[HN Gopher] How to track users for analytics in a privacy-first,... ___________________________________________________________________ How to track users for analytics in a privacy-first, cookie-less future Author : mattjstar Score : 27 points Date : 2021-06-16 20:49 UTC (2 hours ago) (HTM) web link (www.narrator.ai) (TXT) w3m dump (www.narrator.ai) | vec wrote: | > If you're unable to set a consistent cookie across your user's | many sessions (especially for a high retention business like | e-commerce), or your javascript conversion events (Google Tag | Manager for example) are being blocked, your user's historical | behavior will be extremely difficult to stitch together over | time. | | Yes, that is in fact the point. | | Look, I know there are strong financial incentives to build | individual user profiles and doing it this way may not violate | the letter of the law, but it sure as hell violates the spirit. | If we ask a user if they're willing to be tracked and they do | everything in their power to tell us no then I'm not sure how | comfortable we should be doing it anyway. | cedricd wrote: | Yeah, this advice looks targeted to companies that benefit | hugely from targeting their users. | | If I'm reading correctly it's basically saying 'once a user has | identified themselves to you, then you can go back and figure | out the steps they took before that' | | As a person, if a company knows what I did right before I | bought their product (say in that session) I think I'm ok with | that. If they follow me onto other websites or other devices | then that feels a lot more invasive. | mattjstar wrote: | Author here - we've been able to identify anonymous users pretty | consistently once they convert to becoming users. This talks | about our approach and how to do it, while still following all | the rules around tracking cookies, etc... | Y-bar wrote: | Why do you talk about consent with regards to cookies only? | GDPR deals with so much more with regards to tracking and | identifiable information. | | For example this quote from the article: "Add a unique | identifier to all urls on your site when you know who the user | is." | | I don't see how our legal would allow us to do this with | European customers without explicit opt-in consent since this | kind of tracking and data processing cannot be deemed a | legitimate requirement for the core function of the service. | | If the same service can be given to the visitor without the | unique identifier in the URL, then I see no way to avoid asking | for consent. | | https://gdpr.eu/recital-30-online-identifiers-for-profiling-... | cedricd wrote: | The identifier on the urls isn't meant to identify the actual | user I think. | | If you look at the examples given they're more like | identifiers to something else -- an order id or subscription | id. | | Wouldn't tracking something like an order (but not the user | directly) be ok with GDPR? | Y-bar wrote: | They are using (in the example) an order number as a proxy | to identify and track the actual user. From the article: | "Simply look up the user from the identifier, note the | anonymous id, and replace the anonymous id with a real user | in the data." | | At this point the tracking of the online identifier has | certainly passed the threshold into tracking an individual | for reasons not directly related to the service. | | https://gdpr.eu/article-4-definitions/ | | "1. 'personal data' means any information relating to an | identified or identifiable natural person ('data subject'); | an identifiable natural person is one who can be | identified, directly or indirectly, in particular by | reference to an identifier such as a name, an | identification number, location data, an online identifier | or to one or more factors specific to the physical, | physiological, genetic, mental, economic, cultural or | social identity of that natural person;" | | The order number in this case falls under "an | identification number" and "an online identifier" at the | very least. | | "2. 'processing' means any operation or set of operations | which is performed on personal data or on sets of personal | data, whether or not by automated means, such as | collection, recording, organisation, structuring, storage, | adaptation or alteration, retrieval, consultation, use, | disclosure by transmission, dissemination or otherwise | making available, alignment or combination, restriction, | erasure or destruction;" | | What is happening is at the very least processing, | recording, storing, dissemination, combination of that | data. | garciasn wrote: | A company may store both customer data and order data and | keep them under GDPR, because a particular customer | provided it knowingly. The important piece is when a | customer asks to be removed, the company must remove their | customer data (e.g. their name and address) but the order | information can remain orphaned in order to do analyses on | revenue, orders, etc. The right to be forgotten is ONLY | about customer data, not related anonymized identifiers | that tie back to the previous customer's order history. | ahmedelsama wrote: | Identity Resolution via warehouse is the future!!! I love this! | a13n wrote: | I mean at the end of the day whether you store it in the cookie | or the URL it's still persistent key value storage for tracking | purposes, so I don't see why the EU's stance would be any | different. It's effectively still a cookie. | | Some activities and cookies are allowed by GDPR without | requesting consent, and anonymous analytics (even google | analytics) is included in this, so you don't actually even need a | cookie banner to do what you're trying to do here... | | I think from a legal standpoint this is no better than cookies, | it doesn't change whether you need consent or not. | bgrgndzz wrote: | Well you can still track unique users without collecting PII. The | information sent with every web request by default is still | pretty useful. That's how we do it at | https://www.hockeystack.com, no need for all this work. | FridayoLeary wrote: | Will privacy be the future? I feel browser tracking will simply | become less relevant in the future. I can't explain why. I'm sure | of one thing though: the government will know more about us. | cjg wrote: | "Step 3 - Attribute anonymous page views to the user!" - not GDPR | compliant without consent for that. | oncethere wrote: | Is it hard in practice to figure out who the anonymous ids are? | I'm used to just having Segment identify calls. | mattjstar wrote: | Good question, the idea in the post is once you know who the | user is you make sure they load a page with a unique identifier | on it that you can use to identify them. | | As an example, think of a Shopify check out flow. Every user | has a unique checkout url. Once they purchase you can use that | checkout ID in your warehouse to join with the page view that | had the anonymous Id on it. So you'll have a page view with the | anonymous Id with a url with a unique checkout Id that you can | use to join to the ultimate identified user (assuming all your | page view and Shopify data are in one place, your data | warehouse). | | Let me know if I understood your question! | mjevans wrote: | An International GDPR seems increasingly necessary. Stop trying | to right size, hide prices, etc; just give straight good deals | and sell good products at good prices. | er4hn wrote: | So the overall concept of "shove a tracker value into the URL and | collate all interactions" makes sense - but how do you track if a | user is sharing a URL? | | Let's say that I'm on a desktop browsing a shopping site. I'm on | shopping.site/product/coolthing.html?tracker=12345. I share this | with my friend on a mobile device because it looks like something | of interest to them. | | Now how do you handle the other person having the same tracker as | the initial person? You end up with a scenario where two | different people, with different interests, are browsing the | site. Even if they convert you have situations along the lines | of: no conversions, person A converts, person B converts, both | convert. How do you handle this? | | With cookies the sharing of the URL would avoid this scenario | since cookies would be separated between people. | mattjstar wrote: | This could in theory happen, but in my examples I'm adding the | url right after someone converted -- paid for a subscription or | completed an order. Those are unlikely to be shared with | someone else (ideally). It's arguably more likely that the user | will share it with themselves on another device, in which case | the overall approach will work well. | | I should also point out that the url tracker isn't meant to be | persisted across page views. It's only done once at the moment | that the user identifies themselves to your service. | er4hn wrote: | Then I'm a little lost. I had thought a big part of this | (your "Stitch anonymous data to users once they convert" | picture and around it) was to be able to backtrack anonymous | users once they identify themselves. | | Even if they identify themselves via ordering something, is | it an unusual workflow to share a link after? For example "I | got this new coffee, I'm excited, here's the link to what I | ordered my friend!" | ahmedelsama wrote: | Well your tracking a user via the Anonymous id. Once you | see a link (checkout url, order link, form submission, etc) | you create a link. Now you have a list of cookies, their | linked email at a moment in time. Then you create a table | that has the cookie and who it maps to from a timestamp to | a timestamp. This is then used to update the past and | future identities. Think multi-user, multi-device in time. | | So in the example you gave, the user who opens that links | becomes tied to that cookie from the time they open the | order to the next linked event. This is really critical | because it will continue to stitch the users identity over | time. | | If link sharing is happening a lot, you can choose to not | use that linkage foe identity resolution. | | Does this help clarify the approach? | korethr wrote: | I'm mildly surprised cookie consent banners are only at 20%, | given how often I come across banners who's only option is "Yes, | I consent" | mjevans wrote: | I block the entire element, and if moderate actions aren't | enough will frequently just move on to other search results. | zild3d wrote: | I've found more often than not they can just be ignored? | bouzouk wrote: | We do it a bit differently (French company). Since the only | cookie that is endangered is the << third party cookie >>, it is | very much ok to store anonymous session information in a first | party cookie for all anonymous visitors. So we store page views | and utm there, and capture this data in the datawarehouse when | (and only when) there is a conversion. This is also working with | returning visitors (who most likely kept the first party cookie). ___________________________________________________________________ (page generated 2021-06-16 23:00 UTC)