Volument Data Policy
Volument tracks the usage of a website without collecting personally identifiable information (PII). It respects the privacy of your visitors.
What is privacy-friendly analytics?
Privacy-friendly analytics does not process or collect personally identifiable information (PII). Sensitive information such as passwords, email addresses, and user identifiers of any kind is not collected, and there is no way to trace the data back to the person or the person's device.
Examples of privacy-friendly analytics include Plausible, Fathom, Simple Analytics, and Volument.
What is privacy-unfriendly analytics?
Privacy-unfriendly analytics collects and processes personally identifiable information. It uses a permanent and unique ID on the client machine to track a visitor's online behavior over a long period. There are no restrictions on what data can be collected: email addresses, passwords, and user IDs are just fine. The data is typically used by advertising networks.
These systems are vulnerable to a data breach. For example, in 2018, Mixpanel pulled the values of hidden and password fields to their system and slurped them out to the public. No less than 25% of their customers were impacted.
Examples of privacy-unfriendly analytics include Google Analytics, Amplitude, and Mixpanel.
Do I need a cookie banner?
All third-party analytics software, privacy-friendly or not, must ask for user consent from European visitors before tracking them. All behavioral information, such as the “amount of pages visited within a single session” is covered by the General Data Protection Regulation (GDPR).
Consent is needed regardless of the storage technology. GDPR covers cookies, sessionStorage, server-side “fingerprinting”, or any new technology introduced in the future.
How about GDPR-compatible analytics?
There is no such thing. “GDPR compatibility” is a marketing term to separate privacy-friendly analytics from the unfriendly ones. No privacy law specialist would give an exception for a third-party website analytics product.
For example, Plausible and Fathom use the user-agent and IP address information to uniquely identify visitors on the server-side. This is called “fingerprinting”, and is not permitted by GDPR.
Even if the personal data is being anonymized, the data is still being processed. Every third-party analytics requires consent from the visitor.
What should I do then?
You should obey the law and respect each visitor’s right to choose whether they want to share their behavioral data:
- Ask users for their consent before tracking.
- Allow users who don’t want to be tracked to opt out.
- Always opt out when the Do Not Track (DNT) header is set.
- Don’t disguise your tracker as a first-party resource to avoid ad-blockers.
Thanks to Roger Comply at Paranoidpenguin for clarifying the above points.
Aren't cookie banners terrible?
Yes. The banners you see all over the internet are annoying because their purpose is to get your permission for all tracking, or else you don't get to see anything at all.
There is a better strategy: ask users for their consent in a nice way.
Use a small and clear dialog that doesn't ruin the user experience. Visitors will trust you and won't leave the site as soon as they arrive. And you get more conversions as a result.
And if you are worried about not getting enough data for statistical significance, you can disable the dialog for non-EU visitors.