GDPR vs. Tracking


What data have you disclosed by accessing a website, which of it will be processed, and which will be shared? The GDPR is supposed to make this not only transparent, but also controllable by the user. And the sword of the GDPR is getting sharper and sharper: a penalty of 4% of annual turnover is something every company feels.

We regularly think through, on behalf of our customers, which functions and websites CAN be implemented in a GDPR-compliant way. This can vary greatly in individual cases, so you should not take this article as a set of instructions, but as a pool of ideas that you can discuss with your data protection officer and technician. Our blog articles do not constitute legal advice.

Consent Management Tools

The user decides.

One way to comply with the GDPR is to use cookie-consent tools, such as Usercentrics – but they can have an impact on PageSpeed. At the same time, these tools reveal one thing above all:

Cookie consent banners show, through the choices they offer the user, which data a website operator would like to collect without a compelling reason.

User analysis can also be such a compelling reason, just perhaps not with countless cookies, across several platforms and with the user made completely transparent, as Google or Facebook would like in order to target advertising as accurately as possible.

Similarly, many marketing agencies, departments or employees have to face the following question:

Does the collected user data coincide with the evaluated user data or is there a strong mismatch here?

Building up huge heaps of data on the off chance of possible later use is no longer justifiable.

Matthias Bathke, Managing Director of straightvisions, recommends:

Trend: No consent required

The recommendation is simple: if no data is collected, no consent is required.

Where data must be collected, consent is usually not required either; what remains is the obligation to provide information on the data protection page. Goodbye, cookie banner. None of this is dogma: if data is absolutely needed, it can be collected. All that is needed is a valid justification for it.

There are many examples of how to avoid the use of cookie banners:

  • Alternative service providers for user analysis that do not use cookies and comply with the GDPR
  • Doing without embedded third-party content
  • Caching/tunneling content via your own server instead of loading it via the user's browser

Advantage: The website loads faster and collected data is justified.
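As an added illustration of the list above (not code from straightvisions or from any tool the article names), the following Python sketch audits a page's HTML for resources the visitor's browser would load from third-party hosts. These are the candidates for removal or for serving via your own server. The page URL, the sample markup and the PLACEHOLDER ids are constructed, and treating the page's host and its subdomains as first party is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches while rendering the page.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src", "link": "href"}
# <link> only triggers a request for these rel values (canonical etc. do not).
FETCHED_RELS = {"stylesheet", "preload", "icon", "preconnect", "dns-prefetch"}

class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for each resource the page makes the browser load."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        rels = set((attrs.get("rel") or "").lower().split())
        if not url or (tag == "link" and not FETCHED_RELS & rels):
            return
        self.resources.append((tag, urljoin(self.page_url, url)))

def third_party_hosts(page_url, html):
    """Map each third-party host to the tags that pull content from it."""
    # Assumption: the page's host (without "www.") and its subdomains are first party.
    site = (urlsplit(page_url).hostname or "").lower()
    site = site[4:] if site.startswith("www.") else site
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        host = (urlsplit(url).hostname or "").lower()  # None for data: URLs
        if host and host != site and not host.endswith("." + site):
            found.setdefault(host, []).append(tag)
    return found

# Constructed sample page; example.com and the PLACEHOLDER ids are made up.
SAMPLE_HTML = """
<link rel="stylesheet" href="/assets/site.css">
<link rel="canonical" href="https://example.org/contact">
<script src="//www.googletagmanager.com/gtm.js?id=PLACEHOLDER"></script>
<script src="https://static.example.com/app.js"></script>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
"""
if __name__ == "__main__":
    print(third_party_hosts("https://www.example.com/contact", SAMPLE_HTML))
```

Static markup is only part of the picture: scripts can inject further requests at runtime, so a clean result here should be confirmed in the browser's network panel.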

No cookies, no problems?

Third Party Cookies Die Out

Sooner or later, third-party cookies will no longer play a role, but ad-supported providers, such as Google, will continue to want to segment traffic by target group. Google does not want to achieve this through a technically similar alternative to cookies, but through a completely new approach: cohorts.

The basic idea sounds good at first: instead of identifying users ever more individually, Federated Learning of Cohorts (FLoC) is basically trying to accomplish only one task: the classification of users into user clusters. Based on browser history, the user is assigned to a cohort that is exposed through an API.

We share the WordPress project's criticism of the FLoC feature: it is to be assessed as a security risk for the user, as the user can be assigned to a group even more than before and can be discriminated against accordingly.

Cookies can be deleted or rejected, but the user cannot do much about the cohort feature. WordPress will disable Google's FLoC feature by default. Whether Google will offer at least an opt-out on the user side is unclear and currently unlikely.
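The opt-out Google documented for FLoC is a response header, Permissions-Policy: interest-cohort=(), which a site sends to exclude its pages from cohort calculation. The following added example (not part of the original article and not WordPress code) checks a set of response headers for that opt-out; the sample headers are constructed, and the parser assumes the simple comma-separated form without commas inside quoted origins.

```python
def parse_permissions_policy(value):
    """Parse 'feature=(allowlist), feature=*' into {feature: [allowlist members]}."""
    policy = {}
    for directive in value.split(","):
        name, sep, allow = directive.strip().partition("=")
        name, allow = name.strip().lower(), allow.strip()
        if not sep or not name:
            continue
        if allow.startswith("("):
            end = allow.find(")")
            if end == -1:
                continue  # malformed inner list: ignore the directive
            members = allow[1:end].split()
        else:
            members = [allow.split(";")[0]]  # bare item such as * or self
        policy[name] = members  # a later directive overrides an earlier one
    return policy


def floc_status(headers):
    """Return 'opted-out', 'allowed' or 'no-policy' for the interest-cohort feature."""
    values = [v for k, v in headers if k.lower() == "permissions-policy"]
    policy = parse_permissions_policy(", ".join(values))
    if "interest-cohort" not in policy:
        return "no-policy"
    # Only an empty allowlist, written (), disables the feature for every origin.
    return "opted-out" if policy["interest-cohort"] == [] else "allowed"


# Constructed response headers for three hypothetical sites.
SAMPLES = {
    "opts out": [("Content-Type", "text/html"),
                 ("Permissions-Policy", "geolocation=(self), interest-cohort=()")],
    "allows self": [("permissions-policy", "interest-cohort=(self)")],
    "silent": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", floc_status(headers))
```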

Either way, tracking approaches via third-party cookies have no future. In the future, tracking will be done either first-party, i.e. via the website operator, or, if Google has its way, via cohorts.

And the performance?

| Tracking provider | Primary purpose | Loading time | Size |
|---|---|---|---|
| Google Analytics | General user behaviour | 127 ms | 20 KB |
| Yahoo Dot Tag (Gemini) | General user behaviour | 28 ms | 7 KB |
| Mouseflow | Strokes | 2062 ms | 52 KB |
| Facebook | Re-targeting | 278 ms | 106 KB |
| Linkedin | Conversion tracking | 23 ms | 7 KB |
| Bing | General user behaviour | 7 ms | 8 KB |
| Hotjar | Heatmaps | 307 ms | 76 KB |

You always pay a price for tracking in the form of increased loading times. High loading times lead to high bounce rates and low conversion rates. With tracking scripts, pay attention to how much they affect the performance of your website and use them when the evaluation is complete.

You benefit twice: avoiding unnecessary tracking not only reduces the complexity with regard to GDPR, but also improves the PageSpeed of your website.


Conclusion and recommendation

The war over data was started by the GDPR, and so far it looks as if it will be decided in the interests of users.

From our point of view, it is a complete exaggeration to say that the advertising industry would be flying blind without third-party cookies or cohorts. We consider the demand that a user or group of users be identifiable across millions of websites to be incompatible with the GDPR.

Of course, this complicates activities such as retargeting or an almost incredibly accurate display of advertising. But who feels comfortable when, through data from Google Home, Gmail, Android, Google Search and the use of Google Analytics or the Google Tag Manager, almost every activity is recorded and classified and the user is identified?

For most websites, we have a clear recommendation to track only what makes sense and is actually evaluated.

Third-party services, such as Google Maps or YouTube videos, should be avoided, and alternative options should be explored instead.

Avoid third-party cookies and try to design a website that does not require a cookie consent banner. With the right selection of tools and third-party providers, you have a faster website and improve customer satisfaction, because who wants to click away these annoying banners on every visit to the website?

Use your GDPR-compliant positioning to build trust with your users: You don’t need a cookie banner because you’re not a data octopus. Let your data protection officer advise you or contact us to help you achieve your goal.