[bouzouk]

We do it a bit differently (French company). Since the only cookie that is endangered is the « third party cookie », it is very much ok to store anonymous session information in a first party cookie for all anonymous visitors. So we store page views and utm there, and capture this data in the datawarehouse when (and only when) there is a conversion. This is also working with returning visitors (who most likely kept the first party cookie).

[culturedsystems]

Note that you still need to get consent for the cookie in this case, as the cookie is being used for something which isn't strictly necessary to provide the service.

[CogitoCogito]

I think this is kind of interesting question actually. If this cookie is entirely separated from the rest of the experience (e.g. _never_ gets associated to a logged in cookie, or IP address, etc.), is it really tracking the user? It's more like tracking article association. I agree it's not strictly necessary to provide the service, but is it necessarily tracking users at all? Another similar approach would be to keep the clients IP address as a similar key, but in that case the IP address can often be used to (at least closely) identify the client, but if the UUID is randomly generated it's a bit different.

I mean my gut feeling is that you're correct, but I kind of wonder about this case.

edit: A cursory reading of this site makes me think you are correct:

https://www.privacypolicies.com/blog/eu-cookie-law/

[xyzzy_plugh]

If the cookie is never used until a later date e.g. conversion, when the user clicks through an agreement, do you still need consent?

Edit: I honestly have no idea, I haven't read the regulations and I'm curious if any experts know. Seems sleazy regardless!

[AstralStorm]

What does it mean? Even a session cookie is used at a later date, e.g. 5 minutes later. The law does not specify minimum retention time.

[wdb]

What if the cookie is also used for feature toggles?

[ahmedelsama]

Love it! This is super similar but we allow many different layers of conversions. So anytime we bridge systems you can connect the user. This is critical with the many browsers, devices and so on. In e-commerce we see that emails have such high conversion rates but they are often opened on the phone then the user buys on the browser without clicking. These situations are captured by doing the many layers of identity resolutions

[kcartlidge]

> Since the only cookie that is endangered is the « third party cookie »

Data protection regulations (esp. GDPR) are totally unconcerned with the distinction between first and third party cookies. They are concerned with data collection permissions and scopes, regardless of the technology used.

If you are capturing information which is not essential to the service/product you are offering at that moment and in that session, then you need specific permission - even for your own cookies. And if you did not have that permission at the time it was collected then you cannot merge it into records after conversion.