Website Tracking: Why and How Do Websites Track You?
Most of us are aware that websites track us when we browse the web. We’ve all had the experience of looking for a product online, and then having advertisements for the same product follow us around for weeks on end.
What may be less clear is what data websites collect, why they do so, and how websites track you. In this article, we aim to answer some of those questions about web tracking, as well as explain how new privacy regulations affect how websites can track users.
- What is Website Tracking?
- Why do Websites Track Users?
- How do Websites Track Users?
- Website Tracking and Global Privacy Regulations
What is Website Tracking?
Website tracking is when websites collect information about site users to monitor their online behaviour.
The practice is used to power many online services including digital advertising and website analytics. Website tracking is incredibly common; a 2017 survey found that 79% of websites use trackers that collect user data.
Here are some examples of how websites track users outside of advertising.
- When you search for a restaurant on Google and the service provides you with a list of restaurants in your local area, it’s because the search engine knows where you are based.
- When an e-commerce store shows you a list of recommended products, it knows what you like because it has tracked items you looked at or bought previously.
Without website tracking technology, the above two examples would either not exist or would exist in a less personalized, and therefore less useful, way.
However, the prevalence of website tracking and the lack of transparency about the data websites collect, how they use this data, and who has access to it, means there are issues with the practice.
It is in part because of these issues that countries and regions around the world are introducing laws to regulate the way websites can collect data to track users.
What Data Can Websites Collect?
Websites collect a vast array of data for many different uses. This includes data you provide via forms, for example, email address and credit card information, as well as many other types of information gained from tracking technology.
Some of the data points websites collect include:
- IP addresses to determine a user’s location.
- Information about how the user interacts with websites. For example, what they click on and how long they spend on a page.
- Information about the browser and the device the user accesses the site with.
- Browsing activity across different sites. This gives those with access to the information insight about the individual user’s interests, shopping habits, problems they are facing, and more.
Not all websites collect all the above data. Some don’t collect any data at all. It will all depend on the service the website is providing as well as how the site is monetized.
It’s also worth remembering that websites aren’t the only way that companies collect data about users. Companies also collect data from smartphone apps, smart speakers, and emails.
First-Party vs Third-Party Tracking
One of the main issues when it comes to website tracking is in the difference between first-party and third-party web tracking.
First-party tracking is done by the website you chose to visit. For example, when an e-commerce store tracks pages you have visited to provide you with a “Recently Viewed” section that shows the past few items you have looked at.
Third-party tracking, on the other hand, is that done by sites other than the one you are currently visiting.
Generally, a third party drops a cookie onto the user’s device using code on the first-party website. These cookies are often used for advertising purposes, or by third-party tools used on a site, for example when the site has embedded a video hosted on a different platform.
The issue with third-party tracking is that while users may expect a first-party site to perform some form of tracking, they may not know about all the other parties that are also tracking them. Also, the amount of third-party tracking can be significant. A factsheet produced by the University of Oxford and the Reuters Institute in August 2018, soon after GDPR came into effect, found that European news sites still used an average of 40 third-party cookies per page.
Why do Websites Track Users?
The main reasons websites track users are to gain insights about how their customers use their site, to provide a personalized online experience, and to monetize the user by showing them targeted adverts.
Many website functions will not work without some form of tracking. For example, websites track users to keep them logged into their site as they browse different pages, and e-commerce providers monitor users to save products in the shopping basket.
Other functions would not work as well without tracking. Think about when you watch videos on YouTube and the algorithm recommends videos to view next. This feature works because YouTube knows what you have watched in the past and uses this information to show other clips you may find interesting.
Tracking users for analytics purposes is incredibly common. The most popular analytics tool is Google Analytics, which website tool tracking company BuiltWith estimates is in use on over 29 million sites, including 88.5% of the top 10,000 sites and 86% of the top 100,000.
Websites generally use analytics software to gain information about their customers. This can include the demographics of site visitors and how these customers use the site. For example, how they arrive on the site and how many pages they visit.
This information can help the website owners make business decisions and optimize the website based on how visitors use it.
For example, a technology news publisher may notice that many visitors only read one story when they visit the site. If this is the case, they could change the way they use interlinking between posts to attempt to make other articles more noticeable. This could increase the number of pages readers access.
Websites collect data about users to provide them with targeted advertising.
A common practice is retargeting. This is when websites track which sites you have visited and then show you adverts based on this data. It’s why you often see adverts for products you have recently viewed while browsing the web.
Adverts are also shown based on data collected about your search history, location, your interests, and the time of day you are visiting a website.
Google AdSense is the largest web-advertising network. The company makes it easy for you to see what data is used to show you ads. Next time you see a Google ad, if you click on the information sign in the top right corner then click “Why this ad?”, Google will show you why it chose to show you a particular advert.
While targeted advertising and sharing data between companies is something many of us would prefer didn’t happen, some websites rely on the income targeted advertising brings in to be able to provide an often free service.
However, whether targeted advertising brings enough extra value over non-targeted ads is up for debate.
How do Websites Track Users?
Websites use several technologies to track visitors. Here is a rundown of some of the most common ones.
How long a cookie can track a user depends on the type of cookie.
Session cookies are only stored on the user’s computer for the duration of their session; they disappear when the user closes the browser. Persistent cookies are those which have a lifespan set by the website that drops them. These cookies can be set to stay on a computer for years into the future unless the user deletes them.
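To make the session/persistent and first-party/third-party distinctions concrete, the following added example (not part of the original article) audits a few `Set-Cookie` headers. The hostnames, cookie names and values are constructed, and the party check is a simplified hostname comparison.

```javascript
// Constructed sample: Set-Cookie headers seen while loading a page on shop.example.
const PAGE_HOST = 'shop.example';
const SAMPLE_RESPONSES = [
  { host: 'shop.example', header: 'sid=abc123; Path=/; HttpOnly' },
  { host: 'shop.example', header: 'prefs=dark; Expires=Wed, 01 Jan 2025 00:00:00 GMT' },
  { host: 'ads.tracker.example', header: 'uid=u-789; Max-Age=63072000; Secure; SameSite=None' },
];

// Split "name=value; Attr=val; Flag" into a name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie. Max-Age takes precedence over Expires.
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs['max-age'] !== undefined) return Number(cookie.attrs['max-age']);
  if (cookie.attrs.expires !== undefined) {
    return Math.round((Date.parse(cookie.attrs.expires) - now.getTime()) / 1000);
  }
  return null;
}

// Assumption: hostname-suffix comparison; browsers use the Public Suffix List instead.
function isThirdParty(responseHost, pageHost) {
  return responseHost !== pageHost && !responseHost.endsWith('.' + pageHost);
}

function auditCookies(responses, pageHost, now = new Date()) {
  return responses.map(({ host, header }) => {
    const cookie = parseSetCookie(header);
    const ttl = lifetimeSeconds(cookie, now);
    return {
      name: cookie.name,
      kind: ttl === null ? 'session' : 'persistent',
      days: ttl === null ? null : Math.round(ttl / 86400),
      party: isThirdParty(host, pageHost) ? 'third-party' : 'first-party',
    };
  });
}
console.table(auditCookies(SAMPLE_RESPONSES, PAGE_HOST, new Date('2024-01-01T00:00:00Z')));
```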
Fingerprinting is a form of website tracking that uses the attributes of the user’s device or browser to build a profile of a user. Information fingerprinters use include the user’s device, operating system, screen resolution, browser and browser version, language, and time zone.
On its own, each piece of information isn’t that valuable. However, when it is all put together, it provides an incredibly accurate way to identify users.
If you want to see how well fingerprinting can identify you, head over to Panopticlick.
This is a site run by the Electronic Frontier Foundation that tests your browser to show how unique your fingerprint is in relation to others the site has tracked. This writer’s browser fingerprint was unique amongst the 224,279 browsers the site has tested over the past 45 days.
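The way individually weak attributes combine into a unique fingerprint can be measured as the size of the "anonymity set" a browser hides in. This added example (not from the original article or from Panopticlick) computes it over a constructed population of eight browsers; the attribute values and function names are illustrative assumptions.

```javascript
// Constructed population of 8 browsers; real studies measure many thousands.
const ATTRIBUTES = ['os', 'screen', 'language', 'timezone'];
const POPULATION = [
  ['Windows', '1920x1080', 'en-US', 'UTC-5'],
  ['Windows', '1920x1080', 'en-US', 'UTC-8'],
  ['Windows', '1920x1080', 'en-GB', 'UTC+0'],
  ['Windows', '1366x768', 'en-US', 'UTC-5'],
  ['macOS', '1920x1080', 'en-US', 'UTC-5'],
  ['macOS', '2560x1440', 'en-US', 'UTC-8'],
  ['Linux', '1920x1080', 'de-DE', 'UTC+1'],
  ['Android', '412x915', 'en-US', 'UTC-5'],
].map((row) => Object.fromEntries(row.map((value, i) => [ATTRIBUTES[i], value])));

// Number of browsers that match the target on every listed attribute.
function anonymitySet(population, target, attributes) {
  return population.filter((b) => attributes.every((a) => b[a] === target[a])).length;
}

// Identifying information in bits: log2(population size / anonymity set size).
function identifyingBits(population, target, attributes) {
  return Math.log2(population.length / anonymitySet(population, target, attributes));
}

// Add attributes one at a time and record how the anonymity set shrinks.
function cumulativeReport(population, target, attributes) {
  return attributes.map((_, i) => {
    const used = attributes.slice(0, i + 1);
    return {
      attributes: used.join('+'),
      sharedWith: anonymitySet(population, target, used),
      bits: Number(identifyingBits(population, target, used).toFixed(2)),
    };
  });
}

console.table(cumulativeReport(POPULATION, POPULATION[0], ATTRIBUTES));
```

For the first browser in the sample, no single attribute narrows the set below four of eight, yet the four attributes together leave it alone in its set.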
Web Beacons and Tracking Pixels
A web beacon is a small tag placed on a website or in an email to track how the user interacts with the content. The beacon is usually a transparent 1-pixel by 1-pixel image placed within the webpage’s code.
When the browser lands on a site with a web beacon, it requests to download the image. The request will contain details that can track the user including the IP address, time, or information about the browser.
This allows webmasters to track users as they navigate a website. Alternatively, when used in email marketing, they can provide the company that sent the email information including if and when the user opens the email as well as how many times a user opens the email.
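When auditing a page or an email template, beacons of the kind described above can be spotted by their shape: tiny or hidden images whose URL carries query parameters. This is an added example, not part of the original article; the markup, hostnames and parameter names are constructed, and the tag matching is a simple regular expression, not a full HTML parser.

```javascript
// Constructed sample markup for a page served from https://shop.example/cart.
const PAGE_URL = 'https://shop.example/cart';
const SAMPLE_HTML = `
<img src="/static/logo.png" width="120" height="40" alt="Shop">
<img src="https://metrics.tracker.example/p.gif?uid=u-789&amp;page=%2Fcart" width="1" height="1" alt="">
<img src="https://mail.vendor.example/open?msg=123" style="display:none">
`;

// Read one attribute value from a single tag (quoted or unquoted).
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i'));
  return m ? m[1] : null;
}

// Report <img> tags that are 1x1 (or 0x0) or hidden: the usual shape of a web beacon.
function findBeacons(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const src = attr(tag, 'src');
    if (!src) continue;
    const tiny = ['width', 'height'].every((d) => ['0', '1'].includes(attr(tag, d)));
    const hidden = /display\s*:\s*none/i.test(tag);
    if (!tiny && !hidden) continue;
    // Decode the HTML entity before parsing, then resolve relative URLs against the page.
    const url = new URL(src.replace(/&amp;/g, '&'), pageUrl);
    findings.push({
      host: url.hostname,
      otherHost: url.hostname !== pageHost,
      // Query parameter names show what the image request reports back.
      params: [...url.searchParams.keys()],
    });
  }
  return findings;
}

console.log(findBeacons(SAMPLE_HTML, PAGE_URL));
```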
Website Tracking and Global Privacy Regulations
Website tracking is legal. However, the practice is becoming more and more regulated with new and recently introduced directives such as GDPR in Europe and CCPA in California giving website operators guidelines they must operate within when dealing with customer data.
Here is a look at how the guidelines affect website tracking.
Website Tracking and GDPR
GDPR requires businesses to receive opt-in consent from consumers before collecting their personal data. GDPR defines personal data as any piece of information that relates to an identifiable person. This includes online identifiers such as IP addresses, cookies, and digital fingerprints.
What this means is that while websites can use these technologies to track users, they must receive permission from the user before doing so. The only exception is when the tracking technology is necessary for the site to function, for example, cookies that keep users logged in as they browse a website.
There are other conditions websites must satisfy. For example, consent must be specific to each type of data collection. The wording of consent forms should be clear for web users to understand, and websites need to name any third parties who will have access to the data.
If a user has provided consent to website tracking, the site must still provide them with a way to withdraw their consent and to delete the data they have stored about the user.
It is because of GDPR that if you are based in the EU, you will likely have seen much more comprehensive cookie banners over the last year or so than the ones used pre-2018. These banners allow websites to collect permission to drop cookies and track users.
Website Tracking and CCPA
Like GDPR, CCPA targets what companies affected by the regulation can and cannot do with personal data. Also, like GDPR, CCPA counts online identifiers and IP addresses as personal data, meaning website tracking is affected.
CCPA does not require websites to receive opt-in consent from users to collect their data (unless the user is under 16). However, sites that collect information must inform the user, at the point of collection, about the categories of data they will collect and why they collect this information.
The upcoming regulation also gives customers the right to access the information the business has collected as well as the right to have their information deleted. Finally, companies that sell personal data to third parties must allow the user to opt-out of the sale of this data.
What this means is that websites can track users, but they must be upfront about why they do so. They must also have a way to organize the data they collect due to this tracking so they can delete it if they receive a request. Websites can use a cookie banner to help them stay compliant with CCPA.
Introduction to CookiePro
CookiePro helps websites use tracking technology in a way that is compliant with global regulations. It does this by:
Scanning your website to gain an overview of the tracking technologies in use on your site. The website scan checks and identifies all trackers including cookies, tracking pixels, and beacons. Once it has this information, it categorizes these cookies based on what they do (strictly necessary, performance, functional, targeting).
Creating a cookie banner and cookie preference center based on the cookies your site uses. This allows users to opt-in to all cookies, or select which types of cookies and tracking technologies they are happy to receive. They can also opt-out at a later date. Websites can customize the look of this banner based on their website branding.
Finally, CookiePro can be customized based on the model of consent most applicable to your customers. Alternatively, users can deploy multiple models of consent based on the detection of the location of the website visitor.
If you own a website and you want to find out more about how to put in place processes that allow you to track users while staying compliant with global privacy regulations, head over to our cookie consent page to find out more.