But, because of the somewhat incongruous way the internet works with regulation, the way you handle third-party cookies could be putting your business at risk. Here are three ways in which your third-parties could cause some problems (as well as ways to avoid these problems)
Before we dive in, let me clarify what I mean by thrid-party cookies: these are cookies dropped by websites other than yours. So if you use Intercom for live chat, they will set a cookie — that is a third-party cookie.
Regulation dictates that you get consent for non-essential cookies. These include anything relating to marketing, advertising, and site statistics.
This is one of the most common mistakes websites make — we scanned over 800 of the top websites using the tech that powers TrackerTracker, and found that on average, websites drop 21 third-party cookies without consent.
Our CEO, Rich, throwing out some stats
The most common third-party cookies are dropped by:
Don’t be one of those companies that sends data to Big Tech without asking first — you should be dropping 0 non-essential cookies before consent.
So let’s say you run an e-commerce store and use Stripe to process payments, Intercom to handle customer service, and Typeform to get feedback. Have you read each of their privacy policies?
The answer is no. Of course you haven’t. Who has time for that? The person who has time for that is one of those people who wakes up at 4am everyday (those people don’t exist).
On our site we use Intercom — a user has a chance to see what Intercom do with data before opting-in.
If you are not aware of these kinds of details, you can’t get consent from your users, and you risk getting fined. You are the first point of entry for your users — they give you their data; if you don’t handle it appropriately (which includes how it flows around the web), you are liable.
In our scan of the top 800 websites, we found that the average number of third-party providers was just over seven per site. So, while your e-commerce site only uses three third-parties, each of those could use seven.
That means your user’s data is potentially accessible not just by those three companies that you picked yourself, but 21 — and you don’t actually know who they are. You may know that Intercom uses Google Analytics, but who comes after that?
Notice how messy it gets at the end there… just vague puffs of anything — could even be data brokers
And if you don’t just have a site, but a web app, the risk is higher because the data you process will be a lot more detailed, and possibly identifying (such as email addresses).
The difficult part here is the incongruence between regulation, and how data currently flows around the web. So if one of your users asked you to delete their email address from your database, under regulation you would also have to ensure that it’s deleted from the databases of all the providers in the above tree.
Fulfilling a subject access request like that would be a tough job — but the way you can avoid this is knowing who your third parties are, and staying up to date with any changes they make to how they process data.
Results from re-scanning a domain in the Metomic Dashboard — as you can see the Facebook pixel is hidden behind Google Tag Manager
👉 Truly understanding data flow as a whole is tough. As a site owner, you can quite easily control the entry of user data into your platform. But controlling it after entry — in the current way the internet operates — is challenging. At Metomic we are building tools to help you manage this. After all, user data should flow as much as it needs to, but that flow should be both ethical, and equitable. Watch this space ✨