Data privacy laws and public concern over privacy matters will affect your business. Four reasons:
- Analytics: companies want data, but people don’t like to be tracked
- User experience: the banner is ugly, but every analytics tool needs one
- Brand trust: tracking without permission is not okay
- Legal risks: do this wrong, and you could get fined
There’s a lot of confusion around analytics and privacy, so we listed all the different options to help you comply with privacy regulations.
Validated: Niku Hinkka — CIPP/E certified Data Protection Officer @ Opsec
Illegal
Use Google Analytics without a banner
The default configuration in Google Analytics (GA) is to track user identities without a consent banner. And because GA powers 60% of all websites, most websites use GA illegally.
Pros: No banner
Cons: Illegal
Bad
Use a GDPR banner
One way to comply with the GDPR and other regulations is to use a consent banner that asks for permission to track the visitor.
This option is the worst because the banner overlay covers your content and does more harm than good to your website experience and brand.
According to some privacy experts, the banners are almost a useless exercise. No one reads or trusts the banner because many sites set cookies and track people regardless of what the visitor chooses on the overlay. For example: here’s a GDPR banner from forbes.com.
Some harsh facts from the banner above:
- The list has a whopping 425 options. Seriously: that’s more than 400 different trackers.
- The “Reject all” option is not visible on the viewport.
- After rejecting all options, Forbes doesn’t care. They still track people and set identifying cookies.
Forbes gives us an excellent example of how not to treat your visitors, which makes a terrible first impression and hurts your conversion rates.
Pros: No legal risks (if done right)
Cons: UX issues, lack of trust, fewer conversions
50% Good
Ditch all cookies and the banner
Another way to comply with GDPR is to configure GA to work without cookies or pay for a simple, privacy-friendly alternative like Plausible, Fathom, or Simple Analytics.
Ditching cookies limits your data quite a bit: for example, you can’t make a distinction between new visitors and returning visitors. And while this makes you GDPR and CCPA compliant, it doesn’t make you compliant with ePrivacy, which states that all analytics requires consent in Europe, whether you use cookies or not.
Disregarding ePrivacy holds a legal risk because you are tracking visitors without their permission.
Pros: No UX issues
Cons: Small legal risk, Small trust issue, Limited data
70% Good
Ditch identifying cookies and the banner
This is a privacy-friendly option without the need to limit your data. You get the essential information about your return visitors and their past website behavior.
This model is how Volument operates. We use localStorage to store historical data anonymously without any identifying tokens, making Volument compliant with GDPR and CCPA.
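A sketch of how return-visit data can be kept in localStorage without any identifier, as described above. This is an added example, not Volument's code; the storage key, field names and bucket boundaries are assumptions.

```javascript
// Added example: return-visit stats in localStorage with no visitor ID.
// KEY, bucket, recordVisit and MemoryStorage are hypothetical names.
const KEY = "visit_history";
const ISO_DAY = /^\d{4}-\d{2}-\d{2}$/;

// Coarse buckets, so the reported count cannot single out one visitor.
function bucket(n) {
  if (n <= 1) return "1";
  if (n <= 3) return "2-3";
  if (n <= 9) return "4-9";
  return "10+";
}

// Update the stored history and build the payload for this pageview.
// `storage` needs getItem/setItem (window.localStorage in a browser).
function recordVisit(storage, now = new Date()) {
  let history;
  try {
    history = JSON.parse(storage.getItem(KEY)) || {};
  } catch {
    history = {}; // corrupted or tampered value: start over
  }
  const today = now.toISOString().slice(0, 10); // day precision only
  const stored = history.visits;
  const visits = Number.isInteger(stored) && stored > 0 ? stored : 0;
  const firstOk = ISO_DAY.test(history.firstDay) &&
    !Number.isNaN(Date.parse(history.firstDay));
  const next = {
    visits: history.lastDay === today ? Math.max(visits, 1) : visits + 1,
    firstDay: firstOk ? history.firstDay : today,
    lastDay: today,
  };
  storage.setItem(KEY, JSON.stringify(next));
  const days = (Date.parse(today) - Date.parse(next.firstDay)) / 86400000;
  // Aggregates only: the payload has no random ID and no exact timestamp.
  return {
    returning: next.visits > 1,
    visitBucket: bucket(next.visits),
    weeksSinceFirst: Math.max(0, Math.min(52, Math.floor(days / 7))),
  };
}

// Stand-in for window.localStorage so the example also runs under Node.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
}
```

In a browser, call `recordVisit(window.localStorage)` and send the returned object with the pageview.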
There’s a consent-free option available for your use, but we cannot recommend this option because it’s not compatible with the ePrivacy directive.
The EU is preparing a new version of the directive, and we’ll make all the necessary adjustments when the final version is released.
Pros: Get all data, No UX issues
Cons: Small legal risk, Small trust issue
Good
Use a log analyzer
The ePrivacy banner is always required if you use a client-side JavaScript tracker. However, no banner is needed if you use a pure server-side log analyzer like GoAccess.
Log analyzers offer a limited amount of data, but enough for early-stage startups that only need the very basic traffic statistics.
Pros: No UX issues, No legal risk
Cons: Limited data, Setup & maintenance work
Best
Anonymous cookies + ePrivacy banner
The best option is to take advantage of anonymous cookies and display the privacy banner only for European visitors. This option has all the pros and few or no cons. You get retention data while complying with the privacy regulations: GDPR, CCPA, and ePrivacy.
The ePrivacy banner is subtle and doesn’t attempt to fool the visitor, and it’s only shown to visitors from Europe. For the rest of the world, no banner is needed. Here’s what the ePrivacy banner looks like in Volument:
You can customize the banner to your liking and style it with CSS.
Pros: Get all data, No UX issues, No legal risk
Cons: None
We’re building Volument because we want to solve this puzzle.