6 ways analytics software collects data online – plus a comparison of 5 popular platforms
Data collection and analysis are a vital part of running any organization. For online data tracking, cookies and fingerprinting are among the most popular technologies and the basis for many tracking methods. In this article, we’ll discuss those different methods and the possibilities they provide. Additionally, we’ll compare how these 6 platforms approach tracking: Piwik PRO, Google Universal Analytics (GA3), Google Analytics 4 (GA4), Adobe Analytics, Matomo and Countly.
Chapter 1
The analytics tracker – the code at the center of data collection
What affects the kind of data that is collected, whether with cookies or fingerprinting? How do different tracking options fit into the new era of privacy regulations?
Chapters
- The analytics tracker – the code at the center of data collection
- Two worlds apart when collecting data
- Tracking with first-party cookies
- Cookieless tracking or fingerprinting
- Opt-in-only tracking
- Anonymous data tracking
- Anonymous tracking with cookies and session data
- Anonymous tracking without cookies, but with session data
- Anonymous tracking without cookies or session data
- Review of the analytics platforms and tracking methods
At the heart of any analytics platform is a tracker, an algorithm with several data collection possibilities. As the user of the platform, you set the parameters for the tracker and maybe add JavaScript tags around it. Once configured, it decides what will be tracked and what will not.
The details of how any tracker works have never been more important. Privacy laws such as the General Data Protection Regulation (GDPR) in Europe have made it crucial for organizations to know what data they collect and how. On the other hand, having good data has also never been so important to decision-making processes in the public and private sector.
Luckily, trackers can be set up both to collect useful data and to respect privacy regulations. The word track is even a little misleading. It might make you think that all trackers follow individuals around the web, collecting personal data. Some do, unfortunately. But many are set up to collect mostly anonymous data and then personal data only when there is clear consent for such collection.
There is confusion about which trackers are doing this in a compliant way. For example, some cookieless trackers claim to be only collecting anonymous data when this isn’t true. As we’ll see later, many cookieless methods still need consent because they collect personal data.
In this article, we’ll go through the different ways trackers can work and compare the pluses and minuses of each. We’ll also compare which analytics platforms offer support for each tracking method (looking at Google Universal Analytics, Google Analytics 4, Adobe Analytics, Matomo and Countly).
Piwik PRO Analytics Suite tracks web, intranet and app events with 6 tracking methods. All are what we consider to be part of a privacy-friendly approach to analytics. Here are those 6 methods along with basic information about them:
Piwik PRO tracking methods | Event tracking | User/device tracking | Session metrics | Uses cookies | Needs a consent mechanism |
---|---|---|---|---|---|
First-party tracking | |||||
Cookieless tracking | |||||
Opt-in only tracking | |||||
Anonymous data tracking with cookies and session data | |||||
Anonymous data tracking without cookies, but with session data | |||||
Anonymous data tracking without cookies or session data |
Chapter 2
Two worlds apart when collecting data
The tracker is a powerful instrument to collect data to aid your decision-making process. As already mentioned, you decide how to configure and use any given tracker. That said, many trackers were built with one goal: maximize data collection with little regard for data privacy.
Maximizing data collection
AdTech vendors collect large amounts of data and offer an attractive way for advertisers to target specific groups of people. Maximizing that data collection, without much regard for individual privacy, has made the most aggressive AdTech players into large profitable enterprises.
Some analytics platforms, such as Google Analytics, are part of that AdTech ecosystem and have trackers designed to maximize data collection, often at the expense of data privacy. This doesn’t mean they cannot be privacy-compliant, but they do put some serious hurdles along the way to privacy-friendly data collection.
We have written about such practices extensively on our blog:
- 4 Key Google Analytics drawbacks you won’t realize until it’s too late
- Is Google Analytics GDPR-compliant? 10 things to consider [UPDATE]
- Piwik PRO vs. Google Analytics: the most comprehensive comparison
- Piwik PRO vs. Google Analytics 360
- Piwik PRO vs. Adobe Analytics: An alternative to a powerful platform that falls short on data privacy [UPDATED]
First-party tracking and privacy-friendly analytics
Since the introduction of laws such as the GDPR and the blocking of third-party identifiers, such as IDFA on iOS, marketers and analysts are increasingly looking to a first-party approach. So what is the first-party approach?
Keep in mind that various tracking methods have a way of identifying an individual or a group of individuals.
Article 5, paragraph 3 of the ePrivacy directive 2002/58/EC states:
[…] access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information […] about the purposes of the processing, and is offered the right to refuse such processing by the data controller.
In other words, you often need the data subject’s consent for tracking and collecting behavioral data. This isn’t just part of the ePrivacy directive or GDPR. Many new privacy regulations require consent before any collection of personal data online. Besides consent, there are several other key parts of a first-party, and privacy-friendly, data collection approach:
- Have 100% control over your data, especially when it comes to personal data. You must be able to tell data subjects what the data is collected for and where it is being stored. In case of cloud solutions, avoid countries where local regulations don’t offer the same level of privacy protection as the GDPR. It is therefore important to pay attention to cloud solution providers and their server locations.
- Do not forward data to third parties or use it for any other purposes not mentioned during consent. This also applies to your data processor.
- Do not transfer the data outside the geographical borders of the jurisdiction where data was collected. If you need to do this, make sure you have consent and that the transfer destination has proper data protection safeguards (i.e. privacy laws – country- or even state-level).
- Make sure the data comes from a direct interaction between your website or product and the data subject.
- Do not restrict the data subject’s rights or freedoms – they should be able to consent to specific data collection purposes and be able to change their decision easily at any time.
- You, as data controller, should provide a transparent privacy policy for data subjects to stay informed. It is an important tool for acting in compliance with the GDPR and other data privacy regulations.
Additionally, you need to keep track of consents and data subject requests. You can either implement a standalone consent manager that will connect to your analytics stack, or you use an analytics platform offering an integrated consent manager.
A peek at the vendors
Most platforms would require the addition of an external consent manager to fit into the above approach. This integration introduces added complications. There can be a lot involved in making sure the external consent manager passes the right messages to the analytics platform, which needs information about what data to track based on consent.
It’s most important to find an analytics stack and consent manager that fits your use case. If that leads to choosing an external consent manager, just make sure you have the resources and expertise to get it properly integrated.
Some analytics vendors offer a simple consent banner, implemented in a tag manager, as an interim solution. Remember that a consent banner isn’t enough to satisfy most data privacy regulations. To meet legal requirements, you need to offer a clear choice and make it easy to not consent (no reject options hidden deep in menus allowed).
Feature | Piwik PRO | Google Analytics (3 & 4) | Matomo | Adobe Analytics | Countly |
---|---|---|---|---|---|
Does not need an external consent manager to stay compliant | |||||
Data residency | specific country, region or data center (private cloud in 60+ regions, 5 locations of public cloud) and on-premises | no specified data residency | specific country (limited to Germany) or on-premises | specific country, region or data centre (limited to 9 regions) | specific country (limited to 10 countries) or on-premises |
Piwik PRO offers an integrated consent manager. It collaborates seamlessly with the Analytics Suite’s Analytics, Tag Manager and Customer Data Platform modules. It automates much of the consent collection and management process, and provides an API to share your collected consent data with your whole analytics stack. Additionally, it can run in a zero-cookie-load mode that prevents tracking tags and pixels from firing before a consent is collected.
As a data processor, Piwik PRO doesn’t share the collected data. Your organization controls the data and what happens to it completely. Your organization gets its choice of server locations, cloud or private cloud, all over the world in addition to an option for on-premises self-hosting.
Both versions of Google Analytics present some major disadvantages:
- You don’t have control over where the data is sent and stored.
- The data you collect is used in other Google products and services, which everyone has access to.
- Most collected data will end up on American servers, even if that data was collected in the EU or anywhere else outside the US. In Europe, the invalidation of Privacy Shield means that these kinds of transfers are riskier than ever.
Matomo, on the other hand, doesn’t send data of European users overseas and lets you store the data on your own servers. Still, the consent banner implemented in Matomo’s tag manager isn’t enough if you are collecting any personal data. Either you disable cookies and take the risk of keeping only pseudonymous personal data (fingerprinting) in your database, or you implement a standalone consent manager that collects and manages consents. In some cases though, data subject requests need to be handled manually, which can be an arduous task on your own.
Let’s move on to discuss the tracking methods themselves.
Chapter 3
Tracking with first-party cookies
In this chapter we cover everything there is to know about cookies and see how each vendor implements cookies into data collection methods on their platforms.
For years, cookies have been used as the primary mechanism to identify and track users. They have been the undisputed champions when it comes to recognizing returning visitors on analytics platforms. For this reason, most cookies need consent from data subjects, especially those that have lifetimes longer than a session.
Keep in mind that the GDPR and the ePrivacy directive also acknowledge so-called functional cookies, as in “strictly necessary”. They exist to ensure the stable operation of a site or application or provide a service requested by the user. They generally don’t require consent because they are essential to provide basic functionality. These can be cookies used for e-commerce sites to remember items in a shopping cart or keep a session going for a logged-in user. Functional cookies can’t be used to collect personal data though. Depending on the country, they may not be able to collect analytics data at all, even if anonymous.
Used correctly and with proper consent, cookies allow for an important symbiosis that benefits your company and customers:
- You receive data about the behavior and journey of your customers that you can analyze to improve your products and services.
- Customers receive a better experience. They get the information they need more quickly and more easily find the products or information they want.
Yet not all cookies are without concern. Let’s take a look at third-party cookies. Third-party means these cookies are set by an external entity, often some kind of ad platform, that a visitor is not currently on. As a result, visitors often don’t know who is going to use their data and how.
The use of non-functional first-party cookies and third-party cookies is permitted under consent-first regulations like the GDPR if explicit consent is given by the data subject. The GDPR also requires you to keep track of data passed to third parties, in case a data subject request requires data changes or deletion. This is a big downside of using them, as third-party cookies demand more complicated data governance measures.
Finally, popular browsers are starting to block third-party cookies. This includes:
- Safari
- Mozilla Firefox
- Microsoft Edge
- Google Chrome, which will be blocking third-party cookies from mid 2023 onward
If you want to know more about cookies, we recommend this post: First-party vs third-party cookies: why first-party is the way to go
Here is a small table to recap tracking with first-party cookies:
First-party tracking | |
---|---|
Captures all traffic | |
Tracking technology | First-party cookie and/or local storage |
Visitor metrics | |
Session metrics | |
Event metrics | |
Channel attribution | Session and visitor level |
The data collected falls into the categories of sessions, events and website performance. To look at the full spectrum of data collected in Piwik PRO visit this help center article.
A peek at the vendors
The widespread use of first-party cookies among analytics vendors makes it clear that they are a practical method to collect data.
Feature | Piwik PRO | Google Analytics (3 & 4) | Matomo | Adobe Analytics | Countly |
---|---|---|---|---|---|
First-party cookie | |||||
Third-party cookie |
Adobe Analytics offers third-party cookies under the designation: adobe.sc.omtrdc.net. Google Analytics offers a third-party cookie for its Display Advertiser feature focusing on remarketing. Both are optional and will only be useful in some analytics stack configurations.
Chapter 4
Cookieless tracking or fingerprinting
In this chapter we turn our back on cookies and look to fingerprinting as a possibility for collecting data. We also discuss the privacy aspects of cookieless tracking.
Cookieless tracking most often serves the purpose of tracking users or their devices, when they delete cookies or don’t allow them in the first place. Also known as fingerprinting, it identifies returning users by combining similar patterns of linked and linkable information.
Most platforms employ a client-side method. This means the analytics instance places a container with a JavaScript snippet and the desired tag configuration on the user’s browser that collects information such as:
- IP address
- Browser type and version
- Browser plugins
- Default language
- Screen resolution
- Operating system
These data points may seem abstract, but together they can become personal data. In many cases it’s possible to use this information, together or with other unique identifiers, to create links to an individual or a group of people. If those links are possible, then cookieless tracking does need a specific consent from the data subject.
Recital 24 of the ePrivacy directive 2002/58/EC states:
[…] devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.
If you want to learn more about this topic, we recommend reading this article: Device fingerprint tracking in the post-GDPR era
Although cookieless tracking provides many advantages, it can make analyzing data much harder. This is especially true if you are trying to use fingerprints for tracking across sessions. This could lead to mixed-up profiles, as two sessions of one visitor become two separate profiles, or sessions of several visitors are combined into one profile.
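The failure modes described above, as an added example that is not part of the original article or any vendor's tracker: it hashes the six listed data points into one identifier and audits the resulting profiles against constructed sample hits. The FNV-1a hash, the `person` ground-truth label and all sample values are assumptions made for illustration.

```javascript
// FNV-1a (32-bit): a small non-cryptographic hash, standing in for whatever
// digest a real tracker applies to the concatenated attributes (assumption).
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The six data points listed in the article.
const FIELDS = ["ip", "browser", "plugins", "language", "screen", "os"];

// One identifier per distinct combination of the six values.
function fingerprint(hit) {
  return fnv1a(FIELDS.map((f) => String(hit[f])).join("|"));
}

// Group hits (one hit = one session) by fingerprint and compare the resulting
// profiles with the ground truth carried in the constructed `person` label.
function auditProfiles(hits) {
  const byPrint = new Map();  // fingerprint -> { people: Set, sessions: number }
  const byPerson = new Map(); // person -> Set of fingerprints
  for (const hit of hits) {
    const fp = fingerprint(hit);
    if (!byPrint.has(fp)) byPrint.set(fp, { people: new Set(), sessions: 0 });
    const profile = byPrint.get(fp);
    profile.people.add(hit.person);
    profile.sessions += 1;
    if (!byPerson.has(hit.person)) byPerson.set(hit.person, new Set());
    byPerson.get(hit.person).add(fp);
  }
  const merged = [];   // several visitors combined into one profile
  const linkable = []; // one visitor recognised across sessions
  for (const { people, sessions } of byPrint.values()) {
    if (people.size > 1) merged.push([...people]);
    else if (sessions > 1) linkable.push([...people][0]);
  }
  // One visitor whose sessions ended up in separate profiles.
  const split = [...byPerson]
    .filter(([, prints]) => prints.size > 1)
    .map(([person]) => person);
  return { profiles: byPrint.size, merged, split, linkable };
}

// Constructed sample hits (documentation IP ranges, invented values).
const aliceDevice = { ip: "203.0.113.10", browser: "Firefox 115", plugins: "pdf-viewer",
                      language: "en-US", screen: "2560x1440", os: "macOS 14" };
const officeDevice = { ip: "198.51.100.7", browser: "Chrome 120", plugins: "pdf-viewer",
                       language: "de-DE", screen: "1920x1080", os: "Windows 11" };
const daveDevice = { ip: "192.0.2.44", browser: "Safari 17", plugins: "",
                     language: "fr-FR", screen: "1440x900", os: "macOS 13" };

const SAMPLE_HITS = [
  { person: "alice", ...aliceDevice },
  { person: "alice", ...aliceDevice, browser: "Firefox 116" }, // browser updated
  { person: "bob", ...officeDevice },   // identical managed laptops
  { person: "carol", ...officeDevice }, // behind the same office IP address
  { person: "dave", ...daveDevice },
  { person: "dave", ...daveDevice },    // returns later, nothing changed
];

function demo() {
  return auditProfiles(SAMPLE_HITS);
}
```

On the sample data the profile count equals the number of real visitors, yet one profile holds two people and one person holds two profiles, so a plausible total can hide both errors. The `linkable` entry is the case where the fingerprint recognises a returning individual, which is what makes it personal data.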
Here is a small table to recap cookieless tracking:
Cookieless tracking | |
---|---|
Captures all traffic | |
Tracking technology | Browser fingerprint |
Visitor metrics | |
Session metrics | |
Event metrics | |
Channel attribution | Session and visitor level |
A peek at the vendors
Most vendors offer cookieless tracking by default.
Feature | Piwik PRO | Google Analytics (3 & 4) | Matomo | Adobe Analytics | Countly |
---|---|---|---|---|---|
Cookieless tracking by default |
Piwik PRO allows you to operate solely on cookieless tracking by deactivating cookies with a single setting.
Whenever cookieless tracking requires asking for consent, Piwik PRO’s built-in consent manager helps easily get proper consent.
Google Analytics does not offer any possibility to track cookieless by default. Under the new Consent mode, cookieless pings are sent to Google Analytics but are not collected or exposed in reporting at all.
Matomo requires you to embed additional code into every site you want cookieless tracking for. This involves having an IT specialist or analytics expert familiar with the platform. It is worth mentioning that Matomo has integrated cookieless tracking by default since version 4.
Chapter 5
Opt-in-only tracking
This chapter centers on consents, no matter how the tracking is done. We also take a look at the technical side of implementing consent mechanisms.
Opt-in-only tracking involves the collection of data, both personal and anonymous data, only in the case where specific consent is present. The specific consents can be for any number of data purposes, such as:
- Analytics
- Conversion tracking
- Remarketing
- A/B testing and personalization
- Marketing automation
- User feedback
Opt-in only tracking is a safe approach. As long as you use the data exactly as you describe in the consent, you’ll stay in line with even the strictest privacy laws. If you collect personal data, then you have to watch out for other restrictions such as data residency and data subject rights. If you don’t collect personal data, then opt-in-only tracking is even safer – asking consent to collect anonymous data will keep you well within all current data privacy regulations.
Since this method relies entirely on consent, let’s talk more about the details of properly collecting it. The GDPR explains under article 7 and recital 32 that “consent must be a clear affirmative act proving a freely given, specific, informed and unambiguous indication of the data subject’s agreement”. For any other privacy law that requires consent, the requirements are usually similar to this.
The ePrivacy directive, for example, states in recital 17 that “Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.” You must therefore ensure that every visitor receives clear communication about what data will be collected and how. In addition:
- Each user should be allowed to give or deny consent for each individual data collection purpose.
- Each user should have the option of withdrawing their consent at any time.
- Each user should be allowed to deny consent.
The downside of opt-in-only tracking is that no consent means no data. Depending on the industry and country, 30% to 50% of users are willing to give their consent for tracking. Some companies might not be able to accept getting data from less than half of visitors to their website. That is why analytics vendors provide many solutions for getting more analytical data without necessarily relying on consent.
Note
It is worth noting that a well-written and designed consent form can increase your consent rate drastically. If your consent rate is dropping, try changing your approach to the consent form design and copy.
Here is a small table to recap opt-in-only tracking:
Opt-in only tracking | |
---|---|
Captures all traffic | |
Tracking technology | First-party cookie and/or local storage |
Visitor metrics | |
Session metrics | |
Event metrics | |
Channel attribution | Session and visitor level |
If you want to learn more about consent and our Consent Manager, we recommend these articles:
- CNIL’s consent exemption for Piwik PRO – What it means for you and the analytics data you collect
- How Consent Manager can help you obtain GDPR-compliant consents?
A peek at the vendors
Among the vendors we’re looking at, only Piwik PRO and Countly provide an integrated consent manager.
If you need a consent manager for opt-in-only tracking or another method, then this is worth thinking about. Using an external consent manager might steer your company into rough waters, as several problems emerge:
- Lost time in the search for a new tool that hopefully does what it promises. This may cost you more in the long run if the integration needs maintenance or stops working.
- Seamless integration with the other tools in your analytics stack is often difficult and requires a lot of coding experience to do right.
- Extra work generated by an inefficient integration. Let’s say a data subject requests the deletion of their data through your external consent manager. If the integration fails or doesn’t support a certain function, you will have to dig through records manually to find the data subject’s information.
Feature | Piwik PRO | Google Analytics (3 & 4) | Matomo | Adobe Analytics | Countly |
---|---|---|---|---|---|
Opt-in tracking with an integrated consent manager |
Piwik PRO provides you with an integrated consent manager that lets you quickly set up a system to prompt users with a consent form. In addition, Consent Manager also:
- Supports company branding with the possibility of creating your customized consent forms
- Collects and manages all data protection requests in one place
- Integrates seamlessly with the Piwik PRO Tag Manager
- Lets non-IT personnel easily use the consent manager
- Provides users with an easy opt-in mechanism to comply with the GDPR, CCPA and other privacy laws around the world
- Can show consents only for the European Economic Area, which covers the whole jurisdiction of the GDPR
- Shows reports on consent performance
- Can send consents to other parts of your analytics stack via API
Google Analytics does not offer an integrated tool for collecting and processing consents. There is only a beta version of a consent mode, but no clear information on when a final version will be released.
Matomo provides you with code that enables you to implement an internal consent banner, but a fully-functioning consent management system is not provided.
Chapter 6
Anonymous data tracking
Once a user ignores or declines consent, it means no personal data can be collected. Vendors therefore offer multiple ways to collect anonymous data. We define what anonymous means in analytics, discuss what problems you might run into and take a brief look at the regulatory side of the topic.
DEFINITION
Anonymous data is data without any personal identifiers, direct or indirect, that could lead to an individual being identified. It is not personal data for the purposes of GDPR.
According to Recital 26 of GDPR: The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Some platforms also offer hashing or pseudonymization of personal data, in which individuals can be identified by anyone with the hashing key. Pseudonymous data is still personal data for the purposes of GDPR and many other data regulations.
Disclaimer
We let you and your legal department decide whether you want to work solely with active consents or inform your users that you use anonymous data for audience measurement.
Based on your location, regulations may vary. For example, CNIL (France’s data protection authority) added an exemption for audience measurement without consent. Still, the Court of Justice of the European Union ruled in the Planet49 case, based on the ePrivacy directive, the GDPR and German directives, that cookies require consent before they are placed on a user’s browser.
On the other hand, the European Data Protection Board Working Party’s opinion from 2012 states that this type of cookies “are not strictly necessary to provide a functionality explicitly requested by the user. […] However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes”.
The ePrivacy draft from February 2021 provides an exception from the consent requirement for the sole purpose of audience measurement, but it is not law yet.
Sometimes the data collected with opt-in-only tracking is not enough to build a full analysis. Your organization may need additional data to fuel analytics projects. This is where vendors differ slightly from one another in their use of tracking methods with and without cookies.
We will present several ways to collect anonymous analytics data online. Each of them needs to be examined by your IT and legal team individually, depending on where you operate and collect data. Some regulations demand consent even when dealing with anonymous data. A good example of this is the Privacy and Electronic Communications Regulations (PECR) in the UK.
Chapter 7
Anonymous tracking with cookies and session data
This chapter addresses cookies used to collect data anonymously. It answers questions on how this method works and what advantages it offers.
A session identifier in the form of a cookie is deployed. The session cookie is then removed from the browser after 30 minutes.
Let’s take a closer look at how Piwik PRO does this, as an example. Once a user visits your website, Consent Manager presents tracking consent options. If the visitor ignores the banner or doesn’t give consent, session tracking is deployed that solely collects events and binds them into a session of a non-returning visitor. The individual cannot be identified or tracked across sessions.
The major advantage of this approach is that duplicates of sessions are non-existent. The data collected is more trustworthy than any other anonymous data tracking method. Moreover, if a visitor changes their mind during a session and consents to tracking, the session identifier turns into a first-party tracking cookie that will last longer than 30 minutes.
Anonymous tracking with cookies and session data | |
---|---|
Captures all traffic | |
Tracking technology | First-party session cookie |
Visitor metrics | Partly |
Session metrics | |
Event metrics | |
Channel attribution | Session and visitor level |
A peek at the vendors
Among the vendors presented, only Piwik PRO has a mode for collecting anonymous data with a session cookie. If needed, you can either hash the IP address or leave it out completely with the Piwik PRO Analytics Suite.
In Piwik PRO, this means:
- Browser fingerprint recognition is deactivated.
- The geolocation is based on anonymized IP addresses or is deactivated.
- A session identifier is set (session cookie).
- No personal data is tracked and stored in the database without explicit consent.
- Visitors who don’t consent appear as one-time visitors and can’t be identified across sessions.
- If the visitor consents to tracking within the session, all the collected data will be added to their profile. If you enable Piwik PRO’s CDP module, the platform creates a profile connecting additional data to mold a single customer view. This gives you the ability to retarget a specific segment of your customers.
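The consent-dependent identifier lifecycle listed above, sketched as an added example (not Piwik PRO's code). Only the 30-minute session cookie and its promotion on consent come from the article; the visitor-cookie lifetime, the last-octet IP masking, the fixed (non-sliding) expiry, the handling of withdrawn consent and all function names are assumptions.

```javascript
const MINUTE = 60 * 1000;
const SESSION_TTL = 30 * MINUTE;             // article: removed after 30 minutes
const VISITOR_TTL = 395 * 24 * 60 * MINUTE;  // assumed lifetime once consent exists

// Assumed anonymisation: zero the last IPv4 octet; anything else is dropped.
function anonymizeIp(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  return parts.slice(0, 3).concat("0").join(".");
}

// Decide which cookie the browser holds after this hit and what gets stored.
// cookie: { id, kind: "session" | "visitor", expires } or null
// hit:    { time, event, consent, ip }
function handleHit(cookie, hit, newId) {
  const alive = cookie !== null && hit.time < cookie.expires;
  let next;
  if (hit.consent) {
    // Consent present: keep the current identifier (this promotes a live
    // session cookie to a first-party visitor cookie) or mint a new one.
    next = { id: alive ? cookie.id : newId(), kind: "visitor",
             expires: hit.time + VISITOR_TTL };
  } else if (alive && cookie.kind === "session") {
    // Same anonymous session; expiry stays counted from when it was set.
    next = cookie;
  } else {
    // No cookie, expired cookie, or consent withdrawn: start a fresh
    // anonymous session that cannot be tied to earlier ones.
    next = { id: newId(), kind: "session", expires: hit.time + SESSION_TTL };
  }
  const record = {
    id: next.id,
    kind: next.kind,
    event: hit.event,
    // Full IP only with consent; otherwise the anonymised form (or nothing).
    ip: hit.consent ? hit.ip : anonymizeIp(hit.ip),
  };
  return { cookie: next, record };
}

// Run a timeline of hits from one browser and return what would be stored.
// The default ID source needs a runtime that exposes the Web Crypto global.
function replay(hits, newId = () => globalThis.crypto.randomUUID()) {
  let cookie = null;
  const records = [];
  for (const hit of hits) {
    const result = handleHit(cookie, hit, newId);
    cookie = result.cookie;
    records.push(result.record);
  }
  return records;
}

// Deterministic ID source so the sample run is reproducible.
function counterIds() {
  let n = 0;
  return () => `id-${++n}`;
}

// Constructed timeline for one browser (documentation IP address).
const TWO_DAYS = 2 * 24 * 60 * MINUTE;
const SAMPLE_TIMELINE = [
  { time: 0,                      event: "pageview /",        consent: false, ip: "203.0.113.57" },
  { time: 10 * MINUTE,            event: "pageview /pricing", consent: false, ip: "203.0.113.57" },
  { time: 45 * MINUTE,            event: "pageview /blog",    consent: false, ip: "203.0.113.57" },
  { time: 50 * MINUTE,            event: "consent granted",   consent: true,  ip: "203.0.113.57" },
  { time: 50 * MINUTE + TWO_DAYS, event: "pageview /",        consent: true,  ip: "203.0.113.57" },
  { time: 51 * MINUTE + TWO_DAYS, event: "consent withdrawn", consent: false, ip: "203.0.113.57" },
];

function demoTimeline() {
  return replay(SAMPLE_TIMELINE, counterIds());
}
```

In the sample run the third hit arrives after the first cookie has expired, so it shows up as a new one-time visitor; because consent follows within that second session, the earlier anonymous hit shares the promoted identifier and ends up in the visitor's profile.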
Feature | Piwik PRO | Google Universal Analytics | Google Analytics 4 | Matomo | Adobe Analytics | Countly |
---|---|---|---|---|---|---|
Anonymous tracking with cookies and session data |
Google Analytics does not offer a method for anonymous data collection by default. There is a workaround: creating a new client ID every time a returning user logs on. However, you are dependent on the help of the IT department or an analytics expert.
According to Countly’s help center article on the topic, there is no built-in anonymous tracking mode available. You have two ways to omit fetching user device IDs, and therefore personal data. Firstly, you hardcode the user ID as a constant string, which renders most of the user-related data ineffectual. Or you introduce a mechanism for generating random device IDs for every session, which could hurt overall platform performance and data quality. Basically, it’s a choice between privacy compliance and data quality.
Chapter 8
Anonymous tracking without cookies, but with session data
This chapter addresses fingerprinting used to collect data anonymously. It answers questions on how this method works and what advantages it offers.
A session identifier in the form of a device fingerprint is deployed. It ties events, such as page views, to one session. The analytics platform doesn’t deploy cookies.
The major advantage of this method is that it’s allowed by several regulations, including the new Telecommunications Telemedia Data Protection Act (TTDSG). The downside is that it creates duplicate sessions. So-called false-positive fingerprints are registered that result in recognizing several devices from the same IP address as one user. This is a drawback of most fingerprint-based methods. It’s worth noting that session cookies don’t have this problem.
Anonymous tracking without cookies, but with session data | |
---|---|
Captures all traffic | |
Tracking technology | Session fingerprint |
Visitor metrics | Partly |
Session metrics | |
Event metrics | |
Channel attribution | Session and visitor level |
A peek at the vendors
Some vendors present cookieless tracking as anonymous, and therefore as not requiring consent. This is often not true. The data collected through cookieless methods can be anonymous, but this depends on the details of what happens in the background.
For example, many vendors collect pseudonymous and even unhashed personal data through cookieless methods. Be suspicious of such simplistic claims that cookieless tracking is a free pass to collect how and what you want.
In Piwik PRO, the session fingerprint (beta) consists of a variable part (a “salt”) that resets periodically. Unlike browser and device fingerprints that identify a visitor across different sessions, session fingerprints only identify events (e.g. page views) belonging to one session.
Once again, if the user decides to give their consent, the session fingerprint changes into a first-party cookie.
Piwik PRO’s anonymous data tracking based on fingerprinting works as follows:
- Browser fingerprint recognition is deactivated.
- The geolocation is based on anonymized IP addresses or is deactivated.
- A session identifier is set.
- No personal data is tracked and stored in the database without explicit consent.
- Visitors who don’t consent appear as one-time visitors and can’t be identified across sessions.
- If the visitor consents to tracking within the session, all the collected data will be added to their profile. If you enable Piwik PRO’s CDP module, the platform creates a profile connecting additional data to mold a Single Customer View. This gives you the ability to retarget a specific segment of your customers.
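The session fingerprint with a periodically reset salt, sketched as an added example (not Piwik PRO's code): the HMAC-SHA256 construction, the inputs (site ID, IP address, user agent) and the 30-minute reset period are assumptions. It shows events being tied to one session, two devices behind the same IP address merging into one false-positive fingerprint, and IDs becoming unlinkable once the salt resets.

```python
import hashlib
import hmac
import secrets


class SessionFingerprinter:
    """Derives a short-lived session ID from request attributes and a rotating salt."""

    def __init__(self, rotation_seconds=1800):
        self.rotation_seconds = rotation_seconds  # assumed reset period
        self._period = None
        self._salt = None  # held in memory only, never stored with the events

    def _current_salt(self, now):
        period = int(now // self.rotation_seconds)
        if period != self._period:
            # Reset: the old salt is discarded, so earlier IDs cannot be
            # recomputed or linked to IDs issued from now on.
            self._period, self._salt = period, secrets.token_bytes(32)
        return self._salt

    def session_id(self, site_id, ip, user_agent, now):
        message = "\x1f".join((site_id, ip, user_agent)).encode("utf-8")
        digest = hmac.new(self._current_salt(now), message, hashlib.sha256)
        return digest.hexdigest()[:16]


def demo():
    """Constructed requests: two devices behind one NAT address, same browser build."""
    fp = SessionFingerprinter(rotation_seconds=1800)
    ua = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"  # constructed value
    first = fp.session_id("site-1", "203.0.113.7", ua, now=1000)
    same_session = fp.session_id("site-1", "203.0.113.7", ua, now=1500)
    other_device = fp.session_id("site-1", "203.0.113.7", ua, now=1600)
    other_ua = fp.session_id("site-1", "203.0.113.7", ua + " Mobile", now=1700)
    after_reset = fp.session_id("site-1", "203.0.113.7", ua, now=2000)
    return {
        "events_tied_to_one_session": first == same_session,
        "devices_merged_false_positive": first == other_device,
        "different_browser_separated": first != other_ua,
        "unlinkable_after_reset": first != after_reset,
    }


if __name__ == "__main__":
    for claim, holds in demo().items():
        print(f"{claim}: {holds}")
```

A visit that is still in progress when the salt resets is split into two sessions under this sketch, which is the price of not being able to link IDs across resets.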
Matomo’s cookieless approach stores fingerprints for up to 24 hours before deleting the data. This could be fine in some jurisdictions, but in others could cause problems if the platform is storing cross-session fingerprints (personal data) for an extended period of time. This tracking approach also runs into many performance problems for higher levels of traffic.
Piwik PRO | Google Universal Analytics | Google Analytics 4 | Matomo | Adobe Analytics | Countly | |
---|---|---|---|---|---|---|
Anonymous tracking without cookies, but with session data |
Chapter 9
Anonymous tracking without cookies or session data
This chapter addresses the strictest and most cautious way to collect data anonymously.
Every event that can’t be considered personal data is tracked. The method can’t identify an individual and the combination of the data it collects can’t pinpoint a single session either. More limited than the previous methods in the data it collects, it definitely doesn’t require consent, as the following happens:
- Browser fingerprint recognition is deactivated
- The geolocation is based on anonymized IP addresses or is deactivated
- Session identifier and visitor recognition are deactivated
- No visitor data is saved and every event is recorded separately. Essentially, your instance doesn’t record sessions.
In Piwik PRO, the data shows up in event statistics. Since you don’t track visitors or sessions, the following data is not recorded:
- The time on the website
- Bounce rate
- User flows and funnels
- Channel attribution
This tracking method is useful in certain areas of business intelligence, for instance, for an umbrella organization that doesn’t use its website as a main source of business development. Such an organization might still want to track how many times an investor has downloaded a certain document or viewed a particular page. For this purpose, session or user-level data isn’t always necessary, so the trade-off of less data for stricter privacy controls is worth it.
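An added sketch of this mode (not a vendor's implementation), using the investor-download scenario above: identifying fields are dropped at ingestion, the IP address is truncated, and only event counts and traffic sources can be reported. Field names, the /24 and /48 prefixes and the sample events are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Fields that identify a visitor or tie events into a session (hypothetical names).
IDENTIFYING_FIELDS = {"visitor_id", "session_id", "cookie_id", "user_agent", "fingerprint"}


def anonymize_ip(ip):
    """Zero the host part: keep /24 for IPv4, /48 for IPv6 (assumed prefix lengths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def scrub_event(raw):
    """Return a stand-alone event record with no visitor or session linkage."""
    event = {k: v for k, v in raw.items() if k not in IDENTIFYING_FIELDS}
    if "ip" in event:
        event["ip"] = anonymize_ip(event["ip"])
    # Keep only the referring host as the traffic source, not the full URL.
    referrer = event.pop("referrer", "")
    event["source"] = urlsplit(referrer).hostname or "direct"
    return event


def event_report(raw_events):
    """Only per-event statistics remain; nothing here can rebuild a session."""
    events = [scrub_event(e) for e in raw_events]
    return {
        "events": Counter((e["name"], e["url"]) for e in events),
        "sources": Counter(e["source"] for e in events),
    }


# Constructed sample hits, as a tracker might send them before scrubbing.
SAMPLE = [
    {"name": "download", "url": "/reports/annual.pdf", "ip": "203.0.113.77",
     "visitor_id": "v-1", "session_id": "s-1", "referrer": "https://news.example/item?id=4"},
    {"name": "download", "url": "/reports/annual.pdf", "ip": "203.0.113.77",
     "visitor_id": "v-1", "session_id": "s-1", "referrer": ""},
    {"name": "page_view", "url": "/investors", "ip": "2001:db8:abcd:12:1:2:3:4",
     "visitor_id": "v-2", "session_id": "s-9", "referrer": "https://search.example/?q=x"},
]

if __name__ == "__main__":
    print(event_report(SAMPLE))
```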
Anonymous tracking without cookies or session data | |
---|---|
Captures all traffic | |
Visitor identification | |
Visitor metrics | |
Session metrics | |
Event metrics | |
Channel attribution | Traffic sources only |
A peek at the vendors
Of course, how the analytics platform is set up depends on the data collector. You can configure a similar tracking method with some analytics and coding knowledge. Piwik PRO and Countly offer a tracking method for special use cases.
Piwik PRO | Google Universal Analytics | Google Analytics 4 | Matomo | Adobe Analytics | Countly | |
---|---|---|---|---|---|---|
Anonymous tracking without cookies or session data | N/A |
Chapter 10
Review of the analytics platforms and tracking methods
The last chapter of our odyssey in tracking methods brings everything together in one table.
Most analytics tracking methods can be privacy-friendly, but most can also be used to collect data inappropriately. The final result depends on the details of any given analytics project. Those details depend on the intentions of project leaders, of course, but also on the options available to them. As we’ve seen, different analytics platforms offer widely varying sets of options. Here’s a review:
Piwik PRO | Google Analytics | Matomo | Adobe Analytics | Countly | |
---|---|---|---|---|---|
Privacy-friendly approach | |||||
Integrated consent manager making privacy-friendly collection easier | |||||
First-party cookies | |||||
Third-party cookies | |||||
Cookieless tracking | |||||
Anonymous data tracking with cookies and session data | |||||
Anonymous data tracking without cookies, but with session data | |||||
Anonymous data tracking without cookies and session data |
It also helps to have a solid analytics partner to navigate all the options for collecting the data you need. Piwik PRO works with customers to find a privacy-compliant setup for their use case, which also delivers reliable insights from accurate data. If you want to hear more about how we can help your company, schedule a demo with our team.