Done with Cookie Banners? Matomo: Cookieless Tracking Without Consent
Since the beginning of 2020, the cookie banner has belonged to the internet like the chocolate biscuit to the claws of the Cookie Monster. Now the open-source web analytics platform Matomo has recently started promising to offer basic tracking without a banner. A serious alternative?
On May 28th of 2020, the Federal Court of Justice tightened up the General Data Protection Regulation once again. The basic principle of the regulation is "privacy by default" - in case of doubt, the more data protection-friendly variant applies. This did not stop the lottery provider Planet49 from offering technically unnecessary cookies pre-selected in the cookie banner. "Can't be done" - the Federal Court of Justice unsurprisingly stated - the ruling follows earlier bans on pre-filled checkboxes, such as when co-ordering newsletters in forms.
For all those who market their content with advertising tailored to user interests, the ruling caused great frustration. Since then, the strategy seems to be to make the alternative to "Accept all cookies" in the cookie banner as complex and confusing as possible in order to obtain the business-critical consent to advertising tracking. As a result, users are also increasingly annoyed by the collection of setting options.
Those who do not need to earn money with their content, but simply want to know how the website is being used, are caught between two fronts. Until now, a cookie was set whenever a user-analytics solution was used. This made it possible to efficiently filter out bot traffic, to attribute different visits to different marketing measures, or to track how visitors move through the site. It didn't matter whether one used Google's Analytics service (where the analysis data is processed centrally in Google's data centres) or an open-source tool like Matomo (where the data is stored decentrally on one's own or a rented server). Cookies are actually a neat solution: as personal data they are relatively easy to control, if only because users can manage them themselves, since they are stored on their own computers. But that is precisely what makes them personal. Tracking cookies are not technically necessary, and their use is not predominantly in the interest of the users. In this respect, it is relatively undisputed that consent is required for such cookies, obtained with the help of increasingly elaborate cookie banners.
Browser Fingerprints Instead of Cookies
What few know: Matomo offers an alternative method that can be used to collect basic visitor metrics without cookies. We are talking about browser fingerprinting or device fingerprinting. Every time a user visits a website running a web analytics programme, the programme records, through an embedded JavaScript snippet, various features of their browser, such as the operating system, the language or the installed fonts, which the browser transmits unasked on every page load. From these characteristics, which taken together are sufficiently unique to form a fingerprint of the user, the analytics programme calculates a visit ID. This allows Matomo to recognise the same browser on each subsequent visit. These visit IDs are not stored in the visitor's browser like a cookie, but on the server, and can therefore be matched to further visits with the same profile, but no longer directly to a person. The IDs are also deleted regularly, after one day at the latest.
And you don't need consent for that?
Yes and no. Of course, the browser fingerprint method can be configured in different ways. Among other things, IP addresses should be truncated to three quarters or, better, half of their length so that no personal data is collected, and visit IDs should be deleted after a maximum of 24 hours. According to Matomo, if certain recommendations are followed, the use of its user analysis does not actually require consent. This view is shared, among others, by none other than the Federation of German Consumer Organisations, as can be seen from their data protection statement. They should know: after all, they were the successful plaintiffs in the aforementioned ruling against Planet49.
This assessment is also indirectly confirmed by the State Data Protection Commissioner of Baden-Württemberg in his Tracking FAQ. There it is emphasised that, above all, the analysis of data across provider boundaries must be prevented. Matomo automatically includes the website address in the calculation of the visit ID, so that it is technically impossible to track usage behaviour across different websites. Therefore, it should not be a problem if you do not set up a Matomo server for each website individually, but rather use one installation of the analysis software for several websites, as we do.
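The three properties described above (a visit ID derived from browser characteristics and the website address, stored only on the server and discarded after one day, together with IP truncation) can be illustrated with a small simulation. The following is an added example written for this article; it is not Matomo's own code and does not reproduce Matomo's actual hashing or its configuration options. The browser characteristics, the salt and the site names are constructed values, and the function and class names are our own.

```python
import hashlib
import ipaddress
from datetime import date, timedelta

# Constructed browser characteristics (not real traffic) of the kind the article
# says the browser transmits on every page load.
SAMPLE_BROWSER = {
    "os": "Linux",
    "language": "de-DE",
    "fonts": "DejaVu Sans,Liberation Serif,Noto Sans",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0",
}
# Placeholder secret: a real deployment keeps this on the server and rotates it.
SERVER_SALT = "example-salt-rotate-me"


def truncate_ip(ip: str, keep_bytes: int = 2) -> str:
    """Keep only the leading `keep_bytes` of an IPv4 address (3 = three quarters,
    2 = half, as the article recommends) and zero the rest. For IPv6 the same
    fraction of the 128-bit address is kept."""
    addr = ipaddress.ip_address(ip)
    if not 0 <= keep_bytes <= 4:
        raise ValueError("keep_bytes must be between 0 and 4")
    prefix_bits = keep_bytes * (8 if addr.version == 4 else 32)
    network = ipaddress.ip_network(f"{addr}/{prefix_bits}", strict=False)
    return str(network.network_address)


def visit_id(browser: dict, site: str, day: date, salt: str = SERVER_SALT) -> str:
    """Derive a visit ID that is stable for one browser on one site for one day.
    The site name makes the ID useless across websites; the date rotates it daily;
    the server salt prevents anyone without it from recomputing the ID."""
    parts = [site, day.isoformat(), salt]
    parts += [f"{key}={browser[key]}" for key in sorted(browser)]
    digest = hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()
    return digest[:16]


class VisitStore:
    """Server-side store of visit IDs. Nothing is written to the visitor's browser,
    and entries older than one day are purged, so a returning visitor gets a new ID."""

    def __init__(self):
        self._last_seen = {}  # visit id -> date of the last recorded hit

    def record(self, browser: dict, site: str, client_ip: str, today: date):
        """Register a hit; returns (visit id, whether this starts a new visit, truncated IP)."""
        vid = visit_id(browser, site, today)
        new_visit = vid not in self._last_seen
        self._last_seen[vid] = today
        return vid, new_visit, truncate_ip(client_ip)

    def purge(self, today: date) -> int:
        """Drop every ID last seen a day or more ago; returns how many were removed."""
        expired = [v for v, d in self._last_seen.items() if today - d >= timedelta(days=1)]
        for v in expired:
            del self._last_seen[v]
        return len(expired)

    def __len__(self) -> int:
        return len(self._last_seen)


if __name__ == "__main__":
    store = VisitStore()
    day = date(2021, 7, 1)
    first = store.record(SAMPLE_BROWSER, "example.org", "203.0.113.57", day)
    again = store.record(SAMPLE_BROWSER, "example.org", "203.0.113.57", day)
    other_site = visit_id(SAMPLE_BROWSER, "example.net", day)
    print("same site, same day:", first[0] == again[0], "new visit on 2nd hit:", again[1])
    print("other site gets a different ID:", first[0] != other_site)
    print("stored IP:", first[2])
    print("purged next day:", store.purge(day + timedelta(days=1)), "remaining:", len(store))
```

The two hits on the same day share one ID and count as one visit, the same browser on another site of the same installation yields an unrelated ID, and after the purge the next day's hit starts a fresh visit. That last property is exactly what the comparison with cookie-based tracking in the next section turns on.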
Commercial break: In this way, we can offer a conversion of Matomo tracking to the new procedure without major installation and configuration effort and, above all, without the use of unnecessary hardware resources.
So what's the catch?
The core problem of the solution is that the data accuracy is lower. Above all, the setting that the fingerprints lose their validity after one day naturally makes the view of visits much less precise than with tracking with cookies that are valid for up to 180 days. We have been using Matomo in browser fingerprint mode on our own website for a good two months and have compared the new data with data collected using cookie mode from the same period last year (our traffic is relatively stable):
What we see there corresponds to what was to be expected after a changeover: More page views, because more visits can be recorded without requiring consent. An increase in visits, clearly above the increase in page views, because two visits were now counted due to the shorter valid IDs, whereas previously visitors could be re-identified for longer and were therefore counted as one visit. Accordingly, the average duration of a visit also decreases. The fact that the number of actions per visit decreases only slightly can be explained by the fact that during repeat visits, the same pages are typically called up again, which then does not count as a new action. Significantly shorter visits therefore do not necessarily lead to significantly fewer actions.
The interesting question was how many more page views are counted with the browser fingerprinting method. When we first measured the effect of cookie banners on page views after the de facto introduction of the consent requirement for tracking cookies in May 2018, we warned of drops in measured traffic of around 30 percent. Now that we measure around one and a half times as many page impressions with browser fingerprinting, this roughly confirms that estimate: this traffic is thus returned to the measurement without requiring consent.
Unfortunately, this does not mean that browser fingerprinting will capture 100% of all visits again. Fingerprints can also be recorded poorly if visitors "put gloves on" their browser, i.e. activate the "Do Not Track" function, use an ad blocker or browse in private mode. Matomo can no more examine these visits via fingerprints than by analysing the biscuit crumbs in the browser memory. According to the industry association BVDW, 25% of users in Germany use ad blockers, but not all of them filter all tracking scripts. If we assume that around 20% of visits make themselves invisible to tracking through one of these methods, this means that with the cookie method perhaps just under half of the visits can still be analysed, while with browser fingerprinting this base can at least be increased to over three quarters.
In addition to these obvious weaknesses, one can also find critical assessments of the legal security of this procedure on the internet (as in the case of this law firm) or references to even better setting options for Matomo, e.g. via the exclusive evaluation of log files (as in the case of this IT security firm). However, the articles state quite sweepingly that browser fingerprints are to be evaluated like cookies and equate data on the end device (cookies) with data about the end device. In addition, the articles are older and do not address the current configuration options in Matomo. And an exclusive evaluation of log files would be a technological step backwards that would lose much more significance than the switch to fingerprints.
Conclusion
The disadvantage of the more inaccurate measurement of visits with browser fingerprinting is offset by the advantage of a much broader database. This leaves the advantage of being able to dispense with annoying cookie banners under certain circumstances. This comes into question for all websites that do not require any further consent beyond the usage analysis or can also obtain this consent if necessary. Anyone who embeds YouTube videos or Google Maps, for example, would then have to place a banner over the content to be embedded and could use it to obtain consent once or (with a cookie) permanently. Those who place online advertisements would have to make do with the somewhat cumbersome home remedies of Matomo to measure success - the tools from Facebook and Google would need consent in any case.
Going this route could be worthwhile. Because the alternative is to continue playing the game with the increasingly intrusive and convoluted cookie banners. New lawsuits against the cookie banner mischief have already been announced - so this would definitely remain "exciting".
Interested in going cookie banner free? Talk to our consultants.
The penny is slowly dropping for me as to why device fingerprinting should NOT fall under § 25 TTDSG. For a long time I held the opposite view and had clung to the phrase "access to information already stored in the terminal equipment". For me, the data from which the fingerprint is formed was such data already stored in the device. But firstly, one can debate whether the device factors that go into the fingerprint are "stored data" or rather "characteristics of the terminal equipment". And secondly, one can (and this convinces me even more) read that sentence in connection with the first variant in § 25 TTDSG, "storage of information in the terminal equipment", which means storage from outside, as is the case when cookies are set. If one establishes this connection with the first variant in the sense of the second variant being subsequent or subordinate to it, one can read the second variant restrictively so that only access to information that was previously stored from outside is meant. This restrictive interpretation of § 25 TTDSG seems adequate to me, because there is a clear difference between looking at the general technical data of a device and putting one's own "stamp" on the device and then querying that stamp. Or as Juri Maier wrote to me: it makes a difference whether you write down a car's number plate or mount a tracking beacon on it.