Browser Tracking Preventions - Bypass with server-side tagging

For nearly three decades, cookies have been an integral part of the internet, establishing themselves as a crucial tool for user tracking. The information stored in a cookie, such as data about user behavior, forms an essential foundation for numerous marketing campaigns by companies. However, significant changes have occurred in recent years. Increased awareness of data protection and the growing desire of internet users to safeguard their data and privacy have led to extensive measures aimed at making the internet more secure and protecting personal information better.

With stricter data protection requirements, such as those mandated by the General Data Protection Regulation (GDPR), and the subsequent tracking preventions implemented by browsers that prevent unconscious tracking through cookies and other technologies, companies face new challenges. These developments have led to many traditional methods of data collection becoming less effective.

In this article, we explore the causes of these changes, highlight the problems that the new mechanisms create for companies, and discuss how these challenges can be addressed. We demonstrate how modern approaches, such as server-side tagging, can be used to respect privacy regulations while still gaining valuable insights for effective marketing strategies.

The Challenges of modern Marketing Strategies: How Browser Tracking Preventions present new tasks for companies

The introduction of browser tracking preventions poses a significant challenge for companies relying on data-driven marketing strategies. This situation needs to be viewed from two perspectives:

Company Perspective: Companies have a strong interest in collecting and analyzing their users' data. This information is essential for designing effective marketing campaigns that are specifically tailored to user behavior and preferences. The ability to draw from vast amounts of data enables companies to optimize their advertising efforts, thereby pursuing their commercial interests.
User Perspective: On the other hand, there are users who search the internet daily for information, products, and services. A large portion of these users find the increasing intrusion of advertisements annoying and respond by using browsers with integrated intelligent tracking preventions or by installing ad blockers. These tools are designed to prevent unwanted tracking and protect user privacy.

Impacts of Browser Tracking Prevention

Modern browsers have introduced mechanisms to protect their users, automatically detecting and blocking third-party tracking attempts. These preventions are often enabled by default and prevent data from being sent to known tracking provider domains. This makes data sharing with advertising partners, such as Google Ads, significantly more difficult, thereby limiting the data available for targeted advertising campaigns.

Consequences for Companies

The reduced availability of detailed user data makes it more challenging to create accurate marketing profiles and, consequently, to conduct effective targeted campaigns. Without specific data on user interactions and behavior, the effectiveness of advertising efforts decreases, as the communication becomes less personalized and potentially less impactful.

What are Browser Tracking Preventions?

Browser tracking preventions are advanced mechanisms in modern web browsers designed to protect user privacy. Their main goal is to shield users from covert data collection and unwanted tracking. These features are integral parts of browsers such as Safari, Firefox, Microsoft Edge, and Google Chrome, actively contributing to the security of user data.

What do Browser Tracking Preventions include?

These measures encompass a variety of techniques, including tracking protection, tracking prevention, anti-tracking, cookie blocking, and content blocking. Their main tasks include:

Identification and Classification of Domains: Browsers identify and classify domains that use known tracking mechanisms. These mechanisms are often designed to collect users' personal data without their knowledge or consent.
Limiting Storage Access in Third-Party Contexts: This measure prevents third-party scripts from accessing essential data that could be used to create cross-site user profiles. These profiles often form the basis for targeted advertising and other forms of marketing.
Restrictions on First- and Third-Party Cookies: In some cases, cookies may also be restricted, particularly if they are used for cross-site tracking purposes. Browsers can, for instance, shorten the lifespan of cookies or limit their functionality in certain contexts to prevent companies from creating detailed user profiles.

Figure 1: Introduction to Various Browser Tracking Preventions

Why were Browser Tracking Preventions introduced?

Browser tracking preventions were developed in response to growing concerns about the privacy and security of internet users. At the heart of these measures is the desire to prevent unwanted tracking of user behavior by third parties. These third parties often use tracking software in conjunction with cookies or similar storage technologies.

The difference between First-Party and Third-Party Cookies

Third-Party-Cookies

Definition: Cookies set by a third-party script that can be read across multiple domains.
Problem: Third-party cookies are often used by advertising networks and other services to track users across different websites. This form of tracking enables detailed profiling of user behavior, raising significant privacy concerns, as users are often unaware of the existence or use of these cookies.
Restrictions: Third-party cookies are now blocked by almost all browsers by default. The last major browser (Google Chrome) will end support for third-party cookies in early 2025.

First-Party-Cookies

Definition: Cookies set on the domain that the user is directly visiting. The cookie can only be read on the domain where it was set.
Usage: These cookies are central to many functions that enhance the user experience on a website. They help manage user sessions, store user preferences, and collect information necessary to provide website functions (e.g., shopping cart in an online store). However, they can also be used to create user profiles.

Prevention Measures by Browsers

To combat tracking through third-party cookies, browser manufacturers have implemented various measures:

Blacklists: Many modern browsers use blacklists to identify known tracking domains. Domains listed on these blacklists are automatically blocked, meaning their cookies and tracking scripts are not loaded.
Restrictions on Cookie Access: Browsers limit access to cookies in the third-party context to prevent trackers from creating comprehensive profiles without user consent. This often includes strict handling of cookie lifespans and access permissions.

The Phenomenon of Cross-Site Tracking

Cross-site tracking, where user activities are tracked across multiple websites, raises significant privacy concerns. This tracking typically occurs through central tracking domains that communicate with the websites the user visits. These domains use access to browser storage, particularly cookies, to create comprehensive user profiles. These profiles include data from all the websites the user has visited and are often created without the user's knowledge or explicit consent.

Legal Situation of Cross-Site Tracking with Third-Party Cookies

The practice of cross-site tracking often directly conflicts with modern data protection laws such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These laws require clear and explicit consent (opt-in) for the collection and use of personal data. The main issue with third-party tracking is that users are often not adequately informed about how and for what purposes their data is being used. This leads to several challenges:

Lack of Transparency: Users are often unaware that their activities across various websites are being tracked and data is being collected. This contradicts the transparency requirement mandated by data protection laws.
Missing Consent: In many cases, user consent is either not obtained at all or not in a manner that meets legal standards. Some websites hide their tracking practices in long and complicated privacy policies that are rarely fully read.
Uncontrolled Profiling: Creating comprehensive profiles of user behavior and preferences poses significant risks. Such profiles can be used for targeted advertising, which may be perceived as invasive or manipulative.

Why is this relevant when everyone is talking about the end of Third-Party Cookies?

In the current discussion about online privacy and data protection, the anticipated end of third-party cookies plays a central role. This topic is especially prominent in the context of Google Chrome, as this browser, despite the industry-wide shift towards increased privacy, has so far only taken small steps to restrict or eliminate third-party cookies. However, Google is not indifferent to privacy concerns; its initial efforts to enhance online privacy include the introduction of Google Consent Mode V2. More details can be found here: Google Consent Mode V2. The delay and different approach of Google compared to other browsers like Safari and Firefox, which have already implemented strict measures, are mainly due to Google's dominant market position and its deep entanglement with the advertising industry.

Many companies heavily rely on data-driven advertising enabled by third-party cookies. These cookies allow ad networks to track users across different websites and create detailed user profiles, which are crucial for targeted advertising campaigns. The restriction or ban of third-party cookies would thus necessitate profound changes in the strategies and methods of online advertising. Consequently, companies are increasingly turning to alternatives, which are often also problematic from a data protection perspective.

Alternatives to Third-Party Cookies

First-Party Cookies: As long as user tracking across multiple websites is not required, first-party cookies are sufficient to create a profile of the user for the currently visited website.

Fingerprinting: A technique that collects detailed information about a device to create a unique "fingerprint," such as a combination of IP address and browser metadata.

"UTM" Parameters: Using query parameters in a URL, information from different websites can be consolidated. By transmitting specific IDs via URL parameters, user profiles can be linked together.

Google Signals / Meta Enhanced Conversions: When it comes to advertising conversion tracking, specific user attributes can also be used to merge tracking profiles from individual domains. For example, Google uses "Google Signals," while Meta employs a similar technology.

Further impacts on Data Collection

In today's digital economy, data is a valuable currency for companies striving to optimize their online presence and develop targeted marketing strategies. However, due to stricter data protection requirements being implemented in many countries, companies can now only access data that visitors to their website provide through consent via cookie banners. This restriction significantly impacts how companies design and conduct their web analytics and advertising campaigns.

The role of Cookie Banners

Cookie banners serve as a direct interface between the website and the user, allowing the user to consent to data collection. This consent is crucial because, without it, no tracking cookies can be set, which are necessary for analyzing user behavior. Once consent is given, the collected data can be sent to analytics tools such as Google Analytics. These tools are capable of conducting comprehensive analyses that provide insights into the behavior of website visitors. Based on this data, companies can understand how users interact with their site, which content or products are particularly appealing, and how they can make their marketing campaigns more effective.

Influence of Consent Rates on Data Collection

Consent rates, meaning the percentage of users who agree to data collection, vary significantly between different countries.

Figure 2: Average consent rates for cookie banners in Germany and the USA

Entwickung Consent Rate EN

In Germany, for example, the average consent rate is about 55%, meaning nearly half of the potential data for analysis and marketing purposes is unavailable. In the USA, however, the consent rate tends to be higher, providing companies with more data and, consequently, deeper insights into user behavior. These differences can be attributed to cultural attitudes towards data privacy, varying legal frameworks, or the specific design and communication of cookie banners.

Effects on Marketing Strategies

For companies, the availability of data directly impacts the effectiveness of their online marketing strategies. With a higher volume of available data, advertising campaigns can be more precisely targeted to the interests and needs of the audience. Conversely, a lower amount of data due to low consent rates can lead to less targeted and thus less effective marketing efforts. This forces companies to find alternative methods of data collection or develop innovative approaches to succeed even with less data.

Overview of Browser Tracking Preventions by Firefox, Edge, Safari, and Google Chrome

Firefox Tracking Prevention: An Overview of Enhanced Tracking Protection (ETP)

Firefox

Enhanced Tracking Protection (ETP):

Firefox uses Enhanced Tracking Protection to provide users with better control over their privacy and data.

User Control: Users can choose between three levels of protection: Standard, Strict, and Custom.

In Custom mode, users can specifically select which types of trackers and scripts to block and add exceptions for certain websites.

Use of Disconnect.me Lists:

ETP uses Disconnect.me lists to determine which domains fall under tracking prevention.

Categories of Tracking and Blocking Measures:

Advertising: Third-party cookies are blocked.
Analytics: Third-party cookies are blocked.
Cryptomining: All third-party requests are blocked.
Fingerprinting: All third-party requests are conditionally blocked.
Social: Third-party cookies are blocked.
Example: Requests to social networks like Facebook do not send cookies.

Additional Restrictions:

Blocking Tracking Content: This not only involves removing cookies but also blocking all resource requests to domains listed on Disconnect.me.
Cookie Lifespan: Firefox deletes all stored site data (including cookies and browser storage) if the site is identified as a known tracker and has not been visited in the past 30 days.

Safari's Intelligent Tracking Prevention: A Comprehensive Overview

Safari

Use of Intelligent Tracking Prevention (ITP):

Safari employs Intelligent Tracking Prevention to offer users a high level of privacy while browsing.

User Control:

The functionality of ITP is not customizable by the user.
Users can disable ITP by turning off the "Prevent cross-site tracking" option in Safari's security settings.

Classification of Known Trackers:

Safari classifies "known trackers" using a Tracker Radar, which identifies domains capable of cross-site tracking. An algorithm running on the device determines individually which domains are considered trackers, resulting in a user-specific list of blocked domains.

Use of Machine Learning (AI):

Safari utilizes machine learning to classify which top domains potentially violate user privacy based on collected statistics.

Example of ITP Functionality:

On a first visit, a website loads an iframe from www.iframe-domain.com without immediate ITP intervention.
If the user subsequently visits multiple websites that all load data from the same domain, ITP classifies this domain as capable of cross-site tracking and activates corresponding privacy measures.

Treatment of Cookies:

Third-Party Cookies: Safari blocks all access to third-party cookies.

First-Party Cookies:

Safari deletes all forms of script-writable storage (including cookies, Local Storage, Session Storage, and IndexedDB) if there is no interaction on the website in the first-party context within seven days.
Cookies marked by query parameters or fragments in a URL and originating from a known tracker domain have a maximum lifespan of 24 hours.
Cookies set by the HTTP response header Set-Cookie in the first-party context are not affected by ITP and are not subject to any expiration restrictions.

Microsoft Edge Tracking Prevention: An Overview of Security and User Control

Tracking prevention Microsoft Edge

Use of Tracking Prevention:

Microsoft Edge offers built-in tracking prevention to protect users from unwanted tracking and other threats.

User Control:

Users can choose from three levels of protection: Basic, Balanced, and Strict.
The user interface allows users to view blocked trackers. Users can add exceptions for specific sites, allowing these sites to bypass tracking prevention.

Classification of Known Trackers:

Edge uses protection lists based on data from Disconnect.me to classify domains that use cross-site tracking functions or are otherwise deemed harmful. These lists help identify malicious resources and implement appropriate protection measures.

Blocked Categories and Mitigation of Tracking Prevention:

Edge blocks resources from various categories, including Advertising, Analytics, Content, Cryptomining, Fingerprinting, and Social Media. A unique feature in Edge is the mitigation of tracking prevention for companies that own multiple domains. If two domains belong to the same company, Edge may relax tracking prevention when one of these domains requests resources from the other.

Usage of the "Site Engagement Score":

Edge uses the "Site Engagement Score" to evaluate user engagement with a website. This score helps to adjust tracking prevention based on how actively a user interacts with a website. A high engagement score can result in certain protective measures being relaxed to ensure a better user experience.

Handling of Cookies:

Third-Party Cookies: Edge blocks third-party cookies for all domains that are on the trust protection lists.

First-Party Cookies: There are no restrictions on first-party cookies, which means they can be set and used normally as long as the website is not classified as harmful.

Future Privacy Changes in Google Chrome: An Outlook for 2024

Tracking prevention Google Chrome

Current Status and Future Plans: As of 2024, Google Chrome has not implemented specific tracking prevention measures comparable to those of other leading browsers like Firefox or Safari. However, this is on the verge of a significant change as Google expands its privacy policies and features to address growing user and regulatory concerns regarding privacy.

Introduction of Google Consent Mode V2: In March 2024, Google introduced Google Consent Mode V2. This enhanced version aims to strengthen user privacy through advanced settings for consent to data collection and processing. This mode enables website operators to better tailor the use of their websites to the preferences and privacy requirements of their visitors. More details on the specific features and benefits of Google Consent Mode V2 can be found in the corresponding blog post.

Phasing Out Third-Party Cookies: In early 2025, Google plans to "phase out" third-party cookies in Chrome. This announcement follows extensive industry discussions on the need to better protect user privacy while maintaining the functionality of websites that rely on advertising revenue.

Testing the New Tracking Protection Tool: Since January 4, 2024, Google Chrome has been testing a new tracking protection tool aimed at limiting cross-site tracking. In an initial test phase, this tool is randomly activated in 1% of all Chrome installations to evaluate its effectiveness and impact on user experience. This step is part of Google's broader efforts to strike a balance between user privacy and the commercial interests of advertisers.

Server-Side Tagging: Adapting Compliance in the Era of Stricter Privacy Regulations

Methods of data collection in digital marketing and web analytics can be broadly divided into two categories: client-side tagging and server-side tagging. Each method has its own characteristics, advantages, and challenges, particularly in terms of compliance with new privacy laws and browser policies.

Introduction to Data Collection Methodology: Client-Side vs. Server-Side Tagging

Client-Side Tagging:

Definition: Client-side tagging refers to the practice of executing small pieces of code, known as tags, directly in the user's browser. These tags capture user interactions and behaviors on a website.
Process: When a webpage loads, the tagging container is also loaded. This container triggers tracking codes that collect all interaction data and send it to web analytics services like Google Analytics.
Problem: The effectiveness of client-side tagging can be hindered by the increasing use of browser tracking prevention, which often blocks the use of third-party cookies necessary for data collection.

Server-Side Tagging:

Definition: Unlike client-side tagging, server-side tagging involves the use of a dedicated server between the client (browser) and third-party software.
Process: Requests from the browser are first sent to the dedicated server (e.g., a Google Cloud server). This server acts as an intermediary, forwarding the tracking data to tracking servers without being directly collected by third-party providers like Google.
Advantages: This method reduces dependency on cookies and mitigates the risk of data loss due to browser restrictions. Additionally, it offers enhanced control over data processing, including options for anonymizing user data.

Compliance and Data Protection

The shift from client-side to server-side tagging represents a significant adaptation in the context of increasingly stringent data protection laws. By moving data collection and processing from the browser to servers, companies can ensure compliance with privacy regulations such as GDPR. This approach minimizes the risk of capturing sensitive user data without explicit consent and enables more precise adherence to data protection requirements.

The Advantages of Server-Side Tagging

Reduction in the Visibility of Tracking Requests

Technique: In server-side tagging, tracking requests are sent from the website operator’s server instead of directly from the user's browser.
Advantage: Tracking scripts and requests are not executed in the browser, making them less susceptible to being blocked by ad blockers or browser settings that restrict tracking. This leads to more efficient data collection without interruptions from local tracking limitations.

Circumventing Cookie Restrictions

Technique: Data processing occurs on the server, so cookies and other identifiers that would normally be stored in the browser are instead managed on the server.
Advantage: This allows for the circumvention of third-party cookie restrictions, as relevant information remains on the server and can be used independently of local browser restrictions.

Improved Data Control and Privacy

Technique: Server-side tagging allows precise control over what data is collected and sent to third parties.
Advantage: This helps reduce the amount of personal data shared with ad networks and other third parties, improving compliance with data protection regulations such as GDPR.

Consistency Across Different Browsers

Technique: Since data processing is centralized on the server, differing browser policies regarding tracking and cookies do not affect data collection.
Advantage: This ensures consistent data on user activities, even if individual browsers have varying levels of tracking restrictions.

Effective Use of First-Party Data

Technique: Server-side tagging facilitates the effective collection and utilization of first-party data, which is considered safer and more acceptable under current privacy regulations.
Advantage: First-party data is often more accurate and reliable. Its use is less likely to be blocked by privacy tools, enhancing the quality and reliability of the collected data.