Web Analytics in the Era of the New Data Protection Act TTDSG


Important

The TTDSG has been in effect in Germany since December 1, 2021. It introduces several data protection regulations. For websites, § 25 TTDSG is particularly interesting. This section implements the so-called ePrivacy Directive of the European Union, often referred to as the Cookie Directive.

§ 25 TTDSG actually addresses access to users' end devices. Cookies are just one method of this access. Other technologies are also affected by the TTDSG. For example, reading system variables in the user's browser via JavaScript could be such an access.

The TTDSG requires user consent for any access (a cookie or reading a system variable) that is not necessary. § 25 para. 2 TTDSG states this more precisely, though at length and in terms a layperson will find hard to follow.

Previously, under the Telemedia Act, only cookies for marketing purposes and user profiling were subject to the consent requirement. With the TTDSG, counting visitors has become even more challenging if it is to be done without consent.

Tracking and Visitor Counting

The term "tracking" is not precisely defined. Normally, tracking refers to following users across multiple sessions and websites. A well-known tool that tracks users in such an invasive manner is Google Analytics. For this reason, and due to the cookies used, Google Analytics requires consent. Therefore, you would need to display an annoying cookie popup every time someone visits your website. These cookie popups are not only annoying but often result in non-compliant websites (see my investigation on Cookiegeddon).

For simplicity, we use the term "tracking" in this article to also refer to the essentially uncontroversial practice of visitor counting. Counting visitors means that a user must be distinguishable from other users. If this distinction is missing, either too few or too many accesses are counted. Counting a user in the "Unique Visitor" category twice if they visit two pages in a row skews the statistics. Similarly, counting two users only once if they visit the same webpage does not sound like exact science either.

The question, therefore, is how users can be distinguished from one another. The HTTP protocol, which is used for retrieving web pages, is stateless. Without state, the server cannot tell users apart on its own. It is like someone without memory thinking that every time the same person walks by, it is someone different.

Cookies used to serve as this memory. However, cookies now require consent, even for the innocuous task of visitor counting. At least, this is one interpretation of the TTDSG. The act refers to "strictly necessary" cookies. Cookies for visitor counting are not strictly necessary for two reasons. First, exact visitor counting is not strictly necessary (this point is debatable, but I see more chances for the strict interpretation). Second, cookies are not necessary for visitor counting. This second point is what we will address now.

How can users be distinguished from one another?

Cookies are not an option if one wants to avoid a consent request.

Users can be distinguished quite well without cookies. The metadata that the user's browser transmits to the target website with every HTTP connection can be used for this purpose.

Technicians often refer to this metadata as connection data or traffic data. However, lawyers might use these latter terms with different meanings. Therefore, we will refer to them more generally as metadata.

The metadata that is always transmitted from the user to a visited website includes:

  • Browser type and browser version. Example: Mozilla Firefox Version 95.3, subversion 47.11
  • Operating system type and version. Example: Microsoft Windows 10, 64-bit
  • Preferred language. Example: German
  • Network address (IP address)
  • Cache settings
  • Requested page. Example: https://dr-dsgvo.de/
  • Time of the request (not directly transmitted, but logically available upon receipt of the request)

When this metadata is used to distinguish users without cookies, it is referred to as browser fingerprinting.

Fingerprinting can be made even more accurate by gathering additional information through JavaScript access. These include, for example:

  • Screen resolution. Example: 1920×1080
  • Size of the browser window. Example: 1788×910
  • Color depth. Example: 24-bit
  • Time zone. Example: GMT+1

This fingerprinting data must be explicitly requested, whereas the previously mentioned metadata is available directly (because it is necessarily transmitted) and does not need to be requested. Although in my opinion screen resolution is not stored on the user's end device, an interpretation of the TTDSG could contradict this view. One argument for my standpoint is that the orientation of a smartphone, whether portrait or landscape, obviously does not need to be stored on the end device, as this device orientation can constantly change. Additionally, the image format (portrait or landscape) after restarting the smartphone does not depend on how it was before shutting down, but on how the user is currently holding their smartphone.

Through techniques such as canvas fingerprinting, additional data about the user can be obtained, helping to distinguish them even better from other users. However, canvas fingerprinting is generally considered to be an access method that requires consent.

The highest legal certainty is achieved if no metadata is read from the user at all.

The challenge here is to have sufficiently high data quality to be able to accurately count visitors.

Counting Visitors Without Consent

Trackboxx demonstrates that the mildest version of tracking can work without cookies, without device access, and thus without consent.

The metadata used by Trackboxx consists only of the data that is always available with every webpage request. Therefore, no additional access to the user's browser is performed. Such access would require consent if the TTDSG is strictly interpreted.

Trackboxx also does not use cookies, not even session cookies (unless the customer configures the tool differently). While a cookie that only lasts for a session is certainly less critical than one that lasts for a month (this is also called the duration or lifespan), the TTDSG does not legally differentiate between session and permanent cookies. It only distinguishes between necessary and unnecessary cookies or access.

Because no access occurs in the sense of the TTDSG, using Trackboxx does not require consent from a TTDSG perspective.

GDPR and TTDSG

However, the GDPR also applies, although it only comes into play after the TTDSG (for cookies and other access) has been addressed. GDPR stands for General Data Protection Regulation; its German abbreviation is legally correctly written as DS-GVO. The hyphen is often omitted in texts for non-lawyers.

The GDPR applies to personal data and data that can be related to individuals. Data is considered relatable to individuals if users can be distinguished from one another. The European Court of Justice (ECJ) determined in 2016 that network addresses (IP addresses) are to be regarded as personal data. The Federal Court of Justice (BGH) confirmed this ruling in 2017.

Therefore, the user's IP address cannot be simply stored, at least not for the purpose of better counting the user. If the IP address were stored unencrypted, consent would likely need to be obtained according to Article 6 of the GDPR.

To avoid the requirement for consent here as well, Trackboxx does not store IP addresses. Instead, each IP address is pseudonymized, and this is done not directly, but in combination with other values.

A time-limited key is used for this purpose. This key is applied to the combination of IP address, browser version, operating system version, and the current day in the calendar. Therefore, the Trackboxx database does not contain any IP addresses. Only if a user revisits the website within the same day could their IP address theoretically be recovered from the encrypted data. However, this is unnecessary because the user's IP address is (again) explicitly available during a subsequent visit. Thus, the GDPR is complied with, and the pseudonymized data storage can be justified by legitimate interest. Legitimate interest is one of the legal bases that the GDPR provides alongside consent.

In contrast to consent, legitimate interest does not require annoying cookie popups. Another advantage, besides the fact that users are no longer annoyed by consent requests, is the higher legal certainty. Cookie popups are subject to numerous regulations arising from Articles 7 and 13 of the GDPR. For instance, where consent is requested, there must also be information on how and where to withdraw consent. Anyone who examines cookie popups on various sites will notice that this legally required notice is often missing.

IP addresses typically change over time. This seems to happen less frequently with cable internet connections than with DSL. However, network addresses do not change exactly when a user visits a website. Therefore, a user can be recognized with very high probability within a single day. In corporate networks, users are less distinguishable if a synchronized update mechanism for employees' computers is in place. This update ensures that browsers and operating systems of company employees appear the same externally. However, in practice, the imprecision introduced by corporate networks does not significantly impact recognition.
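The pseudonymization described above (a time-limited key applied to IP address, browser and operating system version, and the calendar day) and the corporate-network imprecision just mentioned can be reproduced in a few lines. This is an added example, not Trackboxx's code: HMAC-SHA-256, a random key replaced once per day, the `DailyVisitorCounter` class and the sample requests are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

class DailyVisitorCounter:
    """Unique-visitor counting on keyed pseudonyms; raw IP addresses are never stored."""
    def __init__(self):
        self._key_day = None   # day the current key belongs to
        self._key = b""        # random key, replaced (old one discarded) on day change
        self.unique = {}       # day -> set of pseudonyms seen that day
        self.page_views = {}   # day -> number of requests

    def _key_for(self, day):
        if day != self._key_day:  # rotation: the previous key is gone for good
            self._key_day, self._key = day, secrets.token_bytes(32)
        return self._key

    def pseudonym(self, ip, user_agent, day):
        # Length-prefix every field so differently split inputs cannot collide.
        fields = (ip.encode(), user_agent.encode(), day.isoformat().encode())
        msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        return hmac.new(self._key_for(day), msg, hashlib.sha256).hexdigest()

    def record(self, ip, user_agent, day):
        pid = self.pseudonym(ip, user_agent, day)
        self.unique.setdefault(day, set()).add(pid)
        self.page_views[day] = self.page_views.get(day, 0) + 1
        return pid

# Constructed sample traffic; the User-Agent header carries browser and OS version.
UA_FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0"
UA_SF = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15"
D1, D2 = date(2021, 12, 1), date(2021, 12, 2)
REQUESTS = [
    (D1, "192.0.2.10", UA_FF),    # visitor A
    (D1, "192.0.2.10", UA_FF),    # visitor A, second page
    (D1, "198.51.100.7", UA_SF),  # visitor B
    (D1, "203.0.113.5", UA_FF),   # office NAT, employee 1
    (D1, "203.0.113.5", UA_FF),   # office NAT, employee 2, identical managed browser
    (D2, "192.0.2.10", UA_FF),    # visitor A returns the next day
]

def run_demo():
    counter = DailyVisitorCounter()
    ids = [counter.record(ip, ua, day) for day, ip, ua in REQUESTS]
    return counter, ids

if __name__ == "__main__":
    print({d.isoformat(): len(s) for d, s in run_demo()[0].unique.items()})
```

On the first day the five requests collapse to three unique visitors: the two employees behind the same office address merge into one, and visitor A receives an unrelated pseudonym the next day. While a day's key still exists, whoever holds it can test candidate IP addresses against a stored pseudonym, so discarding the key at rotation is what ends both that possibility and any linking across days.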

Conclusion

Tracking visitors and optimizing content works entirely without cookies and without intrusive and error-prone cookie popups. Tools like Trackboxx offer a privacy-friendly solution that complies with the requirements of the TTDSG and GDPR.

The data quality is so good that no compromises need to be made compared to cookie-based visitor counting. After all, solutions based on cookies have an additional weakness besides legal uncertainty. It is well known that anyone can easily delete cookies in their browser. There are even tools for this, such as CCleaner or antivirus programs. A deleted cookie robs privacy-invasive trackers of their memory. They then do not function any better than Trackboxx but still require consent. Cookie-based trackers are not better off in corporate networks either. In larger companies, cookies are regularly deleted from employee computers due to security policies.

Good to know…

Anyone who wants to comply with data protection regulations and avoid annoying users with popup windows, but still wants to know which website content is most read, can find a solution despite TTDSG and GDPR.

Christian

Expert in web development & online marketing with over 15 years of experience.
Developer & CEO of Trackboxx – the Google Analytics alternative.
