While privacy laws are still a work in progress, the EU and Germany have made several statements about what is right or wrong. But the current state of regulation is unclear about what actually is permitted or has to be provided.
In light of the EU GDPR (DSGVO in German), which kicks in on 25 May 2018, this article is even more important, because you can ensure that tracking only happens when a user has not opted out or has consented to tracking. Our method also automatically honors the user’s DNT setting and won’t bother any visitor who has applied this setting. And now… please read on…
Xceptance takes the privacy of our users seriously. We decided to implement tracking and privacy for our website xceptance.com differently than what is usually seen on the market: we provide users with more choices, and we’re stricter about respecting your decisions, yet without pestering you with lots of button clicking.
Our Approach in a Nutshell
There are no clear rules in Germany and across Europe that define if the user has to actively agree to cookies (opt-in) or if he or she has the choice to decline cookie usage (opt-out). Cookies are just one issue of course, because analytics works even without cookies.
On Xceptance.com we decided to use an intermediate approach that does not require actions when you agree, but still gives you the time to make a decision.
Visiting our page initially doesn’t include any analytics. You have the possibility to choose to be part of tracking or not. We offer an opt-out option to the user but also ensure we don’t track anything before you make a decision.
Everyone is Welcome
We decided to let people visit our site even if they don’t want to be tracked. If visitors don’t agree to be part of our analytics we do not gather any data, but they can still browse and enjoy our entire site.
Your Preferences Matter Before You Even Get Here
Nearly every modern browser has the option to send a so-called “Do Not Track” (DNT) flag. This flag provides the information that the user doesn’t want to be tracked, so tracking should be disabled. Nevertheless, most modern websites simply ignore this flag. This standard is barely used anywhere.
Xceptance.com uses this flag to get the user preference directly without further actions required by the user. It’s true that by using this approach, the collected information is a little off. For example, Internet Explorer (IE) has the DNT flag activated by default, so we probably won’t see many IE users in our analytics. But it is a choice to use IE, so we respect the DNT flag.
No Passive Tracking
Because the calls that load the analytics libraries go to an analytics server, tracking is already possible at that point. You’ll get a lot of meta information out of these calls, like IP, browser, etc. Fingerprinting is another secret code word here…
In our opinion, the most transparent approach is to suppress even analytics setup calls until the visitor has had the chance to decide.
To prevent data correlation across sites we use the open-source analytics system Piwik, which we host ourselves. Therefore, we can ensure that the data is not shared with anyone outside Xceptance.
The Sequence in an Overview
To summarize all of the above:
You arrive for the first time
- No cookies are sent.
- No tracking is done.
- If DNT is enabled, there is no question asked and the state of ‘no cookies’ and ‘no analytics’ is not changed with the next click.
- If you choose to opt out, we set a non-personalized cookie to remember your choice. This cookie lives 7 days.
- If you agree to tracking, we will track the current page immediately to collect the information about your visit and your first pageview. If you do not actively agree, we will miss the first pageview, because only the next page will have active tracking, after you decided not to opt out.
Your next click
- If you have not opted out and you continue to browse our web pages, you will be tracked with Piwik, our self-hosted tracking solution. We do not share tracking data with anyone. Nobody except us will ever know that you visited us, seen from a global analytics point of view (compare that to Google Analytics or Omniture).
You’ve been here before
- If you have visited us in the previous 7 days, we will remember your decision and we won’t bother you with the information box.
- If you cleared your cookies or your last visit is older than 7 days (which is sad, of course), we start over again and treat you like a first-time visitor.
Open Source is the Real Deal
It’s extremely important for us that our customers and visitors know they can trust us. All of the claims we’ve made here can be verified by taking a look at the open-source version of our webpage at:
Of course, feel free to reuse the code you find. It is all published under the MIT license.
The code base is really simple. For every visitor we check if he or she uses the DNT browser flag. If this is set, we skip tracking and cookies. If this flag is not set and it’s the first visit, the user gets a message displayed to agree or opt-out.
The code is in tracking.html and privacy-message.html. Check it out.
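The sequence above as a small decision function. This is an added example, not the code from tracking.html or privacy-message.html. The cookie name, the function names and the 'pending' marker that recognises the "next click" are assumptions, since the article does not describe that mechanism.

```javascript
// Added example; COOKIE, dntEnabled, storedChoice, decide, run, choose are hypothetical names.
const COOKIE = 'privacy_choice';      // constructed cookie name
const MAX_AGE = 7 * 24 * 60 * 60;     // the article's 7 days, in seconds
const VALID = ['optout', 'optin', 'pending'];

// DNT as browsers expose it: "1" (older Firefox: "yes"), on navigator or window.
function dntEnabled(nav, win) {
  const v = nav.doNotTrack || win.doNotTrack || nav.msDoNotTrack;
  return v === '1' || v === 'yes';
}

// Extract the stored choice from a document.cookie-style string.
// Unknown or tampered values count as "no choice yet".
function storedChoice(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, value] = part.trim().split('=');
    if (name === COOKIE && VALID.includes(value)) return value;
  }
  return null;
}

// Pure decision for one page view. Every branch defaults to "nothing loads".
function decide(dnt, choice) {
  if (dnt) return { analytics: false, message: false, store: null }; // no question, no cookie
  if (choice === 'optout') return { analytics: false, message: false, store: 'optout' };
  if (choice === 'optin' || choice === 'pending')                    // agreed, or did not opt out
    return { analytics: true, message: false, store: 'optin' };
  return { analytics: false, message: true, store: 'pending' };     // first visit: ask, track nothing
}

// Writing the value again on each visit restarts the 7-day window.
function remember(doc, value) {
  doc.cookie = `${COOKIE}=${value}; Max-Age=${MAX_AGE}; Path=/; SameSite=Lax`;
}

// Apply the decision. The analytics loader is only called when allowed, so no
// request reaches the analytics server before the visitor had a choice.
function run(env) {
  const d = decide(dntEnabled(env.nav, env.win), storedChoice(env.doc.cookie));
  if (d.store) remember(env.doc, d.store);
  if (d.message) env.showMessage();
  if (d.analytics) env.loadAnalytics();
  return d;
}

// Button handler for the message: agreeing tracks the current page at once.
function choose(env, choice) {
  remember(env.doc, choice);
  if (choice === 'optin') env.loadAnalytics();
}
```

In a page, `env` would be `{ nav: navigator, win: window, doc: document, showMessage, loadAnalytics }`, with `loadAnalytics` being the only place that injects the tracker script.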
We Know That We Don’t Know
After changing our privacy handling to be as friendly as possible, our tracked visits per hour went down by about 50%. One may argue that this is a great loss of information, and it is.
But on the other hand we have a really high rate of users who don’t want to be tracked and we respect their choice. Also, by using some of our analytics data from the past, we see that about half of the information is gone, so we can extrapolate.
Or in other words: The trend is now our friend.
In short: We value your visit more than the information it creates.
For the German readers: A request to the government of Germany was published by the privacy officers of the Federal States of Germany to always require user acknowledgement before using cookies and similar technologies to gather user behavior data. This has to become written and defined law. Read more about it here: Keine Cookies ohne Einwilligung der Internetnutzer.
Media attribution: Privacy Please image by Josh Hallett under CC-BY-2.0. Google Analytics on Computer Screen by Blue Fountain Media under CC-BY-2.0. Internet Surveillance by Mike Licht under CC-BY-2.0. Closer Footsteps in the sand by Cheryl under CC-BY-2.0.