Nosto and Cookies

How Nosto uses cookies and what to take into account from a technical, regulatory and practical perspective.

Written by Lari Lehtonen
Updated over a week ago

The relationship among cookies, privacy regulations, and privacy statements forms a complex yet crucial part of the online ecosystem, including the use of Nosto on your website. However, these concepts and subjects frequently become conflated, leading to unnecessary worries. Fortunately, these concerns are straightforward to clarify, alleviate, and resolve.

It's crucial to our discussion to understand the nuances between three intimately linked areas. While they are connected, each pertains to specific concepts that vary by context.

Cookies, Legal Frameworks And Privacy Statements

Cookies are a primary method of collecting the data that privacy regulations like the GDPR seek to regulate. A cookie is a small piece of data that a website asks the browser to store on the user's device and send back on later requests. Cookies play a central role in the user experience by remembering login details and preferences, in tracking user activity for analytics and personalized advertising, and, in the context of Nosto CXP, in personalizing the website experience. They are thus pivotal both for improving the experience and for enabling detailed user tracking. At the top level, cookies fall into two categories:

  • First-party cookies: Set under the domain of the website the user is visiting, aiding functionality and user experience. Nosto's script, running on your page, writes a first-party cookie under your domain on your behalf, so the restrictions Safari, Chrome and Firefox place on third-party cookies do not affect the use of Nosto. (Being first-party does not exempt a cookie from every browser restriction: Safari's cap on the lifetime of cookies written from JavaScript is covered further down.)

  • Third-party cookies: Created by domains other than the one visited, these are often used for cross-site tracking and advertising purposes.

The cookies Nosto sets and stores on your behalf are detailed here. You may need to list them when formulating your privacy statement, depending on the legal frameworks you must comply with.

Legal frameworks

As an example, GDPR provides a legal framework that dictates how organizations must handle cookies and other personal data, especially concerning consent, transparency, and user rights, but as this applies to the EU and EU residents, regulatory space in your country might differ. While the GDPR is a comprehensive data protection regulation that applies to entities operating within the EU and those dealing with the data of EU residents, it is just one example in a global patchwork of data privacy laws. Various countries, states and regions have developed their own regulations to address the challenges of privacy in the digital age:

  • California Consumer Privacy Act (CCPA): A state statute intended to enhance privacy rights and consumer protection for residents of California, USA, broadly comparable in aim to the EU's GDPR. For example, it gives California residents the right to know what personal data is collected about them, the right to have personal data held by businesses deleted, and the right to opt out of the sale of their personal data.

  • Other Jurisdictions: Many other regions and countries, including Brazil with its General Data Protection Law (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and others, have established their own privacy laws with various protections and obligations.

Given the intricate and worldwide scope of legal frameworks, Nosto cannot offer legal guidance on compliance with your regulatory duties, but one widespread misconception is worth clearing up: privacy regulations typically do not prohibit the use of cookies as such, since cookies are a basic building block of essential website functionality, like remembering the items in a shopping cart.

Moreover, we are not in a position to determine whether the functionality provided by Nosto's technology (e.g. Search, categories, recommendations and similar) constitutes an essential function of your website, and thus whether Nosto and its cookies should be classed as essential or as functional. That evaluation is yours to make, but our technical and legal teams can assist by explaining in detail how Nosto works and what its functions are.

However, the mentioned legal frameworks do regulate the management of data collected through cookies and/or other means, including its usage, storage, access, and deletion, which also covers use of Nosto on your website and the data we process on your behalf.

To address a frequent concern, and as set out in the data processing addendum: Nosto acts as a data processor on your behalf, you remain the data controller, and the shoppers (visitors) on your website are the data subjects. This means the data remains under your control and ownership. As a result, Nosto may not sell your data or use it for any purpose other than those contractually agreed upon, specifically delivering the personalization services to you. For more legal details, please visit the Nosto Legal Center.

Privacy statements

Privacy statements are a direct communication tool that organizations like yours use to inform users about how they comply with the GDPR, CCPA, and other privacy laws in terms of using cookies and handling personal data.

Privacy statements or policies are tools for organizations to communicate their data handling practices. Given the global nature of the internet and the varied regulatory requirements across jurisdictions, these documents often need to address multiple legal requirements. They typically inform users about:

  • The types of data collected and the purposes for processing.

  • How and why cookies are used.

  • The users' rights concerning their data, which can vary significantly from one jurisdiction to another.

  • The mechanisms for users to exercise their rights, such as accessing, correcting, or deleting their data.

Once more, given the intricate nature of legal frameworks, how the use of Nosto on your website should be conveyed to visitors depends on your specific business, geographical location and your company's policies. Our legal and technical teams are on hand for detailed inquiries on these matters, but we cannot provide exact guidance on how to write your privacy statement. We recommend consulting your legal advisors about the nature and intended use of Nosto, and we are happy to answer any questions you and your team might have.

Cookies, Cookie Consent, and Regulatory Perspective: Deep-dive

As a continuation, let's examine cookies through the lens of regulation, specifically the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

To begin with, neither the GDPR nor the CCPA outright bans the use of cookies. Instead, they regulate the "proper" use of cookies within the scope of data protection: cookies aren't prohibited, but the legislation dictates how they may be used.

The GDPR, despite its broad application as a general data protection regulation (as its name suggests), has been criticized for its handling of cookies. Strictly speaking, the requirement to obtain consent before storing or reading cookies on a user's device comes from the older ePrivacy Directive (Article 5(3)), while the GDPR sets the standard that such consent must meet and governs the personal data collected through cookies. Neither instrument gives detailed stipulations beyond that, leaving much open to interpretation, which means compliance can vary depending on the country, business context and regional court decisions.

We're hopeful that the forthcoming EU's ePrivacy Regulation, intended to complement the GDPR as a ‘lex specialis’, will offer clearer guidance, especially on cookie management. This regulation, still under development as of 2024, promises more specific directives for instance how consent should be obtained. However, any prediction of its full impact remains speculative, while browser vendors' technical adjustments are already influencing cookie usage.

In summary, the current regulatory stance on obtaining consent for cookies is quite flexible and subject to interpretation. For Nosto users, this means consulting with your legal and technical teams to determine the most appropriate consent process for your operations and regions. Our customers have adopted consent mechanisms, or more specifically, included Nosto into existing ones, such as cookie consent pop-ups, to address this issue. However, it's crucial to recognize that this should not be seen as legal advice.

As practical advice, if a shopper (data subject) should not be tracked by Nosto, there are two options:

  • Prevent Nosto's JavaScript from loading at all for that user if they opt out of all tracking and cookies, or have Do Not Track enabled. Technical guidelines on how to do this are available here; the practical implementation, for instance within a consent banner or similar, is decided and managed by you.

    • Outcome of a full opt-out: none of Nosto's features are available.

  • Use the opt-out of session tracking. Technical guidelines on how to do this are available here.

    • Outcome: Nosto's features that rely on session tracking, e.g. personal browsing history and the signals gathered through it, are not available; the features that still work are covered in the last section.
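As an added example that is not Nosto's own code: a small consent gate in plain JavaScript that implements both options above. It reads a first-party consent cookie and decides whether to load the personalization script at all and, if it does load, whether session tracking is on. The cookie name `site_consent`, its JSON contents, the script URL and the `data-session-tracking` attribute are assumptions made for illustration, not Nosto parameters; how Nosto's own script reads an opt-out flag is described in the technical guidelines linked above.

```javascript
// Added example, not Nosto's code. Gates a personalization script behind a
// first-party consent cookie, implementing the two opt-out paths described above:
// full opt-out (script never loads) and session-tracking opt-out (script loads,
// but is told not to track the session).
// Assumptions (hypothetical): the consent cookie is named "site_consent" and holds
// URL-encoded JSON such as {"personalization":true}; SCRIPT_SRC is a placeholder;
// the "data-session-tracking" attribute is how this example passes the decision
// to the loaded script, not a Nosto parameter.

const CONSENT_COOKIE = 'site_consent';
const SCRIPT_SRC = 'https://example.invalid/personalization.js'; // placeholder

// Parse a "name=value; name2=value2" cookie string (document.cookie shape) into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Read the consent decision; null means "no valid decision recorded".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  try {
    const decision = JSON.parse(decodeURIComponent(raw));
    return decision && typeof decision === 'object' ? decision : null;
  } catch (e) {
    return null; // malformed or tampered cookie: treat as no consent
  }
}

// Map the consent state to one of three modes:
//   'blocked'   - do not load the script at all (full opt-out, DNT, or no decision yet)
//   'anonymous' - load the script with session tracking disabled
//   'full'      - load the script with session tracking enabled
function trackingMode(cookieString, doNotTrack) {
  if (doNotTrack === '1') return 'blocked';
  const consent = readConsent(cookieString);
  if (consent === null) return 'blocked'; // default deny until the user decides
  if (consent.personalization === true) return 'full';
  if (consent.functional === true) return 'anonymous';
  return 'blocked';
}

// Build the Set-Cookie / document.cookie string for a consent decision.
// Caveat: in Safari, a cookie written from JavaScript is capped at seven days by ITP
// regardless of Max-Age, so a long-lived consent record should be set by your server
// in an HTTP Set-Cookie header instead, or the banner will reappear weekly.
function consentCookieString(decision, maxAgeDays) {
  const value = encodeURIComponent(JSON.stringify(decision));
  const maxAge = Math.max(0, Math.floor(maxAgeDays * 86400));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Inject the script tag (or not) according to the mode. `doc` is a document-like
// object so the function can be exercised outside a browser. Returns the element or null.
function loadPersonalization(doc, mode) {
  if (mode === 'blocked') return null;
  const script = doc.createElement('script');
  script.src = SCRIPT_SRC;
  script.async = true;
  script.setAttribute('data-session-tracking', mode === 'full' ? 'on' : 'off');
  doc.head.appendChild(script);
  return script;
}

// Browser entry point; skipped when run outside a browser (e.g. under Node).
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  loadPersonalization(document, trackingMode(document.cookie, navigator.doNotTrack));
}
```

The gate defaults to 'blocked' when no decision is stored, which is the opt-in behaviour consent-based jurisdictions expect; a site operating under an opt-out regime would default to 'full' instead. The malformed-cookie branch matters because the cookie is writable by any script running on the page, so its contents cannot be assumed to be well-formed.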

Technical Perspective to Changes to Cookies by Browsers

Recent public discussions around cookies frequently mix up first-party and third-party cookies, along with how various browsers and their developers have altered or plan to change their handling of these technologies.

In this chapter we explain how these changes have affected Nosto and why, for the most part, they don't affect the use of Nosto at all.

Third Party Cookies and Browsers

Apple’s Intelligent Tracking Prevention (ITP) and, to a somewhat lesser degree, App Tracking Transparency (ATT), have introduced significant changes to the use of third-party cookies.

ITP, a feature of Apple's Safari browser on iOS and macOS, has seen increasing restrictions, with iOS 14 and 15 in 2020 and 2021 respectively tightening them further. Apple has consistently updated ITP, progressively implementing tighter constraints on cookie usage, a trend expected to continue. These updates have systematically limited the ways in which cookies can be used, but they are not recent developments: ITP 2.0 shipped as far back as 2018, and the releases since then have incrementally tightened the restrictions on cookies in Safari.

Google (Chrome) and Mozilla (Firefox), the other two main browser vendors, have also tightened their cookie policies, though less stringently than Apple, and their measures target third-party cookies almost exclusively.

Despite Safari's global market share being around 20% (27% on mobile), it plays a significant role in e-commerce, particularly in the US where Safari dominates 55% of mobile e-commerce browsing. This makes Apple’s cookie policy especially relevant to e-commerce businesses in the US, but also elsewhere, compared to the lesser impact of changes by Google and Mozilla.

It's important to note that Apple's ITP and the comparable restrictions by Google and Mozilla affect services that rely on third-party cookies for tracking across sites, typically for advertising purposes.

Nosto, however, is not affected by these third-party cookie changes. Nosto's script sets first-party cookies under your own domain from the browser (client-side), putting them in the same position as other first-party e-commerce cookies such as shopping carts and logins. The browser changes above target third-party cookies, used primarily by advertising services to track users across multiple websites; Nosto's tracking is confined to the e-commerce site it operates on, so those policies do not apply to it. The one first-party restriction that does apply, Safari's lifetime cap on script-written cookies, is covered in the next section.

Apple, ITP and First Party Cookies

Originally, ITP focused on limiting third-party cookies. As restrictions tightened, methods to bypass ITP emerged, such as using first-party cookies and URL parameters for cross-site tracking.

Apple's response has been to update ITP so that it also limits first-party cookies, specifically those written from JavaScript. Since ITP 2.1, a cookie set through document.cookie is capped at a seven-day lifetime regardless of the expiry the script asks for, and since ITP 2.2 that cap drops to 24 hours when the page was reached through a link carrying tracking parameters from a domain Safari classifies as a cross-site tracker. Cookies set by your own server in an HTTP Set-Cookie header are not subject to this cap (unless the host is a CNAME alias for a tracker). The cap is applied each time the cookie is written, so a shopper who returns within seven days has it refreshed by the script; one who stays away longer loses it.

In practice, personalization on Nosto customer sites proceeds normally, but once the cookie has expired after the seven-day limit, returning users are treated as new unless they are identified in another way, for instance by encouraging them to log in. This is the main ITP concern for Nosto customers: frequent cookie expiration disrupts website analytics and services, limiting personalization and web-analytics opportunities for Safari users. The same limitation affects any script-based web-analytics service, such as Google Analytics, not only Nosto.

In the last section, "Practical Perspective to Personalization," we'll explore strategies to lessen the impact of browser changes like ITP on Nosto, enabling brands to continue offering meaningful experiences despite restrictions on historical browsing and shopping data.

For technical and legal teams, a detailed list of cookies Nosto uses and their purposes is available here.

Cookies and Tracking: Practical Perspective to Personalization

Due to both technical and regulatory limitations on cookies, we generally encounter three types of shoppers and scenarios.

1. Shoppers who can be identified and tracked as before (the majority).

2. Shoppers who cannot be tracked across sessions, making it impossible to use their historical browsing and shopping data for personalization (mostly Safari users)

3. Shoppers who choose either a full opt-out or an opt-out of session tracking, limiting their personalization experience (the percentage varies by site).

Since Nosto's launch, we've not only been able to, but also encouraged to, adapt personalization experiences during a current active session, in addition to using past orders and browsing history. This ability sets Nosto apart from many similar technologies that only adjust experiences based on the last transaction. For instance, if a shopper purchased skis in December, they might be recommended skis again in April, despite potentially seeking warmer-weather gear rather than winter sports equipment.

At Nosto, we believe personalization should primarily reflect the current session's intent, except when the source of the visit indicates a more specific interest, such as a product- or category-specific advertisement or email, which gives an immediate opportunity to customize the experience for incoming traffic. In such cases, for instance when the Klaviyo integration is used, the landing page and the experiences beyond it can be optimized accordingly, as the traffic source provides insight into the user's current intent.

Technical restrictions on cookie use, particularly by Apple, don't make historical data obsolete in every case: shoppers not using Safari, and those who log in, can still have their data used by Nosto. However, these restrictions necessitate a shift in personalization strategy towards current intent (the current session), especially since a significant portion of traffic, roughly 20% globally and up to 55% of mobile e-commerce traffic in the U.S. (the Safari share cited above), can only be personalized based on the current visit. Focusing more on current-session intent is therefore advisable, while still allowing more detailed personalization for shoppers who can be tracked across visits. This can be achieved by leveraging segments and merchandising rules that use intent signals from the current session, not only from previous visits or transactions.

Leveraging order history and data for traffic acquisition and improving landing page experiences is naturally recognized as beneficial and shouldn’t be ignored. Yet, Nosto's personalization doesn't solely rely on identifying shoppers through cookies between sessions; other sources, such as utm parameters, leveraging integration such as with Klaviyo, can serve this purpose. After navigating the site, personalization should prioritize current actions and interests, focusing on present intent rather than past behaviors.

Concretely, this involves creating a compelling landing page experience, then emphasizing content, recommendations, and segments based on current behavior, along with merchandising decisions like promoting high-performing categories.

Introducing "self-segmenting" features on a website is another effective strategy for increasing engagement without historical data, occasionally referred to as obtaining first party data. This involves directly asking shoppers about their interests, aiding both personalization and encouraging account registration, allowing for retrieval of possible past site history upon login.

For shoppers who opt out completely, Nosto still delivers features, albeit in a more limited fashion, utilizing trend data and anonymous order information. For instance, showcasing 'best-sellers' and 'most viewed' products and cross-sellers on product detail pages remains possible also without personal data, as does providing Search results and Category Merchandising, albeit without any personalisation effects. Technical documentation from Nosto provides a way for shoppers to opt out of session tracking, allowing for the use of anonymous data for personalization functionalities.

For the opt-out group, features like product recommendations based on what others have viewed or bought and category merchandising based on product performance are still viable, despite not tracking individual shopper history. However, Nosto faces limitations in providing browsing history and segment-based experiences to shoppers who opt out, as these require tracking between page loads and visits.

Integrations and Optional Transfer of Data

Nosto offers integrations with various service providers, which are by default turned off and inactive. Essentially, the decision to enable any of these integrations, which may involve either exporting data from Nosto or importing data into Nosto from another system, rests with you and your users.

Certain integrations may entail the transfer of personally identifiable information, such as names and email addresses, between systems. For instance, Nosto’s integration with Klaviyo allows for the transfer of segments, including the emails and names of shoppers within those segments from Klaviyo to Nosto, thereby creating corresponding segments in Nosto. It's important to note that this integration is initially inactive and can only be activated by your team. We strongly recommend reviewing the compatibility of such actions with your legal obligations and the privacy commitments you've made to your data subjects before activating any integration.
