends on what you're building. For a while almost everything coming out of SV was destined to be advertising real estate. Now I think there's more interesting businesses going on. We'll keep strip mining attention to push plastic trinkets into container ships, certainly. Probably no stopping that.
For plastic trinkets, at least 3D printing has this recycliability to it. PLA-only prints can be broken down into PLA filament with the right machinery. It's not home desktop machinery, but the theory is there.
Does advertising absolutely need to track people? Advertising existed for a long time without having to know exactly who would look at the ad
Constant tracking isn't necessary for advertising, it's a choice. So is hiding the extent of this tracking from the user. If the user doesn't understand the full scope and impact of the "payment" then the business model is akin to loansharking. Those people also take the deal without realizing it will cost them a finger.
How many fields obscure the form of payment, the amounts, the methods when you purchase a good or service? You're oversimplifying and glossing over the real issues.
If it was as simple as "you must pay" and nothing else mattered, then any form of payment would be justifiable.
How many fields obscure the form of payment, the amounts, the methods when you purchase a good or service? You're oversimplifying and glossing over the real issues.
If it was as simple as "you must pay" and nothing else mattered, then any form of payment would be justifiable.
For tracking uniques, why can’t we just set a “first_visit=false” cookie if not present on first request? The number of new unique users is then the number of requests that came in without that cookie in whatever time window. Expiration timeline left as an exercise for the reader (month, week, whatever).
This zero-entropy cookie cannot be linked to a specific person and would not require consent under any privacy law I think.
This zero-entropy cookie cannot be linked to a specific person and would not require consent under any privacy law I think.
I think the blog author is misinformed about the session id? If you use that for marketing purposes, you need cookie prompt. The GDRP says only necassary cookies, if you also reuse the login cookies for purposes. It's not longer necassary right?
Otherwise it'd be so blatant loophole, you can only use cookies for their intended purposes and not reuse for them other purposes. I remember some details when i needed a way to prioritize user traffic via cookies, since lots malicous traffic dont have cookie storage, as long i didnt retain the cookie ID used for load balancing, as all information would be lost on reboot of haproxy process. I didnt need cookie prompt, but if i also used that for other purposes like visitor tracking, then I'd need cookie prompt even before setting the cookie.
Im not lawyer, but thats how I understood.
Otherwise it'd be so blatant loophole, you can only use cookies for their intended purposes and not reuse for them other purposes. I remember some details when i needed a way to prioritize user traffic via cookies, since lots malicous traffic dont have cookie storage, as long i didnt retain the cookie ID used for load balancing, as all information would be lost on reboot of haproxy process. I didnt need cookie prompt, but if i also used that for other purposes like visitor tracking, then I'd need cookie prompt even before setting the cookie.
Im not lawyer, but thats how I understood.
Same thing I was thinking. I personally don't track unique visitors on my blog, just random sessions where you can't identify unique users, which allows me to not show a banner. If I were to use this technique I'd have to show a banner
Next up: Stabbing people without a knife.
If you are tracking people without a lawful basis (e.g. consent), you are violating the GDPR. It doesn't matter if you use cookies. (The article does mention this towards the end.)
If you are tracking people without a lawful basis (e.g. consent), you are violating the GDPR. It doesn't matter if you use cookies. (The article does mention this towards the end.)
It's not (just) GDPR and TFA mentions that as soon as they move on from Cookies, ie point 2 on local storage:
"This buys you nothing. Article 5(3) of the ePrivacy Directive".
They clearly have a product to sell but the article seems balanced and offers a good list of commonly used/proposed techniques that are not quite compliant.
As you alluded, there're more lawful basis than consent, one of most common ones being technical necessity to mitigate abuse.
"This buys you nothing. Article 5(3) of the ePrivacy Directive".
They clearly have a product to sell but the article seems balanced and offers a good list of commonly used/proposed techniques that are not quite compliant.
As you alluded, there're more lawful basis than consent, one of most common ones being technical necessity to mitigate abuse.
Right, but even if you have a lawful basis for processing the data to collect aggregate statistics (which the article mentions), the GDPR still doesn't allow you to process the data for unrelated purposes such as advertising, which is usually what cookie banners are about. If you're using cookies strictly to implement the expected functionality of the service, there's no problem to begin with - you don't need any banners in that case.