How to comply with data privacy laws

1. Analytics: companies want data, but people don’t like to be tracked
2. User experience: the banner is ugly, but every analytics needs one
3. Brand trust: tracking without permission is not okay
4. Legal risks: do this wrong, and you could get fined

There’s a lot of confusion around analytics and privacy, so we listed all the different options to help you comply with privacy regulations.

Use Google Analytics without a banner - Illegal ☠️

The default configuration in Google Analytics (GA) is to track user identities without a consent banner. And because GA powers 60% of all websites, most websites use GA illegally.

Use a GDPR banner - Bad 👎

One way to comply with the GDPR and other regulations is to use a consent banner that asks for permission to track the visitor.

This option is the worst because the banner overlay covers your content and does more harm than good to your website experience and brand.

According to some privacy experts, the banners are almost a useless exercise. No one reads or trusts the banner because many sites set cookies and track people regardless of what the visitor chooses on the overlay. For example: here's a GDPR banner from forbes.com

Some harsh facts from the banner above :

1. The list has a whopping 425 options. Seriously: that's more than 400 different trackers.
2. The “Reject all” option is not visible on the viewport.
3. After rejecting all options, Forbes doesn't care. They still track people and set identifying cookies.

Forbes gives us an excellent example of how not to treat your visitors, which makes a terrible first impression and hurts your conversion rates.

Ditch all cookies and the banner - 50% Good 🤞

Another way to comply with GDPR is to configure GA to work without cookies or pay for a simple, privacy-friendly alternative like Plausible, Fathom, and Simple Analytics.

Ditching cookies limits your data quite a bit: for example, you can't make a distinction between new visitors and returning visitors. And while this makes you GDPR and CCPA compliant, it doesn't make you compliant with ePrivacy, which states that all analytics requires consent in Europe, whether you use cookies or not.

Disregarding ePrivacy holds a legal risk because you are tracking visitors without their permission.

Ditch identifying cookies and the banner - 70% Good 👍

This is a privacy-friendly option without the need to limit your data. You get the essential information about your return visitors and their past website behavior.

This model is how Volument operates. We use localStorage to store historical data anonymously without any identifying tokens, making Volument compliant with GDPR and CCPA.

There's a consent-free option available for your use, but we cannot recommend this option because it's not compatible with the ePrivacy directive.

EU is preparing a new version of the directive and we'll make all the necessary adjustments when the final version is released.

Use a log analyzer - Good 👍👍

The ePrivacy banner is always required if you use a client-side JavaScript tracker. However, no banner is needed if you use a pure server-side log analyzer like GoAccess.

Log analyzers offer a limited amount of data, but enough for early-stage startups who are good with just the very basic traffic statistics.

Anonymous cookies + ePrivacy banner - Best 👍👍👍

The best option is to take advantage of anonymous cookies and display the privacy banner only for European visitors. This option has all the pros and little or no cons. You get retention data while complying with the privacy regulations: GDPR, CCPA, and ePrivacy.

The ePrivacy banner is subtle and doesn't attempt to fool the visitor and it's only shown for visitors from Europe. For the rest of the world, no banner is needed. Here's how the ePrivacy banner looks like in Volument:

You can customize the banner to your likings and style it with CSS.

We're building Volument because we want to solve this puzzle.