loading...

Avoiding Cookie Banners

ihucos profile image ihucos ・3 min read

One thing I was researching for is a Web Analytics solutions - preferably free - that does not require any consent of it's users. I really want to archive a sane and clutter free user experience on my web projects. The attention span of users today is - a number in my head right now - 5 seconds. It already takes 2 seconds for a consent banner to load on your users browser and for the user to fully get over the distraction that there is something directly asking for its attention. After that there are only 3 seconds left to the user to decide if she is staying on that site or not. So in my opinion consent banners are really, really expensive. They eat up one of the most important resources: User attention.

This is not a defenitive list but comments on (preferably free) Web Analytics that could possibly be used without consent banners.

Google Analytics

The first product you think of when you hear about Web Analytics is Google Analytics. While you can at least disable cookies on Google Analytics with some efforts, the devil is in the details. So I will not go into that and just unfairly state that Google will always be Google. I actually did not manage to definitively find out how exactly to use Google Analytics without a consent banner or if this is possible at all. But I want to list it here because it is still today one of the obvious choices to consider.

Plausible

While it is not a Free product, it at first sight seems quite interesting to me and claims on the front page "No cookie banners or GDPR/CCPA consent needed". It is open source, has a public road map and I actually do like the product itself. At first sight this product clearly seems to be the solution to avoid a cookie banner. Well I am afraid not. I am no lawyer and will only present apparently contradictory information from Plausible and another source and also ask Plausible to clarify after publishing this post.

Here is a really good article. According to that source, asking for consent is only needed if you are only collection anonymized data. For pseudonymized data you still need consent. To quote the linked Article

In layman’s terms, the main difference is that while pseudonymous data still allows for some form of re-identification, anonymous data can’t be re-identified. That’s why the former is still considered personal data, while the latter isn’t.

While Plausible has good explanations of it's internal workings it is actually quite nice that we can transparently look directly into the source code: On each Pageview, there is a user_id saved to the database as attribute of an event here. The user id is a hash of the user's ip with her user agent and the website domain. That is also explained in plain words here. There possibly may lie other consequences in saving the hashed ip address but for this blog post my interpretation and claim is the following: This does not qualify as anomyzation, it’s pseudonimization and therefore a consent banner is still needed when using this product. I hope Plausible can clarify on this and if applicable, remove all corresponding claims about it's product.

Simple Web Analytics

After not finding anything Free with no cookie banner needed and not wanting to somehow figure out how exactly Google Analytics can fit the bill, I really just wrote my own analytics service and this is it. One of the biggest differences to other products is that it is really only a bunch of counters for the date, browser, country and so on. There are no cookies and no sessions (user ids) at all. I still do not claim that it is "GDPR compliant" anywhere at this point in time due to the complexity of the topic.

I conclusion this is the comparison of three products that could possibly fit the requirement of Web Analytics without a consent banner - and that preferably free of charge. Maybe only partly satisfying and I hope the internet and me will gain more clarity about the DSGVO with some time but I hope, I could clarify some points. I'd be happy to discuss more trough the comments!

Posted on by:

Discussion

markdown guide
 

Nice, but Analytics is not the only problem,

I am worried mostly about Google Analytics and Disqus, actually. Or, are they respective companies' problems?

Actually, I have exactly another one use case of cookies -- securing user authentication and session without relying on localStorage.