Perhaps you have developed a reflex like we have: Every time you open a new website, your mouse pointer automatically moves to the center to prepare to dismiss the cookie banner that you have a love-hate relationship with. You might have been even more surprised when you visited our website. Where is our cookie banner? The answer is not a malfunction of your browser or a subconscious and forgotten dismissal of the banner: We don't have a cookie banner. But how is that possible? A look into the development of privacy protection on the internet and why warning lawyers have little chance with us (and how your website can also deter them).
Cookies: Why, what for, how come
With the emergence of the "Web 2.0" phenomenon, it seemed like a new method was developed weekly to track website visitors' surfing behavior as effectively as possible. This ranges from capturing the IP address to bizarre methods of "fingerprinting" users through browser attributes such as screen resolution, to storing a small amount of data on the user's computer: the cookie. Over the years, however, the use of such tracking measures has escalated and (at least in the European Union) has rightly ended in a tough legal approach against them: The European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Even though these legal changes had a long lead-up, it suddenly felt on May 25, 2018, as if the deluge had broken over the internet overnight.
With the GDPR and the sudden surprise that personal data is legally protected, new, privacy-friendly methods had to be developed to perform analysis. At least some might have thought. The reality was quite different: Legal grey areas like the (now overturned) "US-EU Privacy Shield" or cookie banners arose to continue the invasive tracking methods.
Tracking with minimal data
Even before the GDPR took effect, we already refrained from using tools on our website that were known to handle user data carelessly. This included, in particular, Google Analytics, which, due to new legal precedents, is now also losing ground in the EU in practice. But how do we manage to get by without cookies and thus without a cookie banner?
Analyzing the status quo
If no cookies or other invasive tracking mechanisms are used, no banner is needed. Simple enough, really. This applies only to non-essential cookies. Technically necessary cookies are very few (such as cookies that store the contents of a shopping cart). However, the reach of cookies is not so well understood by many: Almost every third-party tool you integrate into your website stores cookies on the user's computer and/or phones home. Often, these involve US companies, which makes the data transfer especially problematic after the invalidation of the "Privacy Shield". But it doesn't have to be that way: There are enough privacy-friendly alternatives for practically every problem.
The first step must be to analyze the current status or the cookies currently stored by your own website. For this, you can either use browser functionalities (the "Web Inspector") or use tools like PrivacyScore. Record all cookies and connections to third parties and analyze or research where they come from.
Data-efficient alternatives
Once you know where your website is calling home and what data is being stored on the user's computer (and especially why), you can replace these third parties with other providers dedicated to the protection of personal data. One thing in advance: The big disadvantage (or advantage?) here is that many of these tools are fee-based. Where no money can be made from your users' data, money must be made differently. Many of these tools are open-source and can be hosted on your own servers free of charge (which is even more privacy-friendly!), but this requires technical understanding or at least a good IT department (sensibly with technical understanding as well).
Below, we list some of the tools and methods we use to operate as data-efficiently as possible and completely avoid tedious cookie banners.
Google Analytics
Let's be honest: The elephant in the room is still Google Analytics. We are already too accustomed to this powerful tool. Unfortunately, it is among all the tools you can integrate into your website the one that handles user data the most carelessly. Various court rulings have now also ensured that the use of Google Analytics in the EU is practically impossible.
A privacy-friendly alternative we use is the tool Simple Analytics from the Dutch company of the same name. Simple Analytics completely refrains from setting cookies. When the website is opened, a script from Simple Analytics is retrieved (from European servers), which takes over the task of tracking the user during their website visit. However, it explicitly refrains from tracking the IP address or other personal data. The tracking is done entirely via the HTTP referrer. Without getting too deep into technical details, you can learn more here if you're interested.
Another alternative is Matomo, which can also be hosted on your own servers.
Google Maps
Google Maps was long the only connection to a third-party server on our website. Unfortunately, there is still no privacy-friendly, yet easy-to-implement alternative. On our old website, we therefore used OpenStreetMap. The problem? Basically, it comes without setting cookies, but the retrieval of map data still happens from OpenStreetMap servers, which are preceded by Fastly CDN (a content delivery network) operated on American servers. Additionally, OpenStreetMap's privacy policy itself is not compliant. Therefore, using OpenStreetMap out of the box is not legally compliant in terms of data privacy.
So we helped ourselves with a little trick that we also use for other third-party services: We placed an HTTP proxy between the connection from your browser and the OpenStreetMap servers. When retrieving the map, your browser does not request the map data directly from OpenStreetMap, but from our server. Our server then forwards the request to OpenStreetMap. OpenStreetMap can therefore only see the access through the IP address of our server. Your IP address remains hidden.
OpenStreetMap can also be operated privacy-compliantly by hosting a so-called "tile server" yourself. However, the installation and maintenance of such a server is so outrageously complicated that it probably won't be worth it for most users.
Here we can hope that in the future, the market will open up a bit more and easily usable "out of the box" privacy-compliant options will be added.
Zoom & Co.
Zoom, Microsoft Teams, Google Meet... do the hairs on the back of your neck stand up too? Many of these video conferencing tools are operated by US companies and are therefore not necessarily the best options in terms of data privacy. However, unlike with map services, there are numerous privacy-friendly alternatives on the market. One popular option is Jitsi Meet, as it is fully open-source and can be deployed on your own hardware. With a few small additional configurations, like disabling Gravatar integration, no connections to third-party servers are made anymore. Even out of the box, Jitsi already meets the applicable data protection regulations. Those who prefer a cloud solution might find the European video conferencing software Whereby appealing.
Google Fonts
Admittedly, perhaps somewhat off-topic, as no cookies per se are stored, but at least as important due to its still widespread use: Google Fonts. Basically, the use of the beautiful fonts provided by Google is not a data protection problem. We also use one ("Inter"), which allows you to read this text! The problem that still persists on many websites and has led to a real wave of warnings in recent weeks, is the integration of the fonts via link tag to Google's servers.
Instead, the fonts must be integrated locally, meaning they must be hosted on the same server as the rest of your website. The integration is not too complicated and is further simplified by useful tools like the "Google Web Fonts Helper".