Client-Side Cookies: A Living Fossil…

Understand the urgency behind transitioning from client-side to server-side tracking for improved data privacy and security, especially in the wake of Google's third-party cookie phase-out (despite the delays, let's not try to run from the inevitable) and recent data breaches.

Navigating the Risks: Transitioning from Client-Side to Server-Side Tracking

Waves of regulatory changes and renewed customer focus on secure data collection have introduced a critical challenge for businesses. Reliance on client-side tracking methods, such as cookies and tags/pixels, has become increasingly problematic when taking into account the dynamic between first- and third-party customer data privacy risks. This piece aims to shed some light on the risks associated with client-side tracking and the pressing need for companies to adopt server-side data collection practices.

The End-of-the-Line for Client-Side Tracking?

Since the mid-nineties, when internet dinosaurs roamed free on Netscape among the grayscale Yahoo! and AltaVista search pages, cookies have provided valuable customer data to entities intent on somehow putting those data to use. In the earliest days, all cookies were accepted by default, and few consumers knew the implications. Fewer still were looking at the future of privacy and the complications that would arise from sharing a few bits of personal information online. The term “Personally Identifiable Information (PII)” had not been born, and the nefarious usage of such data was limited to just a few black hats and early online government-affiliated organizations.

Client-side tracking has, until recent years, represented the best source of direct and contextual user data. This tracking method pulls data directly from the user’s browser or browsing session. All those targeted messages — including the weird ads that seem to read your mind and the contextual browsing hints you experience as a consumer every day — have been traditionally driven by data collected client-side; unbeknownst to most, and unwanted by many. As you can imagine, companies were quick to commoditize consumer data, and have since relied heavily on client-side tracking to gather valuable customer insights.

The debate around consumer privacy and data value has been raging since the late '90s. This debate has undergone several transformative iterations: first with consumers taking a level of control back by punching holes in data collection with ad-blockers (nearly half of all web users employ ad-blocking today), and then with regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) that have imposed strict limitations on client-side tracking. So, the client-side approach has long since become outdated and incompatible with the focus on privacy.

Moreover, Google's well-conceived but poorly executed plan to consign third-party cookies to oblivion in Chrome further underscores the fact that the need for alternative data collection methods is generally and widely accepted [3]. The delays to such an initiative, however, are almost certainly to grant reprieve to the majority of online businesses that are woefully ill-equipped and lamentably unwilling to let go of old practices, even in the face of regulatory breaches, privacy infringements, and the notable phaseout of third-party cookies in browsers other than Chrome. Without third-party cookie deprecation as a forcing function to ensure that organizations are protecting consumers before prioritizing profit, we are just left to watch the powers that be gently nudge companies in the right direction without much care.

The Consequences of Complacency

Despite the clear signals that client-side tracking is on its way out, many companies remain complacent. This complacency can have severe consequences, as demonstrated by recent data breaches.

For instance, in April 2024, Kaiser Permanente inadvertently shared the personal information of millions of patients and policyholders with advertisers. In reality, the PII shared in this instance would have little bearing on consumers beyond advertisers' ability to track locations and make inferences based on browsing data. Still, it is information that should never have been in the hands of advertisers and represents flagrant disinterest in treating regulatory necessities as anything more than the burden of a checkbox exercise. The effect of this has been more damaging to the reputation of Kaiser Permanente than its consumers — rightly so.

The clearest — and by far most galling — fact of the whole matter is that this was an avoidable circumstance. A cursory look by staff at the data being shared by the website’s third-party scripts would have alerted the business much sooner and should have been a matter of course to any savvy web developer keeping abreast of news… since 2013. Had the staff considered any of the notifications around cookie deprecation, they would have likely explored server-side tracking technologies such as MetaRouter. In doing so, they could have prevented this breach by stripping third-party tags from their website while maintaining functionality and control over customer data.

The Cost of Non-Compliance 

The example above is incredibly recent, but will probably result in the lowest penalty; it was reported in time and remedied, and the damage to consumers was limited to IP addresses and other “less significant” identifiers. Failing to comply with privacy regulations can result in more significant financial penalties and reputational damage. British Airways faced a £20 million fine for a data breach caused by client-side Magecart attacks, which compromised sensitive customer payment data. Similarly, Ticketmaster was fined £1.25 million for client-side attacks and inadequate data security measures. These examples highlight the severe consequences of not prioritizing data privacy and security.

More Examples of Client-Side Vulnerabilities 

The risks associated with client-side tracking extend beyond the aforementioned cases. In 2018, Newegg, a popular online retailer, fell victim to a Magecart attack that compromised the credit card information of thousands of customers [8]. The attackers injected malicious JavaScript code into the company's checkout page, allowing them to skim sensitive data. This breach not only resulted in financial losses for Newegg but also eroded consumer trust.

Another notable example is the data breach suffered by Macy's in 2019. Hackers inserted malicious code into the company's online checkout page, collecting customers' personal information and payment details. This client-side vulnerability exposed Macy's customers to potential identity theft and fraudulent transactions.

These incidents underscore the inherent vulnerabilities of client-side tracking and the importance of adopting more secure data collection practices. By relying on client-side infrastructure, companies inadvertently expose themselves and their customers to entirely unnecessary risks.

The Server-Side Solution

The solution to the problem, as outlined here, is neither expensive nor complex. Ad-blockers and regulatory compliance may be eroding addressable consumer data by limiting the amount of client-side tracking that can be conducted on a website, but that doesn’t limit interaction with customers or consumers online. Most importantly, it doesn’t mean marketers must abandon whole segments of customer data entirely. With compliant tooling and practices that are available now (but woefully under-utilized), the impact of continual changes to the data landscape can be minimized, if not eliminated entirely, while reducing the risk surface for any organization with a web presence.

In order to mitigate the risks associated with client-side tracking, businesses should seriously consider server-side data collection. By shifting data collection to their own servers and utilizing server-side tag managers, companies can gain greater control over customer data while improving website performance and data governance. This approach allows businesses to respect customer privacy while still gathering the necessary data to make informed decisions.

Server-side data collection offers several key advantages. Firstly, and most importantly to this article, it enhances data security by minimizing the exposure of sensitive information to third-party scripts and potential client-side vulnerabilities. Secondly, it enables companies to have greater control over the data they collect, ensuring compliance with privacy regulations and allowing for more targeted data gathering. Lastly, server-side tracking can improve website performance by reducing the number of client-side requests and minimizing the risk of script conflicts.
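The control described above can be made concrete with a per-destination field policy applied on the collecting server before anything is forwarded. This is an added example, not code from the original article or from any vendor it names; the destination names, field names, consent labels and sample event are all constructed for illustration.

```javascript
// Added example: a server-side collection point decides what each vendor receives.
// POLICY, the consent labels and SAMPLE_EVENT are hypothetical.
const keep = (v) => v;
const pathOnly = (v) => String(v).split("?")[0];              // drop query strings
const truncateIp = (v) => String(v).replace(/\.\d+$/, ".0");  // IPv4 only in this sketch

// A field that is not listed for a destination is never sent to it.
const POLICY = {
  analytics: { consent: "analytics",
               fields: { event: keep, page: pathOnly, timestamp: keep, ip: truncateIp } },
  ads:       { consent: "advertising",
               fields: { event: keep, timestamp: keep } },
};

function buildPayloads(event, consent) {
  const result = {};
  for (const [dest, rule] of Object.entries(POLICY)) {
    if (!consent.includes(rule.consent)) continue; // no consent: nothing leaves the server
    const payload = {};
    const dropped = [];
    for (const [field, value] of Object.entries(event)) {
      // Own-property check so a field named "toString" cannot match the prototype.
      if (Object.prototype.hasOwnProperty.call(rule.fields, field)) {
        payload[field] = rule.fields[field](value);
      } else {
        dropped.push(field);
      }
    }
    result[dest] = { payload, dropped }; // "dropped" feeds the audit log
  }
  return result;
}

// Constructed event, as a browser might post it to a first-party endpoint.
const SAMPLE_EVENT = {
  event: "appointment_search",
  page: "/find-care?specialty=oncology",
  timestamp: "2024-04-25T12:00:00Z",
  email: "pat@example.com",
  ip: "203.0.113.7",
};

console.log(JSON.stringify(buildPayloads(SAMPLE_EVENT, ["analytics", "advertising"]), null, 2));
```

With a client-side tag, the vendor's script reads whatever the page exposes; here the default is reversed, and a new event field reaches no destination until someone adds it to the policy.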

Implementing Server-Side Tracking

To successfully transition to server-side data collection, businesses need to follow a strategic approach. The first step is to assess the current data collection infrastructure and identify areas where client-side tracking can be replaced with server-side alternatives. This may involve auditing third-party scripts, evaluating data collection requirements, and determining the necessary server-side tools and technologies.

Once this assessment is complete, companies should develop a comprehensive migration plan. This plan should outline the steps needed to implement server-side tracking, including the selection of appropriate tools, the configuration of server-side environments, and the testing and validation of data collection processes. It is essential to involve key stakeholders, such as IT, marketing, and legal teams, to ensure a smooth and compliant transition.

During the implementation phase, businesses should prioritize data governance and privacy. This includes establishing clear data handling policies, implementing secure data storage practices, and ensuring data collection meets regulatory requirements. Regular monitoring and auditing of server-side tracking should also be conducted to identify and address potential issues or vulnerabilities.
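The audit of third-party scripts named in the first step can start with an inventory of every external host a page loads resources from. This is an added example, not code from the original article; the first-party domain, page URL and sample HTML are constructed, and the regex-based tag matching is a simplification that a real audit would replace with an HTML parser.

```javascript
// Added example: list third-party hosts referenced by script, img and iframe tags.
// FIRST_PARTY, PAGE_URL and SAMPLE_HTML are constructed for illustration.
const FIRST_PARTY = "shop.example";
const PAGE_URL = "https://shop.example/checkout";

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script async src="https://tags.adnetwork.example/pixel.js?id=123"></script>
<script src="//analytics.vendor.example/collect.js"></script>
</head><body>
<img src="https://tags.adnetwork.example/1x1.gif?uid=abc" width="1" height="1">
<iframe src="https://widgets.social.example/share"></iframe>
</body></html>`;

function isFirstParty(host, firstParty) {
  // Exact match or a true subdomain; "evilshop.example" must not pass.
  return host === firstParty || host.endsWith("." + firstParty);
}

function auditThirdParty(html, pageUrl, firstParty) {
  const tagRe = /<(script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const byHost = new Map();
  for (const [, tag, src] of html.matchAll(tagRe)) {
    let url;
    try { url = new URL(src, pageUrl); } catch { continue; } // skip malformed src
    if (isFirstParty(url.hostname, firstParty)) continue;
    const entry = byHost.get(url.hostname) ||
      { host: url.hostname, tags: [], sendsQuery: false };
    entry.tags.push(tag.toLowerCase());
    if (url.search) entry.sendsQuery = true; // identifiers often travel in the query
    byHost.set(url.hostname, entry);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

for (const r of auditThirdParty(SAMPLE_HTML, PAGE_URL, FIRST_PARTY)) {
  console.log(`${r.host}\t${r.tags.join(",")}\tquery=${r.sendsQuery}`);
}
```

A static pass like this only sees tags present in the delivered HTML; anything a tag manager injects at runtime has to be captured from the browser's network log instead.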

Conclusion

In a world where privacy is paramount, relying on client-side tracking is no longer a viable option for businesses. The risks are too high, and the consequences too severe. By adopting server-side data collection practices, companies can protect themselves from financial penalties, reputational damage, and the loss of valuable customer data. The time to act is now. Embracing server-side tracking is not just a smart business move—it is a necessity in today's privacy-focused landscape.

The examples of data breaches caused by client-side vulnerabilities serve as stark reminders of the urgent need for change. Companies that fail to adapt risk becoming the next cautionary tale, facing the wrath of regulators and the erosion of customer trust. On the other hand, those that proactively embrace server-side tracking will be well-positioned to navigate the evolving privacy landscape and build stronger, more trusted relationships with their customers.

In conclusion, the shift to server-side data collection is not optional—it is imperative. By taking a strategic and proactive approach, businesses can mitigate the risks associated with client-side tracking, ensure compliance with privacy regulations, and safeguard the privacy and security of their customers' data. The future of data collection lies server-side, and those who recognize this reality will be the ones who thrive in the years to come.