Cookies, consent, and the GDPR: The role of privacy in a product analytics strategy - Mixpanel
Product Foundations

Cookies, consent, and the GDPR: The role of privacy in a product analytics strategy

Peter Day Head of Global Privacy & Technology Services and Director of Legal at Mixpanel

Collection and use of personal data is core to product analytics, and data protection should feature prominently in designing any analytics strategy.  With ever-evolving regulations like GDPR, CNIL, LGPD, ePrivacy Directive (cookies), and more, it’s important to build a flexible data stack to meet almost any privacy or data protection regulation.

So how do you prepare for a procurement process which will likely include working with compliance, security, and legal teams when selecting new tools? Consider it an important opportunity to stress test your analytics strategy and ensure you are putting in place a privacy-compliant product analytics solution. 

This guide aims to help product leaders do just that, based on our experience working with hundreds of customers around the world. 

Why the fuss?  

Product teams play a crucial role in advancing privacy protections

The last several years have seen a veritable explosion in privacy requirements.  From the 2018 enactment of the GDPR to the passage of California’s landmark CCPA to Brazil’s adoption of the LGPD, the rules governing data collection, processing, and analysis have grown more complex, hyper-localized, and challenging.  

While some nay-sayers may take these trends as a sign that data-driven product analysis is no longer viable,here at Mixpanel we see them as an opportunity for more thoughtful, tailored analysis. Careful consideration of data privacy means product teams will be more considerate of the questions they wish to answer, and collect only the data needed to answer those questions.  

We’re not saying this is easy stuff, but we do believe that product teams play a crucial role in advancing privacy protections beyond just delivering superior products.  Nowhere is this challenge more significant than in Europe, so what follows will focus heavily on equipping you to work within the confines of European privacy law.

The ePrivacy Directive is taking on bigger importance, yet many only focus on GDPR

Many people working in product design and development have heard of the EU’s General Data Protection Regulation or “GDPR.”  The GDPR mandates that businesses seeking to do virtually anything with personal data must comply with a series of requirements, including:

  1. Clearly informing individuals about what is being done with their personal data
  2. Ensuring that a “lawful” basis exists for using that data
  3. Entering into appropriate contracts with others with whom you might share personal data
  4. Responding to any number of requests from individuals for information about their data.  

Add to this potential fines of up to €20 million, and it becomes clearer why compliance and legal departments sweat the GDPR so much. We’ll dive into several of the GDPR’s key provisions below, but for now, know that the GDPR is a big, complex challenge, but one that is ultimately workable. 

Despite its size and complexity, the GDPR is not the only word on privacy compliance in Europe. In 2002, the European Commission adopted a “directive” regulating the use of cookies called the ePrivacy Directive.  The ePrivacy Directive has taken on increased importance as more and more regulators want to see evidence of informed consent for the placement of cookies (i.e., cookie banners), and clear opportunities for people to withdraw their consent for any reason, at any time.  

We want to help you become confident working with privacy experts, not become one yourself

There are huge, boring books on the GDPR and the ePrivacy Directive.  We could spend hours together going over the minutiae of each provision.  As exciting as that sounds to us (and it truly does), our aim here is not to turn you into privacy experts. Instead, we hope to enable you to work closely with your privacy experts and lawyers so you can help design, build, and share fantastic products.

Key Concepts 

What are cookies?

Regulators, lawyers, and compliance officers are all talking about cookies these days. Have they gone mad for the chocolate chip?  Sadly, no.  

Cookies are generally understood as small text files placed on a site visitor’s computer, which are then read by a browser to determine and enable a host of services to that site visitor. But EU law takes a broader approach and as outlined in Article 5(3) of the ePrivacy Directive, cookies are anything that accesses a site visitor’s or app user’s local device memory. Based on the EU’s expansive interpretation of the legal definition for cookies, Mixpanel’s SDKs are considered “cookies.”   

So why does this expansive definition of a cookie cause so many headaches? As noted above, the answer comes from the ePrivacy Directive. Under the ePrivacy Directive, placing and reading cookies—including Mixpanel SDKs—is seen as a privacy infringement. To the Directive, any technology accessing a site visitor’s computer memory infringes on the privacy rights of that computer’s user. And that infringement triggers a host of privacy concerns for your legal and compliance colleagues.  No need for alarm: as we’ll discuss below, Mixpanel can help you navigate those conversations so you can still uncover deep product usage insights while fully complying with the law.

It is important to note that EU law does not ban or prohibit the use of cookies.  Instead, it allows website owners or publishers to use cookies if the site visitor provides valid, verifiable consent (we’ll talk more about this in a minute).  A so-called “cookie banner” is the most visible manifestation of techniques used for obtaining this consent, and it’s the approach Mixpanel (and nearly every other company) uses on its websites.

First vs. third-party cookies

When discussing cookies (or SDKs), the conversation can quickly turn to so-called “first” and “third” party cookies.  In a nutshell, first-party cookies are stored directly on the website by the website’s owner. They are used to collect data on how the site visitor navigates the website, and typically the data collected is only accessible to the website owner. For example, when a customer signs into the Mixpanel platform, we use a cookie to track how they use our software to inform us about what is working or not working, for instance. 

Third-party cookies, on the other hand, are created by other domains or generally belong to other parties such as Facebook, Twitter, Google, or Drift. These cookies are pushed onto visitors of a website by that third party. In this case, a visitor to the Mixpanel website (who opts-in to our cookies banner) might allow our website to deliver a Twitter cookie onto that visitor’s browser. 

As might be obvious, Mixpanel’s SDKs are third-party cookies in the typical deployment. As previously mentioned, this is a consequence of the broad EU interpretation that treats similar tracking technologies as falling under the definition of cookies.  Because of this, some product teams might want to consider alternatives to Mixpanel’s SDK, such as using Mixpanel’s server-side tracking or creating a proxy to send data to Mixpanel via its ingestion API. 

In discussions with your legal and compliance teams, alleviate any cookie-related concerns by ensuring they understand Mixpanel’s SDK is just one way of getting access to Mixpanel’s powerful analysis tools.

Necessary vs. unnecessary (or optional) cookies

The terms used may vary a bit but generally there are two overarching groups of cookies: essential and non-essential. Within the essential group, you have necessary cookies and everything else typically falls into the non-essential group. For the past several years, there has been a consensus among EU and UK data protection authorities about “necessary cookies.” These are cookies or SDKs deemed so fundamental to the operation of a website or application (e.g., for authentication, billing info, shopping cart contents) that website or application operators do not need consent to use them. The catch is, product teams must inform users upfront about their use.  All other cookies require users’ valid consent even if the data is only statistical and anonymized to help enhance the website’s user experience or functionality. 

CNIL and France’s new cookie guidance

Recently, France’s data protection authority (“CNIL”) took a crack at defining what “necessary” means when talking about cookies and SDKs, like Mixpanel’s. You probably noticed this from an uptick in inquiries from product teams about an exemption from obtaining consent from users if the intent is solely for audience measurement, commonly referred to as the “CNIL exemption” or “CNIL compliant tracking”. 

The good news is that Mixpanel’s flexibility as a solution allows customers to comply with the CNIL exemption (if they want) or stick with the “consent-based” approach which is the standard set by data protection and privacy regulations.  In short, product teams under the CNIL’s authority can use cookies, including Mixpanel SDKs without obtaining consent if they meet a number of very specific requirements, including (but not limited to):

  1. Strictly limited to the purpose of measuring audience only on the site and only for use by the site owner.
  2. Not enabling collected data to be combined with other data or shared with third parties for tracking across different applications or website
  3. Serve solely to produce anonymous statistics.

Product teams need to know that CNIL compliant tracking may lead to less depth in their data collection and analysis platforms because of these stringent requirements.  This trade-off illustrates the importance of including legal and compliance when preparing an analysis strategy. 

So, if the end goal requires less depth, a product team might consider deploying “exemption-based” tracking while avoiding the need to obtain consent. But alternatively, a product team may ultimately determine in consultation with their compliance department that “consent-based” tracking is the most effective approach for their use case.    

Consent management

Consent management is one of the most challenging aspects of EU privacy. In the EU, ownership of one’s personal data is a fundamental civil right.  Granting individuals ownership of their personal data means that they have the right to determine how, when, and even if it is processed or used.  This right is often called “consent.” 

What constitutes “valid consent” under the GDPR is relatively prescriptive. For product teams seeking to use Mixpanel SDK, the following sets out the high-level consent requirements.  It must be:

  • Affirmative (i.e., it must be a positive act by the visitor, they don’t look kindly on implied consent or pre-ticking of choice); 
  • Freely given (i.e., the visitor has the option to decline); and 
  • Specific and informed (i.e., the visitor understands what they agree to, including by whom, for what, and where their data will be processed and may elect to withdraw consent at any time). 

Legal and compliance teams spend tons of time on questions of consent.  This focus makes sense because without an individual’s permission to use their personal data, a product team may lack the legal right to use that data.  

Product teams should think through a consent management strategy and work with their compliance and/or legal teams to assess any analytics solution’s consent management capabilities early to develop an analysis strategy, lest they risk having great tools without access to data.

Now for some good news: Mixpanel helps product teams ace the consent management game.  Mixpanel has built a powerful opt-in and opt-out functionality that allows our customers to honor individuals’ tracking choices while obtaining affirmative, freely given, and specific consent. Said another way: if you’re chatting with legal and compliance on consent questions, Mixpanel’s built-in consent functionality has your back.

Data subject rights

The goal of EU regulation around privacy and data protection is to allow individuals to control their personal data. The liability of businesses who deal with personal data is no laughing matter should they be found in violation of the law (i.e., upwards of 20 million Euros, or up to 4% of their total global turnover of the preceding fiscal year, whichever is higher). 

There is an entire chapter in the GDPR dedicated to the rights of the data subject but at a high level and broadly speaking, these include (1) the right to be informed transparently, (2) the right to access, (3) right to rectification, erasure or restriction of processing (4) the right to data portability, (5) right to object and (6) the right not to be subject to a decision based on automated processing including profiling.

In practice, these access rights impose an obligation on product teams to detail how an analytics solution will collect, process, and store personal data for legal and compliance teams.  Legal or compliance teams need this detailed information to prepare privacy policies, respond to regulatory questions, and help users exercise their legal rights. The more details and context a product team can share, the faster legal and compliance teams can modify privacy policies and prepare to meet other legal obligations. 

Sending data abroad

For many EMEA-based customers, sending data abroad (particularly to the United States) has become a bit of a nightmare post-Schrems II. In July 2020, the Court of Justice of the European Union (CJEU) issued a ruling that invalidated something called “Privacy Shield.” As context, many multinational companies previously relied on Privacy Shield as a legal way to get data out of Europe and into American data centers for processing.  Mixpanel was among them. But after Schrems II, companies like Mixpanel had to find another way.

Product teams should count on legal and compliance departments asking about data transfers, especially when working with American companies like Mixpanel. Like the vast majority of businesses, Mixpanel now relies on a series of legal documents called Standard Contractual Clauses (SCCs) coupled with certain additional assurances to transfer information out of Europe. Mixpanel SCCs apply automatically to customers who sign up for Mixpanel using our online terms of use.  

But the best part?  Product teams don’t need to send data out of Europe to use Mixpanel.  One more time, all those hoops we talked about just now can be avoided with Mixpanel because we offer EU Data Residency.

How Mixpanel Helps Manage Risk

Server side and cookie-less deployments

One of Mixpanel’s best features is its flexibility.  Because it can collect data from either its SDKs or via its ingestion API, Mixpanel can be configured to collect information from the server-side.  This type of deployment removes the cookie challenges we discussed above because it does not access site visitors’ or app users’ local memory.   

First party tracking

Like server-side tracking, Mixpanel’s SDKs also function as first-party trackers.  This capability allows our SDK to send data directly to a server the customer controls first, and then onto Mixpanel.  We have found legal and compliance are receptive to this when product teams analogize Mixpanel to a very advanced, cloud-based version of Microsoft’s Excel.  In the analogy, Mixpanel simply takes data shared with it by the customer and performs very advanced statistical analysis and visualization.  Mixpanel makes no further use of the data, and Mixpanel never shares the data with anyone for data enrichment, ad-targeting or placement, or anything else.  

Customized data collection

Another feature of the SDKs that can help product teams work with legal and compliance comes in tailoring data collection through Mixpanel’s SDK customization options.  From fully anonymous tracking to limiting the amount of data collected, product teams can configure Mixpanel’s SDK only to collect what is needed or legally permissible.  This flexibility equips product teams to help legal and compliance manage data-related risks and reduce the amount of noise collected from other codeless or auto-track-like solutions.  Since we’re fans of analogies, think of Mixpanel as a spotlight, not the house lights.  

Our products give complete control of what data product teams can collect and for what purposes. We have a strong CSM and professional services team to help our customers configure and implement Mixpanel to achieve their needs. An individual rights management platform allows us to manage data subject requests from our end-users and requests we may receive on behalf of our customers’ end users. Per our DPA, we will notify our customers if such DSARs involve their end-users. For Mixpanel’s end users, we triage internally any DSAR and use the individual rights management platform to record and document actions taken for compliance purposes. 

Powerful consent management

Mixpanel helps you meet your privacy obligations by not tracking or collecting information from data subjects unless they opt-in to tracking or collection.  Mixpanel’s SDKs also make it easy for data subjects to opt-out at any time.

Data Residency

Data Residency, also referred to as “data localization,” is one of the more powerful tools available to Mixpanel customers to meet emerging privacy guidelines and regulations. Mixpanel offers the option to send customer data to our EU data centers for hosting, storage and processing without losing any product capability otherwise available in the US. In other words, customers using Mixpanel are not worse off by opting to keep all their data local. Mixpanel is the only advanced analytics solution offering data residency. 

Looking for more?  Partner with our Privacy Program. 

Our Privacy Program loves chatting with customers and enjoys geeking out with other privacy and compliance nerds.  If your team is looking for an assist, ours will help talk through risks, discuss industry trends, and map out solutions. 

Meet Mixpanel’s privacy experts:

Peter Day

Peter Day

Global Head of Privacy & Security @ Mixpanel

Angelica Bos

Angelica Bos

Counsel @ Mixpanel

Get the latest from Mixpanel
This field is required.