All Blog Posts

Cookie Control

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use cookies and online tracking of visitors from the EU.

If you think clearing your browser cookies is enough to prevent you from being monitored, think again.

Aug 26, 2021

The tracking industry is always coming up with new methods, and now it’s even possible to recognise users via hidden ultrasound signals in ads and browser shadow data.

There’s no cause for concern though, as Cookiebot consent management platform (CMP) scans your website for all types of tracking, and provides you with insight into which third-party services are monitoring your users and which locations in the world they send information to.

Tighter privacy protection regulations

The regulations on the use of cookies and similar tracking technologies will become significantly tighter in an upcoming EU ePrivacy Regulation. The first draft by the European Commission makes it clear that companies run the risk of being fined with an amount equivalent to 4 percent of their annual global revenue. User consent is still required, however with an emphasis on the fact that only cookies that are absolutely necessary are set before the user has given express consent.

The new regulations don’t only apply to cookies – they include all types of tracking technologies. A few types of first-party cookies for statistics are exempt from the regulations, but they do not under any circumstances exempt cookies that are set by third parties, e.g. Google Analytics.

The amendment is implemented as a regulation that succeeds the existing ePrivacy directive from 2009, the so called “cookie law”. It ensures that the regulations are consistent across all EU member states and that they also apply to companies in countries outside the EU, if their websites have visitors from EU member states. The final regulations are expected to gain legal force sometime in 2019. 

Cookiebot CMP already meets the requirements of both regulations, for instance by enabling the implementation of ‘prior consent’, by documenting the users’ individual consents and by making it easy for users to change or withdraw their consent, as required by the GDPR. The commission also suggests that users are offered the opportunity to regulate the extent of a consent across different types of cookies. This means, for instance, that it should be possible to opt out of marketing cookies while allowing preference and statistics cookies, which is already possible with the multilevel consent type of Cookiebot CMP.

Monitor where your customer data ends up

Whether data on your website users is sent to the EU, USA, Russia or China via embedded third-party services is important to know when complying with EU’s General Data Production Regulation. Cookiebot CMP therefore also registers IP numbers and the country in question, together with example values of the data sent from the website to the various third parties via cookies and other trackers. The information is available both in the monthly scanning reports from Cookiebot CMP and in the cookie data, which can be downloaded from the Cookiebot CMP Manager.

Cookiebot CMP listens to your website

Cookiebot CMP is the only cookie scanner on the market that is capable of listening to your website. Contrary to you and me, the scanner is able to register high-frequency sounds, which is what the tracking industry is currently using in their efforts to recognise users across devices. The tracking takes place by transmitting ultrasound in online ads, TV ads etc., which apps on your computer, mobile phone or tablet subsequently listen to. When a certain signal is received, your devices can be connected to you as a person, which is of great value for the tracking industry.

These kind of ultrasound beacons are now registered in Cookiebot CMP as audio trackers. The Cookiebot CMP Manager displays details on such trackers, including a picture of the sound-frequency profile.

Clearing cookies isn’t enough

Many companies, consumer organisations and agencies recommend users to clear their browser cookies every time they’ve used the internet, if they want to avoid being tracked. This method doesn’t only affect the usability, it also creates a false sense of security, as a copy of the cookie data can easily be stored in the browser in other ways, for instance by using the IndexedDB database technology, which is built into all of todays’ browsers.

Such shadow data is not necessarily deleted when deleting cookies from one’s browser. Since data in IndexedDB are associated with a domain in the same way as traditional third party cookies, the website and its embedded tracking services can unimpededly recreate the cookie data and recognise users during subsequent visits. As such, removing cookies has no real effect, other than causing users to lose the advantages of cookies, for instance not having to log in or saving preferences. Only by using the “incognito” mode in browsers will shadow data also be removed when the browser is closed.

Websites that use Cookiebot CMP with prior consent contribute to minimising unnecessary user behaviour, such as removing cookies and the use of ad blocker software etc., by offering the users an actual choice as far as tracking is concerned. At the same time, the Cookiebot CMP API ensures that all types of trackers, including IndexedDB, are blocked in accordance with the user’s consent, i.e. not just general HTTP cookies.

If you have a tech whiz or webhost with knowledge of XSLT, it is now possible to design your own cookie statement for your cookie declaration. Under the “Declaration” tab in the Cookiebot CMP Manager, you can choose between the standard layout or save an XSLT definition of the layout. Click the grey question mark at the top of the XSLT editor for an overview of the XML data fields that can be included in the declaration.

Redirect principles

Some websites redirect users to other websites when clicking links that directly refer to pages in the website’s own domain, although they actually redirect users to third-party websites. Cookiebot CMP registers all cookies that are set in the user’s browser during the entire redirect process, i.e. also on the third party landing pages, based on an observation that, in general, users believe that the links in question redirect to pages on the current website.