6 Aug 2021

ePrivacy and the world without cookies. Privacy policies for promoting and selling goods online


Year over year, the rules for collecting, storing, and using sensitive data become stricter. In the future (probably as soon as 2022), we will see the ePrivacy Regulation, a brand-new set of rules that are going to make things harder for those promoting and selling products on the web.


To advertisers, publishers, online entrepreneurs, marketers, it’s critical that user activity is recorded. And counted. Without that, there would be no sales, no business, no monetization. Another imperative is that such activity monitoring is fully compliant with any legislation (nobody wants to get fined).

Though the GDPR and ePrivacy are heavily discussed matters, only a few know—and fewer tell us—what to do, i.e., what measures e-commerce professionals should take to remain within the law. One of the most acute questions is what to do when cookie collection and storage become so severely regulated that this technology is no longer available as we know it today. We’ve collected some expert opinions to share some workarounds with you.

Read this text to learn what cookies are. Cookies help marketers “track down” users and collect their personal info—to show the most relevant ads and offer the most relevant products. In particular, they monitor where a user came from and what they did on a target website. Cookies are a vital part of the tracking procedure that underpins such critical functions as the cart.

And the cookie matter is what we concern ourselves with in the context of digital—and, specifically, affiliate—marketing. This is why cookies are the central subject of the ePrivacy Regulation that we are going to discuss in this article.

What the GDPR and ePrivacy are

The GDPR and ePrivacy look like terms that need to be explained. And everyone associated with online marketing, advertising, online business, and commercialization must know what they mean. The General Data Protection Regulation, or the GDPR, is a comprehensive document that prescribes how personal data of users must be treated. 

Geographically, the GDPR and ePrivacy Regulation apply to everyone who serves users that are residents of the EU member states. It doesn’t matter which country the company is a resident of. For instance, if an American publisher deals with European regions, they must abide by European legislation.

The GDPR is a very vague document, even advisory. Moreover, every country of the EU zone interprets it in its own way. It was decided to adopt the ePrivacy Regulation as a complement to the GDPR—replacing the former document entitled the ePrivacy Directive with a more detailed, binding, and stricter version.

The ePrivacy Regulation (EPR) is a set of rules governing electronic communications that is designed to sharply regulate the collection and protection of personal data of users, including with the use of cookies. 

You may have seen a popup many times that warns you that the website uses cookies—and asks you whether you accept cookies or not. Website administrators have to show such popups as the GDPR obliges them to. 

Look at the box at the bottom

Not only does it affect major telecommunications projects, but also messengers, direct messages on social media, and even email. To cut it short, this act applies to any communication involving a user online; and not only data but also metadata are subject to regulation. 

The EPR addresses any activity related to online services, using tracking methods (e.g., affiliate marketing) or direct digital marketing. This regulation is going to be binding for marketers, brands, bloggers, SMM managers, and SEO specialists.

As per the ePrivacy Regulation, a resource must, every time, request a user’s explicit consent to the processing of their personal data. And if a user doesn’t want to give such consent, they must not be limited in anything—i.e., it’s forbidden to deny access to the website or only show a limited scope of content. 

In other words, a user may decline cookies and must be allowed to continue using the website as usual. Thus, website admins or marketers will not be able to track a user who did not agree to allow cookies. 

Also, any user must be able to revoke their consent to the use of cookies, whenever they want. As early data show, once the EPR comes into force, marketers will have to reach users at least twice a year to remind them of their right to revoke their consent to the use of cookies.

Apparently, such regulations emerge to serve good purposes in the first place—combating spam, protecting personal data, forming a unified approach to regulating advertising. But in the long run, this enactment may make life harder for those who promote and sell products on the Internet—e-commerce entrepreneurs, advertisers, publishers, and marketers. 

A study reveals that after the EPR is finally adopted, European entrepreneurs may lose up to 30% of their income. And non-compliance fines will amount up to 4% of the annual revenue, which is more than a hefty loss.

It is no surprise that most professionals, including business owners, are not happy with such a prospect, which is why implementation has been delayed for a long time. To date, the estimated time of the regulation’s arrival is the year 2022.

Vytautas Jakstys, Chief Product Officer at ESKIMI, says, “We currently don’t have much information about the ePrivacy Regulation. Countries are discussing the project at the domestic level. After that, the Regulation will be reviewed at the EU level. With what we have now, we cannot forecast anything confidently, since there’s a long way to go until the decree takes its full effect.”

Major companies are also concerned about data security and try to keep up with the transforming laws. For instance, Google announced that the company is going to do away with third-party cookies in Chrome from 2023. 

This means that marketers will no longer be able to collect user data as easily as they could do it before. Consequently, it will be a tougher task to segment the audience and show personalized ads.

Interestingly, Google was going to give up on external cookies a bit earlier, in 2021, but the termination was postponed. This provides industry professionals with a time buffer to prepare for the incoming changes.

By the way, other popular browsers—Firefox and Safari—have long ago stopped using third-party cookies to track user activity.

However, Google states that it’s going to support marketers. The company is working on some new APIs that will help optimize advertising campaigns in a new way. Those are compound techniques, but if you find yourself deeply interested in the topic, you can read about them here. We are going to get back to them below—in particular, to talk about FLoC, a technology that some experts think will ensure as accurate targeting performance as cookies do.

Apple is not lagging behind either: it has already announced changes in the new versions of iOS and macOS, as well as dropping the IDFA. All this will also affect digital marketing. However, both Apple and Google offer alternative marketing tools, among which are SKAdNetwork and IDFV. But their functionality is a bit limited: it will be much harder to form a target audience and segment it without the IDFA.

How SKAdNetwork works. Source: RevenueCat

How to handle the GDPR

When using your users’ data, never disregard the GDPR-stipulated rules that are already binding. Don’t be confused by this seemingly intricate acronym, GDPR. In fact, this regulation is very straightforward at its core.

Firstly, you need to collect user data properly, i.e., warn them that you do that. A user must provide you with an express confirmation (for instance, by checking a box or clicking “OK” in the box telling them that you are using cookies) that they have read the rules and terms of ads and cookie collection.  

Do not “pre-check” the consent box: the user must do it on their own. Here’s what it may look like:

Source: Formstack

Besides, we recommend using double opt-in, just in case. Double opt-in is a two-stage confirmation of a user’s intention to interact with you. For instance, after a user subscribes to your email newsletter in a special form (like that in the image above), you send them another message with a request to give their consent again. By doing this, you guard yourself against any claims or proceedings.

Register and keep the user’s consent in any form. 
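The steps above (explicit tick, double opt-in, keeping the consent as evidence) can be sketched as a small server-side ledger. This is an added example, not code from the article or from any vendor it mentions; the class name, the 48-hour link lifetime, and the token layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-deployment key, loaded from a secret store in production
TOKEN_TTL = 48 * 3600             # assumption: confirmation links expire after 48 hours

class ConsentLedger:
    """Append-only record of consent events; the log itself is the evidence to keep."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.events = []

    def _log(self, email, action, policy):
        self.events.append({"email": email, "action": action,
                            "policy": policy, "ts": int(self.clock())})

    def _last(self, email):
        mine = [e["action"] for e in self.events if e["email"] == email]
        return mine[-1] if mine else None

    def _sign(self, email, policy, issued):
        # JSON framing keeps the signed fields unambiguous.
        msg = json.dumps([email, policy, issued]).encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request(self, email, policy, box_checked_by_user):
        # Step 1: record nothing unless the form reports a tick made by the user
        # (the form itself must not pre-check the box).
        if box_checked_by_user is not True:
            raise ValueError("explicit opt-in required")
        issued = int(self.clock())
        self._log(email, "requested", policy)
        return f"{issued}.{self._sign(email, policy, issued)}"  # sent in the confirmation e-mail

    def confirm(self, email, policy, token):
        # Step 2: accept only an unexpired, untampered token for a pending request.
        try:
            issued_s, sig = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return False
        good = hmac.compare_digest(sig.encode(), self._sign(email, policy, issued).encode())
        fresh = 0 <= self.clock() - issued <= TOKEN_TTL
        if not (good and fresh and self._last(email) == "requested"):
            return False
        self._log(email, "confirmed", policy)
        return True

    def revoke(self, email):
        self._log(email, "revoked", None)

    def may_contact(self, email):
        return self._last(email) == "confirmed"
```

Because a confirmation is accepted only while the latest event is a pending request, an old link cannot re-subscribe someone who has since revoked, and each link works once.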

Now, let’s talk about storing data. In a perfect case, you need to have a procedure governing how you store user data, defining how you prevent unauthorized access to personal data. In your Privacy Policy, stipulate who can access the data in question and what you do to keep them secure. Those are technically sophisticated solutions, so you may want to seek help from competent people and trusted software. For example, select a paid cloud storage or google some “turnkey data storage solutions.” 

You need to introduce a user to the data collection, protection, and storage mechanisms that you employ. The Privacy Policy must be accessible for all visitors to your website. For instance, the Academy website offers the rules in the dedicated section. 

Abidance by these rules will make your subscriber base more specific and bring more trust to your relations. Down the road, you will have no regulation-related worries. 

However, you won’t be able to make do with these measures only once the EPR comes into full effect.

How to handle the ePrivacy Regulation

So everyone engaged in selling and promoting products and services online is going to face some problems associated with the implementation of the ePrivacy Regulation. To extinguish your early panic, we want to assure you that there are some solutions that will still be able to manage user data and use them for marketing purposes. 

One of the most straightforward solutions is first-party data, or first-party cookies. Those are data that a marketer, advertiser, or publisher has collected during a user’s direct interaction with, say, a website. Such data may be collected when a user leaves reviews or makes purchases. Those are data from CRM systems, subscription forms, and social media profiles—in one word, information a user voluntarily provides.

You as a marketer can collect first-party data on your own, without relying on third parties, in compliance with the GDPR.

Vytautas Jakstys talks about first-party data and other ways to circumvent the EPR, “Online marketing can live without cookies, since they are just one of the mechanisms. Beside them, we have two types of alternative solutions.

1. Other ways of defining users: first-party cookies, usernames, and probability identifiers.

First-party cookies are collected by deploying a pixel on the publisher’s website; such a pixel collects and records information about audience behavior. Such data can be collected every time a user visits the website or clicks on its link, views products, or fills out a form.

Another option is fingerprinting, a technology that helps create a probability identifier. It blends together a series of signals that help define a unique user and assign them a hashed identifier. Such signals can be devices, operating systems, browsers, IP addresses, time zones, and language settings.

2. Alternative marketing methods. In this context, we can recall contextual marketing, or FLoC, which Google is actively promoting.

Contextual advertising does not exploit any kinds of cookies. Instead, it uses keywords and phrases on a web page—avoiding any dependence on user data. According to a GumGum report, relevant ads ensure 43% higher engagement. Data suggest that clients do remember contextual ads 2.2 times better than other types of ads.

With FLoC, Chrome is going to track a user’s behavioral patterns when viewing web pages and then “put” the user in an audience, or “cohort” as they put it, based on such habits. As a result, advertisers will target cohorts rather than particular personalities.

Advertisers who conform with the GDPR requirements may want to use a TCF-compatible consent management system (cookie popups). This solution can greatly facilitate online advertising processes. 

What is the TCF? It is a standard that helps gain consent from users and share it with other partners. The process involves three types of companies:

  • Publishers
  • Vendors (technical providers like DSPs, SSPs, DMPs; advertising servers) 
  • CMPs (Consent Management Providers), which are companies that can read, set the user consent status for website vendors, and transfer these data within the advertising ecosystem. 

Employing this standard, publishers will be able to make their users aware of which data are collected, which vendors will use them, and for which purposes. Any user can give their consent to, or not allow, the processing of their personal data. Their choice will be conveyed to other advertising professionals.”


List of vendors approved by the IAB (Interactive Advertising Bureau)

Sergey Balalayev, Product Owner at Retail Rocket, sees no big problem with the introduction of the EPR, “You see, the ePrivacy does not completely ban cookies. It depends on a specific company and case. For instance, cookies may be processed without the user knowing, if it’s technically necessary to render an IT service to them. With that, cookies may only be kept as long as they are needed for the purposes of such a service.”

Another thing that may help cope with the EPR restrictions is Soft Opt-in. For instance, you have a base of users who gave their consent to receiving commercial and marketing offerings from you. They are already your clients, and they interact with you. 

Once the ePrivacy Regulation comes into effect, you will not have to request their consent to interaction one more time. You will just have to send such users a notification informing them that they continue to cooperate with you and, thus, receive from you marketing messages relevant to their data you have already collected. 

Lawyers define such a method of dealing with the EPR as “probable.” But we can finally see whether it works when all the EPR provisions are fully firmed up and approved, given that they do not forbid Soft Opt-In in the first place.

Brian Philips, Head of Marketing at InMotion Marketing, says, “When the EPR comes around, marketers will have to alter their ways of collecting user data. For one, they will only be able to collect email addresses using double opt-ins or through authentication forms. 

A double opt-in example

Showing popups (like those users see when they are going to leave a website) to all users will also be under the ban.

As an alternative, marketers should focus on SEO optimization. Allocate more resources and focus on video content and social media pages. Make sure you select correct keywords for articles and video descriptions, and use key phrases in the bodies of your posts. Work with local SEO and local targeting to level up your positions in search results.”

Ella, Head of Marketing at WellPCB, explains, “Publishers can get round the EPR with the help of various activity and behavior tracking instruments. For one, they can turn to analytics tools like Google Analytics, which are based on combining cookie files with other data sources (e.g., IP addresses or server logs).”

As marketers state, due to the EPR they will have to rely less on direct marketing methods and prefer general advertising tools. For instance, they will aim at larger demographic groups, or cohorts.

No need to hit the panic button. And remember that some users will still accept cookies and allow marketing interaction. You can increase the share of such loyal users: for that, prepare a proper privacy policy and tell your users why you need their cookies, why it is important to your company, and why it is important to them. 

Here’s a great popup on Evian’s website that transparently explains to a visitor that cookies are collected for the purposes of analytics, personalization of offerings, and showing relevant ads and information:

Building trust-based relations with users is the evergreen marketing strategy. When people realize that you treat their data with care, they are ready to provide you with all the necessary details. But don’t abuse user loyalty—and only collect data you really need. 

Moreover, software vendors will develop new solutions that will help identify and segment users without cookies. Admitad is already working on such a tool. 

Entitled Teleport, this is a tool that allows tracking without cookies or redirections. With it, a user will be able to visit an advertiser website directly, and new third-party cookie rules will not affect this model. Therefore, publishers and advertisers that deal with affiliate marketing can keep calm.

Brian Mullin, Co-Founder and CEO at Karlsgate Inc. believes that machine learning technology is going to learn very soon how to deeply manage first-party data, “It is such data, offering some identification features, that will be a go-to solution for marketers. Using the central knowledge base, artificial intelligence and machine learning will be empowered to expand a smaller audience—using associations, observing behavioral patterns of larger audiences, and forecasting activity. 

It’s imperative that brands, advertisers, and publishers work together and exchange valuable data—to boost the reach of their advertising campaigns.”

Inventing and developing new methods of presenting users with offerings and telling them about products is part of marketers’ work. Without any doubt, the EPR will be a challenge bringing new obstacles; but on the other hand, it will help professionals find new approaches to interacting with clients.
