Cross-Device Tracking in Light of the GDPR? It’s Possible.

Just as marketing tools and systems have made it increasingly simple for companies to identify and track visitors on their websites, current and upcoming regulations around the world are making this a more complicated task. Cross-device tracking in particular can be a challenge.

If you work in marketing there is a good chance that you have heard quite a bit about the GDPR over the course of the last year. The GDPR is Europe’s new framework for data protection laws, replacing a previous (and outdated) 1995 data protection directive. The GDPR came into force on May 25, 2018, modernizing the laws for EU member countries — and in the process, complicating the jobs of marketers around the world.

The LeadsRx attribution software measures any and all channels, providing an unbiased look at what channels are working, and how they are working together, to create customer paths to purchase. It does all of this without the use of third-party cookies.

To learn more about multi-touch attribution and how the insights from cross-channel data can help you improve return on ad spend, please book a demo today.

The GDPR made waves throughout the marketing world because it affects businesses of all shapes and sizes including solo business owners and large corporations. Companies and individuals that were covered under the previous regulations (DPA) are almost certainly covered under the GDPR.

The GDPR is intended to be a framework for data protection and privacy in the EU that will be expanded upon in the future. It is the first of what is expected to be a number of measures address a rapidly evolving business environment where customers increasingly had less knowledge of where and how their data was being used.

While the GDPR applies specifically to the EU, similar laws are expected to be passed in the future in the United States and other countries. One example is California’s Consumer Privacy Law, which added a number of new wrinkles to how businesses collected and utilized data from California residents.

Here at LeadsRX, a key capability of our platform is identifying users across devices (cross-device tracking). With these new regulations, we have had to find innovative ways to give marketers access to the same data that, five years ago, wouldn’t have been a concern to collect and utilize. It is important that our solution is a viable and compliant one for companies and customers across the world and not just for countries that have yet to pass comprehensive data protection reform laws.  

In this article, we’ll start by addressing the challenges that the GDPR (and other expected upcoming regulations) have presented, and then we’ll address how we have been able to overcome these issues in a compliant way while still ensuring that our product remains an insanely-valuable resource and handles cross-device tracking appropriately. 

The Upcoming Limitations in Personally Identifiable Information (PII)

When the first rumblings of the GDPR began to surface, the team at LeadsRX saw it as a clear sign that there would have to be changes in the way our software identified visitors on our client’s websites. Chiefly, the GDPR considers even the IP address of a user to be personally identifiable information, and the collection of that data presents a problem to consumers when the consumer isn’t made aware that the data is being collected.

This presented a big problem to many marketing software solutions that relied heavily on using IP addresses and other PII to identify users on websites. In the GDPR, the breadth of what is defined as “personally identifying information” is pretty substantial, severely limiting the way that websites can use almost any data they are able to collect without permission.

Types of PII as outlined by the GDPR include:

  • Linked information. This includes any personal information that can be used to directly identify an individual. Types of linked PII include a user’s full name, address, email, social security number, passport number, credit card information, date of birth, telephone numbers, or even their log in details.
  • Linkable information. This includes information that, on its own, may not be used to directly identify a person but when combined with other data can facilitate positive identification. This type of information includes but is not limited to common first and last names, zip codes, gender, race, non-specific age information, workplaces, and job titles.
  • Technical linkable information. While considered non-PII in other regulations around the world, the GDPR defines a range of technical data as PII. This can include but is not limited to device IDs, IP addresses, and cookies.

The main point to understand here is that what is considered PII is somewhat of a fluid topic. What is considered PII in the EU is not necessarily considered PII in the U.S. However, future regulations could drastically change what is considered PII in nearly any location.

Companies must decide how they will handle this challenge, particularly for cross-device tracking. Will they cater to the most strict regulations for all of their customers (at this point in time, the GDPR is the most comprehensive and restrictive set of personal data laws)? Will companies try to cater to individual regulations on a case-by-case basis? That could be an expensive and potentially risky choice.

An important element of our solution is to identify and track users across devices — whether they are using their desktop computer, laptop, tablet, or smartphone. However, due to the changes in IP tracking, device IDs, and “fingerprinting” brought on by the GDPR and upcoming regulations, we don’t want to limit our functionality. Instead, we have focused on the GDPR-compliant method of self-identification.  

Using Self-Identification to Remain Compliant on Cross-Device Tracking

Self-identification was our chosen solution to the growing data collection restraints around the world for cross-device tracking. This means that we require that the customer “log in” or fill out a form on a device in order for the LeadsRX system to recognize them and connect their actions across devices. As part of this process, we anonymize IP addresses so that they can not be used to trace the visitor in any way.

This strategy ensures that all customers have given appropriate permissions for every piece of data that our customers collect. The up-front nature of our platform’s data collection process fosters trust and ensures compliance with even the most stringent of personal data regulations. Cross-device tracking doesn’t have to be a struggle. But it does need to be properly handled in light of the GDPR and other such regulations.

A Reasonable Response

Despite the challenges that the GDPR and similar regulations have caused our business, enterprise brands, and agencies around the world — these laws are the right choice, morally. Customers deserve to have control over their data and how it is used by companies. The rapid pace of change on the internet had created an environment where most customers never fully understood what data was being collected, how it was being used, or whether they had a say in that process.

Beyond the moral implications of these regulations, companies should just accept that this is the direction that data collection is heading in. The winds are only blowing in one direction. More countries will join the EU in their quest to give consumers more power over their data and companies will be forced to comply whether they agree with the laws or not.

At LeadsRX, we have taken the position that we will ensure our software complies with the most stringent of data regulations. We focus on a system that provides exceptional value but tracks data conservatively to maintain user privacy and help our customers remain compliant. Cross-device tracking IS possible.