GDPR Compliant Website Analytics — Putting Users in Control👌
Every website needs analytics 📈 to improve its product or service offering — to understand where users get lost in unclear UI, to monitor and resolve bugs, to justify the best copy, etc. No one disputes this. However, with the GDPR coming into force this May, it is becoming more clear than ever that it’s not acceptable for website owners to just collect analytics on everything a user does on your website by default. Users should be in control. How can website owners handle this? ❓
At Snips we do everything Private-by-Design 🔐, so our websites have always respected the Do Not Track headers, anonymized collected data, and avoided monitoring more than necessary. Recently we added an opt-in for analytics in a banner that we show all of our website visitors.
Now we could just perform analytics, business as usual 💼, until a visitor opts-out of analytics, but our sites do the opposite — they run completely without analytics until user consent has been given, via clicking the “Accept” button. This way we are preventing analytics scripts from setting any tracking cookies — unless they give consent— a privacy win!
How to implement consent-first analytics 📚
Update 📣: We just open sourced a library that makes it trivial to implement consent-first analytics on your websites: https://github.com/snipsco/yett 🎉
Conceptually it’s easier than you think to require consent before running analytics on the web — you won’t have to make any extensive changes to your sites. All you have to do is prevent analytics libraries from executing. But wait! Won’t my sites break if they’re setup to use these libraries? No! Let me explain why.
Analytics services such as Google Analytics & Mixpanel start recording events into a local buffer in the browser as soon as your site starts loading, in order to capture any early events such as page load times and page visits. They do this regardless of whether their analytics libraries have loaded, via the code they give you to put straight into your html. This code usually creates an empty array (the buffer), and a dummy “tracking function”, that just pushes events into this array.
The full analytics libraries, loaded separately, take care of sending away recorded events (including any events recorded before the library loaded) to the analytics services. The libraries also handle things like identifying a returning user, usually via cookies. Before a user has given consent for analytics, we want to avoid loading and executing all analytics libraries. As long as we still keep their bootstrapping code in our html, all we need to do when the user gives consent is to load and execute the missing libraries, and the libraries will take care of the rest, as if they were never missing in the first place! We get full analytics from users who are willing to share data, and all other visitors retain their full user privacy. 👌
Configuring your setup to defer the analytics libraries, while keeping their bootstrapping code, can require some reverse engineering of the code embeds these platforms provide. That’s why we created a library that handles this for you 🎉: https://github.com/snipsco/yett !
A final word of caution ⚠️️️️️️
Naturally, implementing a consent-first analytics policy means that data for a portion of users will be missing, which can affect the representative nature of the analytics. This will impact the absolute numbers, sometimes in a significant way: for example, users who bounce on your site are much more likely to not give the analytics consent (before bouncing) than other users. This means that the bounce rate will be harder to track with consent-first analytics. However, we believe that analytics should be about trends rather than absolute numbers. For most metrics, the bias introduced by the policy can be assumed to be stable over time, which means that trends can be relied upon just as before.
With this post you’ve learned about our approach to user data, and how you as a website owner can set up consent-first analytics for your website. If you have questions or feedback, please comment!
Thanks to those who reviewed this article, especially Joseph Dureau for the statistics refresher!
If you liked this article and want to support Snips, please share it!
Follow us on Twitter 👉 snips.
If you want to work on AI + Privacy, check out out jobs page.