6 ways analytics software collects data online – plus a comparison of 5 popular platforms

At the heart of any analytics platform is a tracker, an algorithm with several data collection possibilities. As the user of the platform, you set the parameters for the tracker and maybe add JavaScript tags around it. Once configured, it decides what will be tracked and what not.

The details of how any tracker works have never been more important. Privacy laws such as the General Data Protection Regulation (GDPR) in Europe have made it crucial for organizations to know what data they collect and how. On the other hand, having good data has also never been so important to decision-making processes in the public and private sector. 

Luckily, trackers can be set up both to collect useful data and to respect privacy regulations. The word track is even a little misleading. It might make you think that all trackers follow individuals around the web, collecting personal data. Some do, unfortunately. But many are set up to collect mostly anonymous data and then personal data only when there is clear consent for such collection.

There is confusion about which trackers are doing this in a compliant way. For example, some cookieless trackers claim to be only collecting anonymous data when this isn’t true. As we’ll see later, many cookieless methods still need consent because they collect personal data.

In this article, we’ll go through the different ways trackers can work and compare the pluses and minuses of each. We’ll also compare which analytics platforms offer support for each tracking method (looking at Google Universal Analytics, Google Analytics 4, Adobe Analytics, Matomo and Countly).

Piwik PRO Analytics Suite tracks web, intranet and app events with 6 tracking methods. All are what we consider to be part of a privacy-friendly approach to analytics. Here are those 6 methods along with basic information about them:

Maximizing data collection

AdTech vendors collect large amounts of data and offer an attractive way for advertisers to target specific groups of people. Maximizing that data collection, without much regard for individual privacy, has made the most aggressive AdTech players into large profitable enterprises.

Some analytics platforms, such as Google Analytics, are part of that AdTech ecosystem and have trackers designed to maximize data collection, often at the expense of data privacy. This doesn’t mean they cannot be privacy-compliant, but they do put some serious hurdles along the way to privacy-friendly data collection.

We have written about such practices extensively on our blog:

• 4 Key Google Analytics drawbacks you won’t realize until it’s too late
• Is Google Analytics GDPR-compliant? 10 things to consider [UPDATE]
• Piwik PRO vs. Google Analytics: the most comprehensive comparison
• Piwik PRO vs. Google Analytics 360
• Piwik PRO vs. Adobe Analytics: An alternative to a powerful platform that falls short on data privacy [UPDATED]

First-party tracking and privacy-friendly analytics

Marketers and analysts increasingly are looking to a first-party approach, since the introduction of laws such as the GDPR and the blocking of third-party identifiers, such as with IDFA for iOS. So what is the first-party approach?

Keep in mind that various tracking methods have a way of identifying an individual or a group of individuals.

In other words, you often need the data subject’s consent for tracking and collecting behavioral data. This isn’t just part of the ePrivacy directive or GDPR. Many new privacy regulations require consent before any collection of personal data online. Besides consent, there are several other key parts of a first-party, and privacy-friendly, data collection approach:

• Have 100% control over your data, especially when it comes to personal data. You must be able to tell data subjects what the data is collected for and where it is being stored. In case of cloud solutions, avoid countries where local regulations don’t offer the same level of privacy protection as the GDPR. It is therefore important to pay attention to cloud solution providers and their server locations.
• Do not forward data to third parties or use it for any other purposes not mentioned during consent. This also applies to your data processor.
• Do not transfer the data outside the geographical borders of the jurisdiction where data was collected. If you need to do this, make sure you have consent and that the transfer destination has proper data protection safeguards (i.e. privacy laws – country- or even state-level).
• Make sure the data comes from a direct interaction between your website or product and the data subject.
• Do not restrict the data subject’s rights or freedoms – they should be able to consent to specific data collection purposes and be able to change their decision easily at any time.
• You, as data controller, should provide a transparent privacy policy for data subjects to stay informed. It is an important tool for acting in compliance with the GDPR and other data privacy regulations.

Additionally, you need to keep track of consents and data subject requests. You can either implement a standalone consent manager that will connect to your analytics stack, or you use an analytics platform offering an integrated consent manager.

A peek at the vendors

Most platforms would require the addition of an external consent manager to fit into the above approach. This integration introduces added complications. There can be a lot involved in making sure the external consent manager passes the right messages to the analytics platform, which needs information about what data to track based on consent.

It’s most important to find an analytics stack and consent manager that fits your use case. If that leads to choosing an external consent manager, just make sure you have the resources and expertise to get it properly integrated.

Some analytics vendors offer a simple consent banner, implemented in a tag manager, as an interim solution. Remember that a consent banner isn’t enough to satisfy most data privacy regulations. To meet legal requirements, you need to offer a clear choice and make it easy to not consent (no reject options hidden deep in menus allowed).

Piwik PRO offers an integrated consent manager. It collaborates seamlessly with the Analytics Suite’s Analytics, Tag Manager and Customer Data Platform modules. It automates much of the consent collection and management process, and provides an API to share your collected consent data with your whole analytics stack. Additionally, it can run in a zero-cookie-load mode that prevents tracking tags and pixels from firing before a consent is collected.

As a data processor, Piwik PRO doesn’t share the collected data. Your organization controls the data and what happens to it completely. Your organization gets its choice of server locations, cloud or private cloud, all over the world in addition to an option for on-premises self-hosting.

Both versions of Google Analytics presents some major disadvantages:

• You don’t have control over where the data is sent and stored.
• The data you collect is used in other Google products and services, which everyone has access to. 
• Most collected data will end up on American servers, even if that data was collected in the EU or anywhere else outside the US. In Europe, the invalidation of Privacy Shield means that these kinds of transfers are riskier than ever.

Matomo on the other hand, doesn’t send data of European users overseas and lets you store the data on your own servers. Still, the consent banner implemented in Matomo’s tag manager isn’t enough if you are collecting any personal data. Either you disable cookies and take the risk of keeping only pseudonymous personal data (fingerprinting) in your database, or you implement a standalone consent manager that collects and manages consents. In some cases though, data subject requests need to be handled manually, which can be an arduous task on your own.

Let’s move on to discuss the tracking methods themselves.

For years, cookies have been used as the primary mechanism to identify and track users. They have been the undisputed champions when it comes to recognizing returning visitors on analytics platforms. For this reason, most cookies need consent from data subjects, especially those that have lifetimes longer than a session. 

Keep in mind that the GDPR and the ePrivacy directive also acknowledges so-called functional cookies, as in “strictly necessary”. They exist to ensure the stable operation of a site or application or provide a service requested by the user. They generally don’t require consent because they are essential to provide basic functionality. These can be cookies used for e-commerce sites to remember items in a shopping cart or keep a session going for a logged-in user. Functional cookies can’t be used to collect personal data though. Depending on the country, they may not be able to collect analytics data at all, even if anonymous.

Used correctly and with proper consent, cookies allow for an important symbiosis that benefits your company and customers:

• You receive data about the behavior and journey of your customers that you can analyze to improve your products and services.
• Customers receive a better experience. They get the information they need more quickly and more easily find the products or information they want.

Yet not all cookies are without concern. Let’s take a look at third-party cookies. Third-party means these cookies are set by an external entity, often some kind of ad platform, that a visitor is not currently on. As a result, visitors often don’t know who is going to use their data and how.

The use of non-functional first-party cookies and third-party cookies is permitted under consent-first regulations like the GDPR if explicit consent is given by the data subject. The GDPR also requires you to keep track of data passed to third parties, in case a data subject request requires data changes or deletion. This is a big downside of using them, as third-party cookies demand more complicated data governance measures.

Finally, popular browsers are starting to block third-party cookies. This includes:

• Safari
• Mozilla Firefox
• Microsoft Edge
• Google Chrome, which will be blocking third-party cookies from mid 2023 onward

Here is a small table to recap tracking with first-party cookies:

A peek at the vendors

The widespread use of first-party cookies among analytics vendors makes it clear that they are a practical method to collect data.

Adobe Analytics offers third-party cookies under the designation: adobe.sc.omtrdc.net. Google Analytics offers a third-party cookie for its Display Advertiser feature focusing on remarketing. Both are optional and will only be useful in some analytics stack configurations.

Cookieless tracking most often serves the purpose of tracking users or their devices, when they delete cookies or don’t allow them in the first place. Also known as fingerprinting, it identifies returning users by combining similar patterns of linked and linkable information. 

Most platforms employ a client-side method. This means the analytics instance places a container with a JavaScript snippet and the desired tag configuration on the user’s browser that collects information such as:

• IP address
• Browser type and version
• Browser plugins
• Default language
• Screen resolution
• Operating system

These data points may seem abstract, but together they can become personal data. In many cases it’s possible to use this information, together or with other unique identifiers, to create links to an individual or a group of people. If those links are possible, then cookieless tracking does need a specific consent from the data subject.

Although cookieless tracking provides many advantages, it can make analyzing data much harder.  This is especially true if you are trying to use fingerprints for tracking across sessions. This could lead to mixed up profiles, as two sessions of one visitor become two separate profiles, or sessions of several visitors are combined to one profile.

Here is a small table to recap cookieless tracking:

A peek at the vendors

Most vendors offer cookieless tracking by default.

Piwik PRO allows you to operate solely on cookieless tracking by deactivating cookies with a single setting:

Whenever cookieless tracking requires asking for consent, Piwik PRO’s built-in consent manager helps easily get proper consent. 

Google Analytics does not offer any possibility to track cookieless by default. Under the new Consent mode, cookieless pings are sent to Google Analytics but are not collected or exposed in reporting at all.

Matomo requires you to embed an additional code into every site you want cookieless tracking for. This involves having an IT-specialist or analytics expert familiar with the platform. It is worth mentioning that Matomo has integrated cookieless tracking by default since version 4.

Opt-in-only tracking involves the collection of data, both personal and anonymous data, only in the case where specific consent is present. The specific consents can be for any number of data purposes, such as:

• Analytics
• Conversion tracking
• Remarketing 
• A/B testing and personalization
• Marketing automation
• User feedback

Opt-in only tracking is a safe approach. As long as you use the data exactly as you describe in the consent, you’ll stay in line with even the strictest privacy laws. If you collect personal data, then you have to watch out for other restrictions such as data residency and data subject rights. If you don’t collect personal data, then opt-in-only tracking is even safer – asking consent to collect anonymous data will keep you well within all current data privacy regulations.

Since this method relies entirely on consent, let’s talk more about the details of properly collecting it. The GDPR explains under article 7 and recital 32 that “consent must be a clear affirmative act proving a freely given, specific, informed and unambiguous indication of the data subject’s agreement”. For any other privacy law that requires consent, the requirements are usually similar to this.

The ePrivacy directive, for example, states in recital 17 that “Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.” You must therefore ensure that every visitor receives clear communication about what data will be collected and how. In addition:

• Each user should be allowed to give or deny consent for each individual data collection purpose.
• Each user should have the option of withdrawing their consent at any time.
• Each user should be allowed to deny consent.

The downside of opt-in-only tracking is that no consent means no data. Depending on the industry and country as well, 30% to 50% of users are willing to give their consent for tracking. Some companies might not be able to accept getting data from less than half of visitors to their website. That is why analytics vendors provide many solutions for getting more analytical data without necessarily relying on consent.

Here is a small table to recap opt-in-only tracking:

A peek at the vendors

Among the vendors we’re looking at, only Piwik PRO and Countly provide an integrated consent manager. 

If you need a consent manager for opt-in-only tracking or another method, then this is worth thinking about. Using an external consent manager might steer your company into rough waters, as several problems emerge:

• Lost time in the search for a new tool that hopefully does what it promises. This may cost you more in the long run if the integration needs maintenance or stops working. 
• Seamless integration with the other tools in your analytics stack is often difficult and requires a lot of coding experience to do right.
• Extra work generated by an inefficient integration. Let’s say a data subject requests the deletion of their data through your external consent manager. If the integration fails or doesn’t support a certain function, you will have to dig through records manually to find the data subject’s information.

Piwik PRO provides you with an integrated consent manager that lets you quickly set up a system to prompt users with a consent form. In addition, Consent Manager also:

• Supports company branding with the possibility of creating your customized consent forms
• Collects and manages all data protection requests in one place
• Integrates seamlessly with the Piwik PRO Tag Manager
• Lets non-IT personal easily use the consent manager
• Provides users with an easy opt-in mechanism to comply with the GDPR, CCPA and other privacy laws around the world
• Can show consents only for the European Economic Area, which covers the whole jurisdiction of the GDPR
• Shows reports on consent performance
• Can send consents to other parts of  your analytics stack via API

Google Analytics does not offer an integrated tool for collecting and processing consents. There is only a beta version of a consent mode, but no clear information on when a final version will be released. 

Matomo provides you with a code that enables you to implement an internal consent banner, but a fully-functioning consent management system is not provided.

Comparison

Comparison

Which consent manager would best fit your needs?

Compare the 38 key differences to determine which CMP fits your business needs: Piwik PRO, TrustArc, OneTrust, Cookiebot, consentmanager.net, Tealium, Quantcast, Crownpeak and UniConsent

Download

Sometimes the data collected with opt-in-only tracking is not enough to build a full analysis. Your organization may need additional data to fuel analytics projects. This is where vendors differ slightly from one another in their use of tracking methods with and without cookies. 

We will present several ways to collect anonymous analytics data online. Each of them needs to be examined by your IT and legal team individually, depending on where you operate and collect data. Some regulations demand consent even when dealing with anonymous data. A good example of this is the Privacy and Electronic Communications Regulations (PECR) in the UK.

A session identifier in the form of a cookie is deployed. The session cookie is then removed from the browser after 30 minutes. 

Let’s take a closer look at how Piwik PRO does this, as an example. Once a user visits your website, Consent Manager presents tracking consent options. If the visitor ignores the banner or doesn’t give consent, session tracking is deployed that solely collects events and binds them into a session of a non-returning visitor. The individual cannot be identified or tracked across sessions.

The major advantage of this approach is that duplicates of sessions are non-existent. The data collected is more trustworthy than any other anonymous data tracking method. Moreover, if a visitor changes their mind during a session and consents to tracking, the session identifier turns into a first-party tracking cookie that will last longer than 30 minutes.

A peak at the vendors

Among the vendors presented, only Piwik PRO has a mode for collecting anonymous data with a session cookie. If needed, you can either hash the IP address or leave it out completely with the Piwik PRO Analytics Suite.

In Piwik PRO, this means:

• Browser fingerprint recognition is deactivated.
• The geolocation is based on anonymized IP addresses or is deactivated.
• A session identifier is set (session cookie). 
• No personal data is tracked and stored in the database without explicit consent.
• Visitors who don’t consent appear as one-time visitors and can’t be identified across sessions.
• If the visitor consents to tracking within the session, all the collected data will be added to their profile. If you enable Piwik PRO’s CDP module, the platform creates a profile connecting additional data to mold a single customer view. This gives you the ability to retarget a specific segment of your customers.

Google Analytics does not offer a method for anonymous data collection by default. There is a workaround by creating new client IDs, every time a returning user logs on. However, you are dependent on the help of the IT department or an analytics expert.

According to Countly’s help center article on the topic, there is no built-in anonymous tracking mode available. You have two ways to omit fetching user device IDs, and therefore personal data. Firstly, you hardcode the user ID as a constant string, which renders most of the user-related data ineffectual. Or you introduce a mechanism for generating random device IDs for every session, which could hurt overall platform performance and data quality. Basically, it’s a choice between privacy compliance and data quality.

A session identifier in the form of a device fingerprint is deployed. It ties events, such as page views, to one session. The analytics platform doesn’t deploy cookies.

The major advantage of this method is that it’s allowed by several regulations, including the new Telecommunications Telemedia Data Protection Act (TTDSG). The downside is that it creates duplicate sessions. So-called false-positive fingerprints are registered that result in recognizing several devices from the same IP address as one user. This is a drawback of most fingerprint-based methods. It’s worth noting that session cookies don’t have this problem.

A peak at the vendors

Some vendors present cookieless tracking as anonymous, so also not requiring consent. This is often not true. The data collected through cookieless methods can be anonymous, but this depends on the details of what happens in the background. 

For example, many vendors collect pseudonymous and even unhashed personal data through cookieless methods. Be suspicious of such simplistic claims that cookieless tracking is a free pass to collect how and what you want.

In Piwik PRO, the session fingerprint (beta) consists of a variable part (a statistical analysis and learning tool “salt”) that resets periodically. Unlike browser and device fingerprints that identify a visitor across different sessions, session fingerprints only identify events (e.g. page views) belonging to one session.

Once again, if the user decides to give their consent, the session fingerprint changes into a first-party cookie.

Piwik PRO’s anonymous data tracking based on fingerprinting works as follows:

• Browser fingerprint recognition is deactivated.
• The geolocation is based on anonymized IP addresses or is deactivated.
• A session identifier is set. 
• No personal data is tracked and stored in the database without explicit consent.
• Visitors who don’t consent appear as one-time visitors and can’t be identified across sessions.
• If the visitor consents to tracking within the session, all the collected data will be added to their profile. If you enable Piwik PRO’s CDP module, the platform creates a profile connecting additional data to mold a Single Customer View. This gives you the ability to retarget a specific segment of your customers.

Matomo’s cookieless approach stores fingerprints for up to 24 hours before deleting the data. This could be fine in some jurisdictions, but in others could cause problems if the platform is storing cross-session fingerprints (personal data) for an extended period of time. This tracking approach also runs into many performance problems for higher levels of traffic.

Every event that can’t be considered personal data is tracked. The method can’t identify an individual and the combination of the data it collects can’t pinpoint a single session either. More limited than the previous methods in the data it collects, it definitely doesn’t require consent, as the following happens:

• Browser fingerprint recognition is deactivated
• The geolocation is based on anonymized IP addresses or is deactivated
• Session identifier and visitor recognition are deactivated
• No visitor data is saved and every event is recorded separately. Essentially, your instance doesn’t record sessions.

In Piwik PRO, the data shows up in event statistics. Since you don’t track visitors or sessions, the following data is not recorded:

• The time on the website
• Bounce rate
• User flows and funnels
• Channel attribution

This tracking method is useful in certain areas of business intelligence. For instance, for an umbrella organization that doesn’t use its website as a main source of business development. Nevertheless, they might want to track how many times an investor has downloaded a certain document or has viewed a particular page. For this purpose, session or user-level data isn’t always necessary, so the trade off of less data for stricter privacy controls is worth it.

A peek at the vendors

Of course, it depends on the data collector how the analytics platform is set up. You can configure a similar tracking method with some analytics and coding knowledge. Piwik PRO and Countly offer a tracking method for special use cases.

Most analytics tracking methods can be privacy-friendly, but most can also be used to collect data inappropriately as well. The final result depends on the details of any given analytics project. Those details depend on the intentions of project leaders, of course, but also on the options available to them. As we’ve seen, different analytics platforms offer widely varying sets of options. Here’s a review:

It also helps to have a solid analytics partner to navigate all the options for collecting the data you need. Piwik PRO works with customers to find a privacy-compliant setup for their use case, which also delivers reliable insights from accurate data. If you want to hear more about how we can help your company, schedule a demo with our team.

In the meantime, you might find these articles useful:

→ Is Google Analytics GDPR-compliant?
→ Piwik PRO vs. Google Analytics 360
→ Piwik PRO vs. Matomo
→ Piwik PRO vs. Adobe Analytics