Are 3rd-Party Cookie Alternatives GDPR-Compliant? CNIL Issues Guidance

December 7, 2021 - Jeff Edwards

 By now, most marketers and privacy and compliance professionals are intimately familiar with the General Data Protection Regulation's (GDPR) rules on cookies and consent. But what of alternative tracking technologies like fingerprinting, unique identifiers, and cohort-based targeting? Are they too covered by the GDPR's consent requirements?

France’s data protection authority, the Commission Nationale de l'Informatique et des Libertés, or CNIL, seeks to answer those questions with newly published guidance on the use of alternatives to third-party cookies aimed at helping businesses ensure that they are “compliant with the data protection legal framework.”

In its guidance, the CNIL identifies four primary alternatives to third-party cookies: fingerprinting, unique identifiers, single sign-on (SSO), and cohort-based tracking, and offers insight into the GDPR's rules for these emerging technologies. 

In this post, we'll dive into the CNIL's guidance, and outline the alternatives to third-party cookies that are discussed therein. First, let's give a brief refresher on third-party cookies and the GDPR's requirements for their use. 

What are Third-Party Cookies?

Third-party cookies are cookies that are created not by the domain you are visiting, but by third parties such as advertisers or analytics systems. Third-party cookies are usually added to a website via tags or scripts and are accessible to any website that loads the third-party server's code.

What are the GDPR's Requirements for Third-Party Cookies?

Under the GDPR, any cookie that can be used to identify an individual is considered personal data, so any business wishing to collect or process this data must prove a legitimate interest in doing so. Most often, this takes the form of consent from the user themselves.

GDPR Enforcement Actions are Up 70% Year-over-Year. Get the Report.

Users' consent must be gathered before any cookies, aside from those strictly necessary for website performance, can be fired.  The website must also provide the user with information about the specific purpose of each tracking cookie, as well as the data it collects before granting consent. Once the user has granted consent, the data processor must document and store that consent, and enforce the user’s wishes. Finally, it must be possible for the user to withdraw consent at any time. For a more in-depth breakdown of the GDPR's consent requirements, check out our Guide to GDPR Consent Compliance.

Common Alternatives to Third-Party Cookies

The CNIL has identified four primary alternatives to third-party cookies. commonly used to circumvent the blocking of third-party cookies: fingerprinting, unique identifiers, single sign-on (SSO), and cohort-based tracking.

What is Fingerprinting?

Fingerprinting, or browser fingerprinting, is the process of differentiating between users based on the technical characteristics of the web browser they are using. Typically, the hardware used by the user will give a certain amount of information to the browser, such as operating system, screen size, and IP address, that allows the browser to display the website correctly. This information, when parsed correctly, can be used to identify individuals and track their behavior. Log files may also be used to identify visitors to a network or website.

What is Single Sign-On Tracking?

Single Sign-On (or "SSO") is not strictly a tracking technology but has evolved into such use cases in recent years. In a single sign-on service model, users are able to log into a single portal, which gives them automatic log-in access to a multitude of websites or applications. For users, this presents several benefits in terms of security and convenience--the most obvious being that users must only present one set of credentials for access, rather than mesmerizing separate credentials for hundreds of websites. 

However, SSO systems also present a secondary benefit to the system owners: they give an overall and consolidated view of users' browsing on all the websites, applications, or services using the SSO platform the user account becomes a tracker that follows the user during his/her browsing.

Google and Facebook, the global leaders in online advertising,  offer two of the most popular free single sign-on options on the internet.

What are Unique Identifiers?

Unique identifiers, also known as mobile ad ID (MAID), are anonymized deterministic hashed data that is assigned to individual devices. For example,  The Identifier for Advertisers (IDFA) is an anonymized unique identifier assigned by Apple to a user's device that allows applications to track user behavior across other apps or websites. This is typically done for the purposes of ad targeting and personalization. 

Unique identifiers are often used in combination with fingerprinting, one being used to enable the other.

What is Cohort-based Targeting? What is Google FLoC?

In light of regulations like the GDPR, and a general shift away from third-party cookies, advertising stakeholders, such as Apple or Google, are developing what the CNIL calls "cohort-based targeting systems."  According to the CNIL, these solutions, such as Google's Privacy Sandbox, "aim to reproduce the current possibilities of cookies in the context of targeted advertising, while attempting to implement limitations in order to reduce the intrusive nature of these practices."

These limitations could mean avoiding targeting individuals by instead targeting groups with similar characteristics, providing only aggregated results to advertisers (without view to individual data), or obfuscating certain operations, such as ad auctions, from advertisers, to keep individual data anonymous. 

Google's current approach to cohort-based targeting, known as the Federated League of Cohorts (FLoC), works by identifying groups of individuals with common browsing behaviors and characteristics and assigning those users to a "cohort." Each cohort will have a unique and persistent identifier, which is stored on the user's browser. The browser would then communicate the cohort ID via API to websites. In this manner, site owners and advertisers would only receive information about cohorts, and not about individual users and their behavior. 

.In principle, this cohort-based targeting is less invasive than current techniques utilizing third-party cookies, but the CNIL warns that further evaluation is necessary to ensure that such techniques uphold user privacy and data minimization requirements. Particularly, the DPA identifies the re-identification of users as a risk. 

What is the CNIL's Guidance on Alternative Tracking Technologies? 

First and foremost, the CNIL guidance states that "the development of alternative [sic] to third-party cookies must not be made at the expense of the Internet user’s right to protection of their personal data and privacy." 

In essence, that means that using these alternatives is not a valid excuse to skirt the spirit of the law regarding user consent for tracking. The use of these techniques must not only be GDPR compliant, but also compliant with the ePrivacy Directive, an EU law focused on protecting privacy and personal data in electronic communication.

Consent is Required, Even Without Individual Targeting

These regulations guarantee the protection of not only private communications and data, but also access to terminal equipment, such as smartphones and desktop computers. 

Because the techniques outlined above all rely on access to the user's terminal equipment in order to gain access to information already stored in this equipment (such as advertising or cohort-based identifier) or to record information into it, in the same way as for cookies, the CNIL has identified user consent as a crucial requirement of their use. 

According to the CNIL, these operations "require the prior consent of the user, whether or not personal data are processed, insofar as they are not directly part of the service directly requested by the user." 

And where consent is required, it must be solicited in a manner compliant with the GDPR, i.e, users must be able to choose freely and in an informed manner whether they want to consent to or reject such tracking.

The Bottom Line

In short, "tracking for advertising purposes, when based on browser or terminal information, must rely on the informed choice of the Internet user, regardless of the technique used." Therefore, the CNIL’s guidelines and recommendations on cookies and other tracking devices also apply to the use of these techniques.

Jeff Edwards

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now