Recent laws like
the European GDPR, the ePrivacy Directive, California’s CCPA and the upcoming
ePrivacy Regulations nudged browsers to join the cause of protecting user privacy.
With Safari ITP
and Firefox ETP leading the efforts, and Google recently joining, internet giants
are hard at work to come up with a uniform legal framework setup.
For businesses
using A/B testing tools and personalization who want to extend the time they
show a personalization or variation to the same person — for example, upwards
of 7 days — the best solution is moving to DNS over HTTP(s), also called a
CNAME setup, to set first-party cookies.
This is a controversial move. Read on (or watch the video below) to see why we recommend it and how you can use it (or not) properly.
What Do Browsers, Europe and the CCPA Want for Users?
In Europe,
setting cookies (even for analytics, A/B testing or personalization purposes)
without consent is a questionable practice, since some
of them contain personal data and that’s a BIG issue.
Browsers like
Safari and Firefox (and to a lesser extent, Chrome) also want to protect their
users from these types of cookies, which are used to build users’ profiles and
buying interests. This information will then be sold and used to target users
on other sites. The ad seller will make a higher profit on an ad placement with
verified intent vs on a plain ad impression. Ad industry leaders understand
that the way forward is less tracking and more ad placements that match user
intent on the page (by using content ad matching).
This shift is
significantly changing the online ad industry. We now have companies reach out with requests like:
“change your DNS for CNAME in this 2-minute job and we continue business as
usual”.
This practice
introduced the term CNAME Cloaking
and BAM, we are entering the dark side of the useful CNAME function. Ad
networks can hide behind a company subdomain and keep collecting personal
information and building profiles for higher ad revenue.
This is exactly
what browsers and European laws are trying to prevent.
Let’s talk about
the idea behind these laws and the browser technologies that are rolling out.
They are meant to offer transparency to website visitors and have them
explicitly agree to requests. They are also meant to prevent hidden data
collection and the creation of personalized profiles without the users being
aware of it.
The web is slowly
becoming a creepy place where a few large players know more about you than your
life partner.
Stop doing that! You need to stop giving ad networks so much access to your users’ data. Period!
Technology Hack or Permanent Battle?
You may see this
as a cat and mouse technology game that you can win, but all you’re doing is
postponing the inevitable.
In doing so, you
are limiting your other marketing efforts that are still considered safe.
Browsers or
privacy laws don’t want you to lose your conversion as a marketer once you are
shown an ad (even if it’s a month from now). They don’t mind you using a
universal login for multiple sites or using anonymous analytics on your site to
measure the impact. They mind, however, that you (or your provider, Google or
Facebook) snuck in tracking scripts everywhere to build user profiles at the
same time. Users wanted to log in, not share that they logged in with Facebook
and now would be pushed to +1 some ad category that had their interest. If you
do that, they will cut you off, but new initiatives will help you collect that
conversion (read on…)
WebKit, the organization behind ITP in Safari, explains this in its Tracking Prevention Policy:
There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be an unintended impact. These practices include:
• Funding websites using targeted or personalized advertising (see Private Click Measurement below).
• Measuring the effectiveness of advertising.
• Federated login using a third-party login provider.
• Single sign-on to multiple websites controlled by the same organization.
• Embedded media that uses the user’s identity to respect their preferences.
• “Like” buttons, federated comments, or other social widgets.
• Fraud prevention.
• Bot detection.
• Improving the security of client authentication.
• Analytics in the scope of a single website.
• Audience measurement.
When faced with a tradeoff, we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.
However, we will try to limit the unintended impact. We may alter tracking prevention methods to permit certain use cases, particularly when greater strictness would harm the user experience. In other cases, we will design and implement new web technologies to re-enable these practices without reintroducing tracking capabilities. Examples of these include Storage Access API and Private Click Measurement.
I’m sure other
browsers share this idea.
Although their technology and speed of implementation might reflect their politics and vision, they are all working towards increasing transparency and user opt-in in one way or another. A useful tool to track all their efforts is Cookie Status by Simo Ahava.
CNAME as a Temporary Solution
When you use services like CookieSaver and TraceDock,
which pretend to give you back “business as usual” and focus on
what you “think you’re missing”, you
might miss the logic behind the new privacy laws and browser changes.
But to be clear: some cookies you should keep off CNAME! It’s a new world where people choose if they want to give up all their privacy for comfort and opt-in and log-in. You can’t keep taking privacy away from people to meet your business goals. You cannot be that selfish anymore. You need to trust that by doing the right thing, your business will grow. Trust and measure…
Browsers like
Chrome and Safari are working on initiatives that will give you access to
personalized user information that the user approved. Some personalization will
be possible based on those (they’re still two years away).
Chrome and Webkit
(Safari) are working on technologies that allow you to get the ad conversions
back using an API. This means you’ll be able to keep doing some attribution and
even track conversions 3-60 days from the impression day.
The problem with
this is that the privacy laws are enforced now, while these alternatives are
not yet available.
Just because
CNAME may be an option right now to extend the tracking of ad networks and
allow them to build personal profiles, it does not make it a viable long-term
solution.
It’s the browsers’ intention to protect users from this. If you extend the life of cookies that allow building profiles of users on your site and retarget them elsewhere, or even worse, build user profiles and sell them… that is when browsers and third parties will start building blocking lists for such dubious networks.
You should stop supporting any system that builds
personal profiles outside of your domain. This is what users, browsers and
privacy laws want. It’s what will bite you if you don’t. Be sure someone will expose your brand for doing this.
This practice
could also add a security risk to your website.
When you move ad
trackers that have a third-party cookie to a first-party cookie using CNAME,
this adds the risk that their scripts can read the authentication and login
cookies of your users.
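To make this risk checkable on your own site, the sketch below (an added example, not part of the original article or of any vendor's code) follows each subdomain's CNAME chain and lists which first-party cookies a browser would attach to requests for hosts that resolve outside your domain, and therefore hand to the vendor's servers. The hostnames, DNS records and Set-Cookie headers are constructed, and `auditCnames` and its helpers are hypothetical names.

```javascript
// Added example; all hostnames, records and cookies below are constructed.
const CNAMES = {                       // name -> CNAME target (absent = terminal)
  "www.example.com": "example.com",
  "ab.example.com": "cust42.abtest-vendor.example",
  "metrics.example.com": "edge.example.com",
  "edge.example.com": "collect.adnet.example",
};
const SET_COOKIES = [                  // as set by www.example.com
  "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly",
  "__Host-auth=def456; Path=/; Secure; HttpOnly",
  "cart=xyz; Path=/",
  "_ab_variant=B; Domain=.example.com; Path=/",
];
const inDomain = (host, domain) => host === domain || host.endsWith("." + domain);

// Follow the CNAME chain to its terminal name, refusing loops and long chains.
function resolveChain(name, records, maxHops = 8) {
  const chain = [name];
  while (records[chain[chain.length - 1]] !== undefined) {
    const next = records[chain[chain.length - 1]];
    if (chain.includes(next) || chain.length > maxHops) throw new Error("bad CNAME chain: " + name);
    chain.push(next);
  }
  return chain;
}

// Keep only what decides where the cookie is sent: its name and Domain attribute.
function parseSetCookie(header, setByHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), domain: null, setByHost };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (key.toLowerCase() === "domain" && value) cookie.domain = value.replace(/^\./, "").toLowerCase();
  }
  return cookie;
}

// RFC 6265: no Domain attribute -> host-only; otherwise any matching subdomain.
// HttpOnly hides a cookie from scripts but does not stop it being sent. Path/Secure ignored here.
const sentTo = (c, host) => (c.domain ? inDomain(host, c.domain) : host === c.setByHost);

function auditCnames(site, records, setCookies, setByHost) {
  const cookies = setCookies.map((h) => parseSetCookie(h, setByHost));
  return Object.keys(records)
    .filter((name) => inDomain(name, site))
    .map((name) => ({ host: name, target: resolveChain(name, records).pop() }))
    .filter((e) => !inDomain(e.target, site))          // chain leaves the first-party domain
    .map((e) => ({ ...e, receives: cookies.filter((c) => sentTo(c, e.host)).map((c) => c.name) }));
}
console.log(JSON.stringify(auditCnames("example.com", CNAMES, SET_COOKIES, "www.example.com"), null, 2));
```

In this constructed data the `session` cookie reaches both vendors because it was set with `Domain=example.com`, while the host-only `__Host-auth` and `cart` cookies stay on `www.example.com`.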
Most articles
about CNAME Cloaking focus on ad systems building profiles on users. We would
like to distance ourselves from this practice.
A/B testing and personalization tools have had first-party cookies for years. They have already been able to manipulate the entire site and login systems as part of the system they have. For those types of tools, nothing changes using CNAMEs except the experiences could be consistent for 30-60 days instead of 7 days.
Europe is working
on its latest drafts of the ePrivacy Regulations, which allow placing cookies
for analytics and website optimization. This sends a clear signal that, from
now on, only essential cookies (such as those storing login sessions or products in
shopping carts), along with analytics and A/B testing for the benefit of the user,
will be allowed.
On 8 November
2019, the Finnish government issued a revised proposal for the ePrivacy Regulation
with some amendments.
Gaming Tech Law sums it up as:
The use of cookies (and similar files/tags) requires consent in general. However, the ePrivacy Regulation provides for numerous exemptions, including both already familiar exemptions (cookies necessary for communication or technical reasons) as well as new exemptions such as (certain forms of) analytics, security (incl. fraud prevention), software updates and execution of employees’ tasks as well as the further exemptions listed above.
For A/B testing purposes, you most likely don’t need consent and can place cookies without problem, as the latest draft of the ePrivacy Regulations (Nov 2019) states in article 21a:
Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example of website design and advertising or by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site, which always requires the consent of the end-user.
The ePrivacy Regulations draft focuses on the idea that tracking and analytics are allowed without consent, as long as they’re not used to build user profiles, as mentioned in article 17AA:
As end-users attach great value to the confidentiality of their communications, including their physical movements, such data cannot be used to determine the nature or characteristics of an end-user or to build a profile of an end-user, in order to, for example, avoid that the data is used for segmentation purposes, to monitor the behavior of a specific end-user or to draw conclusions concerning the private life of an end-user. For the same reason, the end-user must be provided with information about these processing activities taking place and given the right to object to such processing.
What will the
final draft say?
We will have to wait for the final version of the Regulations and then for national laws to really start discussing the guidelines more in-depth. But the current ePrivacy Directive gives good hope for A/B testing. Paul Schmitt pointed out to me that even though the ICO (the UK privacy authority) and the CNIL (the French privacy authority) regulated that cookies for A/B testing and analytics needed consent, the CNIL’s latest guidelines (in French) from GitHub say otherwise. Here’s a translation:
Benefit from the exemption from consent, subject to a certain number of conditions, cookies used for audience measurement are exempt from consent. These conditions, as specified in the guidelines on cookies and other trackers, are (1) inform users of their use; (2) to give them the power to oppose it; (3) to limit the system to the following purposes only: audience measurement and A/B testing.
To summarize, both browsers and the privacy laws want the same thing. They are not here to stop your efforts to analyze users (on your site) or to do A/B testing to improve and optimize user experience.
No Cookies… Let’s Use Fingerprinting
Fingerprinting
means building a unique identifier by combining multiple properties that by
themselves are not unique to you, bypassing browser restrictions on cookies,
and even being able to track you across devices (it’s something cookies can’t
do).
Some of these
properties are your IP address, your operating system version, your browser
version, your computer language, your time, the size of your screen, the pixel
density of your screen, how fast your computer is, and the list goes on and on.
You may consider not using cookies at all for specific techniques. However, this does not mean you can forgo transparency and privacy concerns by hiding what you do to individual visitors server-side or on the CDN edge. That is one reason we promote absolute transparency on testing and personalization efforts that are running on our site.
You might set up A/B testing on the edge without cookies (on Fastly),
but that isn’t transparent and can be frowned upon. Browsers are limiting the
information you are getting to make a hashed/unique experience for someone.
ePrivacy Regulations are clear — they allow no fingerprinting. Browsers and the privacy authorities will fight you even harder over fingerprinting than they would over cookies. Don’t go there.
More Transparency, not Less
Convert
Experiences is our A/B testing and personalization tool. It doesn’t allow
building user profiles using personal data by default.
We aggregate data
in reports and send warnings when segments become so small that they make users
identifiable or when we suspect personal data was added in fields where it
should not be.
Our tool is often
used by brands that care about compliance with all privacy laws worldwide. We
offer options where website owners can share a link or shortcut key to be
transparent about what experiences run on the website and what experiences
users are in.
We encourage our customers to build experiences that improve user experience and optimize the flow.
If you want to
build a better world, make forms better
and shorter. Browsers, users and the privacy laws support you on that. What
they won’t support is an A/B test where you snuck in an upsell checked by
default. Improve your properties and then there will be no problem being
transparent about it. A/B testing benefits
users and can be good for business, because you offer the best online
experiences.
So when you
install CNAME for your A/B testing tool, make sure your tool is not building
user profiles. Don’t use identifiers like gender, age, race and religion to
target (some tools – not ours – offer that). Don’t go there, it’s not worth it
and nobody wants this anymore.
Set up a CNAME for tools you trust. Don’t let them funnel information about your visitors to third-party sites and locations. You and you alone are responsible for what these tools store and do with the data. You can look at each tool and the tons of snippets they lift with the tool (you can use Collision — see image below). Set up a CNAME only for a company where you have a signed DPA (Data Processing Agreement) — find ours here.
Now what?
I laid out all I
know about CNAME in this post — hope you found it useful and it shed some light
on this complicated topic.
Feel free to connect to me on LinkedIn or read
how we completely shifted towards a privacy focus
in 2018.
Look at how we deal with Privacy Shield, SCC, CCPA and our general efforts in this space.
I hope this
article made it clear how you can use CNAME in your efforts to extend your A/B
testing experiments from 7 to 30 days. Don’t buy CNAME tools that extend the
life of ad-cookies that build user-profiles, please.
Take a free trial of our A/B testing software, if you’d like to see how a privacy-conscious tool runs. We (just like the ePrivacy Regulations) are convinced A/B testing is a positive method that can help validate businesses’ efforts in providing a better experience for users and not exploiting them.