How to comply with data privacy laws
Data privacy laws and public concern over privacy matters will affect your business. Four reasons:
- Analytics: companies want data, but people don’t like to be tracked
- User experience: the banner is ugly, but every analytics needs one
- Brand trust: tracking without permission is not okay
- Legal risks: do this wrong, and you could get fined
There’s a lot of confusion around analytics and privacy, so we listed all the different options to help you comply with privacy regulations.
Validated: Niku Hinkka — CIPP/E certified Data Protection Officer @ Opsec
Last updated: April 27, 2022
Use Google Analytics without a banner - Illegal ☠️
The default configuration in Google Analytics (GA) is to track user identities without a consent banner. And because GA powers 60% of all websites, most websites use GA illegally.
Pros: No banner
Cons: Illegal
Use a GDPR banner - Bad 👎
One way to comply with the GDPR and other regulations is to use a consent banner that asks for permission to track the visitor.
This option is the worst because the banner overlay covers your content and does more harm than good to your website experience and brand.
According to some privacy experts, the banners are almost a useless exercise. No one reads or trusts the banner because many sites set cookies and track people regardless of what the visitor chooses on the overlay. For example: here's a GDPR banner from forbes.com
Some harsh facts from the banner above:
- The list has a whopping 425 options. Seriously: that's more than 400 different trackers.
- The “Reject all” option is not visible on the viewport.
- After rejecting all options, Forbes doesn't care. They still track people and set identifying cookies.
Forbes gives us an excellent example of how not to treat your visitors, which makes a terrible first impression and hurts your conversion rates.
Pros: No legal risks (if done right)
Cons: UX issues, lack of trust, fewer conversions
Ditch all cookies and the banner - 50% Good 🤞
Another way to comply with GDPR is to configure GA to work without cookies or to pay for a simple, privacy-friendly alternative like Plausible, Fathom, or Simple Analytics.
Ditching cookies limits your data quite a bit: for example, you can't make a distinction between new visitors and returning visitors. And while this makes you GDPR and CCPA compliant, it doesn't make you compliant with ePrivacy, which states that all analytics requires consent in Europe, whether you use cookies or not.
Disregarding ePrivacy holds a legal risk because you are tracking visitors without their permission.
Pros: No UX issues
Cons: Small legal risk, small trust issue, limited data
Ditch identifying cookies and the banner - 70% Good 👍
This is a privacy-friendly option without the need to limit your data. You get the essential information about your return visitors and their past website behavior.
This model is how Volument operates. We use localStorage to store historical data anonymously without any identifying tokens, making Volument compliant with GDPR and CCPA.
There's a consent-free option available for your use, but we cannot recommend it because it's not compatible with the ePrivacy directive.
The EU is preparing a new version of the directive, and we'll make all the necessary adjustments when the final version is released.
Pros: Get all data, no UX issues
Cons: Small legal risk, small trust issue
Use a log analyzer - Good 👍👍
The ePrivacy banner is always required if you use a client-side JavaScript tracker. However, no banner is needed if you use a pure server-side log analyzer like GoAccess.
Log analyzers offer a limited amount of data, but enough for early-stage startups that are fine with just the basic traffic statistics.
Pros: No UX issues, no legal risk
Cons: Limited data, setup and maintenance work
Anonymous cookies + ePrivacy banner - Best 👍👍👍
The best option is to take advantage of anonymous cookies and display the privacy banner only for European visitors. This option has all the pros and few or no cons. You get retention data while complying with the privacy regulations: GDPR, CCPA, and ePrivacy.
The ePrivacy banner is subtle and doesn't attempt to fool the visitor, and it's only shown to visitors from Europe. For the rest of the world, no banner is needed. Here's how the ePrivacy banner looks in Volument:
You can customize the banner to your liking and style it with CSS.
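The two ideas above, identifier-free storage of return-visit history and a consent banner that is shown only to European visitors, fit together in one small client. The following is an added example written for this article; it is not Volument's code. It assumes a localStorage-compatible store is passed in (so the same logic runs in a browser or under Node), that the visitor's two-letter country code comes from a geolocation lookup outside the snippet, and that the EU/EEA country set is where the ePrivacy rules apply. The allowlist check on stored fields is this example's own guard, not something the article describes.

```javascript
// Added example (not Volument's code): consent-gated analytics that keeps
// returning-visitor data without storing any identifying token.
// Assumptions: `storage` is localStorage-compatible (getItem/setItem);
// `countryCode` is an ISO two-letter code from a geolocation lookup.

// EU member states plus the EEA countries, where the ePrivacy rules apply.
const EU_EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE",             // EU-27
  "IS", "LI", "NO", // EEA
]);

// The only fields the stored record may contain: counters, day-granular dates
// and the consent choice. A visitor id, fingerprint or e-mail is rejected.
const ALLOWED_KEYS = new Set(["visits", "firstSeen", "lastSeen", "consent"]);
const STORAGE_KEY = "analytics";

// Whole days since the epoch: coarse enough not to single out a person.
function dayOf(ms) {
  return Math.floor(ms / 86_400_000);
}

// A client-side tracker needs the ePrivacy banner for European visitors only.
function needsBanner(countryCode) {
  return EU_EEA.has(String(countryCode).toUpperCase());
}

// Guard: refuse to read or write a record that carries an identifying field.
function assertAnonymous(record) {
  for (const key of Object.keys(record)) {
    if (!ALLOWED_KEYS.has(key)) {
      throw new Error(`identifying field not allowed in analytics record: ${key}`);
    }
  }
  return record;
}

function load(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) {
    return { visits: 0, firstSeen: null, lastSeen: null, consent: "unknown" };
  }
  return assertAnonymous(JSON.parse(raw));
}

function save(storage, record) {
  storage.setItem(STORAGE_KEY, JSON.stringify(assertAnonymous(record)));
}

// Stores the banner choice. The choice itself is not an identifier, so it may
// be kept even when the visitor rejects tracking.
function recordConsent(storage, choice) {
  if (choice !== "accepted" && choice !== "rejected") {
    throw new Error(`unknown consent choice: ${choice}`);
  }
  save(storage, { ...load(storage), consent: choice });
}

// Records one page view if allowed. Returns whether the banner must be shown
// and the anonymous event payload (null when nothing may be recorded).
function trackVisit({ storage, countryCode, now = Date.now() }) {
  const record = load(storage);
  const banner = needsBanner(countryCode);
  if (banner && record.consent === "unknown") {
    return { banner: true, event: null, reason: "awaiting consent" };
  }
  if (banner && record.consent === "rejected") {
    return { banner: false, event: null, reason: "consent rejected" };
  }
  const today = dayOf(now);
  const returning = record.visits > 0; // known without any visitor id
  const updated = {
    ...record,
    visits: record.visits + 1,
    firstSeen: record.firstSeen ?? today,
    lastSeen: today,
  };
  save(storage, updated);
  return {
    banner: false,
    event: { returning, visits: updated.visits, daysSinceFirst: today - updated.firstSeen },
    reason: banner ? "consent granted" : "outside EU/EEA, no consent required",
  };
}

// Constructed in-memory stand-in for window.localStorage, for running offline.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

// Demo: a Finnish visitor is asked first; after accepting, later visits are
// recognised as returning without a single identifying token in storage.
const demoStore = memoryStorage();
console.log(trackVisit({ storage: demoStore, countryCode: "FI" }));
recordConsent(demoStore, "accepted");
console.log(trackVisit({ storage: demoStore, countryCode: "FI" }));
```

The record never holds a random id, only a visit counter and day-granular first/last-seen values, which is enough to tell new from returning visitors (the data the cookieless option above loses) while giving a data-protection reviewer nothing that maps back to a person. Visitors outside the EU/EEA are counted immediately; European visitors are counted only after an explicit "accepted" choice.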
Pros: Get all data, no UX issues, no legal risk
Cons: None
We're building Volument because we want to solve this puzzle.