To improve websites and other online services, measuring how they are used is a key tool. However the law on measuring visitors to websites is a mess. Nine years ago, when reviewing the types of cookies that do not need consent, the Article 29 Working Party of data protection regulators concluded that requiring consent when sites measure their own audiences was a major source of “consent fatigue”. A law to fix this was proposed in 2017 but has been stuck in debate in the European Council of Ministers ever since. While there has recently been some progress, Brexit means there is no guarantee that the UK will follow the result. Meanwhile the entry into force of the GDPR – in both the EU and UK – made that consent requirement even more onerous for both websites and their visitors. Last year the UK’s Information Commissioner said that enforcing this aspect of law was “unlikely to be prioritised”, but that could change at any time. If it does, regulators already have automated “cookie sweep” tools that would make widespread enforcement straightforward.
The law currently distinguishes between two (in future maybe three) different groups of technologies:
- Multi-site measurement cookies, tracking pixels, fingerprinting, etc. All technologies that store or access data from user devices require prior opt-in consent (unless they are solely for an exempt purpose) under the ePrivacy Directive. Using such data also requires a justification under the GDPR, and doubts have been cast whether this is possible given the close link between multi-site measurement, user profiling and targeted advertising.
- Single-site measurement cookies, etc. These technologies currently require opt-in consent under the ePrivacy Directive, however the proposed ePrivacy Regulation would make at least some of them exempt from this requirement.
- Logfiles. It is possible to measure website traffic using the logfiles routinely collected by the server. This is outside the scope of the ePrivacy Directive, and may be considered a Legitimate Interest under the GDPR. However, using general logfiles for this purpose may well be more intrusive than a tool that is specifically designed to produce audience statistics, so this approach is likely to require more in the way of safeguards.
It’s worth noting that all audience measurements are inaccurate for both technical and social reasons. Many people use cookie and script blockers that reduce the numbers recorded by those technologies. Changes to the default behaviour of popular browsers can also have a significant impact. On the other hand logfiles contain records of visits by search engines and other web mapping tools, so are likely to over-report. Adding or changing consent banners is also likely to change user behaviour, either reducing the number granting consent, or increasing the number willing to trust that the technology is beneficial.
There’s no obvious “right answer” to how to do audience measurement, either in law or technology. Changing involves a trade-off. Moving to a different technology on your own schedule should allow you to determine the effect of the change in measurement, and how to compare figures from before and after. Waiting until a regulator, legislator, technology firm or public sentiment forces the change may give more consistency in the short term, but a greater risk of an irreconcilable break when the change has to be made.