Tracking return visits with The Anonymous Cookie

Simple, private, self-hosted, cookie free website day...maybe

I’m still working through the pros and cons of using cookies.

On the one hand, they seem like they will allow some super-useful things at relatively low cost, such as tracking a returning visitor in order to show “visitors” and “unique visitors”.

But adding non-essential cookies (analytics are classed as non-essential) means that, in theory, if you’re in the EU you’re supposed to have informed, but not explicit consent for that cookie, which I read as: “you need a pop-up, but not a checkbox”.

A session cookie is, I believe, an “online identifier” and this is personally identifiable and subject to DPA or GDPR in the UK/EU (though I would argue that because you can’t perform a lookup on the session ID it’s not, but who am I to argue). So session cookies aren’t great for tracking (and wouldn’t scale). But nor is any other unique ID stored in a cookie and sent to the server.

There’s been a great conversation about this topic in a GitHub issue in Kownter’s competitor/collaborator Fathom (I love them, it’s all good). And I’ve realised (yeah, took a while!) that you don’t need an ID in the cookie. You can just set tracked_with_kownter = 1 or whatever, and that will identify a returning visitor to the site you’re tracking.

So the next step is: what can I put in the cookie that is anonymous, but useful?
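
The flag-only cookie described above, sketched as an added example (not Kownter's or Fathom's code). The cookie name comes from the post; the one-year lifetime, the counter names, the first-party Set-Cookie attributes and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie, CookieError

COOKIE_NAME = "tracked_with_kownter"  # name taken from the post
MAX_AGE = 60 * 60 * 24 * 365          # assumed lifetime: one year


def is_returning(cookie_header):
    """True only when the flag cookie is present with the constant value "1".

    Any other value is ignored, so the cookie cannot be repurposed to carry
    a per-visitor identifier back to the server.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return False
    morsel = jar.get(COOKIE_NAME)
    return morsel is not None and morsel.value == "1"


def flag_cookie():
    """Build the Set-Cookie value. It is byte-for-byte identical for everyone."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = "1"
    morsel = jar[COOKIE_NAME]
    morsel["max-age"] = MAX_AGE
    morsel["path"] = "/"
    morsel["secure"] = True      # assumes the tracked site is served over HTTPS
    morsel["httponly"] = True    # assumes the server, not page script, sets it
    morsel["samesite"] = "Lax"   # assumes the tracker is served first-party
    return morsel.OutputString()


def record_hit(cookie_header, stats):
    """Count one page view; return a Set-Cookie value for first-time visitors."""
    stats["visits"] += 1
    if is_returning(cookie_header):
        stats["returning_visits"] += 1
        return None              # flag already set, nothing to send
    stats["unique_visitors"] += 1
    return flag_cookie()


if __name__ == "__main__":
    # Constructed Cookie headers: none, flag set, flag set next to another
    # cookie, and a value that tries to smuggle an ID (treated as a new visit).
    stats = {"visits": 0, "unique_visitors": 0, "returning_visits": 0}
    for header in (None, "tracked_with_kownter=1",
                   "theme=dark; tracked_with_kownter=1",
                   "tracked_with_kownter=user-8f3a"):
        print(repr(header), "->", record_hit(header, stats))
    print(stats)
```

Because the server only ever stores aggregate counters and the cookie value is a constant, nothing in a request log can link two hits to the same person through this cookie.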



One Response

  1. This isn’t legal advice and I’m not a lawyer. (I am “da2x”, however.)

    Consent requirements under the ePrivacy Directive vary greatly from country to country and ICO’s interpretation only applies to Great Britain. You can’t really make product design decisions based on a directive that has been implemented so completely differently from country to country. You should follow the ePrivacy Regulation proposal, however. The current draft proposal clarifies that browser settings (cookie controls, DNT, others) are sufficient for consent, but you need a privacy and a cookie policy that documents what you do and why. As a regulation, it would be implemented directly into the laws of each EU member state instead.

    As for what is useful to put in cookies I’d suggest the same things as in the Fathom discussion: ratelimiting (per-page and site-wide), pageview counter per session, and timestamp of last visit (for tracking retention rates).
