Author here: the title might seem like clickbait, but we've seen it's accurate. Another option is "harmful". The correct answer is that it depends on how the testing tool is used:
1. If used correctly -> "harmful" (months of waiting without touching the site)
2. If not (like in most cases) -> "bullshit" (results are random)
The major difference between traditional A/B testing and Volument is that the comparisons are based on _cohort analysis_. It takes two groups of visitors and places them side-by-side starting from the very first visit: how they gradually build awareness and interest (metrics from the first visit) before taking action (on the first visit or on later visits). Then you take a cutoff day (say Day 7) and compare what has happened (how much retention, conversions, sales, virality) before that day. The whole "traction" so to speak.
The eDirective states that the browser and device information (like the URL) is private data and you need permission to access it for non-essential purposes such as analytics. This is why Simple Analytics also needs a cookie banner, contrary to what their marketing says.
Cookies are not an issue for GDPR, it's all about respecting users' privacy. In fact you can freely store anonymous data to cookies, localStorage, and sessionStorage without issues. The problem comes when you are dealing with personally identifiable information such as permanent identifiers.
You definitely need a "cookie banner" when using Simple Analytics, Fathom, or Plausible. Any service that accesses the device information such as the URL needs permission from the user according to the ePrivacy directive.
We have consulted EU law specialists when building our upcoming analytics service that is as privacy-friendly as Simple Analytics, while still measuring important things like retention and conversions. More information:
Founder of Simple Analytics [1] here. There is a lot of information around cookie banners that is just not true. For example cookies are not limited to the technology of cookies, it contains any piece of information that you can use to track a user. An IP address, localStorage, sessionStorage, ... You are allowed to add a functional cookie with a dark mode setting for example without a cookie banner. You can't use an analytics cookie without a cookie banner.
What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personally identifiable information. This includes, but is not limited to an IP address, a cookie with a user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information, this is not device information but basically a page view. You are allowed to collect page views and URLs that are linked to these page views with a cookie banner.
You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.
Cookie banners are also a thing that is implemented on the web in many wrong ways. You should always have a way to disable cookies. Just an "accept all cookies" is legally invalid under the GDPR. The e-Privacy was already in place before the GDPR and the GDPR is somewhat a clarification of it.
Simple Analytics does not use cookies and does not require a cookie banner. We don't track your visitors and don't calculate retention or conversions. If your service does this, they are tracking your user and you might need a cookie banner.
Hey. Founder of Volument[1] here. We consulted EU law specialists on this particular matter. You are right: you definitely need a cookie banner when you store or process PII data. But GDPR is just an extension to ePrivacy, which says that you also need the cookie banner when any of the device information is accessed (such as the browser URL) for non-essential purposes.
The ePrivacy is just a _directive_ and doesn't oblige to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an analytics service for opt-in or opt-out style banner. [2]
Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.
I would argue that at least for the Czech Republic, the notice is not required if the processed data is crucial to providing the service the user requested.
You cite Article 89(3) of the Electronic Communications Act, where it's stated that "... nor does it apply to the cases where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user.".
This part was also modified several times, most recently in 2018 in 20/2018 s. 687
How is that defined? For many businesses it is essential to know conversion rates and which users buy, especially if they invest in ads so they can calculate their ROI and know if their campaigns bring in profit or loss, which I think is pretty "essential".
It means essential for the usage of the website, as in technically essential, like login or shopping cart.
The law doesn't say anything about it, though: this is just the interpretation and how courts have been treating it, so I wouldn't try to find loopholes around the word "essential" if you intend to follow it.
A court has ruled that tracking cookies used by ad networks, analytics and retargeting require consent [1].
Nothing stopping you from analysing your logged-user data, though (as long as you disclose it to your customers and comply with the rest of GDPR), so it's possible to have those kinds of measurements even without those stupid cookie banners.
I am confused. What do you mean by “browser URL”? Do you mean the URL of the page that the user accessed? How is that not essential? How is it specific to the user’s device?
Yes: the location information on the browser. You cannot access it for non-essential purposes without user consent. See Article 5 / Statement 3 in the ePrivacy directive[1]
The browser sends the URL to the server to download the page so you can’t avoid receiving the URL before receiving consent from the user. You get to see the URL without accessing the user’s device.
Your citation does not mention URLs or clarify why they might be non-essential.
ePrivacy talks about "information stored in the terminal equipment", which includes any information you can get from the device. For example the user agent, location, and operating system. It's not about the information itself being essential or not, but what you do with it: is it for essential purposes (consent not needed) or non-essential purposes (consent needed).
Ah, this would make sense. They mean if I put data in the url and retrieve it from there. www.example.com/search?q=abcd would be fine in that interpretation.
The GDPR is not a clarification of the ePrivacy directive, on the contrary. The ePrivacy directive "particularises" certain aspects of the GDPR. National implementations of the ePrivacy directive (which, unlike the GDPR, needed to be put in laws within each EU country) that e.g. regulate certain aspects of electronic communication have priority over the GDPR as a "lex specialis". Wherever such provisions do not exist, the GDPR takes precedence as a "fallback legislation".
The EU is working on an ePrivacy regulation btw, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.
That depends solely on what is an "analytics cookie". If it's a permanent identifier, then it's considered PII and requires a GDPR consent. Otherwise GDPR doesn't care. You can freely store foo=bar to a cookie.
Volument - A new take on website analytics
volument.com