Take a free trial of our A/B testing software, if you’d like to see how a privacy-conscious tool runs. We (just like the ePrivacy Regulations) are convinced A/B testing is a positive method that can help validate businesses’ efforts in providing a better experience for users and not exploiting them.
I laid out all I know about CNAME in this post — hope you found it useful and it shed some light on this complicated topic.
In doing so, you are limiting your other marketing efforts that are still considered safe.
The web is slowly becoming a creepy place where a few large players know more about you than your life partner.
What Do Browsers, Europe and the CCPA Want for Users?
You may see this as a cat and mouse technology game that you can win, but all you’re doing is postponing the inevitable.
This practice could also add a security risk to your website.
• Audience measurement.
With Safari ITP and Firefox ETP leading the efforts, and Google recently joining, internet giants are hard at work to come up with a uniform legal framework setup.
A/B testing and personalization tools have had first-party cookies for years. They have already been able to manipulate the entire site and login systems as part of the system they have. For those types of tools, nothing changes using CNAMEs except the experiences could be consistent for 30-60 days instead of 7 days.
When faced with a tradeoff, we will typically prioritize user benefits over preserving current website practices. We believe that that is the role of a web browser, also known as the user agent.
Let’s talk about the idea behind these laws and the browser technologies that are rolling out. They are meant to offer transparency to website visitors and have them explicitly agree to requests. They are also meant to prevent hidden data collection and the creation of personalized profiles without the users being aware of it.
Our tool is often used by brands that care about compliance with all privacy laws worldwide. We offer options where website owners can share a link or shortcut key to be transparent about what experiences run on the website and what experiences users are in.
Technology Hack or Permanent Battle?
Browsers or privacy laws don’t want you to lose your conversion as a marketer once you are shown an ad (even if it’s a month from now). They don’t mind you using a universal login for multiple sites or using anonymous analytics on your site to measure the impact. They mind, however, that you (or your provider, Google or Facebook) snuck in tracking scripts everywhere to build user profiles at the same time. Users wanted to log in, not share that they logged in with Facebook and now would be pushed to +1 some ad category that had their interest. If you do that, they will cut you off, but new initiatives will help you collect that conversion (read on…)
If you want to build a better world, make forms better and shorter. Browsers, users and the privacy laws support you on that. What they won’t support is an A/B test where you snuck in an upsell checked by default. Improve your properties and then there will be no problem being transparent about it. A/B testing benefits users and can be good for business, because you offer the best online experiences.
You might set up A/B testing on the edge without cookies (on Fastly), but that isn’t transparent and can be frowned upon. Browsers are limiting the information you are getting to make a hashed/unique experience for someone.
When you use services like CookieSaver and TraceDock, which pretend to give you back the “business as usual”, and the focus is on what you “think you’re missing”, you might miss the logic behind the new privacy laws and browser changes.
Set up a CNAME for tools you trust. Don’t let them funnel information about your visitors to third-party sites and locations. You and you alone are responsible for what these tools store and do with the data. You can look at each tool and the tons of snippets they lift with the tool (you can use Collision — see image below). Set up a CNAME only for a company where you have a signed DPA (Data Processing Agreement) — find ours here.
Most articles about CNAME Cloaking focus on ad systems building profiles on users. We would like to distance ourselves from this practice.
• Analytics in the scope of a single website.
I’m sure other browsers share this idea.
However, we will try to limit the unintended impact. We may alter tracking prevention methods to permit certain use cases, particularly when greater strictness would harm the user experience. In other cases, we will design and implement new web technologies to re-enable these practices without reintroducing tracking capabilities. Examples of these include Storage Access API and Private Click Measurement.
CNAME as a Temporary Solution
security of client authentication.
ePrivacy Regulations are clear — they allow no fingerprinting. Browsers and the privacy authorities will fight you even harder over fingerprinting than they would over cookies. Don’t go there.
WebKit, the organization behind ITP in Safari, explains this in its Tracking Prevention Policy:
Just because CNAME may be an option right now to extend the tracking of ad networks and allow them to build personal profiles, it does not make it a viable long-term solution.
Although their technology and speed of implementation might reflect their politics and vision, they are all working towards increasing transparency and opt-in of users in one way or another. A useful tool to track all their efforts is Cookie Status by Simo Ahava.
Stop doing that! You need to stop giving ad networks so much access to your users’ data. Period!
Benefit from the exemption from consent, subject to a certain number of conditions, cookies used for audience measurement are exempt from consent. These conditions, as specified in the guidelines on cookies and other trackers, are (1) inform users of their use; (2) to give them the power to oppose it; (3) to limit the system to the following purposes only: audience measurement and A/B testing.
We encourage our customers to build experiences that improve user experience and optimize the flow.
This is a controversial move. Read on (or watch the video below) to see why we recommend it and how you can use it (or not) properly.
Recent laws like the European GDPR, the ePrivacy Directive, California’s CCPA and the upcoming ePrivacy Regulations nudged browsers to join the cause of protecting user privacy.
What will the final draft say?
Europe is working on its latest drafts of the ePrivacy Regulations that allow placing cookies for analytics and website optimization. This sends a clear signal that, from now on, only essential cookies, like storage of login sessions or products in shopping carts, also analytics and A/B testing for the benefit of the user, will be allowed. This shift is significantly changing the online ad industry. We now have companies reach out with requests like: “change your DNS for CNAME in this 2-minute job and we continue business as usual”.
Some of these properties are your IP address, your operating system version, your browser version, your computer language, your time, the size of your screen, the pixel density of your screen, how fast your computer is, and the list goes on and on.
We will have to wait for the final version of the Regulations and then for national laws to really start discussing the guidelines more in-depth. But the current ePrivacy Directive gives good hope for A/B testing. Paul Schmitt pointed out to me that even though the ICO (the UK privacy authority) and the CNIL (the French privacy authority) regulated that cookies for A/B testing and analytics needed consent, the CNIL’s latest guidelines (in French) from GitHub say otherwise. Here’s a translation:
Feel free to connect to me on LinkedIn or read how we completely shifted towards a privacy focus in 2018.
We aggregate data in reports and send warnings when segments become so small, they make users identifiable or when we suspect personal data was added in fields where it should not be.
Fingerprinting means building a unique identifier by combining multiple properties that by themselves are not unique to you, bypassing browser restrictions on cookies, and even being able to track you across devices (it’s something cookies can’t do).
Gaming Tech Law sums it up as:
Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example of website design and advertising or by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site, which always requires the consent of the end-user.
The ePrivacy Regulations draft focuses on the idea that tracking and analytics are allowed without consent, as long as they’re not used to build user profiles, as mentioned in article 17AA:
It’s the browsers’ intention to protect users from this. If you extend the life of cookies that allow building profiles of users on your site and retarget them elsewhere, or even worse, build user profiles and sell them… that is when browsers and third-parties will start building blocking lists for such dubious networks.
Browsers like Safari and Firefox (and to a lesser extent, Chrome) also want to protect their users from these types of cookies, which are used to build users’ profiles and buying interests. This information will then be sold and used to target users on other sites. The ad seller will make a higher profit on an ad placement with verified intent vs on a plain ad impression. Ad industry leaders understand that the way forward is less tracking and more ad placements that match user intent on the page (by using content ad matching).
Browsers like Chrome and Safari are working on initiatives that will give you access to personalized user information that the user approved. Some personalization will be possible based on those (they’re still two years away).
No Cookies… Let’s Use Fingerprinting
You should stop supporting any system that builds personal profiles outside of your domain. This is what users, browsers and privacy laws want. It’s what will bite you if you don’t. Be sure someone will expose your brand for doing this.
When you move ad trackers that have a third-party cookie to a first-party cookie using CNAME, this adds the risk that their scripts can read authentications and login cookies of your users.
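The risk described above can be checked before a subdomain is delegated. The following is an added example, not code from the original article: it audits a site's `Set-Cookie` headers and lists the cookies a browser would attach to requests for a CNAME-delegated subdomain. The hostnames, cookie names and values are constructed, and the function names are hypothetical.

```javascript
// Added example: which first-party cookies reach a CNAME-delegated subdomain?
// All hostnames and cookie values are constructed sample data.

// Parse one Set-Cookie header value into the fields that decide its scope.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const cookie = { name, domain: null, httpOnly: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    // A leading dot in Domain is ignored by browsers (RFC 6265).
    if (k === 'domain') cookie.domain = value.trim().replace(/^\./, '').toLowerCase();
    if (k === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// RFC 6265 domain-match: identical host, or host is a subdomain of `domain`.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Cookies set by `originHost` that a browser attaches to requests for
// `delegatedHost` (the subdomain CNAME'd to the vendor). A cookie without a
// Domain attribute is host-only and goes back to the exact origin host only.
function cookiesSentTo(originHost, delegatedHost, setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).filter((c) =>
    c.domain !== null ? domainMatches(delegatedHost, c.domain)
                      : delegatedHost === originHost
  ).map((c) => ({ name: c.name, httpOnly: c.httpOnly }));
}

const SAMPLE_HEADERS = [
  'session=abc123; Domain=example.com; Path=/; Secure; HttpOnly',
  '__Host-auth=xyz789; Path=/; Secure; HttpOnly',
  'ab_variant=B; Domain=.example.com; Path=/',
  'cart=42; Path=/',
];

// HttpOnly hides a cookie from document.cookie but not from the Cookie request
// header, so `session` still reaches the vendor's server.
console.log(cookiesSentTo('www.example.com', 'metrics.example.com', SAMPLE_HEADERS));
```

Any authentication cookie that appears in the output is a candidate for host-only scoping (no `Domain` attribute, or the `__Host-` prefix) before the CNAME is created.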
For A/B testing purposes, you most likely don’t need consent and can place cookies without problem, as the latest draft of the ePrivacy Regulations (Nov 2019) states in article 21a:
This is exactly what browsers and European laws are trying to prevent.
As end-users attach great value to the confidentiality of their communications, including their physical movements, such data cannot be used to determine the nature or characteristics of an end-user or to build a profile of an end-user, in order to, for example, avoid that the data is used for segmentation purposes, to monitor the behavior of a specific end-user or to draw conclusions concerning the private life of an end-user. For the same reason, the end-user must be provided with information about these processing activities taking place and given the right to object to such processing.
More Transparency, not Less
Convert Experiences is our A/B testing and personalization tool. It doesn’t allow building user profiles using personal data by default.
For businesses using A/B testing tools and personalization who want to extend the time they show a personalization or variation to the same person — for example, upwards of 7 days — the best solution is moving to DNS over HTTP(s), also called a CNAME setup, to set first-party cookies.
In Europe, setting cookies (even for analytics, A/B testing or personalization purposes) without consent is a questionable practice, since some of them contain personal data and that’s a BIG issue.
You may consider not using cookies at all for specific techniques. However, this does not mean you can forego transparency and privacy concerns hiding what you do to the individual visitors server-side or on the CDN edge. That is one reason we promote absolute transparency on testing and personalization efforts that are running on our site.
To summarize, both browsers and the privacy laws want the same thing. They are not here to stop your efforts to analyze users (on your site) or to do A/B testing to improve and optimize user experience.
On 8 November 2019, the Finnish government issued a revised proposal for the ePrivacy Regulation with some amendments.
But be clear, some cookies you should keep off CNAME! It’s a new world where people choose if they want to give up all their privacy for comfort and opt-in and log-in. You can’t keep taking privacy away from people to meet your business goals. You cannot be that selfish anymore. You need to trust that by doing the right thing, your business will grow. Trust and measure….
This practice introduced the term CNAME Cloaking and BAM, we are entering the dark side of the useful CNAME function. Ad networks can hide behind a company subdomain and keep collecting personal information and building profiles for higher ad revenue.
The problem with this is that the privacy laws are enforced now, while these alternatives are not yet available.
Chrome and WebKit (Safari) are working on technologies that allow you to get the ad conversions back using an API. This means you’ll be able to keep doing some attribution and even track conversions 3-60 days from the impression day.
I hope this article made it clear how you can use CNAME in your efforts to extend your A/B testing experiments from 7 to 30 days. Don’t buy CNAME tools that extend the life of ad-cookies that build user-profiles, please.
So when you install CNAME for your A/B testing tool, make sure your tool is not building user profiles. Don’t use identifiers like gender, age, race and religion to target (some tools – not ours – offer that). Don’t go there, it’s not worth it and nobody wants this anymore.