Dublin, Ireland

GDPR Friendly Web Traffic Analytics without Cookie Consent Banner

The following are based on my personal interpretations and may not be entirely accurate. They should not be taken as legal counsel. For definitive GDPR guidance, please consult a legal professional.

Abstract

The introduction of GDPR led to an influx of cookie consent banners, which sometimes hinder user engagement. However, GDPR's core goal isn't to disrupt the online experience with banners but to reform how online applications monitor users. Thankfully, there are strategies to analyze web traffic in compliance with GDPR without these banners. These strategies are explored below.

The Issue with Current Cookie Practices

  1. Understanding GDPR's Implications: GDPR mandates that online platforms seek user consent before storing personal data, including IP addresses.
  2. The Present Scenario: Numerous websites now use invasive cookie banners, prioritizing user consent but sometimes making it difficult for users to opt for minimal tracking. This inadvertently discourages users from interacting with web content.
  3. Roles and Responsibilities:
    • Data Controller: As the primary point of user interaction online, you are a data controller, accountable for the personal data shared with data processors.
    • Data Processors: These can include services like Google Analytics, embedded social components, third-party comment boxes like Disqus, and similar. They process user data unless they clearly declare that they collect no personal information and are GDPR compliant, which is rare.
  4. GDPR's Data Minimization Principle: This principle underlines that only vital data should be collected. Ensure your analytics truly requires the data being accumulated to foster user trust and maintain GDPR compliance.
  5. User Experience Impact: A seamless user journey, without disruptive banners, can enhance engagement, potentially boosting conversions.

Pursuing GDPR-Friendly Solutions

Unnecessary popups and banners can significantly deter users from enjoying and engaging with your content. By ensuring GDPR-friendly analytics, you provide a smoother user experience, which can lead to better conversion rates.

Pseudonymization and Anonymization

While making data fully anonymous is ideal, pseudonymization is an effective alternative. It involves altering data so that it cannot be linked to a specific individual without supplementary information. For IP addresses, this basically means obfuscating the last block, for example keeping an IP like 192.168.0.10 as 192.168.0.0. This is a good compromise between data privacy and analytics.

Cookie-less Tracking

It is possible to track visited pages during a session without cookies. This reduces accuracy between sessions but can be a viable option. It involves tracking using ETags, local storage or a cached image. This reminds me of how, years ago, we used image tags to track web traffic when not everyone had JavaScript in their browsers.

Embedding Web Components the GDPR Way

To sidestep GDPR consent banners:

  • Ensure you use GDPR-compliant third-party services that don't store personal data, including IP addresses. Unfortunately, using most web components like Disqus will require the consent banner. Most free services rely on collecting user data, and if they become GDPR-compliant they cannot provide the services for free anymore. They might have paid versions that are GDPR-compliant.
  • For Google Analytics, use the IP anonymization feature and consider non-cookie-based tracking. This can reduce the accuracy of tracking between sessions, but you can always use more enhanced traffic tracking once a user converts to a member.

Google Analytics 4: A Brief Review

While Google Analytics 4 offers extensive features, its complex user interface and delayed data collection can be off-putting. The evident increase in its integration with other Google services, such as BigQuery and DataStudio, appears to be a strategic move to attract a broader clientele to Google Cloud. As a result of these integrations, there is a pronounced ascent in the learning curve associated with the new Google Analytics. Moreover, it's imperative for users to engage with the platform consistently to retain proficiency in its operations. The platform no longer presents itself as a straightforward dashboard that users can access sporadically to glean their statistics.

Hosting Considerations

Hosting sites outside the EU can pose GDPR challenges. Shared hosting platforms may not adhere to GDPR norms by collecting IP addresses and visited web pages, potentially compromising GDPR compliance. The panels they provide often include a dashboard of visitors, even without the need for cookies, which is a GDPR concern.

The Essence of JavaScript in Web Analytics

While JavaScript facilitates comprehensive data collection about the user's operating system, browser version, screen resolution and more, alternatives like server logs or the server's application context suffice for basic metrics like page visits and referral sources.
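
The following added example, which is not code from the original article, counts page visits and referral sources from server access-log lines and applies the last-block IP masking described under "Pseudonymization and Anonymization". It goes beyond the article's IPv4 case by also masking IPv6 to a /48 prefix, which is an assumption of this example; the log lines and the names `maskIp` and `summarize` are constructed for illustration.

```javascript
// Added example (not from the original article): page-view and referrer counts
// from access-log lines, keeping only masked IP addresses.
// SAMPLE_LOG is constructed data in the Apache/nginx "combined" log format.
const SAMPLE_LOG = [
  '192.168.0.10 - - [12/Mar/2024:10:01:22 +0000] "GET /blog/gdpr HTTP/1.1" 200 5123 "https://www.example.org/search?q=gdpr" "Mozilla/5.0"',
  '192.168.0.77 - - [12/Mar/2024:10:02:05 +0000] "GET /blog/gdpr HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [12/Mar/2024:10:03:40 +0000] "GET /pricing?email=a%40b.example HTTP/1.1" 200 900 "https://news.example.net/item/1" "Mozilla/5.0"',
  '192.168.0.10 - - [12/Mar/2024:10:04:00 +0000] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  'not a log line',
];

// Captures: client IP, method, request target, status code, referrer.
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/;

// IPv4: zero the last octet, as in the article (192.168.0.10 -> 192.168.0.0).
// IPv6: keep the first three groups (a /48); that width is this example's assumption.
function maskIp(ip) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    return ip.split('.').slice(0, 3).join('.') + '.0';
  }
  if (!ip.includes(':')) return 'unknown';
  const [left, right] = ip.split('::');
  const head = left ? left.split(':') : [];
  const tail = right ? right.split(':') : [];
  // Expand a "::" abbreviation so the first three groups are well defined.
  const gap = ip.includes('::') ? Math.max(0, 8 - head.length - tail.length) : 0;
  return [...head, ...Array(gap).fill('0'), ...tail].slice(0, 3).join(':') + '::';
}

const bump = (map, key) => map.set(key, (map.get(key) || 0) + 1);

function summarize(lines) {
  const stats = { pageViews: new Map(), referrers: new Map(), networks: new Set(), skipped: 0 };
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) { stats.skipped += 1; continue; }       // unparsable line
    const [, ip, method, target, status, referrer] = m;
    if (method !== 'GET' || !status.startsWith('2')) continue; // successful views only
    bump(stats.pageViews, target.split('?')[0]);    // query strings can carry personal data
    stats.networks.add(maskIp(ip));                 // the full address is never stored
    try {
      bump(stats.referrers, new URL(referrer).hostname); // host only, no path or query
    } catch (_) { /* "-" or malformed referrer: treated as a direct visit */ }
  }
  return stats;
}

console.log(summarize(SAMPLE_LOG));
```

The two IPv4 visitors in the sample collapse into one masked network, which is the loss of accuracy that masking trades for privacy.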

Exploring Alternatives to Third-party Services

Self-hosted services like Matomo provide a privacy-conscious alternative to mainstream analytics platforms. Such tools offer IP anonymization and respect Do Not Track requests.

Matomo: A Self-Hosted Analytics Solution

Matomo offers a robust alternative to platforms like Google Analytics, allowing users to host their own web traffic analytics. While setting it up on a LAMP stack is relatively straightforward, managing high traffic volumes will pose challenges.

Ensuring GDPR Compliance with Matomo

A standout feature of self-hosted Matomo is the inherent privacy it provides by not sharing your user data with third-party data processors. This is further reinforced by its features that address GDPR requirements directly, such as IP anonymisation and cookie-less tracking. Additionally, Matomo respects the "Do Not Track" headers by default. Although this setting can be changed, it's advised against.

Navigating Adblockers, GDPR, and Anonymous Traffic Collection

Adblockers typically operate by targeting specific web components based on HTML DOM selector rules or by matching component URLs. Given its prominence, Google Analytics often becomes the primary target for most adblockers. This poses a challenge for websites utilizing third-party analytics services, as they cannot readily alter endpoint names to evade these blockers, barring the use of HTTP proxies to reroute requests.

However, if your analytics approach is in line with GDPR, collecting anonymous traffic data without personal identifiers, then circumventing adblockers isn't a GDPR concern. It's important to respect the "Do Not Track" headers, but if data is thoroughly anonymised, one could argue that these headers are inherently honored. Completely removing tracking isn't a viable solution either, as malevolent actors could flood a site with requests carrying "Do Not Track" headers and go unnoticed. The optimal solution is to ensure data anonymity and avoid tying user visits to personal data unless users willingly register and accept the associated privacy policy and terms of service. This approach is more user-friendly than immediately bombarding visitors with cookie consent prompts.

Bypassing Adblockers with Matomo

During my exploration, I observed that the matomo.js and matomo.php files—used for analytics and data collection respectively—were frequently blocked by adblockers. A simple workaround involved renaming these files by implementing server rewrite rules. Furthermore, Matomo supports data transmission via POST requests instead of GET, which is advantageous as adblockers are generally less aggressive towards POST requests. The code snippet below modifies Matomo to utilize POST requests, and both aforementioned files can be easily renamed within the tracker:

var _paq = window._paq = window._paq || [];
_paq.push(['setRequestMethod', 'POST']); // send tracking requests via POST instead of GET