Anonymous tracking: How to do useful analytics without personal data

When running into the many restrictions on collecting and using personal data in web analytics, you might be asking yourself: Can I do useful web analytics without personal data?

The simple answer is yes. Although you won’t be able to draw the same conclusions as with personal data tracking, anonymous data collection methods absolutely do provide you with valuable insights into user behavior.

Regulations worldwide, like GDPR or the ePrivacy Regulation, set a high bar for collecting user data. For one, GDPR requires consent to process the data if it’s reasonably likely that such data could be used to identify an individual. The problem is that consent opt-in rates vary between 30% and 70% depending on the industry. 

The solution? 

Anonymizing data about users who don’t consent to personal data processing.

Analytics platforms featuring anonymous data collection, such as Piwik PRO, offer a viable path to processing user data instead of an all-or-none choice based on consent.

The core benefits of anonymous data from a privacy and regulatory perspective include:

• You are not dealing with personal data because there is no visitor identification. 
• You are not using data collected for other purposes (for instance, Google uses the data for advertising and to improve its services).
• You are not transferring data outside the EU.

Anonymous tracking – how it really works

Piwik PRO gives you three anonymous tracking methods to choose from:

Anonymous tracking with cookies and session data

In this scenario, Piwik PRO deploys a cookie that collects session data but no personal data. The session lasts 30 minutes, after which the web browser removes the identifier.

In this case, session tracking collects events and binds them into a session. The individual cannot be identified or tracked across sessions, so a user can’t be identified as a returning visitor.

The major advantage of this approach is that it gives you more trustworthy data than any other anonymous data tracking method. This method doesn’t create duplicate sessions. Plus, if a visitor decides to grant consent during their session, the session identifier turns into a first-party tracking cookie that will last longer than 30 minutes.

This is a good approach if you need to comply with strict privacy laws.

Anonymous tracking without cookies but with session data

In this method, Piwik PRO deploys an identifier in the form of a session hash. No cookies are created or stored in visitors’ browsers.

The session hash is temporary and kept for 30 minutes after the visitor’s last action. This type of identifier isn’t persistent or used for any analysis.

The platform collects only session data, without personal data. The session hash ties events, such as page views, to one session. 

The major advantage of this method is that it’s permissible under several privacy and cookie regulations, such as German’s TTDSG. The downside is that it is less precise in differentiating visitors, meaning sessions of different visitors may be glued together. The severity of this issue depends on the industry.

Anonymous tracking without cookies or session data

This method can’t identify an individual and can’t be used to pinpoint a single session. There are many pieces of data this approach doesn’t track, such as time spent on page, bounce rate, user flows, funnels or channel attribution. 

It’s the strictest way to collect anonymous data, and removes the risk of breaching privacy laws. Despite the lack of visitor and session data, this method is still useful in many business use cases.

Here is a summary of these anonymous data tracking methods:

All three anonymous tracking methods work under the following conditions:

• The geolocation is based on anonymized IP addresses or is deactivated.
• No personal data is tracked and stored in the database without explicit consent.
• Visitors who don’t consent appear as one-time visitors and can’t be identified across sessions, and their actions can’t be tied across multiple sessions. You won’t be able to determine if actions were performed by a returning visitor.

The lack of persistent tracking means your data can’t be used for certain marketing activities, such as:

• Long-term personalization.
• Remarketing.
• Attribution of conversions to actions taken over several visits.

But there are still many ways you can use anonymous data in marketing.

You can get the most value from the two tracking methods that bind the collected event data into sessions. Whether you use the solution with a cookie or session hash depends on your preference and your company’s situation. For example, a session hash will be a safer choice if you are subject to strict cookie laws. 

On the other hand, full anonymous tracking only collects events, making it a more limited source of information. But it still works when session or user-level data isn’t necessary.

How to use anonymous analytics data in your marketing activities

With all the technicalities explained, it’s time to show you some use cases for working with anonymous data.

You will be able to track the following information:

• Actions performed by users, such as the number of visitors, page views, conversions and time spent on the site. In most cases, you will be able to credit these actions to a single visitor. You’ll know that an anonymous visitor performed actions A, B, and C during their session.
• Basic attribution – How visitors got to your site, such as through organic search, ad, email campaign, etc.

Let’s look at a specific case:

A visitor enters a tracked website from Google organic search and doesn’t give consent. They visit a page with an article and read it, view a banner with the promo code for subscribing to a newsletter, then subscribe to the newsletter. After a few hours, they enter the website once more, view a product list, and make a purchase.

Here is what this visitor’s actions will look like for each type of anonymous tracking.

Cookies and session hash

• The visitor’s IP address is completely erased. 
• Geolocation is limited to the country level. 
• The visitor’s actions create a session.
• The visitor completes a goal: subscribes to the newsletter.
• The visitor enters a funnel defined for the tracked website.
• During the subsequent session, the user is not recognized as a returning visitor.
• The visitor’s purchase is not attributed to Google organic search channel – it’s classified as Direct.
• Most metrics in Audience, Behavior, and Video Overview are accurate.

No cookies but session hash

This option works in a similar way to the one with cookies and session hash. Due to the nature of cookies, the method with cookies is more resistant to cases when browser setup or IP address changes. Thus, in some cases, the option without cookies and with session hash can be a bit less accurate.

No cookies, no session hash

With this method:

• The visitor’s IP address is completely erased. 
• Geolocation is limited to the country level. 
• The visitor’s actions do not create a session.
• The visitor completes a goal: subscribing to the newsletter. The goal is not assigned to a specific session.
• The visitor does not enter a funnel defined for the tracked website.
• During the subsequent session, the visitor is not recognized as a returning visitor. 
• The purchase is attributed to the Direct channel. 
• Metrics like the number of page views, downloads, outlinks, site searches, and custom events (event-scoped metrics) appear correctly.

Anonymous tracking and personal data tracking: a hands-on use case

Now, let’s say a visitor ignores the consent banner, browses for 15 minutes and then consents for you to use their personal data for personalization. 

The data from those 15 minutes of browsing can now be added to their record using a cookie with a longer lifetime – in the case of Piwik PRO, it’s 12 months.

Initially, such data was anonymous, but now it can be used for personalization every time this person visits your website.

Can a website visitor block anonymous tracking?

Since one of the methods is based on a session cookie, you may wonder if it will still work if the visitor blocks cookies, for example, through their browser settings or an ad blocker. There are a few things to clarify:

1. Most of the tracking cookies contain personal data, but there are exceptions. The session identifier cookie, which Piwik PRO uses for anonymous data collection, doesn’t collect any personal data, as the web browser automatically deletes it after 30 minutes. It’s unlikely to identify a person based on the actions taken on a single website.
2. In many EU countries, privacy-friendly analytics is exempted from the consent requirement. For example, CNIL, the French data protection authority, has added Piwik PRO Analytics Suite to the list of analytics platforms that can be used to collect data without consent, given a certain configuration and set of limitations.
3. First-party cookies are rarely blocked. Browsers and ad blocking software are getting more successful in detecting third-party scripts. That said, analytics experts estimate that only about 1% of Internet users deactivate JavaScript or block all cookies. And if that’s not enough, you can always switch to the session identifier without a cookie.

Analytics without personal data – a long history and a promising future

Although anonymous data collection is still rare in web marketing and analytics, it has a long and effective history in other fields. 

Companies need to respond to the data privacy demands of Internet users around the world. Luckily, anonymous data collection methods, like the ones available in Piwik PRO Analytics Suite, will be your friend in achieving it. 

Learn more about privacy-compliant ways to collect analytics data:

• 6 ways analytics software collects data online
• Collect data in a privacy-friendly way
• Cory Underwood: US businesses are interested in how the changes in privacy laws in Europe affect data collection