Consentless tracking: Boost data collection with privacy compliance

Data privacy concerns and the need for effective data tracking are often at odds. Users want to surf the internet securely, while companies want to offer them a personalized experience. The gaps in data due to privacy regulations can make it challenging for businesses to achieve this goal, resulting in incomplete performance metrics. In the end, companies have to rely on intuitive strategies instead of data-driven strategies, leading to less effective decision-making.

Can’t we collect data that respects users’ privacy without explicit consent? As PEMAVOR, a leading MarTech company, we believe the answer is yes. We have developed a privacy-friendly solution that bridges this gap. Before deep diving, let’s first talk about GDPR and consent requirements.

    What is consentless data tracking?

    Consentless data tracking is a way to collect, store, and process users’ data (like online activities, preferences, locations, or behaviors) without their consent.

    Organizations want to know all the details about their target audience to create spot-on strategies. That’s why any data is like gold for them. However, this extensive data processing is a big concern now among users. What will the companies do with this data? Even if it’s for a good-intentioned reason (say “marketing”), people want to keep their personal information private and avoid manipulation.

    Do you remember the US 2020 presidential election? Because of biased information, conservatives engaged in more false news stories on Facebook than liberals during the election season. Algorithmic platforms can affect human communication (such as voting decisions, personal well-being, and emotional behaviors) more than we think.

    Read the detailed research, “Facebook’s News Feed Algorithm and the 2020 US Election,” prepared by Jack Bandy and Nicholas Diakopoulos, published online in 2023.

    GDPR and user consent requirements

    After growing concerns, the EU (European Union) didn’t stand idly by. It decided to impose strict rules on personal data usage. To protect data privacy, the GDPR (General Data Protection Regulation) was adopted in 2016 and entered into application in 2018. It’s a regulation, not a directive, so it’s directly applicable with the force of law, and it states that organizations must get explicit consent from users before collecting or using their personal data. Whether using cookies or other technologies, they must follow the rules.

    Organizations must clearly provide options for users to accept or decline tracking. They also must explain what data they collect, why they collect it, how long they store it, how they will use it, and whether they share it with third parties (or outside the European Economic Area). Besides, personal data owners need to have the right to request a copy of their data anytime and to delete it under certain conditions.

    Now, it isn’t only an ethical issue; it’s also a legal one.

    On the other hand, it’s a big change for digital marketeers because companies need to revise their strategies for the growing number of users who reject data tracking. But how?

    How consentless tracking relates to GA4

    Google Analytics 4 (GA4), which replaced Universal Analytics (UA) in 2023, is more concerned with privacy. However, GA4 still uses first-party cookies to track user activities on websites.

    First-party cookies identify unique users and are associated with individual sessions (visits). This lets businesses gather information about user behavior and engagement on a single domain. Besides, they’re also less likely to be blocked by browsers or ad blockers, so they provide more accurate data. While they’re considered more privacy-friendly than third-party cookies, they still collect user data, which poses challenges for consentless analytics.

    Consentless tracking process

    What happened to third-party cookies? 

    Google had intended to end third-party cookies by early 2025. But, recently, VP Anthony Chavez posted on the Privacy Sandbox Blog that they won’t remove cookies. Instead, they’ll focus on giving users more control over their browsing data.

    “In light of this, we are proposing an updated approach that elevates user choice. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We’re discussing this new path with regulators and will engage with the industry as we roll this out.”

    GDPR compliance

    When collecting any personal data from EU users, organizations must get their explicit consent, even for cookie-based tracking. With a consent management system, you should inform users about it and provide them with the option to accept or reject tracking cookies.

    Consentless tracking
    An example of PEMAVOR.

    Despite the shift to first-party cookies, GA4 still collects personal data. That means, if you use GA4, take care to comply with the GDPR when collecting data from the EU.

    • Get explicit consent from users before collecting their data, even with first-party cookies.
    • Have a data processing agreement with Google, as Google acts as a data processor.

    Side info: The Consent Mode feature offered by Google for data collection enables website and application owners to process visitor data within the scope of the law. Consent Mode V2 is an upgrade of the Consent Mode that allows Google to store and process the data for Google Ads when the user consents.

    But, how will this affect your online advertising?

    Let’s say you have a cookie pop-up on your website for user consent. First, this can impact user experience, causing higher bounce rates because pop-ups can be annoying.

    Second, if many users reject tracking, you can’t get complete data. Therefore, significant data gaps make it hard to fully understand user behavior. Besides, inconsistent data tracking leads to misinterpreted insights. So then, how will it be possible to create user-specific personalizations? Without personalized marketing, users may feel less satisfied and show less engagement.

    • Actual Conversions: All users, whether they have granted consent or not.
    • Measured Conversions: A subset of actual conversions that were tracked and recorded based on user consent.

    For example, you have 1,000 actual conversions in a month. Say, 70% of users provided consent. So, your measured conversion is 700. The remaining 300 conversions go untracked, which results in underreporting. 

    In this situation, you may want to rely on alternative methods. But, some don’t provide the same accuracy as cookie-based tracking, and some can be complex to figure out. What about tracking users without their consent? This time, you could be fined under GDPR and other privacy laws.

    This discrepancy shows how consent-based tracking can skew performance metrics and make it harder to do an accurate analysis.

    | Limited Collection of User Interaction Data | Impact on Measuring User Activities and Conversions |
    |---|---|
    | Incomplete data | Underreported traffic |
    | Loss of user journey visibility | Inaccurate conversion rates |
    | Reduced personalization | Incomplete funnel analysis |
    | Limited retargeting | Attribution challenges |
    | Compliance risks | A/B testing issues |

    No worries. We have a privacy-friendly consentless tracking solution: Server-side tracking

    Is there a way to capture events without GA4, a traditional analytics platform? Yes. We recommend server-side tracking.

    Tracking methods can be divided into two categories: server-side and client-side. Client-side tracking relies on the user’s browser to collect and send data. This data can be easily blocked or manipulated. Server-side tracking, on the other hand, offers a more reliable approach: it processes data on your server before sending it to third-party tools. The best part is that it’s in line with current privacy standards.

    So, organizations: 

    • maintain privacy compliance. ✅
    • respect user privacy. ✅
    • gain advanced analytics capabilities. ✅

    Moreover, those who don’t want a third-party solution can use custom JavaScript code instead of walker.js.

    For example, we have a custom solution that is supported by a well-implemented data layer and provides a modern approach to event tracking and data collection. 

    How does our custom solution work? 

    It captures various user interactions and events (clicks, page views, and more) on a website or application. Instead of storing data in cookies (without being dependent on user identifiers), it sends this information directly to BigQuery.

    Data processing and storage in BigQuery

    1. Data Collection: The JS code captures user interactions and sends this data to Cloud Run instances.
    2. Data Processing: Cloud Run instances perform initial processing, like data validation, enrichment, and formatting.
    3. BigQuery Ingestion: The system sends processed data to BigQuery in real-time. Then, it structures this data into tables optimized for analytical queries.
    4. Visitor Identification: Instead of using traditional cookies, we use an fp_session_id for visitor identification. The fp_session_id is a unique identifier generated for each session, not tied to personal information.
    5. Data Structure: Each event is stored with associated metadata, including:
      1. fp_session_id
      2. Timestamp
      3. Event type
      4. Page URL
      5. Other relevant, non-personally identifiable information
    6. Data Retention and Privacy: To ensure compliance with privacy regulations, any personal data is pseudonymized (the processing of personal data) or anonymized before storage.
    7. Analysis Capabilities: You can create custom dashboards and reports using tools like Google Looker Studio, which connects directly to BigQuery.

    Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers or pseudonyms.

    Technologies used in the consentless tracking solution

    1. Google Tag Manager (GTM)

    Role: Manages and deploys tracking tags on the website.

    Functions

    • Implements walker.js and other necessary scripts.
    • Allows for easy updates and modifications to the tracking setup without changing the website’s code.
    • Facilitates the creation and management of the data layer.

    GTM itself doesn’t need cookie consent, but the tags may use cookies.

    2. Google Cloud Run

    Role: Hosts and runs the server-side component.

    Functions:

    • Provides a serverless environment for running data collection and processing scripts.
    • Ensures scalability to handle varying levels of traffic.
    • Offers automatic scaling and pay-per-use pricing for cost efficiency.

    3. Google Cloud Load Balancer

    Role: Distributes incoming traffic across multiple Cloud Run instances.

    Functions:

    • Ensures high availability and fault tolerance.
    • Provides SSL termination for secure data transmission.
    • Offers global load balancing for optimal performance across different geographic regions.

    4. Google Cloud BigQuery

    Role: Serves as the data warehouse for storing and analyzing collected data.

    Functions:

    • Stores large volumes of tracking data.
    • Enables fast, SQL-like queries for data analysis.
    • Supports real-time data ingestion and analysis.
    • Provides strong security and access controls for stored data.

    5. walker.js

    Role: Custom JavaScript library for consentless tracking.

    Functions:

    • Captures user interactions and events without using cookies.
    • Sends data to BigQuery for processing.
    • Implements privacy-preserving techniques for data collection.

    What data can we collect without user consent?

    Certain types of data can be collected without user consent, and this data remains anonymous to ensure both legal compliance and ethical data collection. 

    | Data Type | Examples | Purpose |
    |---|---|---|
    | Click Identifiers | GCLID, MSCLKID | Attribute traffic sources |
    | Session ID | Unique identifier per browsing session | Analyze behavior within a single session |
    | Geolocation Data | Country, Region/State, City | Understand geographical distribution of visitors |
    | UTM Parameters | Source, Medium, Campaign, Term, Content | Evaluate marketing effectiveness |
    | Page Path | URL path of visited pages | Analyze popular content and user journeys |
    | Timestamp | Date and time of interactions | Understand usage patterns and peak times |
    | Device | Device type, OS, browser type | Optimize content, analyze user experience, and ensure platform compatibility |

    Nonetheless, while this data is considered anonymous, the combination of many data points could lead to identification in some cases. Here are the best practices for data collection:

    • Ensure that no personally identifiable information (PII), such as names, email addresses, or phone numbers, is collected or stored.
    • If you need IP addresses for geolocation purposes, they should be anonymized (e.g., by removing the last octet) or removed after obtaining general location information.
    • Where possible, analyze data in aggregate rather than individual data points to further protect user privacy.
    • Only collect necessary data for your specific analytics needs. 
    • Audit your data collection practices regularly to make sure no personal data is being collected inadvertently. Plus, use technical measures to prevent unintentional data collection, such as filtering out personal information from URLs or form submissions.
    • Be clear in your privacy policy about what anonymous data you collect and how it’s used.
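
    The practices listed above (collecting only necessary fields, truncating the IP's last octet, and filtering personal information out of URLs) can be enforced as one server-side step before storage. This is an added example, not PEMAVOR's or walker.js's code; every field name except fp_session_id, both allow-lists, and the sample event are assumptions constructed for illustration.

```javascript
// Added example (not PEMAVOR or walker.js code). Field names other than
// fp_session_id, and both allow-lists, are assumptions for illustration.
const ALLOWED_FIELDS = ['fp_session_id', 'timestamp', 'event_type', 'country', 'device_type'];
const ALLOWED_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign',
  'utm_term', 'utm_content', 'gclid', 'msclkid']);
// E-mail-like token, with a literal or percent-encoded "@".
const EMAIL_RE = /[^\s\/?&=@]+(?:@|%40)[^\s\/?&=@]+\.[a-z]{2,}/gi;
const hasEmail = (s) => String(s).search(EMAIL_RE) !== -1;

// Zero the last octet of an IPv4 address. Anything else (IPv6, garbage)
// returns null so it is dropped rather than kept in full.
function truncateIp(ip) {
  const parts = String(ip).split('.');
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? `${parts[0]}.${parts[1]}.${parts[2]}.0` : null;
}

// Keep only allow-listed query parameters, drop the fragment, and redact
// e-mail-like segments in the path.
function sanitizeUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(key.toLowerCase()) && !hasEmail(value)) kept.append(key, value);
  }
  const path = url.pathname.replace(EMAIL_RE, '[redacted]');
  const query = kept.toString();
  return url.origin + path + (query ? `?${query}` : '');
}

// Build the record to store. The truncated IP is returned separately for a
// coarse geolocation lookup and is not part of the stored event.
function sanitizeEvent(raw) {
  const event = {};
  for (const field of ALLOWED_FIELDS) {
    if (raw[field] !== undefined) event[field] = raw[field];
  }
  event.page_url = sanitizeUrl(raw.page_url);
  return { event, geoLookupIp: truncateIp(raw.ip) };
}

// Constructed sample event: personal data arrives in the path, the query and extra fields.
const sample = {
  fp_session_id: 'a1b2c3',
  timestamp: '2024-03-01T10:15:00Z',
  event_type: 'page_view',
  page_url: 'https://shop.example/account/jane.doe@example.com/orders' +
    '?utm_source=newsletter&email=jane.doe%40example.com&gclid=abc123#top',
  ip: '203.0.113.87',
  email: 'jane.doe@example.com',
};
console.log(sanitizeEvent(sample));
```

    Running the same function over a sample of stored rows is one way to carry out the regular audit the list calls for: any row that changes when re-sanitized contained data that should not have been stored.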

    Personal data to avoid collecting without consent

    1. Names and surnames
    2. Home addresses
    3. Personal email addresses
    4. Identification numbers (e.g., Social Security numbers, passport numbers)
    5. Location data that can identify an individual
    6. IP addresses
    7. Cookie IDs
    8. Advertising identifiers of phones
    9. Biometric data
    10. Health and medical information
    11. Financial information (e.g., bank account numbers, credit card information)
    12. Religious or philosophical beliefs
    13. Political opinions

    This list isn’t exhaustive. In short, any data that can directly or indirectly identify an individual should be treated as personal data and not collected without explicit consent. To better understand the scope and implications of personal data under GDPR, read the following official resources:

    1. Official GDPR Text on Personal Data
    2. European Commission’s Guide on Personal Data
    3. ICO’s Guide to the GDPR — Key Definitions
    4. EDPB Guidelines on Personal Data

    Advantages of consentless tracking 

    Consentless tracking offers a balanced approach that respects user privacy while still providing valuable insights for business decision-making. When implemented correctly and ethically, it’s a brilliant solution.

    1. Higher data accuracy and completeness

    Consentless tracking captures data from all users, not just those who opt in. So it provides a more accurate view of behavior across your entire user base.

    2. Continuous tracking, even with stringent privacy regulations

    This approach follows privacy regulations like GDPR and CCPA. Better yet, even if the laws change, you can always collect data without breaking any rules, because you only collect necessary, non-personal data, which aligns with modern privacy laws.

    3. The ability to compare data with traditional tracking methods

    To compare results and validate the accuracy of the consentless approach, track with traditional methods (where consent is given). 

    4. Improved user experience

    Without consent pop-ups, users have a smoother and more enjoyable browsing experience. 

    Case study

    Consentless tracking

    The visual displays a comparative analysis of tracked visits using fp_session_id (representing consentless tracking) versus ga4_client_id (representing GA4 tracking) over a three-month period from January 1st, 2024, to March 31st, 2024.

    Analysis:

    • Initial Period (Before 02/25/2024): Both fp_session_id and ga4_client_id track a similar number of visits, with fp_session_id slightly higher in some instances. We can say that both tracking methods were fairly aligned before the implementation of Consent Mode V2.
    • Post-Implementation of Consent Mode V2 (From 02/25/2024): There is a noticeable difference between the two tracking methods. While the fp_session_id values (consentless tracking) either maintain their levels or even show temporary spikes, the ga4_client_id values decrease significantly, by about 30%. Based on this data, we can say the implementation of Consent Mode V2 negatively impacted GA4’s ability to track events effectively, whereas the consentless tracking approach remained consistent.
    • Spikes and Variations: The chart also indicates high peaks for fp_session_id following the implementation of the Consent Mode V2. It’s important to note that fp_session_id and ga4_client_id can only be compared accurately on a daily basis. This is because the fp_session_id is generated anew each day, while the ga4_client_id remains the same for recurring visits. Therefore, these IDs should not be compared over weekly or monthly periods, as this could lead to misleading conclusions.

    Strengthen your tracking strategy with PEMAVOR. Our server-side and consentless tracking services provide the data you need—quickly and efficiently. Adopting our consentless tracking solutions promises higher data accuracy, compliance with privacy regulations, and a better user experience. Already curious? We’ll be happy to help. Contact us now.
