Privacy & Security Highlights: How Tracking & Cookies Changed in 2020 (and What it Means for Your Testing in 2021)
2020 changed everything. The pandemic forced us to move our entire lives online and to maintain a semblance of normalcy when the reality is a fully remote world is anything but normal. Individuals and businesses turned to technology to survive, exposing deep privacy and security issues and putting pressure on lawmakers to reform the policies.
In this article, we take a look at privacy and security highlights from the past year, what their implications are for consumers and businesses, and how Convert dealt with them.
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
Introduced by: State of California
When: All throughout 2020
Summary: The California Consumer Privacy Act (CCPA) went into effect in January 2020. Then, in November, a significant update to the law came with the California Privacy Rights Act (CPRA). While the CPRA won’t go into effect until January 2023, it provisions a one-year lookback, meaning companies need to be compliant by 2022.
While this may seem far off, the CPRA is an incredibly comprehensive law with a multitude of requirements and changes. Getting up to speed and setting up compliant policies and procedures will take businesses a real effort.
How the CCPA & the CPRA Impacted Convert
Because of the many product and process enhancements we made in preparation for the General Data Protection Regulation (GDPR), when the CCPA came about, we were already well-positioned to support customers needing to comply. We are committed to protecting our users’ privacy and see the CCPA as an opportunity to strengthen our commitment even further.
We don’t collect and process our users’ personal information beyond what is required for the functioning of our services and this will never change. We have put in place processes and procedures to comply with the various provisions of the CCPA—consumer rights, data protection addendum, data deletion, data retention, and pseudonymization—which align with our core values of customer trust and data privacy.
Google Incognito Blocked Third Party Cookies
Introduced by: Google Chrome (v83)
When: May 2020
Summary: In Incognito mode, Chrome doesn’t save users’ browsing history, information entered in forms, or browser cookies. Starting with Chrome 83, the browser blocks third-party cookies in Incognito sessions by default. Users can still allow third-party cookies for specific sites by clicking the “eye” icon in the address bar (see example below).
How the Chrome Update Impacted Convert
Convert isn’t impacted by this change, as its tracking hasn’t used any third-party cookies since February 2018.
Strict Tracking Prevention in Microsoft Edge’s InPrivate Mode
Introduced by: Microsoft Edge
When: May 2020
Summary: Microsoft Edge Canary Channel users were the first to get access to all the features Microsoft added to the Edge Stable build. Since then, the default InPrivate behavior has changed a couple of times. In Microsoft Edge 80, the default behavior allows users to decide whether to turn on the Strict mode protections or to keep their regular settings while browsing InPrivate.
How the Microsoft Edge Update Impacted Convert
The Microsoft Edge Tracking Prevention blocks the Convert tracker only when a visitor is using an InPrivate mode window and has set the Tracking Prevention setting to “Strict” (and not the recommended Balanced mode). Hence, in normal browsing, Convert’s experiences are not affected by the new settings.
The EU-US Privacy Shield Was Invalidated
Introduced by: The Court of Justice of the European Union (CJEU)
When: July 2020
Summary: 2020 also brought the invalidation of the EU-U.S. Privacy Shield framework by the CJEU’s Schrems II ruling, which forced many businesses to rethink their approach to transfers of personal data between the EU or the UK and the US.
Schrems II didn’t invalidate the use of Standard Contractual Clauses (SCCs) for the transfer of data, but it did call into question whether SCCs alone are adequate to address the risks associated with data transfers to a non-EU country.
Data exporters may need to apply extra measures, in addition to SCCs, to protect personal data transfers. Supplemental measures can include encryption, anonymization, and pseudonymization, as well as other tools.
Schrems II asks businesses to analyze the protections in place for data transfers between the EU or the UK and the US to ensure compliance.
How the Invalidation Impacted Convert
Convert prepared for the post-Privacy Shield era and put standard contractual clauses (SCCs) in place for our own data protection. Our complete plan is described here.
The Brazilian General Data Protection Law (LGPD)
Introduced by: Brazil’s Congress
When: August 2020
Summary: Brazil passed the General Data Protection Law (LGPD) in August. Drawing inspiration from the GDPR, the LGPD brought disparate data protection requirements together into a comprehensive framework. The LGPD took effect after the passing of the Conversion Bill (PLV) 34/2020 in September. Sanctions for violations of the LGPD will go into effect in August 2021.
How the LGPD Impacted Convert
We are committed to providing secure services to all our Brazilian customers by implementing and adhering to prescribed compliance policies. To prepare for the LGPD, we worked with our vendors to ensure compliance. We are continuing to review our security measures, as we always do, to stay at the forefront of evolving industry standards and best practices.
Enhanced Tracking Protection (ETP) 2.0
Introduced by: Mozilla (Firefox v79)
When: August 2020
Summary: Since June 2019, new Firefox users have had Enhanced Tracking Protection (ETP) turned on by default. In August 2020, Mozilla added a further protection layer with Enhanced Tracking Protection 2.0, which blocks a newer tracking technique called redirect tracking, or bounce tracking. ETP 2.0 clears cookies and site data every 24 hours from sites that users don’t regularly interact with.
How ETP 2.0 Impacted Convert
In our efforts to become GDPR compliant in 2018, we disabled third-party cookies. Consequently, in normal browsing, Convert’s experiences are NOT affected by the new settings Firefox has imposed with ETP 2.0.
Intelligent Tracking Prevention for All Browsers in iOS 14, iPad 14, and Safari 14
Introduced by: Apple
When: September 2020
Summary: With the release of iOS 14, iPad 14, and Safari 14, Apple included a couple of new privacy features:
- Privacy Report: Users will now be able to see how many trackers were blocked by Safari on a given page, as well as other information about trackers.
- ITP for all web browsers: For iOS 14 users, Intelligent Tracking Prevention (ITP) will be applied to all web browsers, not only Safari.
This means that all web browsers, not just Safari, will include the Intelligent Tracking Prevention feature on iOS devices (v14 and above).
How ITP Impacted Convert
For testers who have a large audience share using the Safari browser, this update could’ve skewed their Convert experiment results in a major way. That’s why we considered quite a few ways to address ITP (from 2.1 onwards) and finally settled on moving the cookie creation process away from the browser and into the server.
Since the new cookie duration restrictions apply only to browser-created cookies, we moved the cookie issuance part to your web server, which means your server will create the cookies and not the users’ browsers.
Find the steps to facilitate server-side cookie creation here. If you need any help with changing your web server infrastructure, please feel free to contact us.
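The server-side cookie issuance described above, shown as an added example that is not Convert’s own code or the steps linked here: a small Python standard-library handler that reads the visitor id from the incoming Cookie header, mints a fresh random id when none (or a tampered one) is present, and returns the id in a Set-Cookie header on every response so the server, not the browser, owns the cookie’s lifetime. The cookie name `exp_visitor`, the one-year lifetime, the 32-hex-character id format and the handler itself are assumptions made for this example; Convert’s real cookie names and values are not on this page.

```python
import secrets
from http import cookies
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical cookie name and lifetime: assumptions for this example,
# not Convert's real cookie names or values.
COOKIE_NAME = "exp_visitor"
MAX_AGE_SECONDS = 365 * 24 * 60 * 60  # one year, controlled by the server


def parse_cookie_header(header):
    """Map cookie names to values from a raw Cookie request header (or None)."""
    jar = cookies.SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_valid_visitor_id(value):
    """Accept only the 32-hex-char ids this server mints; anything else is
    treated as missing, so a tampered cookie is replaced rather than echoed."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def issue_visitor_cookie(cookie_header, secure=True):
    """Return (visitor_id, set_cookie_header).

    The id is reused when the request already carries a valid one; otherwise a
    fresh random id is minted. A Set-Cookie header is returned on every call so
    the server renews the lifetime on each response. The shortened lifetime ITP
    applies to cookies written from JavaScript does not apply to cookies set
    in an HTTP response like this one.
    """
    existing = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    visitor_id = existing if is_valid_visitor_id(existing) else secrets.token_hex(16)

    jar = cookies.SimpleCookie()
    jar[COOKIE_NAME] = visitor_id
    morsel = jar[COOKIE_NAME]
    morsel["max-age"] = MAX_AGE_SECONDS
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"   # first-party use only; not sent on cross-site requests
    if secure:
        morsel["secure"] = True  # never sent over plain HTTP
    # HttpOnly is deliberately omitted: the assumption here is that the
    # client-side experiment script still needs to read the id.
    return visitor_id, morsel.OutputString()


class VisitorCookieHandler(BaseHTTPRequestHandler):
    """Minimal handler: every response carries the renewed first-party cookie."""

    def do_GET(self):
        visitor_id, set_cookie = issue_visitor_cookie(self.headers.get("Cookie"))
        body = f"visitor id: {visitor_id}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Set-Cookie", set_cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local demo: `curl -v http://127.0.0.1:8080/` shows the Set-Cookie header
    # being issued and renewed by the server on each request.
    HTTPServer(("127.0.0.1", 8080), VisitorCookieHandler).serve_forever()
```

Two design points worth noting: the server validates the format of any id it receives before reusing it, so an arbitrary value planted in the cookie is never reflected into a response, and the `Secure` and `SameSite=Lax` attributes keep the cookie confined to first-party HTTPS traffic, which is exactly the context in which browser tracking-prevention features leave first-party cookies alone.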
Privacy Standards Came to Apple & Google App Stores
Introduced by: Apple App Store & Google Web Store
When: December 2020
Summary: Since January 2021, the Mac and iOS App Stores display mandatory labels that provide a rundown of each app’s privacy practices.
The labels cover three main categories of information to disclose, detailing what the app has going on under the hood:
- Data Used to Track You,
- Data Linked to You,
- Data Not Linked to You.
In parallel, Google Chrome extensions require more details on the data collected, as per Google’s new set of policies. Also starting January, developers of Chrome extensions have to
- certify their data use and privacy practices, and
- provide information about the data collected by the extension(s), in clear and easy-to-understand language, in the extension’s detail page in the Chrome Web Store.
How the Privacy Standards Impacted Convert
Convert Experiences isn’t impacted by these privacy changes. However, in October 2020, we uploaded our updated Convert Debugger Chrome Extension to the Chrome Web Store and had to go through this privacy exercise ourselves. Our extension isn’t collecting any data that could be used outside of the extension itself, so below you can see all the checkboxes we ticked:
Google Privacy Sandbox
Introduced by: Google
When: January 2021
Summary: The Privacy Sandbox initiative consists of privacy-preserving APIs meant to support business models that fund the open web in the absence of tracking mechanisms like third-party cookies.
The initiative was introduced in 2019 and updated in January and October last year. In 2021, more testing is in the works, with continued opportunities for the web ecosystem to get involved. This post provides an update on the status of the Privacy Sandbox APIs and proposals.
How the Google Privacy Sandbox Impacted Convert
Convert is not impacted by this change, as its tracking has not used any third-party cookies since 2018.
Summary
That’s a lot of technical details to take in. You don’t need to be an expert in all the ITP/ETP updates. But given the state of flux, one thing is clear.
Browsers will continue to tweak things, and until an alignment occurs, testing tool set-up and installation time will increase with the complexity of the use cases you are addressing.
If we had one piece of advice to give, it’d be this: partner with privacy-oriented vendors like Convert and don’t collect any data your lawyer is unwilling to argue on your behalf in a court of law!