{{ searchResult.published_at | date:'d MMMM yyyy' }}

Loading ...
Loading ...

Enter a search term such as “mobile analytics” or browse our content using the filters above.

No_results

That’s not only a poor Scrabble score but we also couldn’t find any results matching “”.
Check your spelling or try broadening your search.

Logo_distressed

Sorry about this, there is a problem with our search at the moment.
Please try again later.

In the UK the deadline for compliance with the EU cookie law has come and gone and either you worked like crazy to get your site reconfigured to be in compliance or you decided to wait it out and see what happened. (Lots of us are still waiting).

But are you ready for the next deadline?

For those of you who have implemented a solution and collected your consumer’s consent regarding cookies you may not know that there is another deadline coming on or around the 26th of June. The date by which at least 35% of third party cookies will have been deleted.

It seems like storing the cookie preference in a cookie may not be the best solution, but are their other options? Yes, Device ID.  

With Device ID a website owner gets to have the value exchange discussion with a consumer just once and then to store their preference in a way that doesn’t get deleted every time a consumer clears their cookies.

A recent ComScore study shows that 28% of first party and 37% of third party cookies are deleted after 1 month.  

If you are storing your consumer’s expressed “cookie preference” in a cookie, that means that for some 30% of your users you are going to have to go through the process of asking for their permission all over… and again in another 30 days… and again…  You get the idea.

When websites speak to consumers about the data collected, how the data is used and shared we can take this opportunity to explain to the consumer the value we bring in exchange for the data we collect.  

The value may be a better experience on the website where your consumer’s favourite sports teams are remembered or favourite product types are used in advertising or the value may be that the consumer doesn’t have to pay to access your great multi-media content because it is paid for through advertising revenue.  

The point is that there must be some perceived value by the consumer in order for them to agree to allow us collect data.

Having this value exchange discussion once is good. It helps us build our relationship with our consumer and can lead to greater loyalty and trust.

However, if websites ask the consumer the same question every 30 days or every time the consumer deletes all of their cookies the consumer will eventually get tired of being asked. And even if they don’t write to you and complain directly, you can bet they are thinking to themselves, “I’ve already told these guys it’s OK to collect my data and use cookies! – Why do they keep asking me?!?

It seems like storing the cookie preference in a cookie may not be the best solution but there are other options. 

Some e-commerce sites, publishers and ad networks are looking to Device ID technology as a possible alternative.

Device ID is a new technology allowing websites to identify devices on a persistent basis meaning that even if a consumer deletes all of their cookies, clears their Flash and HTML5 local storage the Device ID can reliably be generated each time.

Once a website has a persistent Device ID then you have the opportunity to store the consumer’s cookie preference and associate it with the Device itself on a persistent basis. rather than to store it in a cookie. As a website owner you get to have the value exchange discussion with a consumer just once and then to store their preference in a way that doesn’t get deleted every time a consumer clears their cookies.  

Using Device ID to store a consumer’s cookie preference isn’t only good for business, it’s good for the consumer too. The consumer is assured that the business won’t forget their preference, that websites won’t repeatedly interrupt their browsing experience to ask permission to collect data and use cookies and the business is able to get on with the job of delivering great content to consumers without having to stop them and ask permission every time the cookie consent is deleted.

Using Device ID to store a consumer’s cookie preference is only one use of this great new technology. Over the next few months I’ll be writing other articles discussing how eCommerce, online publishers and ad networks are using Device ID to bring more value to their consumers, customers, advertisers and partners.

So when you are reviewing your current or future plans to implement a cookie law compliance solution make sure you are thinking about the best way to store the consumer's expressed preference:  Device ID.

Troy Norcross

Published 20 June, 2012 by Troy Norcross

Troy Norcross is VP Strategy and Business Development, Europe at BlueCava and a contributor to Econsultancy. 

1 more post from this author

Comments (24)

Comment
No-profile-pic
Save or Cancel
Niranjan Sridharan

Niranjan Sridharan, Digital Auditor at ABC

Nice article but too many Rrs' in "thirrd" Troy! I hope you are doing well?(Met you at the last Seth Godin Meetup day..)

Cheers,
NJ

P.S feel free to delete this comment after correction!

about 4 years ago

Avatar-blank-50x50

Richard Beaumont

The problem with device ID, or browser fingerprinting as it is also known is that some people find it even more intrusive - in effect it also bypasses their ability to control their privacy.

The article also doesn't look at why people are clearing their cookies - to get rid of unwanted tracking.

If websites, as they should be, enable people to prevent tracking they don't want, through cookie opt-out mechanisms, then they won't feel a need to keep deleting cookies - because the only ones in there should be the ones they are happy with.

People don't actually like deleting all their cookies, because it also means they can lose their logins and personalisation do want. However they do it because the value in removing unwanted tracking is worth it.

So, sites should give people control over their privacy, then they will trust them more, which will work out better for all.

about 4 years ago

Avatar-blank-50x50

Riaz Kanani

I'm with Richard here - finding a workaround to storing visitor information is not the solution and will only lead to bigger issues later either by further legislation (maybe on server side personal data).

Maybe adding a message around "why am I seeing this again?" is an option, which explains why this can happen.

Though with most companies using informed consent, I sense consumers will be trained pretty quickly to ignore the overlay and continue browsing.

The real solution is to have more detailed privacy options in the browser. ie. dont delete my logins, my cookie preferences, tracking cookies.

about 4 years ago

Avatar-blank-50x50

Rufus Bazley, Marketing Manager at Private Company

I have to agree; find a "work around" is just hiding from the problem and not finding an actual solution.

You need to start looking at why this has come around and what issue it is actually trying to correctly only once you know that can a actual solution be found.

I’ve always believe with the ePrivacy law it's been about not wanting to be stalked on the internet by re targeting ads and things like this as well as concerns over not knowing how much detail companies are keeping on you and sharing with other companies, this is what needs to be addressed not a work arounds otherwise you'll end up like the SEO's black hat community trying to find a hole before it's closed.

about 4 years ago

Avatar-blank-50x50

Edwin Hayward

Surely if another technology comes along that provides the same (or greater) tracking capability that cookies offer, the legislation is simply going to be amended to encompass it?

about 4 years ago

Avatar-blank-50x50

mark heseltine

What is "Device ID"? It's not something that sticks out in my mind as having been mentioned in ICO guidance. If it is, as I suspect, a reference to the iOS UDID, I think this approach would be problematic for a couple of reasons
(a) it breaks the model of the web standards, being a hardware/OS-specific. An alternate approach for web browsers not presenting Device ID is still required
(b) The device ID is probably constitutes personally identifiable information (PII), which must be taken into consideration if you plan to use it
(c) As others have said, it side-steps the intent of the EU cookie directive, which is precisely to allow people to control what data about them websites store and track
(d) Storing the information server-side adds considerable work and expense over storing configuration settings in a cookie.

It would be useful if the ICO gave clear revised guidance as to whether websites need to refresh settings every 30 days, for the problems you've outlined.

about 4 years ago

Avatar-blank-50x50

Mike O'Neill

If by "Device ID" you mean browser fingerprinting this is well known to be far too inacurate to identify the device if it is based on IP address and request headers. Anything based on storing data in the browser, for example JavaScript files that send back identifying info like installed fonts, is already covered by the PECR requirement for informed explict consent. And many of these techniques, for example the Panopticlick EFF example, relied on session cookies to connect up the returned data.

There is no problem with using a cookie to store a visitor's agreement to cookies, as long as the necessity (for the placement of a "compliance" cookie) is explained in the cookie policy.

The law was designed to give citizens the choice whether to be tracked, not create ridiculous technical road blocks for web publishers. Many of these are finding that complying with the law is straightforward using the right tools and there is no need to deny consumers a choice with illogical and irritating "implied consent" or pointless inactive placebo banners and pop-ups.

about 4 years ago

Tim Roe

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

Device ID is still a tracking solution that will be tracking a browser, so should more than likely fall under the banner of “similar technologies” in the ICO guidance. This legislation was introduced because of the perceived lack of transparency and control that the user has, over how they are tracked on the web.

The internet users need to be educated about the positive impact tracking has on their browsing experience or they could end up making the wrong choice. Let’s face it, some consumers might not like the feeling they are being watched and without knowledge of the benefits they are getting, the choice will probably be “do not track”, because they know no better.

Also, if you look at the language used to describe some sorts of tracking, the word “intrusive” often comes up. How many are going to agree to that? “Yes give me some of those intrusive cookies please”, I can’t see that being the popular choice!

Measurement and targeting are a vital part of online marketing, improving response for the marketer and browsing experience for the user. Without consumer transparency, we won’t be able to build trust and that will ultimately affect how the user will view all web tracking, whether it is Device ID or cookies.

about 4 years ago

Troy Norcross

Troy Norcross, Digital Strategy and Innovation / Principal at SER Associates

Thanks for all the great comments. It's obvious that this is a topic that people feel strongly about.

I’d like to clarify a few points.

• Device ID can be referred also to as Device Fingerprinting. This is not a biometric fingerprint from one of your digits – but instead a unique identity associated with any device capable of running JavaScript.
• Device ID is a solution to store a consumer’s preference for ePrivacy in a persistent way. By storing it in the Device ID it doesn’t get lost or forgotten and this is good for the consumer and good for the business.
• Device ID is not a solution to “work around” the cookie law. While Device ID is not technically subject to the UK Cookie Law as written (Device ID neither stores nor accesses information from a consumer’s device) the technology is not intended as a wholesale replacement solution for Internet cookies.
• Device ID (from BlueCava) is compliant with the Do-Not-Track option within some browsers and also offers consumers a way to opt-out directly from the BlueCava website. Consumers always have a way to opt-out from Device ID being used for tracking.

I 100% support the idea that websites should communicate more openly with consumers about the data they collect, how that data is used and how the data is shared. Websites have an opportunity to build better trusted relationships with their visitors by explaining the quid-pro-quo for collecting information and receiving advertising in return for great content. And once a consumer has given their consent then websites should use the best technology available to store that data persistently – Device ID.

Considering that cookies are deleted on a regular basis for all kinds of different reasons, Device ID is proven to be more than accurate enough to be of real benefit to websites who choose to implement the technology.

Device ID is not a workaround for the cookie law legislation. It can make your current implementation work more effectively to the benefit of both website and consumer.

about 4 years ago

Avatar-blank-50x50

mark heseltine

Troy, thanks for clarifying what you mean by "Device ID".

I see after a bit of a google search that you are combining various pieces of data you can get via Javascript to generate a (hopefully) unique ID for a user's device.

This sounds like an interesting approach although intuitively it looks like it owuld be prone to collisions, for example where a number of employees are accessing a site from a standard build PC, I'd expect their configuration to be the same and therefore their Device ID to be the same.

I can't seem to find anywhere that says specifically on what data is this BlueCava Device ID based? Can you please clarify this.

Also, this June 26 deadline you mention, I've had a bit of a scour around and I can't seem to find anyone else talking about it (most importantly the ICO). Can you please point to the guidance you refer to.

about 4 years ago

Rob Mclaughlin

Rob Mclaughlin, VP, Digital Analytics at Barclays

I want to remind you guys about the cookies, and similar technologies' phrase which is used consistently by the EU and the ICO. Whilst the ICO confused things by nick naming it the 'EU Cookie Law' is always refers back to the fact that this is the 'e-Privacy Directive' and does not solely relate to cookies.

@Troy your fictional new deadline, whilst funny to me and those who get your point, will no doubt cause some sweats - nice way to make friends!

about 4 years ago

Ivor Morgan

Ivor Morgan, Personal

@Troy - you say "Device ID neither stores nor accesses information from a consumer’s device", how then does it communicate the user's privacy preferences to the server?
Also, you use tags in pages as well as client-side javascript. I assume you notify the user that the javascript is being installed. Do you also explicity point out the purpose of the tag?
You talk about identifying visitors 99% of the time. How does DeviceID separate little Johnny's preferences on the family computer in the lounge from Mum's or Dads's preferences when they use the same computer?
Finally, exactly how is DeviceID not a "similar device" as @Rob Mclaughlin and @Tim Roe have indicated?

about 4 years ago

Avatar-blank-50x50

Holly Mcfee

I could be wrong here, but doesn't the 'deadline' just refer to the fact that 26th June is 30 days after the ePrivacy directive came into play.... So, the cookies set by the deadline will either expire or are going to be deleted...

about 4 years ago

Avatar-blank-50x50

Emma Harvey, Managing Director at Numiko

Essentially this is an advert for Troy's product, and the idea of a 'deadline' is misleading.

Yes - if you were daft enough to use a time-based cookie to store preferences, it will expire. If your consumers are savvy enough to delete their cookies - you'll need to ask them again.

about 4 years ago

Troy Norcross

Troy Norcross, Digital Strategy and Innovation / Principal at SER Associates

Again - more great comments:

@Mark H. - There are more than 30 different browser parameters which are accessible via JavaScript. Device ID technology varies between vendors (@Emma - there are multiple Device ID vendors - not just BlueCava) And yes - my 26 June deadline is "relative" rather than literal. By 26 June up to 30% of cookies will have been deleted.

@Rob - You're right - there is reference in the ICO guidance to "similar technologies". I think the more important point I'm trying to make is that Device ID is not intended as a way to circumvent the law - but instead a way to make compliance more effective for both businesses and consumers.

@Ivor - Our Device ID solution does not store or access information from a consumers device. It does collect browser information in order to create a unique ID for that specific device. A website then collects a consumer's preference regarding cookies and stores that preference associated with the Device. This information is stored on our servers in the cloud. Device ID can be considered a "cookie in the cloud" in that you can store information associated with the Device ID on our servers exactly as you can store information in a cookie on the device.

@Ivor - Any website which uses our technology will explain in their privacy policy and terms and conditions that the technology is being used and that Javascript is used. Furthermore, websites make clear to the consumer how to turn off JavaScript, to opt-out by setting Do-Not-Track in their browser (if DNT is supported) or by visiting the BlueCava website.

@Ivor - Device ID works on a device specific basis. We provide the infrastructure. Individual websites then collect the privacy and other preferences on a visitor-by-visitor basis. The only preference we (BlueCava) watch for is Do-Not-Track which applies to the device and not to specific users/family members.

@Ivor - Rather than debate whether or not Device ID is covered by the cookie law - we prefer to take the approach that Device ID could be used to collect information about a consumer and thus we advise our clients to treat Device ID in the same way as they would cookies. We advise our website customers to collect consent from consumers to collect data (regardless if Cookies or Device ID are used) rather than to literally collect consent about cookies.

@Holly - Yes - The headline is more "editorial license" than literal government deadline.

@Emma - There are a lot of consumers who "delete cookies" without really understanding the full impact of what they are doing and without making a conscious choice about which cookies to keep and which to delete.

The IAB AdChoices program is a good example.

Consumers go to youronlinechoices.com and specify that they do not wish to be tracked by one or more member companies - then they close their browser which can be set to delete all cookies - and they find they are being tracked.

And then the consumers are really upset. They don't understand that their preference not to be tracked is stored in a cookie which when they delete all cookies - also deletes their preference not to be tracked.

Storing AdChoices and ePrivacy compliance in Device ID is good for both businesses and consumers because it is persistent. Device ID persistently stores a consumers preference and is a demonstration by website owners of their commitment to compliance with the law.

Please do keep the questions coming - thank you.

about 4 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

This is actually covered fairly explicitly in the ICO's guidance.

I've added paragraph breaks to aid legibility:

"In some areas it is possible for functions usually performed by a cookie to be achieved through other means. This could include, for example, using certain characteristics to identify devices so that you can analyse visits to a website (this is sometimes known as ‘device fingerprinting’).

When considering alternatives to cookies it is important to look at the broader privacy context. Focusing solely on cookies is missing the point.

Even where the clear cookies rules do not apply you must consider the DPA whenever you are collecting information that builds up a picture that could allow you to identify an individual. You should tell people what you are collecting and how you are using this information."

about 4 years ago

Avatar-blank-50x50

mark heseltine

@Troy thanks. If I understand this correctly, the word "fingerprint" is misleading because it's not a fingerprint. Fingerprints are unique. Device IDs generated in this manner could not be unique.

For example, suppose you use up to 30 different browser parameters to generate a DeviceID. The process combines the attributes and runs some sort of algorithm to generate an electronic fingerprint. Suppose two people, Alice and Bob, are both running a standard build PC that is similarly configured and accessing the internet through a shared proxy. This is a pretty common scenario in larger workplaces. Both their browsers will generate the same DeviceID because they are configured exactly the same way.

Suppose Alice visits your website and says it's OK to track her browsing habits. You generate her DeviceID store her preference against it.

You can see what's coming.

Next up, Bob visits your website. You dutifully generate his DeviceID and look it up and see that he's already stated his preference to allow you to track his browsing habits. Only he hasn't, that was Anne's preference. Do you have a pattern to deal with this scenario?

Without knowing what browser attributes you are using it's impossible to say how often a collision would occur. Without this information I couldn't perform a risk assessment to ascertain suitability of this approach. I guess one could glean the information empirically but this would take quite a lot of time and effort.

Can you please share the list of attributes you use? Do you have any stats on how often collisions occur?

about 4 years ago

Troy Norcross

Troy Norcross, Digital Strategy and Innovation / Principal at SER Associates

@Mark - Thanks for your question. We use all of the available parameters and these vary from browser to browser and platform to platform.

You are correct that there are some occasions when two devices could look unique. An office environment is one situation - and 1,000 new laptops from from ASDA is another. We have solutions for both of these situations or - in some cases - we do not return a device ID as the snapshot of data is not unique enough.

We are happy to discuss our rate of false positives/negatives with our prospective customers. With our patented technology we have a very acceptable performance rate.

about 4 years ago

Avatar-blank-50x50

mark heseltine

@Emma thanks for clearing it up. Sadly it appears this article was intentionally misleading and ended up being time-wasting. I guess at least I now know what a "Device ID" is. The Device ID approach only helps you persist a preference for users who are savvy enough to delete their cookies. These users might also become suspicious or even angry if they suspect you are tracking them through some other means. The http standard has cookies for a reason, I think cookies are a better approach than Device ID because they are part of the standard, under the control of users, and you don't have to worry about collisions etc.

about 4 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

There's actually a test to figure out how 'unique' your setup is:

https://panopticlick.eff.org/

(I found this via @RichardFergie on twitter a few weeks ago)

about 4 years ago

Ivor Morgan

Ivor Morgan, Personal

@Troy - I hope I don't seem over critical; I'm just trying to understand.

It seem to me that you have created a complicated version of a cookie that happens to be stored remotely as opposed to on an end-user device.

I don't see how it addresses the problem of uniquely identifying a visitor, or ensuring accuracy of personally identifiable data or how it (in spirit at least) gets around legislation related to data privacy.

As @mark heseltine says - your average joe is going to think it looks a bit like a "get around".

about 4 years ago

Troy Norcross

Troy Norcross, Digital Strategy and Innovation / Principal at SER Associates

@Dan B. - Thanks for this link. This is a good open-source version of browser fingerprinting and gives a good indication of what information is collected.

@Ivor - Thanks for your questions. Device ID is very accurate at identifying a user - not 100% - but significantly better than using cookies.

The other point I have been trying to make in the article - and in these comments - is that Device ID is "not" a way to get around the legislation. Device ID is a method to support websites who are complying with the legislation.

If a website owner asks a consumer "Is it OK for us to collect data about you?" - and the consumer says, "Yes." - then storing that "Yes." in Device ID is in the interest of both the consumer and the business. And if the website stores more profile information against the Device ID (Where they have just collected permission to do so) then the business gets a much better profile and everyone wins.

If a website discloses to the consumer that they are using Device ID as part of data collection then surely it cannot be considered a "get around". We always advise our website customers to make it clear in their privacy policy that Device ID is being used and to explain to the consumer how to opt-out from Device ID.

.

Thanks to everyone for the comments and questions about Device ID. Hopefully you've learned something new about how Device ID can be used to comply with ePrivacy legislation and to make websites and consumers work together better.

Have a good weekend.

about 4 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

Tony: Perhaps you could give us a paragraph that someone may add to their Privacy policy to explain to users what they're doing here in language that you think would be fine in terms of ePrivacy?

(terrible sentence, but hopefully that makes sense!)

about 4 years ago

dan barker

dan barker, E-Business Consultant at Dan Barker

(gah - 'Troy' not tony - my apologies)

about 4 years ago

Comment
No-profile-pic
Save or Cancel
Daily_pulse_signup_wide

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Daily Pulse newsletter. Each weekday, you ll receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.