How to comply with data privacy laws

Data privacy laws and public concern over privacy matters will affect your business. Four reasons:

  1. Analytics: companies want data, but people don’t like to be tracked
  2. User experience: the banner is ugly, but every analytics tool needs one
  3. Brand trust: tracking without permission is not okay
  4. Legal risks: do this wrong, and you could get fined

There’s a lot of confusion around analytics and privacy, so we listed all the different options to help you comply with privacy regulations.

Validated: Niku Hinkka — CIPP/E certified Data Protection Officer @ Opsec

Last updated: April 27, 2022

Use Google Analytics without a banner

The default configuration in Google Analytics (GA) is to track user identities without a consent banner. And because GA powers 60% of all websites, most websites use GA illegally.

Pros: No banner

Cons: Illegal

Use a GDPR banner

One way to comply with the GDPR and other regulations is to use a consent banner that asks for permission to track the visitor.

This option is the worst because the banner overlay covers your content and does more harm than good to your website experience and brand.

According to some privacy experts, the banners are almost a useless exercise. No one reads or trusts the banner because many sites set cookies and track people regardless of what the visitor chooses on the overlay. For example: here's a GDPR banner from forbes.com

Some harsh facts from the banner above:

  1. The list has a whopping 425 options. Seriously: that's more than 400 different trackers.
  2. The “Reject all” option is not visible on the viewport.
  3. After rejecting all options, Forbes doesn't care. They still track people and set identifying cookies.

Forbes gives us an excellent example of how not to treat your visitors, which makes a terrible first impression and hurts your conversion rates.

Pros: No legal risks (if done right)

Cons: UX issues, lack of trust, fewer conversions

Ditch all cookies and the banner

Another way to comply with GDPR is to configure GA to work without cookies, or to pay for a simple, privacy-friendly alternative such as Plausible, Fathom, or Simple Analytics.

Ditching cookies limits your data quite a bit: for example, you can't make a distinction between new visitors and returning visitors. And while this makes you GDPR and CCPA compliant, it doesn't make you compliant with ePrivacy, which states that all analytics requires consent in Europe, whether you use cookies or not.

Disregarding ePrivacy holds a legal risk because you are tracking visitors without their permission.

Pros: No UX issues

Cons: Small legal risk, Small trust issue, Limited data

Ditch identifying cookies and the banner

This is a privacy-friendly option without the need to limit your data. You get the essential information about your return visitors and their past website behavior.

This model is how Volument operates. We use localStorage to store historical data anonymously without any identifying tokens, making Volument compliant with GDPR and CCPA.

A consent-free option is available, but we cannot recommend it because it's not compatible with the ePrivacy directive.

The EU is preparing a new version of the directive, and we'll make all the necessary adjustments when the final version is released.

Pros: Get all data, No UX issues

Cons: Small legal risk, Small trust issue

Use a log analyzer

The ePrivacy banner is always required if you use a client-side JavaScript tracker. However, no banner is needed if you use a pure server-side log analyzer like GoAccess.

Log analyzers offer a limited amount of data, but enough for early-stage startups who are good with just the very basic traffic statistics.

Pros: No UX issues, No legal risk

Cons: Limited data, Setup & maintenance work

Anonymous cookies + ePrivacy banner

The best option is to take advantage of anonymous cookies and display the privacy banner only for European visitors. This option has all the pros and little or no cons. You get retention data while complying with the privacy regulations: GDPR, CCPA, and ePrivacy.

The ePrivacy banner is subtle, doesn't attempt to fool the visitor, and is only shown to visitors from Europe. For the rest of the world, no banner is needed. Here's what the ePrivacy banner looks like in Volument:

You can customize the banner to your liking and style it with CSS.

Pros: Get all data, No UX issues, No legal risk

Cons: None
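The two mechanisms described above, returning-visitor data kept in localStorage without any identifying token, and a consent gate applied only to European visitors, as an added example that is not Volument's own code. It assumes a `storage` object with `getItem`/`setItem` (such as `window.localStorage`), a `region` hint supplied by the server (hypothetical, e.g. from a geo-IP lookup), and a constructed storage key `visit_stats`.

```javascript
// Added example (not the project's code). The stored record holds only a visit
// count and a last-visit timestamp: there is no client ID, UUID or other key a
// server could use to join this visitor's requests across sessions.
const KEY = 'visit_stats'; // constructed key name
const DAY_MS = 86400000;

function loadStats(storage) {
  try {
    const raw = storage.getItem(KEY);
    return raw ? JSON.parse(raw) : { visits: 0, last: null };
  } catch (e) {
    return { visits: 0, last: null }; // corrupt value: start over, never guess
  }
}

// Update the local counters and build the payload sent to the collector.
// Values are coarsened into buckets so the payload itself cannot serve as a
// fingerprint (an exact "days since last visit" would be far more unique).
function recordVisit(storage, now) {
  const stats = loadStats(storage);
  const days = stats.last === null ? null : Math.floor((now - stats.last) / DAY_MS);
  const updated = { visits: stats.visits + 1, last: now };
  storage.setItem(KEY, JSON.stringify(updated));
  return {
    returning: stats.visits > 0,
    visitBucket: updated.visits === 1 ? '1' : updated.visits <= 5 ? '2-5' : '6+',
    daysSinceLast: days === null ? null : days < 1 ? '<1' : days < 7 ? '1-6' : '7+',
  };
}

// Consent gate: as the text notes, ePrivacy requires consent from European
// visitors even when no identifying cookie is used, so the collector runs for
// EU visitors only after an explicit accept. Elsewhere no banner is involved.
function shouldCollect(region, consent) {
  return region !== 'EU' || consent === true;
}

// Entry point: returns the payload to send, or null when nothing may be collected.
// Note that a rejected EU visit leaves local state untouched as well.
function collect({ storage, now, region, consent }) {
  return shouldCollect(region, consent) ? recordVisit(storage, now) : null;
}
```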


We're building Volument because we want to solve this puzzle.
