Cross-site tracking and data privacy compliance

Cross-site tracking enables you to collect data on customers across multiple websites to personalize the online experience. Explore how to achieve compliance with leading privacy laws and maintain trust while implementing these practices.
Published by Usercentrics
10 mins to read
Feb 25, 2025

Understanding customer behavior and desires is key to effective marketing. You need to know what your customers are looking at across various websites to pinpoint their needs and tailor your content accordingly.

Cross-site tracking helps you do this by following users across websites and collecting data about their online behavior. From there, you can fill in the gaps about what they want and need.

However, as tracking tools have advanced, so have attitudes toward privacy. Many consumers are uncomfortable with how much of their personal information companies can access. 63 percent say they’d delete all their online information, even if it meant giving up personalized web experiences.*

In response to these concerns, data privacy laws have evolved to become stricter and more robust. They generally require you to inform users about which browser tracking tools you use and to obtain their consent for tracking their online activity.

This article explores how cross-site tracking can fit into your marketing strategy amid regulatory changes. We explore the key regulations to keep an eye on and best practices for achieving compliance.

Cross-site tracking explained

Cross-site tracking is the practice of monitoring users’ online activity across multiple websites. This enables you to collect data on your customers, such as browsing habits and language preferences, so you can develop more targeted marketing strategies.

Here’s what that looks like in practice. When a user visits your website, tracking tools like cookies and pixels collect information about their activity. Third-party cookies store that information in the user’s browser, while pixels send the data to a server.

If a user visits a website with the same tracking technology, you — or your advertising partners — can recognize their device, browser, and other unique identifiers. This enables you to access data about their activity on other sites and use it to tailor the online experience to their needs and preferences.

Retargeted ads are an example. Suppose a customer browses your online store and clicks on a product but leaves without completing the purchase. Later, they scroll through their social media feed and see the same product being advertised there.

This happens because your tracking tools log the user’s interactions with your product and associate them with their device or browser. When they visit another site in the same advertising network, that data is used to serve them the relevant ad.

Cross-site tracking gives you a more complete picture of customer behavior than just the information you collect through their interactions with your site. You can discover what websites they visit, which other products they buy, and the steps they usually take before a purchase.

However, with this power comes responsibility. That’s why it’s important to take steps to safeguard customer data and uphold transparency when participating in this practice.

What data privacy laws say about cross-site tracking

Since cross-site tracking involves collecting and processing data, it’s subject to international privacy laws. Failing to comply with these laws can lead to significant penalties and even legal action.

Usercentrics Senior Privacy Expert Tilman Harmeling says, “Businesses need to be familiar with both relevant privacy regulations and the tracking tools they’re using.” He adds, “not just with a one-time audit, but over time as regulations and technologies in use change.”

Here are some key privacy laws to pay attention to when engaging in cross-site tracking. Just note that which regulations you’re required to comply with depends on several factors, such as where your customers reside and the size of your business. We recommend consulting relevant legal counsel to help ensure you’re paying attention to the regulations most relevant to your organization.

GDPR

Under the GDPR, you need a legitimate basis for collecting and processing the personal data of your users. You must obtain explicit consent before doing so, and you must clearly communicate the purpose of data collection and processing.

Consent must be a real choice. Users need to actively agree to tracking cookies if you’re going to use them. This means you can’t use pre-checked boxes or default settings. Additionally, users can withdraw consent at any moment, meaning you must promptly disable cross-site tracking and stop sharing their site data.

The GDPR also requires you to publicly disclose all your cross-site tracking practices in your website’s privacy notice. This notice should explain what information you collect, how you use it, and who you share it with if anyone.

Some companies have claimed they have a right to track users due to a “legitimate interest,” for example, collecting user data to prevent fraud or protect their systems from security threats. Regardless, the GDPR insists on informed, opt-in consent in all cases.

As cross-site tracking entails processing personal data, you must follow the GDPR’s requirements when engaging in this practice to remain compliant. That means listing any tracking tools in your policy, collecting consent from visitors, and disabling tracking the moment they decline or withdraw permission.

Any organization that collects data from end-users located in the EU, even if the data collecting and/or processing takes place outside the EU or by providers outside the EU, must comply with the GDPR.

ePrivacy Directive

The ePrivacy Directive complements the GDPR. While the latter primarily regulates data processing, ePrivacy, which is also known as the “cookie law,” aims to ensure privacy and protection in electronic communications.

Consent under the GDPR and ePrivacy follows the same definition. Both require you to obtain each user’s explicit, opt-in consent before implementing cross-site tracking. They also both require you to be transparent about how you collect and use customer information within your website privacy policy.

However, the ePrivacy Directive also regulates the use of cookies. The regulation requires you to collect consent for the use of any cookies other than those that are strictly necessary for the functioning of your website or the service the user has requested.

As an example, an online store might use essential cookies to enable its basket and checkout to function and non-essential cookies for behavioral marketing purposes. They must inform users and collect informed consent from them for the latter.

Any organization that collects data from end-users located in the EU must comply with ePrivacy. This is true even if the data collecting and/or processing take place outside the EU or by providers outside the EU.

CCPA/CPRA

The CCPA/CPRA regulate cross-site tracking differently from the GDPR. Rather than focusing on consent, they aim to give users more control over their information.

Here’s what that means for your business. You must enable users to opt out of cross-site tracking and promptly disable cross-site tracking tools when they do. Any advertising partners you work with must also stop selling or sharing their site data.

Opting out should be straightforward, and your website must provide a clear and accessible “Do Not Sell or Share My Personal Information” link that users can click to communicate their preferences.

You must also respect browser-based privacy settings. If a user enables Global Privacy Control (GPC) in their browser, you can’t require them to manually click an opt-out link. Here, you’re also responsible for preventing your advertising network from tracking any users who have opted out this way.

All this means you can engage in cross-site tracking, but you must give visitors the means to withdraw consent and be prepared to disable your tracking tools at their request.

Any organization that meets at least one of the following three thresholds must comply with the CCPA/CPRA:

  • Annual revenue threshold: Your gross annual revenue exceeds USD 26,625,000 (calculated based on global revenue).
  • Data volume threshold: You buy, sell, or share personal information of 100,000 or more California consumers or households annually.
  • Revenue dependency: You derive 50 percent or more of your annual revenue from selling or sharing California consumers’ personal information.

How to achieve compliance when using cross-site tracking

While cross-site tracking is technically permitted, follow best practices and take precautions to achieve and maintain privacy compliance when engaging in the practice. Here are some steps to follow for privacy-compliant cross-site tracking.

Transparency is a main component of most privacy laws. Help users understand all their consent options through a clear cookie banner and detailed cookie policy.

Cookie banners are interactive pop-ups that appear when people visit your website. They provide an overview of your policies and ask for each user’s consent before tracking their online activities and using their data.

Some banners let users customize their preferences and specify what information you can collect and who you can share it with.

You can use a Consent Management Platform (CMP) like Usercentrics to generate and install a cookie banner on your website. The platform adapts the notice to various data regulations to enable compliance no matter where your website visitors log in from.

Meanwhile, a cookie policy is a document you display on your website. It details all the cookies you use and how you use them, including any cross-site tracking tools.

Usercentrics can also help manage your cookie policy. The software scans your website to look for tracking tools and helps you generate a document with all the required details.

You should frequently update your cookie policy, and not only to keep visitors informed and enforce compliance. Harmeling says, “Familiarity with tracking tools also enables businesses to stay up to date with the third-party vendors they share data with, what data they’re collecting, and if it’s still relevant to operations.”

You need to prevent cross-site tracking until you’ve obtained user consent for it. If trackers load before users share their consent choices, your website may preemptively start collecting data, leaving you vulnerable to compliance risks.

Usercentrics automatically blocks non-essential cookies and other tracking technologies that enable cross-site tracking, while permitting essential cookies that keep your site running smoothly by default. This helps you maintain compliance without disrupting site features like secure login, unique user profiles, and shopping carts.

Users may not give consent for some or all of your cross-site tracking tools. In this case, Usercentrics integrates with Google Tag Manager and tells it which scripts to run and which to continue blocking.
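The gating logic described here and in the GPC paragraph above can be sketched as a single decision function. This is an added example, not Usercentrics or Google Tag Manager code; the tag list, category names, URLs, and the choice to let GPC always block the advertising category are assumptions made for illustration.

```javascript
// Added example: names, categories and tag URLs are constructed for illustration.
// Consent model per visitor jurisdiction, as the article describes:
//   "opt-in"  (GDPR/ePrivacy): non-essential tags stay blocked until consent is given.
//   "opt-out" (CCPA/CPRA): tags may run until the visitor opts out or sends GPC.
const TAGS = [
  { id: "cart-session", category: "essential",   src: "/js/cart.js" },
  { id: "site-stats",   category: "analytics",   src: "https://stats.example/a.js" },
  { id: "retarget-px",  category: "advertising", src: "https://ads.example/px.js" },
];

// GPC reaches a server as the request header "Sec-GPC: 1" and a page script
// as navigator.globalPrivacyControl === true.
function gpcEnabled({ headers = {}, nav = {} } = {}) {
  const header = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "sec-gpc");
  return (header !== undefined && String(header[1]).trim() === "1")
    || nav.globalPrivacyControl === true;
}

// choices: { analytics: true|false, advertising: true|false }; a missing key
// means the visitor has not answered yet.
function isAllowed(category, model, choices, gpc) {
  if (category === "essential") return true;
  // Assumption of this example: GPC always blocks the cross-site category.
  if (gpc && category === "advertising") return false;
  const choice = choices[category];
  if (model === "opt-in") return choice === true;    // silence is not consent
  if (model === "opt-out") return choice !== false;  // runs until refused
  return false;                                      // unknown model: fail closed
}

// Returns the ids of the tags that may be injected for this visitor.
function tagsToLoad(model, choices = {}, signal = {}) {
  const gpc = gpcEnabled(signal);
  return TAGS.filter((t) => isAllowed(t.category, model, choices, gpc))
    .map((t) => t.id);
}

// Constructed scenarios (in a browser, pass { nav: navigator } as the signal):
console.log(tagsToLoad("opt-in"));                                       // first visit
console.log(tagsToLoad("opt-in", { analytics: true }));                  // granular consent
console.log(tagsToLoad("opt-out", {}, { headers: { "Sec-GPC": "1" } })); // GPC visitor
```

Running the same function again after a visitor changes or withdraws a choice gives the updated set of tags, so anything no longer in the result should be disabled.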

Gathering consent is more than getting visitors to click on a button. You need a standardized system to obtain each user’s permission and apply their preferences across your website, app, and online services.

What’s more, unclear and inconsistent processes may detract from the experience users have with your brand. Users may then opt out or leave the page entirely. This undermines your cross-site tracking efforts, which aim to gain customer insights to increase traffic and engage more users.

CMPs automatically collect and apply consent across all your website services. This includes all devices and domains so visitors don’t need to repeatedly opt in, which reduces friction from their experience. This is especially useful for users who frequently change locations or jump between your website and mobile app.

Concerned your CMP will hinder your marketing efforts? Giving users more control over how you track them won’t necessarily lead to a drop in the data you collect. Research shows only one in ten adults refuse cookies when browsing on their own devices, and honesty is always the best policy for building trust with your audience.

4. Track user preferences and enable easy updates

Giving users complete control over how you track them helps maintain their trust. At the same time, ideally, you can maximize how much information you’re able to collect from them.

The first step is offering more options than just ‘accept’ and ‘reject’. As Harmeling says, “With cross-site tracking, businesses need to ensure that they are obtaining informed consent from users, ideally at a granular level.”

This choice enables privacy-conscious users to reject the tracking tools they’re uncomfortable with and accept others, instead of declining everything. For example, your website might enable visitors to opt out of first-, second-, and third-party cookies. They might agree to first-party cookie tracking on your site but decline tracking via your advertising partners.

The second step is to adapt to user preferences quickly. “Businesses must also respond to user requests in a timely manner,” says Harmeling, “including revocation of consent and the right to be forgotten.”

Storing records of user consent helps you comply with applicable laws like the GDPR and CCPA.

CMPs log every time you collect consent from users to enable cross-site tracking. The technology time-stamps these files and stores them for a period of time. If you’re ever faced with an audit or user complaint, these logs can serve as evidence you met all the legal requirements.

You should also make an effort to keep logs of all data-sharing activities. “Companies need to maintain up-to-date information about third-party vendors that may have access to data and update privacy notices and consent options as technologies and purposes change over time,” says Harmeling.

Optimize marketing outcomes while protecting website visitor data and complying with privacy laws

Despite privacy concerns and evolving regulations, cross-site tracking remains a powerful marketing tool. You can use it to gain comprehensive insights into your customers and provide the hyper-personalized online experience they expect.

The key is to adopt a privacy-led approach to marketing and keep user privacy at the center of your strategy. To do so, use a tool like Usercentrics CMP that supports responsible practices and helps you achieve privacy compliance.

The software collects and manages consent for all your tracking tools in line with key privacy laws like the GDPR and the CCPA. As regulations evolve, Usercentrics CMP automatically adapts privacy policies and consent management settings to minimize the risk of gaps in your compliance efforts and foster trust with your users.

*Have American Consumers Had Their Fill of Internet Cookies?, Genesys