Skip to main content
Blog » Latest Articles
Jun 26, 2024 Aksel Sabah

2024 Web Analytics: Privacy-Centric Browsers and Technologies

In the world of web analytics, there is a low-hanging fruit that has not caught everyone’s eye yet, and that is how browsers themselves are responding to the world of digital analytics vendors & technologies, which may even have little-to-no privacy benefits ranging to also vendors who place privacy on their top stop.

Apple’s Intelligent Tracking Prevention (A long player may be said) and a newly growing Privacy Sandbox initiative which still pends Q1 2025 to fully be in effect. In this blog, we will cover;

 

We enter an era of no 3rd party cookies, but before we enter into the discussion with Google’s Privacy Sandbox initiative and Apple’s Intelligent Tracking Prevention, there are some web practices that should already be adopted by a website owner, especially, for those in the GDPR and CCPA region and to those countries where privacy initiatives are in speed:

  • Obtain User Consent: Be transparent about data collection practices and obtain informed consent from users. This can be achieved through clear privacy policies and user-friendly consent banners. Do not bury consent options in legalese!
  • Understand the current web environment: The current web environment is in flux, with increasing privacy regulations and browser limitations challenging traditional website tracking methods. As we list all the facts that need to be known to build privacy-conscious tracking, we will talk more about Apple’s tracking prevention adventure and the newly buzzing Privacy Sandbox initiative.

  • Embrace Consent Management Platforms (CMPs): Consider integrating a CMP to manage user consent preferences across different tracking purposes (e.g., analytics, advertising). This allows users to have granular control over their data and fosters trust with your audience. Popular vendors include but are not limited to OneTrust, TrustArc, Cookielaw…

  • Do not believe the future of tracking is “cookieless”: No matter how many articles are read on the Internet, we are not leaving first-party set cookies alone and dry, it is only the third-party cookies that suffer a major blow. “Cookieless” tracking may be partially true but not an overall practice.

The tide has been turning for some time now. While the complete phase-out of third-party cookies with Google's Privacy Sandbox may not be in effect until Q1 2025, both Apple and Google have been releasing updates for years that chip away at traditional tracking methods.

Apple's Intelligent Tracking Prevention (ITP) has been progressively restricting third-party cookie functionality since its introduction in 2017. Similarly, Google's Privacy Sandbox has been evolving through various trials and iterations, foreshadowing the limitations we can expect in the coming year. This gradual rollout highlights the ongoing nature of the privacy battleground.

 

Apple ITP and Google Privacy Sandbox timeline

 

The rollout of these changes from Apple and Google seems to be directly linked to significant drops in campaign performance. Looking at your campaign data over the past two and a half years, there are sharp declines in effectiveness right after each new release. This has resulted in a situation where nearly half of the internet population is no longer available for targeting. It is surprising how silent everyone has been about these major changes. Agencies, publishers, even vendors – no one seems to be addressing the impact.

These changes are a big blow to campaigns that depend on borrowed data (3rd party data) and remind people about your stuff (re-targeting). Apple's Safari browser gave the cookie the boot after just a day, making it impossible to keep those reminders going. Currently, if you are paying to show ads to people who already visited your site, they are only seeing them on Chrome.

 

ITP Privacy Sandbox Browser privacy

To understand the impact of these changes on our most beloved web browsers, of course, our two favorite companies headline the change: Google with Privacy Sandbox, and Apple with Intelligent Tracking Prevention (ITP).

 

1. What is Privacy Sandbox?

In the past, website tracking relied heavily on third-party cookies that we gave consent from every website’s own consent banner. These cookies followed users across the web, allowing advertisers to build detailed profiles and target them with highly specific ads. However, this raised privacy concerns as we all know now.

The Topics API aims to replace this intrusive tracking method. Instead of cookies tracking individual users, Topics categorizes users into broad interest groups based on their recent browsing history.

Websites can then target advertising based on these groups, delivering relevant ads without revealing a user's specific browsing behavior. This offers a balance between user privacy and relevant advertising.

Here are some new features that developers of the ad platforms and website owners might be interested in, such as what Google calls "Private Advertising” APIs.

 

“Private Advertising” APIs

  • Topics API: The Topics API has completed the public discussion phase and is currently available to 99 percent of users, scaling up to 100 percent. It is likely Topics will be a key feature in a future Chrome update, later in late 2024 or even 2025.

  • Protected Audience API: This API facilitates remarketing and building custom audiences without relying on third-party cross-site tracking. This means you can still target users who have previously interacted with your website but in a more privacy-focused way.

  • Attribution Reporting API: This API allows you to measure the effectiveness of your ads without relying on cross-site tracking from third parties. This helps you understand how your ads are performing while protecting user privacy.

  • Private Aggregation API: This API enables the collection and analysis of data across different websites while keeping user information private. It allows for insights without revealing individual user details.

  • Aggregation Service: This service takes data collected by other APIs (Attribution and Private Aggregation) and combines it into a summarized report. This allows for analysis without revealing individual user details.

  • Shared Storage: This feature enables storing large amounts of data across different websites, but with privacy controls that restrict how the data can be accessed.

  • Bidding and Auction: This service moves calculations related to targeted advertising (Protected Audience) to a secure environment separate from the user's device. This protects user privacy while facilitating ad auctions.

  • SDK Runtime: This isolates software development kits (SDKs) used for advertising purposes, preventing them from interacting directly with the main app and potentially compromising user data.

 

Topics API of all gets all our attention, leaving our user identifications and placing us into topics:

Progress in the Privacy Sandbox (January/February 2022) | Google for Developers

 

Or the Attribution Reporting API, which in practice, sounds a lot like Apple’s SkAdNetwork (SKAN) for IOS apps, which we all know, disrupted IOS marketing to its core with IOS 14. Take a look here, a blog post from Julian Juenemann explaining what IOS14 had as an impact.

Here is what it claims:

The Attribution Reporting API gives access to different types of insights with two types of reports that can be sent to an advertiser or a third-party ad tech provider. These two types of reports can be used simultaneously and are complementary.

  • Event-level reports associate a particular ad click or view (on the ad side) with data on the conversion side. Conversion-side data is very limited, and the data is noised (meaning that for a small percentage of cases, random data is sent instead of real reports). This preserves user privacy by preventing the joining of user identity across sites. As an extra privacy protection, reports are sent with a delay.

  • Summary reports are not tied to a specific event on the ad side. These reports provide richer, higher-fidelity conversion data than event-level reports. A combination of privacy techniques helps reduce the risk of identity joining across sites.

At first glance, The Private Aggregation API shares many similarities with the Attribution Reporting API. Attribution Reporting is a standalone API designed to measure conversions, whereas Private Aggregation is built for cross-site measurements with APIs like the Protected Audience API and Shared Storage. Both APIs produce aggregatable reports that are consumed by the Aggregation Service back-end to generate summary reports.

Attribution Reporting associates' data gathered from an impression event and a conversion event, which happen at separate times. Private Aggregation measures a single, cross-site event.

The chrome://topics-internals page is available in Chrome on the desktop once you enable the Topics API. This displays topics for the current user, topics inferred for hostnames, and technical information about the API implementation. You can always also have the ability to opt out, which is nice, and very privately respected indeed.

As Google has now pushed out the release date for Privacy Sandbox from Q4 2024 to Q1 2025, the current timeline stands like this:

google-privacy-sandbox-timeline

 

 

How do we classify cookies in relation to Privacy Sandbox?

Launched in 2019, the Privacy Sandbox is an industry-wide effort led by Google to develop recent technologies that balance user privacy with the need for relevant advertising and content personalization. Here is a breakdown of its core objectives:

  • Phase Out Third-party Cookies: Similar to ITP, the Privacy Sandbox aims to phase out reliance on third-party cookies for tracking purposes. This aligns with growing user privacy concerns and stricter regulations like GDPR and CCPA.

  • Limit Covert Tracking: The initiative seeks to limit covert tracking methods that can compromise user privacy. This could involve fingerprinting techniques or other methods that create unique user profiles without explicit consent.

  • Partitioned Cookies: Partitioned cookies allow a site to mark that certain cookies should be keyed against the origin of the top-level frame. This means that if site A is embedded using an iframe in site B and site C, a partitioned cookie can have a different value in each. Do not use an iframe wherever possible still applies of course.

  • Strengthen Privacy on Both Web and Android: The Privacy Sandbox is not just for websites. Google is developing solutions for the Android platform as well, aiming to create a more privacy-focused mobile experience.


2. What is ITP?

As we have discussed what changes we will be expecting with Privacy Sandbox, ITP, or Intelligent Tracking Prevention, is Apple's multi-pronged approach to limiting website tracking within the Safari web browser.

It is a constantly evolving beast, so let us dissect its current effects on website tracking:

 

How do we classify cookies in relation to ITP?

Thankfully, ITP does not directly impact first-party cookies, which websites set on their own domain. These cookies are still functional for storing user preferences and session data within the specific website.

Here's where things get interesting. ITP enacts a two-tiered system for third-party cookies, significantly impacting website tracking capabilities:

  • 24-Hour Lifetime: For most websites, third-party cookies are now limited to a mere 24 hours. This severely restricts the ability to track user behavior across multiple browsing sessions. Imagine a user visiting a clothing website on Monday. By Tuesday, the third-party cookie used to track their browsing behavior (and potentially retarget them with ads) had crumbled to dust.

  • Seven-Day Exception: ITP offers a temporary reprieve for certain top-level domains (TLDs) associated with known website measurement companies. These TLDs currently enjoy a seven-day cookie lifespan. However, this exception list is subject to change, and Apple might tighten restrictions in the future.

 

Blocking Tracking Technologies: When a user activates private browsing mode in Safari, ITP throws up a virtual fortress. It actively blocks various tracking technologies commonly used by websites:

  • Third-party Cookies: As mentioned earlier, third-party cookies are blocked entirely in private browsing, effectively preventing any cross-site tracking attempts.

  • Tracking Pixels: These tiny, one-pixel images used to track user activity are also blocked by ITP in private browsing mode. This prevents websites from logging in to a user's visit and potentially building a profile based on their browsing habits. We all know well players such as the Facebook and LinkedIn pixels that might be eating up your privacy rights.

  • Local Storage and Session Storage: ITP also limits the functionality of Local Storage and Session Storage APIs in private browsing. These are methods websites use to store data locally on the user's device. While not completely blocked, ITP restricts what data can be stored and for how long, further hindering website tracking efforts.

 

Limiting Information Access: ITP makes it significantly more challenging for websites to track users across the web. Here is how:

  • Third-party Cookie Restrictions: As discussed earlier, the limited lifespan and potential blocking of third-party cookies significantly hamper attempts to track user behavior across different websites.

  • Blocking Fingerprinting: ITP also takes aim at fingerprinting, a technique where websites collect various browser and device details to create a unique user profile. ITP implements measures to limit the information websites can access, making fingerprinting less effective.

If you are wondering where in real life we can see hints of ITP, you might be familiar with the reference below:

Apple ITP notification privacy

 

ITP is constantly evolving. Apple regularly updates its privacy features, and future versions might introduce even stricter limitations on website tracking. As a website owner or marketer, staying informed about the latest ITP developments is crucial to adapting your data collection strategies and ensure compliance with user privacy expectations.

 

3. Server-side tagging through Google Tag Manager

We have established the limitations of traditional cookie-based tracking and the need for a privacy-centric approach. Enter server-side tagging, a game-changer in the world of web analytics.

But how does it work, and can you implement it yourself?

 

Demystifying server-side tagging

Instead of relying on browser-side scripts and cookies, server-side tagging leverages your server infrastructure to collect and manage user data. Here is the basic flow:

  1. User Visits Your Website: A user lands on your website as usual.

  2. Server-side Interaction: The user's browser communicates with your server, requesting the website content.

  3. Server Intercepts Request: Your server analyzes the request and identifies relevant user information (e.g., IP address, user agent). It can also access additional data stored on your server (e.g., user login information, past interactions).

  4. Server Fires Tags: Based on the collected data and pre-configured rules, your server triggers specific tracking tags. These tags can be from various analytics platforms or custom scripts designed for your specific needs.

  5. Data Sent to Analytics Platform: The server directly sends the collected data (often anonymized or aggregated) to your chosen analytics platform. Can be:
     
    1. Facebook
    2. Google
    3. Microsoft
    4. To your own unique BigQuery Project
    5. And any other server exchange you could dream of with a suitable API…

Benefits of server-side tagging

  • Bypassing Browser Restrictions: Server-side tagging works even when users have disabled cookies or ITP limitations are in place. This ensures you capture valuable data regardless of browser settings.

  • Enhanced Data Control: You have more control over the data collected on your server. You can decide what data to send to analytics platforms and anonymize or aggregate sensitive information to comply with regulations.

  • Improved Data Accuracy: Server-side tracking avoids limitations imposed by browsers on cookies and scripts. This can lead to more accurate and reliable data collection.

  • Flexibility for Complex Tracking: Server-side tagging allows for complex tracking scenarios using custom JavaScript code on your server. You can tailor data collection to your specific needs and website functionalities.

Setting up server-side tagging requires some technical expertise.

If you are ready to enhance your web analytics and privacy practices, we are here to help. Whether you need expert advice, tailored solutions, or want to explore how we can support your success, do not hesitate to reach out. Given the ever-evolving way of browsers, server-side is a hope to reach the next level of data collection in this new third-party cookie era.

 

4. What should we do as website owners and marketers?

Marketers need to stay ahead of these changes to keep their data collection and campaigns on point. With third-party cookies on their way out and privacy-focused tools like Apple’s Intelligent Tracking Prevention (ITP) and Google’s Privacy Sandbox coming in, it's time to adjust your strategies to stay effective and compliant.

Apple and Google's privacy updates have already caused a drop in campaign performance. If you're relying on third-party data and retargeting, it’s time to rethink your approach as these methods won't be as effective anymore.

Privacy regulations like GDPR and CCPA are getting stricter, so aligning your practices with these laws is more important than ever. Using Consent Management Platforms (CMPs) and getting clear consent from users can help build trust and keep you compliant.

Even though third-party cookies are being phased out, first-party cookies are still good to go. By using server-side tagging and other privacy-focused tracking methods, you can keep your data accurate and respect user privacy.

New tools like Google’s Topics, Protected Audience, and Attribution Reporting APIs offer fresh ways to target and measure ad effectiveness without compromising privacy. Marketers should get to know these technologies to stay ahead. Not relevant to the web, even though Apple is making headways in IOS with Ad Attribution Kit moving forward too. Privacy Sandbox is set to be introduced to Android apps as well.

To conclude, the way we track website visitors is changing. Browser updates like Apple's ITP and Google's Privacy Sandbox are making it tougher to rely on third-party cookies. This means marketers have to adapt.

Focus on what you can control, like first-party cookies and server-side tagging. New tools from Google aim to target users and measure ad success in a privacy-friendly way. Embrace change, learn about these innovative technologies, and your campaigns will keep on cruising. By respecting user privacy, you can still get valuable data and keep your marketing on point.

Published by Aksel Sabah June 26, 2024
Aksel Sabah