The development of alternative techniques to “third-party” cookies cannot be done at the expense of the right of individuals to protect their personal data and privacy, according to France’s Commission Nationale de l’Informatique et des Libertés (CNIL).

The commission has issued new guidance on what happens after third party cookies.

Data Protection Considerations:
  • The end of the use of third-party cookies does not mean that individuals will no longer be tracked on the web, in particular for advertising purposes. The actors of the advertising ecosystem will always be able to resort to alternative technologies allowing them to follow the navigation and the behavior of the users in order to target them for various purposes, and advertising in particular.
  • The development of alternative techniques to “third-party” cookies cannot be done at the expense of the right of individuals to the protection of their personal data and their privacy.
  • Their use must be done in compliance with the principles resulting from the regulations in force, namely the GDPR but also the ePrivacy Directive.
  • Alternative techniques to third party cookies rely on access to the user’s terminal equipment (smartphone, computer, etc.), to access information already stored in the equipment (advertising identifier, cohort identifier, browser setting data) or to enter information. It therefore requires consent.
  • Users must be able to choose freely and in an informed way: (a) to be the subject of a follow-up not strictly necessary for the provision of the requested service, for example to maximize the relevance of the advertisements presented with regard to their concerns at the time and, by adhering to the use of these tracers, to contribute to remuneration for a site or an application; OR (b) to refuse such follow-up.
  • It is essential to integrate, from the design stage, means allowing users to maintain control over their personal data;
  • It is also necessary to allow and facilitate the exercise of all the rights of individuals, through user-friendly interfaces, which is an essential component of the data protection approach by design (“privacy by design”) imposed by the GDPR.
  • Avoid the processing of sensitive data and ensure that the target groups they create do not lead to even indirect discrimination.
Overview of Alternative Techniques:

Certain techniques are used to allow circumvention of restrictions announced by browsers. Different methods are currently used:

  • Fingerprinting: identifying a unique user on a website or a mobile application using the technical characteristics of its browser.
  • Subdomain delegation: delegate the management of a sub-publisher domain to a third party via a redirect. This allows this third party to deposit, on the user’s terminal, cookies which will be considered as “first-party ” cookies and therefore avoid any blockages put in place by browsers.
  • Single Sign-On (SSO): allow connections to a large number of sites, applications or services via a single user account and a single authentication. This system is intended to facilitate user connection but above all allows the site or service group to have a global and consolidated view of the user’s navigation on all sites, applications or services. The account user becomes a tracker who follows the internet user during his navigation.
  • Unique identifier: allow a user to be tracked through the use of hashed deterministic data, collected during his browsing on the site. This technique can use the email address or an identifier provided by a user to connect to different online services in order to link these accounts and track the user in his use of these services.
  • Targeting via Cohort: avoiding targeting an individual by endeavoring to constitute a group of individuals with similar characteristics (center of interest, etc.), and which will be identified by a unique and persistent identifier, shared by all users of the same cohort and managed at the browser or operating system level.