194

When you open a Stack Exchange site the first time you are asked about your consent for storing cookies. You can disallow all cookies except those that are defined as "strictly necessary". The explanation of this category from the privacy policy is the following:

These cookies are necessary for our website to function properly and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms or where they’re essential to provide you with a service you have requested. You cannot opt-out of these cookies. You can set your browser to block or alert you about these cookies, but if you do, some parts of the site will not then work. These cookies do not store any personally identifiable information.

I was a bit surprised looking at the cookies when I saw that SE is saving a _ga cookie even before you consent to any cookies and even if you disallow any but the strictly necessary cookies. The _ga cookie is a Google Analytics cookie and contains a unique identifier that is used to track users. Looking at the privacy policy this specific cookie is also clearly identified as a "strictly necessary" cookie there.

Now, it is true that the cookie contains no personally identifiable information, but it does contain a unique ID designed for tracking users. So while it probably doesn't violate the letter of the privacy policy here, I find it very deceptive to put a tracking cookie into the "strictly necessary" category. My personal suspicion would be that this might not be GDPR-compliant, but I don't know enough here to be sure. But independent of that I find it deceptive to claim that a tracking cookie is strictly necessary for the site to function. And if you include tracking cookies as strictly necessary, the explanation in the privacy policy is deceptive and misleading as well, as it does not mention them at all and only describes cookies with actual functionality.

I also checked the network requests, and even with all optional cookies declined there are requests made to Google Analytics that also include the tracking ID from the cookie on every page load. So Google Analytics tracking is enabled automatically without asking for consent. And while the cookie is declared as 1st party in the privacy policy, when the ID inside it is sent via JavaScript to a third-party domain, that description is rather deceptive while being only technically true.

I don't see how Google Analytics is "strictly necessary" for the functionality on the site, and enabling it and the tracking cookie without consent does not seem right to me.
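
The check described in the question (which cookies exist before consent, and whether the `_ga` identifier leaves the site with optional cookies declined) can be automated. The following is an added example, not part of the original post and not Stack Exchange's code; the capture data, the `session` cookie name, `site.example`, `cdn.example.net` and all function names are constructed for illustration.

```javascript
// Added example. Audits a page-load capture recorded with every optional
// cookie category declined. All names and data here are constructed.
// Universal Analytics stores "GA1.<depth>.<random>.<timestamp>" in _ga;
// the client ID sent with each hit is "<random>.<timestamp>".
function clientIdFromGa(value) {
  const m = /^GA\d+\.\d+\.(\d+\.\d+)$/.exec(value);
  return m ? m[1] : null;
}

// Simplified first-party test: the site domain itself or a subdomain of it.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

function auditCapture(capture, siteDomain, allowedCookies) {
  const findings = [];
  const ids = new Map(); // client ID -> cookie it came from
  for (const c of capture.cookies) {
    if (!allowedCookies.has(c.name)) findings.push({ type: "cookie-before-consent", cookie: c.name });
    const id = c.name === "_ga" ? clientIdFromGa(c.value) : null;
    if (id) ids.set(id, c.name);
  }
  for (const r of capture.requests) {
    const url = new URL(r.url);
    if (isFirstParty(url.hostname, siteDomain)) continue;
    // Check the query string and a form-encoded body for the identifier.
    const sent = [...url.searchParams.values(),
                  ...new URLSearchParams(r.body || "").values()];
    for (const [id, cookie] of ids) {
      if (sent.includes(id)) findings.push({ type: "id-sent-to-third-party", cookie, host: url.hostname });
    }
  }
  return findings;
}

// Constructed capture: one session cookie, one _ga cookie, four requests.
const CAPTURE = {
  cookies: [
    { name: "session", value: "constructed-value" },
    { name: "_ga", value: "GA1.2.1111111111.1641460000" },
  ],
  requests: [
    { url: "https://site.example/questions/1" },
    { url: "https://www.google-analytics.com/collect?v=1&t=pageview&cid=1111111111.1641460000" },
    { url: "https://www.google-analytics.com/collect", body: "v=1&t=event&cid=1111111111.1641460000" },
    { url: "https://cdn.example.net/app.js" },
  ],
};
console.log(auditCapture(CAPTURE, "site.example", new Set(["session"])));
```

The allow-list passed as the third argument is the auditor's own view of what is strictly necessary, so the identifier check still fires when a site's policy lists `_ga` as necessary.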

13
  • 45
    Re GDPR: the cookie consent requirement in European law does not stem from the GDPR, but from the ePrivacy directive. It applies regardless of whether the cookie contains personal data. It says that any access or storage of information on the end user's device needs consent, unless the access or storage is strictly necessary for a service explicitly requested by the user. That is a fairly narrow exception. Since at least 2014 there's official guidance that analytics cookies are not strictly necessary in this sense, though some countries have more flexible rules in national law.
    – amon
    Commented Jan 6, 2022 at 11:34
  • 20
    @benisuǝqbackwards in a technical sense they are 1st party cookies, they belong to the SE domain. But the tracking IDs in them are sent via JavaScript to Google Analytics servers, so while the cookie itself isn't sent to a third party the content is. Commented Jan 6, 2022 at 12:02
  • 2
    It might possibly have something to do with the fact that Google Analytics data access is a privilege granted to high-rep (25k+) users and moderators, and saving that cookie is necessary for those users to have proper data to exercise their privilege. If it weren't saved for a large proportion of users, it would make the data there useless and would essentially nullify the privilege. Commented Jan 17, 2022 at 1:46
  • 36
    The fact that it is so difficult to get an answer to this makes me feel like something nefarious is going on. Or someone was sloppy with an implementation of something and it has complicated legal ramifications. Or the evil tech overlord Alphabet has decreed that their invasive marketing shall not be interfered with lest one wishes to incur their wrath. Or one of a number of other scenarios (none of them good) that I won't elaborate on just in case I want to write a dystopian scifi novel.
    – ColleenV
    Commented Mar 28, 2022 at 16:16
  • 2
    @ColleenV nefarious? Nah. More likely they hope that if they ignore it for long enough, it will go away on its own. Commented Apr 19, 2022 at 7:09
  • 20
    This is taking us a long time to answer, but I want to comment that we're committed to giving an answer here and the Community Team is actively working with several other teams across the company to give as comprehensive an answer as we can. I don't have a precise timeline yet for when we can get this answer posted, but I am hoping it'll be soon (this month or early next month).
    – Cesar M StaffMod
    Commented Apr 20, 2022 at 0:48
  • 14
    @CesarM uh oh, that sort of wording implies that SE is going to try and justify this non-consensual tracking rather than, you know, stop doing it
    – Jo King
    Commented Apr 20, 2022 at 10:44
  • 7
    @JoKing that's not the current working goal
    – Cesar M StaffMod
    Commented Apr 20, 2022 at 17:25
  • 4
    @CesarM well, if you had said "we're working to fix this" instead of "we're working to give an answer", that could have given more hope. So I can see where Jo's comment is coming from. Either way, having an answer, even if negative, is better than no answer at all, so thanks. Commented Apr 20, 2022 at 21:42
  • 16
    @ShadowWizardSaysNoMoreWar I understand - the trick here is that I cannot commit to any formal plan because I don't have a final decision yet. There are multiple compounding factors that are making an answer take this long; one of them is a concrete action plan going forward and finding all the relevant stakeholders that need to be aware of any change. A "sorry, we're not changing anything" would probably have been easier and faster.
    – Cesar M StaffMod
    Commented Apr 20, 2022 at 21:55
  • @CesarM yeah, there's big money involved so I totally understand. And I would understand a decision to not change how things work, while respecting the official answer saying so. Commented Apr 20, 2022 at 22:00
  • 17
    @CesarM A statement that the team is aware of the question and is working on an answer really does go a long way, in my opinion, so thank you very much. Commented Apr 27, 2022 at 6:41
  • "Community Team is actively working with several other teams across the company" - I wonder if some of those "several other teams" are lawyers... But I am very glad we got some kind of reply from an official source, nonetheless. Commented Apr 27, 2022 at 14:25

1 Answer

72
+500

We are committing to recategorizing the Google Analytics cookie as a “Performance Cookie” by May 13, 2022.

(Update: This change was made on Tuesday, May 10th; we spent the remaining days monitoring it, and can confirm it is now working as expected under "Performance Cookie".)

While we’ve recategorized the Google Analytics cookie, the longer-term solution is to upgrade our Google Analytics platform to version 4, then enable Consent Mode, which automatically adjusts what it tracks to remain compliant based on users’ given consent on our cookie dialog. We don’t have a date for that change yet (it will be some time after May 13, 2022), which is why we’re moving the Google Analytics (version 3) cookie to Performance first and upgrading after.


The decision to list Google Analytics as “Strictly Necessary” was made during a cookie audit in 2020 involving several teams across the organization. At that time, we used it not only for analytics but also for bot detection and other security-related tasks. Google Analytics also provides us with critical business information like traffic data and browser usage stats for our product teams, and there was no way to separate these functions - security and traffic information. These metrics are essential to our product teams to improve our sites.

We recognize, however, that under today’s privacy landscape, they fall clearly under “Performance Cookies”. That’s why we are making the commitment to change it.

Please know that our goal was to use Google Analytics exclusively for high-level aggregate statistics for the purposes of better understanding users’ collective usage of our products. We’ve investigated our historical usage of this data and are confident that we have never used it to identify an individual personally; GA was explicitly configured only to provide high-level aggregates. We hope you consider turning on the “Performance” category in your Cookie Settings at the bottom of the page to help us make better-informed decisions about the product and our traffic data.

I know the response to this has been a long wait. Delays were many and had multifactored causes, including but not limited to time loss due to the departure of key involved individuals and onboarding of new staff, identifying the needed information and historical context, gathering the relevant stakeholders, determining legal requirements and how we will comply with them, and determining what technical steps are required due to integration complexity.

I appreciate your patience while we dug into this, brought new staff up to speed, chased enough information as to why the decision was made, and ultimately reversed the decision. We recognize the extended delays in producing this response, and we sincerely apologize for not respecting your privacy preferences.

14
  • 23
    It should be stated that "Strictly Necessary" refers to the users of the website, not to the business running it. It's clear that product usage data does not qualify, but nor does the heuristic security application. If that were removed then the site would still work, regardless of the additional work for your employees.
    – OrangeDog
    Commented May 4, 2022 at 9:44
  • 9
    @OrangeDog Typically - security, anti-fraud, and anti-spam, among other security measures, can be classified under Strictly Necessary by companies, as long as they're not used for anything else.
    – Cesar M StaffMod
    Commented May 4, 2022 at 14:21
  • 28
    "We’ve investigated our historical usage of this data and are confident that we have never used it to identify an individual personally; GA was explicitly configured only to provide high-level aggregates." I definitely believe this, and I don't have a problem with you using high-level aggregate tracking. What is problematic is that you funnel individual user data to Google without consent in order to generate those aggregates, since even though you may be not tracking individual users, Google definitely is.
    – NobodyNada
    Commented May 4, 2022 at 16:58
  • 28
    In other words: my problem isn't so much what you do with the analytics data, it's what Google does -- which is a big part of what laws like GDPR are trying to rein in by regulating the transfer of user data to third parties. I do appreciate you and the team putting in the effort to make this happen, thank you very much for doing this.
    – NobodyNada
    Commented May 4, 2022 at 17:02
  • 3
    @NobodyNada I think your comment is so incredibly good it should be converted to an answer for historical purposes. Thank you for posting it.
    – bad_coder
    Commented May 6, 2022 at 1:03
  • 2
    While I'm glad that the conclusion is you're going to fix the functionality in total, I want to respond to one particular notion: "there was no way to separate these functions - security and traffic information" This is absolute nonsense. IF statements are fundamental programming concepts and nobody can build a site of this complexity without knowing how to use them. There are many ways you can decide in the code whether you're adding a tracking statement or a security statement. This is pure misinformation.
    – samuei
    Commented May 6, 2022 at 14:14
  • 10
    @samuei I think you've misunderstood their point. They're not denying the existence of if statements; Stack Exchange is well in control of what they do with data. What they're saying is that Google Analytics v3 tracks indiscriminately. Stack Exchange had no way to untangle security and traffic tracking because GA didn't give them the option in that version. It all got tracked by Google regardless of what Stack Exchange did or did not do with that data.
    – zcoop98
    Commented May 6, 2022 at 15:37
  • Is it possible that these changes may or already have been impacting "site-analytics" pages under "Tools"? On two sites where I can access these tools, page views & visits are in sharp decline, "New Visits" fell to zero. Commented May 14, 2022 at 15:01
  • 4
    @LаngLаngС Yes - this change was made on Tuesday, May 10th, and will impact the site-analytics page as that is directly from Google Analytics.
    – Cesar M StaffMod
    Commented May 14, 2022 at 18:04
  • Could you please also tag the other feature request as completed? Commented May 14, 2022 at 18:06
  • 1
    @LangLangC I've requested that the help center page be updated to reflect that data from users with performance cookies disabled is not included. Commented May 14, 2022 at 18:07
  • @CesarM would you consider a banner about this in the 25k and Mod analytics pages? Commented Jun 29, 2022 at 19:27
  • 1
    Would be nice to have a note on the page though
    – n00dles
    Commented Jul 29, 2022 at 13:34
  • 3
    Is it called "performance cookie" because it makes my browser's performance worse? Commented Oct 14, 2022 at 22:42
