[HN Gopher] How to track users for analytics in a privacy-first,...
___________________________________________________________________
How to track users for analytics in a privacy-first, cookie-less
future
Author : mattjstar
Score : 27 points
Date : 2021-06-16 20:49 UTC (2 hours ago)
(HTM) web link (www.narrator.ai)
(TXT) w3m dump (www.narrator.ai)
| vec wrote:
| > If you're unable to set a consistent cookie across your user's
| many sessions (especially for a high retention business like
| e-commerce), or your javascript conversion events (Google Tag
| Manager for example) are being blocked, your user's historical
| behavior will be extremely difficult to stitch together over
| time.
|
| Yes, that is in fact the point.
|
| Look, I know there are strong financial incentives to build
| individual user profiles and doing it this way may not violate
| the letter of the law, but it sure as hell violates the spirit.
| If we ask a user if they're willing to be tracked and they do
| everything in their power to tell us no then I'm not sure how
| comfortable we should be doing it anyway.
| cedricd wrote:
| Yeah, this advice looks targeted to companies that benefit
| hugely from targeting their users.
|
| If I'm reading correctly it's basically saying 'once a user has
| identified themselves to you, then you can go back and figure
| out the steps they took before that'
|
| As a person, if a company knows what I did right before I
| bought their product (say in that session) I think I'm ok with
| that. If they follow me onto other websites or other devices
| then that feels a lot more invasive.
| mattjstar wrote:
| Author here - we've been able to identify anonymous users pretty
| consistently once they convert to becoming users. This talks
| about our approach and how to do it, while still following all
| the rules around tracking cookies, etc...
| Y-bar wrote:
| Why do you talk about consent with regards to cookies only?
| GDPR deals with so much more with regards to tracking and
| identifiable information.
|
| For example this quote from the article: "Add a unique
| identifier to all urls on your site when you know who the user
| is."
|
| I don't see how our legal would allow us to do this with
| European customers without explicit opt-in consent since this
| kind of tracking and data processing cannot be deemed a
| legitimate requirement for the core function of the service.
|
| If the same service can be given to the visitor without the
| unique identifier in the URL, then I see no way to avoid asking
| for consent.
|
| https://gdpr.eu/recital-30-online-identifiers-for-profiling-...
| cedricd wrote:
| The identifier on the urls isn't meant to identify the actual
| user I think.
|
| If you look at the examples given they're more like
| identifiers to something else -- an order id or subscription
| id.
|
| Wouldn't tracking something like an order (but not the user
| directly) be ok with GDPR?
| Y-bar wrote:
| They are using (in the example) an order number as a proxy
| to identify and track the actual user. From the article:
| "Simply look up the user from the identifier, note the
| anonymous id, and replace the anonymous id with a real user
| in the data."
|
| At this point the tracking of the online identifier has
| certainly passed the threshold into tracking an individual
| for reasons not directly related to the service.
|
| https://gdpr.eu/article-4-definitions/
|
| "1. 'personal data' means any information relating to an
| identified or identifiable natural person ('data subject');
| an identifiable natural person is one who can be
| identified, directly or indirectly, in particular by
| reference to an identifier such as a name, an
| identification number, location data, an online identifier
| or to one or more factors specific to the physical,
| physiological, genetic, mental, economic, cultural or
| social identity of that natural person;"
|
| The order number in this case falls under "an
| identification number" and "an online identifier" at the
| very least.
|
| "2. 'processing' means any operation or set of operations
| which is performed on personal data or on sets of personal
| data, whether or not by automated means, such as
| collection, recording, organisation, structuring, storage,
| adaptation or alteration, retrieval, consultation, use,
| disclosure by transmission, dissemination or otherwise
| making available, alignment or combination, restriction,
| erasure or destruction;"
|
| What is happening is at the very least processing,
| recording, storing, dissemination, combination of that
| data.
| garciasn wrote:
| A company may store both customer data and order data and
| keep them under GDPR, because a particular customer
| provided it knowingly. The important piece is when a
| customer asks to be removed, the company must remove their
| customer data (e.g. their name and address) but the order
| information can remain orphaned in order to do analyses on
| revenue, orders, etc. The right to be forgotten is ONLY
| about customer data, not related anonymized identifiers
| that tie back to the previous customer's order history.
| ahmedelsama wrote:
| Identity Resolution via warehouse is the future!!! I love this!
| a13n wrote:
| I mean at the end of the day whether you store it in the cookie
| or the URL it's still persistent key value storage for tracking
| purposes, so I don't see why the EU's stance would be any
| different. It's effectively still a cookie.
|
| Some activities and cookies are allowed by GDPR without
| requesting consent, and anonymous analytics (even google
| analytics) is included in this, so you don't actually even need a
| cookie banner to do what you're trying to do here...
|
| I think from a legal standpoint this is no better than cookies,
| it doesn't change whether you need consent or not.
| bgrgndzz wrote:
| Well you can still track unique users without collecting PII. The
| information sent with every web request by default is still
| pretty useful. That's how we do it at
| https://www.hockeystack.com, no need for all this work.
| FridayoLeary wrote:
| Will privacy be the future? I feel browser tracking will simply
| become less relevant in the future. I can't explain why. I'm sure
| of one thing though: the government will know more about us.
| cjg wrote:
| "Step 3 - Attribute anonymous page views to the user!" - not GDPR
| compliant without consent for that.
| oncethere wrote:
| Is it hard in practice to figure out who the anonymous ids are?
| I'm used to just having Segment identify calls.
| mattjstar wrote:
| Good question, the idea in the post is once you know who the
| user is you make sure they load a page with a unique identifier
| on it that you can use to identify them.
|
| As an example, think of a Shopify check out flow. Every user
| has a unique checkout url. Once they purchase you can use that
| checkout ID in your warehouse to join with the page view that
| had the anonymous Id on it. So you'll have a page view with the
| anonymous Id with a url with a unique checkout Id that you can
| use to join to the ultimate identified user (assuming all your
| page view and Shopify data are in one place, your data
| warehouse).
|
| Let me know if I understood your question!
| mjevans wrote:
| An International GDPR seems increasingly necessary. Stop trying
| to right size, hide prices, etc; just give straight good deals
| and sell good products at good prices.
| er4hn wrote:
| So the overall concept of "shove a tracker value into the URL and
| collate all interactions" makes sense - but how do you track if a
| user is sharing a URL?
|
| Let's say that I'm on a desktop browsing a shopping site. I'm on
| shopping.site/product/coolthing.html?tracker=12345. I share this
| with my friend on a mobile device because it looks like something
| of interest to them.
|
| Now how do you handle the other person having the same tracker as
| the initial person? You end up with a scenario where two
| different people, with different interests, are browsing the
| site. Even if they convert you have situations along the lines
| of: no conversions, person A converts, person B converts, both
| convert. How do you handle this?
|
| With cookies the sharing of the URL would avoid this scenario
| since cookies would be separated between people.
| mattjstar wrote:
| This could in theory happen, but in my examples I'm adding the
| url right after someone converted -- paid for a subscription or
| completed an order. Those are unlikely to be shared with
| someone else (ideally). It's arguably more likely that the user
| will share it with themselves on another device, in which case
| the overall approach will work well.
|
| I should also point out that the url tracker isn't meant to be
| persisted across page views. It's only done once at the moment
| that the user identifies themselves to your service.
| er4hn wrote:
| Then I'm a little lost. I had thought a big part of this
| (your "Stitch anonymous data to users once they convert"
| picture and around it) was to be able to backtrack anonymous
| users once they identify themselves.
|
| Even if they identify themselves via ordering something, is
| it an unusual workflow to share a link after? For example "I
| got this new coffee, I'm excited, here's the link to what I
| ordered my friend!"
| ahmedelsama wrote:
| Well you're tracking a user via the Anonymous id. Once you
| see a link (checkout url, order link, form submission, etc)
| you create a link. Now you have a list of cookies, their
| linked email at a moment in time. Then you create a table
| that has the cookie and who it maps to from a timestamp to
| a timestamp. This is then used to update the past and
| future identities. Think multi-user, multi-device in time.
|
| So in the example you gave, the user who opens that link
| becomes tied to that cookie from the time they open the
| order to the next linked event. This is really critical
| because it will continue to stitch the user's identity over
| time.
|
| If link sharing is happening a lot, you can choose to not
| use that linkage for identity resolution.
|
| Does this help clarify the approach?
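
The time-bounded identity table described in the comment above, with the shared-link case er4hn raises, as an added example that is not code from the thread or the article. The sample page views, the `checkout` query parameter, the order lookup and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample data: (timestamp, anonymous_id, url) page views and a
# checkout_id -> user lookup standing in for the warehouse's order table.
PAGE_VIEWS = [
    (1, "anon-A", "https://shop.example/product/coffee"),
    (2, "anon-A", "https://shop.example/thanks?checkout=c-100"),
    (3, "anon-B", "https://shop.example/product/tea"),
    (4, "anon-B", "https://shop.example/thanks?checkout=c-100"),  # shared link
    (5, "anon-C", "https://shop.example/product/mug"),
    (6, "anon-C", "https://shop.example/thanks?checkout=c-200"),
]
ORDERS = {"c-100": "alice@example.test", "c-200": "carol@example.test"}

def link_events(views, orders, param="checkout"):
    """(ts, anonymous_id, checkout_id, user) for views whose URL carries a known ID."""
    return [(ts, anon, cid, orders[cid])
            for ts, anon, url in views
            for cid in parse_qs(urlparse(url).query).get(param, [])
            if cid in orders]

def shared_ids(links):
    """Checkout IDs seen under more than one anonymous ID (the shared-URL case)."""
    seen = defaultdict(set)
    for _, anon, cid, _ in links:
        seen[cid].add(anon)
    return {cid for cid, anons in seen.items() if len(anons) > 1}

def identity_intervals(links, drop_shared=True):
    """anonymous_id -> [(start, end, user)]; the first link also covers earlier views."""
    skip = shared_ids(links) if drop_shared else set()
    per_anon = defaultdict(list)
    for ts, anon, cid, user in sorted(links):
        if cid not in skip:
            per_anon[anon].append((ts, user))
    table = {}
    for anon, evs in per_anon.items():
        bounds = [float("-inf")] + [ts for ts, _ in evs[1:]] + [float("inf")]
        table[anon] = [(bounds[i], bounds[i + 1], u) for i, (_, u) in enumerate(evs)]
    return table

def attribute(views, table):
    """Attach a user (or None) to each page view using the interval table."""
    return [(ts, anon, next((u for s, e, u in table.get(anon, []) if s <= ts < e), None))
            for ts, anon, _ in views]
```

With `drop_shared=False`, anon-B's earlier tea page view is attributed to alice, which is the misattribution the shared-URL question describes; the default drops any checkout ID seen under more than one anonymous ID.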
| korethr wrote:
| I'm mildly surprised cookie consent banners are only at 20%,
| given how often I come across banners whose only option is "Yes,
| I consent"
| mjevans wrote:
| I block the entire element, and if moderate actions aren't
| enough will frequently just move on to other search results.
| zild3d wrote:
| I've found more often than not they can just be ignored?
| bouzouk wrote:
| We do it a bit differently (French company). Since the only
| cookie that is endangered is the "third party cookie", it is
| very much ok to store anonymous session information in a first
| party cookie for all anonymous visitors. So we store page views
| and utm there, and capture this data in the data warehouse when
| (and only when) there is a conversion. This is also working with
| returning visitors (who most likely kept the first party cookie).
___________________________________________________________________
(page generated 2021-06-16 23:00 UTC)