Articles

Cookies, Pixels, and Tags: The Data Privacy Implications of Each

Written by Matt Davis, CIPM (IAPP) | August 16, 2022

You see different companies show up in the headlines every week, suffering million-dollar fines over some obscure violation of one data privacy law or the other. It can be tough to wrap your head around what data privacy compliance is all about, let alone the different technologies at play.

To assist your business as you orient yourself in the data privacy space, here are some common technologies you might run across and how they relate to data privacy.

Cookies

What Are Cookies?

Cookies are small text files that a website stores on your computer via your browser. By themselves, cookies don’t do anything; they just store information that can be read later by a website to perform some kind of function. So, that might be remembering what you’ve added to your shopping cart, showing you advertisements related to the products you’ve been searching for, remembering your login information, and so on. They can also be used for analytics purposes, like tracking the number of unique visits to a website.

There are two kinds of cookies: first-party and third-party cookies.

First-party cookies are the ones set by the website you’ve visited — to use some of the examples we listed above, that would include cookies for analytics purposes or to remember login information.

Third-party cookies are a bit different. These are set by a different website than the one you visited. Advertising networks are a great example of this. If a brand wants to advertise its products, it might add some code from an advertising network to its website. That code drops a cookie on your browser when you visit the brand’s website. Even though you were visiting the brand’s website, the cookie itself comes from the advertiser (i.e., a third party). So long as you have that cookie on your browser, if you visit another website that displays ads from the advertiser, you’ll see ads related to the brand whose website you initially visited.

How Do Cookies Relate to Data Privacy?

Cookies and data privacy regulations both exist along a spectrum.

Certain kinds of cookies are more or less invasive. Few would object to the cookies that are necessary for a website to function or to anonymous analytics cookies. But cookies that track your browsing behavior from site to site (like third-party advertising cookies) or cookies that store sensitive information are more unsettling.

Similarly, privacy regulations take a range of attitudes to cookies. In the EU, the ePrivacy Directive (soon to be replaced with the ePrivacy Regulation) requires all websites serving EU citizens to have their users indicate consent before loading any cookies except for strictly necessary ones.

On the other end of that spectrum, California’s CPRA requires that businesses merely notify users that the website will be dropping cookies onto their browser. Additionally, businesses have to provide users the opportunity to opt out of cookies that track personal information (like the user’s name or IP address) and sensitive personal information (like one’s social security number).

In general, most data privacy regulations treat cookies that can’t identify an individual as a separate concern from cookies that contain personally identifiable information. The thing to focus on with cookies (and with all digital tracking technologies) is whether they collect personal information or not.

Pixels

What Are Pixels?

You’re probably already familiar with the general definition of a pixel: they’re the smallest possible units on a digital screen.

And that’s what they are in the context of data privacy and tracking technologies as well — it’s just that they’re used in a particular way. Tracking pixels are 1x1, transparent images embedded in a website, email, or ad, and which contain a link to an external server. When a user interacts with an email, navigates to a website, or views an ad, the user’s browser downloads the invisible image file. That action triggers a request from the pixel server, providing the server owner with knowledge of who downloaded the pixel as well as information like the operating system used, the type of browser used, the time the pixel was interacted with, the IP address, and more. 

All told, this information can be used for a variety of purposes. Marketers could use pixels to, for instance, tell when a visitor clicked on one of their brand’s ads on an outside website and then made a purchase on their website. Using this information, a marketer could place more ads of the same type on the referring website.

How Do Pixels Relate to Data Privacy Laws?

Like cookies, tracking pixels can collect users’ personal information without their knowledge or consent.

Under the GDPR, that means tracking pixels can only be used if the user gives their consent first. Without their consent, or if the user rejects the use of pixels, then a website must find a way to block the pixel.

The CPRA works a little differently. Under the CPRA, consumers have the right to stop businesses from selling or sharing their personal information with third parties. Pixels typically come from third parties. In the example above, where a marketer used pixels to determine when their ad was clicked on, the marketer is the third party. So, if a website visitor opts out of having their information shared with a third party, then a website would need to block any tracking pixels from activating on its page.

Other data privacy regulations take similar approaches. Generally, privacy laws require either explicit consent from a user before their personal information is collected or that users are informed about data collection and given a means of opting out. Thus, it’s a matter of blocking pixels until a user gives consent or blocking them after they withdraw consent.

The water gets a bit muddy when pixels are used to track email usage, however. It’s easy enough to give consumers a way of opting into or out of tracking pixels on a website — you can just present a pop-up with the appropriate functionality. When tracking pixels are embedded into an email, merely opening the email triggers the tracking function. Some websites consider you to have consented to this kind of tracking when you sign up for their newsletter or otherwise provide them with your email address. Others simply don’t use tracking pixels, but those businesses lose out on important information regarding email performance.

Tags

What Are Tags?

Tags are small segments of code that execute when loading a website. Typically, they’ll be HTML or JavaScript that describe an element or function on your website.

There’s a lot of overlap between tags and cookies and pixels. Cookies and pixels are typically set by tags. So, if you want to block a cookie, you can target either the cookie itself or the tag that sets it.

How Do Tags Relate to Data Privacy?

Since tags set tracking technologies like cookies and pixels, some businesses subject to data privacy regulations develop additional infrastructure that permits or blocks tag scripts from firing depending on whether the visitor has consented to or rejected data collection. That way, if a user rejects marketing cookies, then the tags associated with setting those marketing cookies don’t fire.

How Do You Actually Become Compliant?

Knowing what different tracking technologies are and how they relate to data privacy is just the first step for businesses looking to get compliant. The next step is knowing how to actually operationalize compliance.

Unfortunately, there are over 40 data privacy laws across the globe, they’re each many thousands of words long, and none of them make for particularly friendly reading if you aren’t a legal expert. How do you actually take these different technologies and make them compliant with these different laws?

If you’re looking for a more digestible way to wrap your head around compliance, check out our ebook: Corporate Data Privacy — An Introduction.