GDPR Friendly Web Traffic Analytics without Cookie Consent Banner

The following are based on my personal interpretations and may not be entirely accurate. They should not be taken as legal counsel. For definitive GDPR guidance, please consult a legal professional.

Abstract

The introduction of GDPR led to an influx of cookie consent banners which sometimes hinder user engagement. However, GDPR's core goal isn't to disrupt the online experience by having banners presented but to reform how online applications monitor users. Thankfully, there are strategies to analyze web traffic in compliance with GDPR without these banners. These strategies are explored below.

The Issue with Current Cookie Practices

  1. Understanding GDPR's Implications: GDPR mandates that online platforms seek user consent before storing personal data, including IP addresses.
  2. The Present Scenario: Numerous websites now use invasive cookie banners, prioritizing user consent but sometimes making it difficult for users to opt for minimal tracking. This inadvertently discourages users from interacting with web content.
  3. Roles and Responsibilities:
    • Data Controller: As the primary point of user interaction online, you are a data controller, accountable for the personal data shared with data processors.
    • Data Processors: These can include services like Google Analytics, embedded social components, third-party comment boxes like Disqus, and similar. They process user data unless they explicitly declare that they collect no personal information and are GDPR-compliant, which is rare.
  4. GDPR's Data Minimization Principle: This principle underlines that only vital data should be collected. Ensure your analytics truly requires the data being accumulated to foster user trust and maintain GDPR compliance.
  5. User Experience Impact: A seamless user journey, without disruptive banners, can enhance engagement, potentially boosting conversions.

Pursuing GDPR-Friendly Solutions

Unnecessary popups and banners can significantly deter users from enjoying and engaging with your content. By ensuring GDPR-friendly analytics, you provide a smoother user experience, which can lead to better conversion rates.

Pseudonymization and Anonymization

While making data fully anonymous is ideal, pseudonymization is an effective alternative. It involves altering data so that it cannot be linked to a specific individual without supplementary information. A common technique is truncating IP addresses, for example turning 192.168.0.10 into 192.168.0.0. However, multiple EU Data Protection Authorities have ruled that truncated IPs still constitute personal data, regardless of how many octets you mask — especially when combined with other data points like timestamps, user agents, and referrers. To get closer to true anonymization, consider these alternatives:

  • Don't store IPs at all — tools like Matomo support this, tracking only page views, referrers, and non-identifying metrics.
  • Hash IPs with a rotating salt — discard the salt daily so the original IP becomes unrecoverable. Note that during the salt's lifetime, this is still pseudonymization.
  • Aggregate only — instead of storing individual visits, increment counters like "5 visits today from Germany." No individual record means no personal data.
  • Follow an authority-approved configuration — Matomo combined with specific settings (2+ octet truncation, no cookies, no user ID, short retention) has been recognized by the French CNIL as consent-exempt.
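
A sketch of the rotating-salt item from the list above, added here as an illustration and not taken from Matomo or any other tool. The class and function names and the sample hits are constructed for the example, and hits are assumed to arrive in chronological order.

```python
import hashlib
import hmac
import secrets
from datetime import date

DAY1, DAY2 = date(2025, 3, 3), date(2025, 3, 4)
# Constructed sample hits (documentation IP ranges), in chronological order.
SAMPLE_HITS = [
    (DAY1, "192.0.2.10", "Firefox"),
    (DAY1, "192.0.2.10", "Firefox"),    # same visitor, second page view
    (DAY1, "198.51.100.7", "Chrome"),
    (DAY2, "192.0.2.10", "Firefox"),    # returns the next day
]


class RotatingSaltHasher:
    """Maps (IP, user agent) to a per-day token. The salt exists only in memory."""

    def __init__(self):
        self._day = None
        self._salt = None

    def _salt_for(self, day):
        # On a day change the previous salt is overwritten, never persisted,
        # so earlier tokens cannot be recomputed from a known IP afterwards.
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def token(self, ip, user_agent, day):
        msg = f"{ip}|{user_agent}".encode()
        # Keyed hash: without the salt, the small IPv4 space cannot be brute-forced.
        return hmac.new(self._salt_for(day), msg, hashlib.sha256).hexdigest()[:16]


def daily_uniques(hits, hasher):
    """Count distinct tokens per day; raw IPs and tokens are not returned."""
    seen = {}
    for day, ip, user_agent in hits:
        seen.setdefault(day, set()).add(hasher.token(ip, user_agent, day))
    return {day: len(tokens) for day, tokens in seen.items()}


if __name__ == "__main__":
    print(daily_uniques(SAMPLE_HITS, RotatingSaltHasher()))
```

The same visitor gets a different token on the next day, so visits cannot be linked across days. Within one day the token is still a pseudonym, as the list item notes.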

Cookie-less Tracking

It is possible to track visited pages during a session without cookies. This reduces accuracy between sessions but can be a viable option. Techniques include ETags, local storage, or cached images. However, be aware that the ePrivacy Directive treats ETags and local storage similarly to cookies — using them to persist identifiers on the client may still require consent. A safer approach is purely server-side session tracking based on request context alone, without storing any identifier on the client. This reminds me of years ago, when we used image tags to track web traffic because not everyone had JavaScript in their browsers.

Embedding Web Components the GDPR Way

To sidestep GDPR consent banners:

  • Use GDPR-compliant third-party services that don't store personal data, including IP addresses. Unfortunately, using most web components like Disqus will require the consent banner. Most free services rely on collecting user data, and if they became GDPR-compliant they could no longer provide the services for free. They might have paid versions that are GDPR-compliant.
  • For Google Analytics, note that GA4 no longer offers a simple IP anonymization toggle like Universal Analytics did. GDPR compliance with GA4 now requires Google Consent Mode v2, and several EU Data Protection Authorities (including Austrian and French DPAs) have ruled that GA violates GDPR due to US data transfers. If you still choose GA4, consider non-cookie-based tracking to reduce consent requirements, but be aware of the regulatory risks involved.

Google Analytics 4: A Brief Review

Google Analytics 4 has matured since its rocky initial launch, with improvements to its interface and reporting. However, its deep integration with other Google services like BigQuery and Looker Studio (formerly DataStudio) still makes it a more complex platform than its predecessor. It requires consistent engagement to retain proficiency, and no longer presents itself as a straightforward dashboard you can check sporadically. More importantly from a GDPR perspective, GA4 remains a third-party data processor that transfers data to US servers — a fundamental concern that no amount of UI polish resolves.

Hosting Considerations

Hosting sites outside the EU can pose GDPR challenges. Shared hosting platforms may not adhere to GDPR norms, because they collect IP addresses and visited web pages, potentially compromising GDPR compliance. The panels they provide often include a dashboard of visitors that works even without cookies, which is a GDPR concern.

The Essence of JavaScript in Web Analytics

While JavaScript facilitates comprehensive data collection about the user's operating system, browser version, screen resolution and more, alternatives like server logs or the server's application context suffice for basic metrics like page visits and referral sources.
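
An added example (not from the original article or any analytics product) of getting page visits and referral sources from server logs while keeping only aggregate counters, as in the "aggregate only" option earlier. It assumes the Combined Log Format; the host name www.example.com and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Combined Log Format. The client address (first field) is matched but not captured.
LINE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
ASSETS = (".css", ".js", ".png", ".jpg", ".ico", ".svg")

# Constructed sample lines (documentation IP ranges, example.* hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Mar/2025:09:15:02 +0000] "GET /blog/gdpr?utm_source=x HTTP/1.1" 200 5120 "https://news.example.org/item?id=1" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [03/Mar/2025:09:15:03 +0000] "GET /static/site.css HTTP/1.1" 200 812 "https://www.example.com/blog/gdpr" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [03/Mar/2025:10:01:44 +0000] "GET /blog/gdpr HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2025:11:30:00 +0000] "GET /blog/gdpr HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2025:11:31:10 +0000] "POST /contact HTTP/1.1" 302 0 "https://www.example.com/contact" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2025:08:02:19 +0000] "GET /about HTTP/1.1" 200 2048 "https://search.example.net/?q=analytics" "Mozilla/5.0"
this line is truncated or malformed
"""


def aggregate(log_text, own_host="www.example.com"):
    """Return (page_views, referrers) Counters keyed by (day, path) / (day, host)."""
    pages, referrers = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # malformed lines, form posts, redirects and errors
        # Query strings can carry identifiers (tokens, e-mail addresses): keep the path only.
        path = urlsplit(m["target"]).path
        if path.endswith(ASSETS):
            continue
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        pages[(day, path)] += 1
        # External referrers are reduced to a hostname; "-" and own pages are skipped.
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host and ref_host != own_host:
            referrers[(day, ref_host)] += 1
    return pages, referrers


if __name__ == "__main__":
    for counter in aggregate(SAMPLE_LOG):
        print(dict(counter))
```

The counters are only as anonymous as the pipeline around them: the raw access log still holds IP addresses until it is rotated or deleted.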

Exploring Alternatives to Third-party Services

Self-hosted services like Matomo provide a privacy-conscious alternative to mainstream analytics platforms. Such tools offer IP anonymization and respect privacy signals like Global Privacy Control (GPC), which has replaced the now-deprecated Do Not Track standard.

Matomo: A Self-Hosted Analytics Solution

Matomo offers a robust alternative to platforms like Google Analytics, allowing users to host their own web traffic analytics. While setting it up on a LAMP stack is relatively straightforward, managing high traffic volumes will pose challenges.

Ensuring GDPR Compliance with Matomo

A standout feature of self-hosted Matomo is the inherent privacy it provides by not sharing your user data with third-party data processors. This is further reinforced by its features that address GDPR requirements directly, such as IP anonymisation and cookie-less tracking. Additionally, Matomo supports privacy signals including Global Privacy Control (GPC), which has replaced the now-deprecated Do Not Track header. Keeping these privacy signals enabled is recommended.

Navigating Adblockers, GDPR, and Anonymous Traffic Collection

Adblockers typically operate by targeting specific web components based on HTML DOM selector rules or by matching component URLs. Given its prominence, Google Analytics often becomes the primary target for most adblockers. This poses a challenge for websites utilizing third-party analytics services, as they cannot readily alter endpoint names to evade these blockers, barring the use of HTTP proxies to reroute requests.

However, if your analytics approach is truly GDPR-compliant — collecting only anonymous traffic data without personal identifiers — then circumventing adblockers is less of a legal concern and more of an ethical one. It's important to respect privacy signals like Global Privacy Control (GPC), which unlike the deprecated Do Not Track header, carries legal weight. That said, if data is thoroughly anonymized with no way to identify individuals, one could argue these signals are inherently honored. The optimal solution is to ensure genuine data anonymity and avoid tying user visits to personal data unless they willingly register and accept the associated privacy policy and terms of service. This approach is more user-friendly than immediately bombarding visitors with cookie consent prompts. Be aware, though, that regulators have begun scrutinizing adblocker circumvention practices — so ensure your anonymization is robust and defensible, not just nominal.

Bypassing Adblockers with Matomo

During my exploration, I observed that the matomo.js and matomo.php files—used for analytics and data collection respectively—were frequently blocked by adblockers. A simple workaround involved renaming these files by implementing server rewrite rules. Furthermore, Matomo supports data transmission via POST requests instead of GET, which is advantageous as adblockers are generally less aggressive towards POST requests. The code snippet below modifies Matomo to utilize POST requests, and both aforementioned files can be easily renamed within the tracker:

_paq.push(['setRequestMethod', 'POST']);