All Blog Posts

Compliant website tracking

Find out how Cookiebot CMP makes your website compliant, and how the Cookiebot CMP/Google Consent Mode integration makes your website tracking fully legal without any loss of data.

Updated October 28, 2020.

Website tracking is an essential practice for most websites.

Tracking user behavior can give you insight into how your website performs and whether your ad campaigns reach their target audience.

But end-user data privacy cannot be ignored.

In fact, major data privacy laws (GDPR, ePrivacy Directive, CCPA) require you to only perform the kinds of user tracking that are in full compliance with strong consent and data protection obligations.

Our consent management platform (CMP) has made finding out how to do compliant website tracking easy and automatic – we call it plug-and-play compliance.

Website tracking, in short

What is website tracking?

Website tracking is the activity of monitoring people’s movementsinterests and behavior on the Internet, most often through the use of cookies and other website trackers.

Website tracking works by collecting and processing data – often personal data – from users in order to present you with important insights into your domain’s performance or your ad campaign’s reach.

Person sitting on a sofa typing on a laptop - Cookiebot
You must obtain the explicit, prior consent from end-users for your web tracking to be GDPR-compliant.

Different website tracking tools can be used for collecting different kinds of data for different purposes, ranging from information about users (gender, age, location, search and browser history) to information about how users interact with your website (what they click on, scroll past, hover over, how they arrived at your site and where they go afterwards).

Popular website tracking tools (like Google AnalyticsCrazy Egg and Clicky) make it easy to do smart and extensive user tracking on your domain, but these are only legal to use if you run them on your website in compliance with data law requirements on end-user privacy.

In short, your website tracking is only legal if you ensure end-user privacy protection in accordance with the data privacy law in force in the user’s region.

Website tracking of users in the EU is only legal if you (among other requirements) ask for and obtain their explicit consent before activating any non-necessary cookies and website trackers on your domain.

The same goes for tracking of users in Brazil and users in South Africa.

Website tracking of users in California is only legal if you inform them of the kinds of data you collect, the purposes for which you collect, who you share it with and enable visitors to opt-out of your website tracking practices altogether.

Scan your website for free with Cookiebot CMP to see where in the world your users are located, and which cookies and website trackers are in use on your domain.

Pole with a sticker reading 'big data is watching you' - Cookiebot
You must obtain the explicit, prior consent from end-users for your web tracking to be GDPR-compliant.

Website tracking in which people’s personal and sensitive information is harvested freely and without any regard to their privacy, is not only illegal, it’s also unsustainable for your website.

A growing public awareness around data privacy has made even the world’s largest tech company, Google, introduce consent-based overhauls of their core services, turning the entire adtech industry in the direction of a fairer and more privacy-focused Internet.

True end-user data privacy protection is becoming a measurable metric for users to evaluate websites on, just as consumers evaluate their goods based on food and safety standards.

However – for many website owners and operators – the task of becoming compliant with the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) is a difficult and time-consuming task.

Compliance has also often meant that your website will experience a loss of web tracking data and vital insights into your domain’s performance.

If users from e.g. the EU don’t give their consent to the website trackers on your domain, these will not be allowed to activate and collect data for user tracking, and you are left in the blind on vital statistics of performance and ad reach that could benefit your website and, in the end, your users as well.

This is not a good solution for anyone…

End-user data privacy is paramount to a future free and fair Internet, but the data-driven analytics from website tracking and the adtech economy is to a great extent what funds the free Internet as we know it today.

There has to be a balance that works for both the end-user, tired of privacy infringements, and you, who wants to be able to see what’s happening on your website.

And there is…

Cookiebot CMP and compliant website tracking

Plug-and-play compliance for your website and its user tracking

Our CMP is the world’s leading consent management platform (CMP) that brings plug-and-play compliance to your website with no need for manual implementation or on-site support.

Cookiebot was launched in 2012 with the mission at heart to find a balance on your domain between real data privacy and compliant user tracking.

Cookiebot CMP is fully automatic and built around a powerful website scanner that detects all cookies and similar website trackers on your domain and controls them through the granular consent of your end-users.

Cookieboot Pop Up Banner - Cookiebot
You must obtain the explicit, prior consent from end-users for your web tracking to be GDPR-compliant.

Cookiebot CMP is built to find a balance between data privacy protection and website tracking, so that you can get vital knowledge and insights into your domain’s performance and business, while end-users enjoy real and thorough protection of their personal data and privacy online.

Our CMP ensures compliance for your website with major data laws like the EU’s GDPRCalifornia’s CCPABrazil’s LGPDSouth Africa’s POPIA and more.

How to track user activity on your website in compliance and without losing data

With the close partnership integration between Cookiebot CMP and Google Consent Mode, your website can get the best of both worlds – end-user data privacy protection without losing valuable website tracking insights.

Google Consent Mode lets you run all your website’s Google-services (e.g. Google Analytics, Google Tag Manager) based on end-user consent.

Using Cookiebot CMP with Google Consent Mode brings you true cookie control and compliance and a streamlined use of all your website tracking tools from Google in one simple solution – giving you aggregated, anonymous website tracking without cookies if users don’t consent to website trackers.

Google Consent Mode gives you non-identifying website tracking data if users opt out, including –

  • basic measurements
  • modelling data
  • timestamps of visits
  • user agent
  • referrer
  • information on user’s navigation
Laptop screen showing website analytics data - Cookiebot
Compliant tracking without cookies and without losing vital data with Cookiebot CMP and Google Consent Mode.

Cookiebot CMP integrates closely with Google Consent Mode offering an all-in-one solution for compliance and across-the-board control of your website tracking tools in a fully automatic way, without the need for you to do anything beyond the plug-and-play implementation.

Get started with Google Consent Mode

Learn more about GDPR and cookie consent

Learn more about CCPA compliance

Website tracking, in detail

Website tracking is a popular way to get information on your users and it is legal, as long as you make sure that all relevant data privacy requirements are met and respected before tracking users.

Let’s take a closer look at how website tracking works, how you can find a compliant balance between web tracking and end-user protection, what the most popular website tracking tools are today – and how you can use them compliantly.

How website tracking work – website trackers and cookies

Website tracking online works through cookies and similar website trackers on your website.

Cookies and website trackers work by storing themselves on a user’s browser, when they land on your site.

Once stored on their browser, they collect information on the user that is used to measure their visit, recognize them upon repeated visits, track them across browsers and devices and peek into their interests and behavior in general.

When you use a website tracking software on your website, the software will set third-party cookies, which will activate when a user lands on your website and start collecting personal data on them.

Did you know that?

99% of cookies on the Internet are used for web tracking and for the purpose of showing targeted advertisement to users.

72% of cookies are placed on your website are so-called trojan horses that are loaded by fourth parties, often hidden within other cookies.

In addition, 50% of trojan horses will change between user visits, making them difficult to detect for website owners and operators without deep-scanning technology.

Source: Beyond the Front-Page, study on cookies (PDF)

Man standing in street looking at phone - Cookiebot
Personal data collected as part of your user tracking is protected and must be handled in compliance.

Most third-party cookies from website tracking software will use some variant of a unique ID that can recognize the individual user across the Internet, as they travel from news sites to online shops and to your website; thereby collecting detailed data on their movements, preferences, search and browser history, among many other things.

But – and this is important – most data that cookies and website trackers collect is personal data!

Personal data is protected in the EU by the General Data Protection Regulation (GDPR). Among its requirements for websites is that of asking for and obtaining end-user consent before activating any website tracking cookies that collect personal data.

Personal data/information is also protected by the CCPA in California, the LGPD in Brazil and POPIA in South Africa – among others – so if you have users from any of those places, your website tracking needs to be calibrated to meet compliance.

Website tracking and compliance

What do data privacy laws say about website tracking?

If you have a website that tracks users or you want to start tracking users, the first thing you need to know is where in the world your website’s users are located.


Well, the location of our end-users will determine which data protection law applies to your website tracking’s online collection and processing of personal data.

If you have users from, say, inside the EU, regardless of where in the world you and your website is located, you need to be aware of the General Data Protection Regulation (GDPR) and its requirements for consent and other data protection obligations.

GDPR and website tracking

Website tracking in GDPR compliance rests on three things –

  • Explicit consent from end-users before tracking
  • Extensive information about and transparency around your tracking practices
  • Secure storage and documentation of end-user consents

In order to track website users from the EU, they must consent to your website tracking.

Flag of European Union - Cookiebot
Website tracking of EU users only legal if their prior consent has been obtained.

This consent must be given freely (i.e. not forced or as a condition for services) and it must be granular (i.e. users need to be able to give their consent to some website trackers and not others).

Your obligation to inform your users means that you need to tell them about –

  • what kinds of personal data your website tracking tools collect
  • what purposes you collect personal data for
  • where you send personal data to
  • what third parties you share personal data with
  • what website trackers are used to collect and process data (e.g. cookies), including detailed data on their technical properties

This information must be provided in such a way that users can give their consent to it, i.e. not provided later or buried in a difficult legal text.

Users must know all details about your web tracking practices before they can provide an informed, compliant consent.

When a user consents to the website tracking on your domain, you need to document this consent and securely store it.

Consent must also be renewed every 6 to 12 months, according to relevant national data protection guidelines.

Personal data under the EU’s GDPR includes –

  • name, location, email, address,
  • IP addresses, search history, browser history,
  • purchase history, credit information, preferences and settings,
  • inferences about sexual orientation, political convictions, religious beliefs

Website trackers that collect and process any of the above need the explicit consent of end-users before they can be activated and used for website tracking.

Cookiebot CMP automatically makes your website tracking GDPR-compliant. Our plug-and-play compliance solution contains a powerful cookie scanner that detects and controls all website trackers and handles all end-user consents.

Use Cookiebot CMP with Google Consent Mode to make your website tracking compliant – and without losing valuable insights into your website’s performance.

CCPA and website tracking

If you have users from California, the state-wide California Consumer Privacy Act (CCPA) applies to your website tracking – however, only if you meet its definition of a business.

California state flag - Cookiebot
Website tracking in California is legal if users are able to opt out on your website’s landing page.

The CCPA doesn’t require you to obtain end-user consent before tracking users, but it does require you to provide all the same transparency around your website tracking practices as the EU’s GDPR, including –

  • what kinds of personal information you collect
  • what purposes you collect this personal information for
  • who you share this personal information with

End-users from California need to be able to opt out of your web tracking by a Do Not Sell My Personal Information link on your website’s landing page.

Should users click on this link, you’re not allowed to track their personal information any longer.

Personal information under California’s CCPA includes –

  • name, location, email, address,
  • IP addresses, search history, browser history,
  • purchase history, credit information, preferences and settings,
  • inferences about sexual orientation, political convictions, religious beliefs

If your website processes any of the above information through cookies and website trackers, users must be notified about it in detail and also be given the choice of opting out of having their information collected and shared via third parties.

Cookiebot CMP automatically makes your website tracking CCPA compliant.

Our plug-and-play compliance solution provides all the necessary transparency around your processing of personal information and features the required Do Not Sell My Personal Information link on your website.

Website tracking in Brazil and South Africa

Users from Brazil and South Africa are also protected by data privacy laws that are closely mirrored to the EU’s General Data Protection Regulation (GDPR), empowered with enforceable rights of consent and transparency just as users in the EU.

Half of the South African flag & half of the Brazil flag - Cookiebot
Tracking of users in South Africa and Brazil is also protected under domestic data privacy laws.

Compliance with Brazil’s LGPD or South Africa’s POPIA is a necessity if you have users from within these countries.

Learn more about LGPD compliance in Brazil

Learn more about POPIA compliance in South Africa

Website tracking tools

How to ensure full compliance when tracking user activity on your website

Tools and software for website tracking are many and popular, offering different insights from different kinds of data that you can choose according to what is best suited for your specific website and online business.

Here’s a list of the most popular website tracking tools and a breakdown of how to use them in compliance.

The most popular website tracking tools include –

  • Google Analytics
  • HubSpot
  • Clicky Analytics
  • Crazy Egg
  • Kiss Metrics

Website tracking tools: Google Analytics

When it comes to website tracking, Google Analytics is by far the most popular tool on the Internet, used by many millions of websites across the world.

Google Analytics is free and offers you all both basic and detailed insights into your website’s performance, such as number of visits, sessions, bounce rate, click-through rate, including information on your end-users (e.g. location, devices, age etc.)

Screenshot of Google Analytics report - Cookiebot
Google Analytics website tracking data measuring number of visitors to a website.

Using Google Analytics will set a third-party cookie from Google called _ga on your end-users’ browsers, which is used to measure and distinguish users. This cookie, which expires after two years, includes a unique ID that is able to track website users across the Internet.

Using Google Analytics as your website tracking tool therefore requires EU users consents before activation and require notification for California users at the moment of collection.

With Cookiebot CMP and Google Consent Mode, you can make Google Analytics run in full compliance with the EU’s GDPR and its requirements for end-user consent.

Cookiebot CMP and Google Consent Mode lets your website do tracking without cookies, when end-users don’t consent to the website trackers necessary for normal, personalized tracking – all in full compliance.

Learn more about Google Analytics and GDPR/CCPA compliance

Website tracking tools: HubSpot

HubSpot is also a hugely popular tool for website tracking and inbound marketing administration. HubSpot comes as both a free and paid version. As with Google Analytics, HubSpot lets you track visitors and gives you detailed information on how they behave on your domain, including traffic and conversion analytics, ad campaign’s reach on social media and much more.

Screenshot of HupSpot Event reporting  - Cookiebot
HubSpot website tracking data visualizations.

Using HubSpot as a website tracking tool will set several third-party cookies on your end-user’s browser, including the _hstc-cookie (responsible for collecting data such as timestamps on visits, sessions) and the _hubspotutk-cookie, which determines users’ identities with an opaque GUID (similar to unique ID).

Both cookies have a lifespan of 13 months.

Using HubSpot on your website will set third-party cookies that are not necessary for the performance of your website and therefore requires the explicit and prior consent from users in the EU and the transparent notification of users in California before any collecting, processing and sharing of the information is allowed to take place.

Learn more about HubSpot and GDPR/CCPA compliance here

Website tracking tools: Clicky

Clicky is another popular website tracking software that gives you statistics and analytics insights into your website.

What sets Clicky apart from Google Analytics and other services is that they offer so-called heat maps of traffic on your website – i.e. visualizations of the data that you would otherwise have to read in numbers.

Screenshot of heat maps from Clicky  - Cookiebot
Heatmaps from Clicky that show you where most user traffic is condensed on your website.

Clicky also sets website trackers on your visitors’ browsers.

The UID (Unique ID tracking cookie) is used by Clicky to accurately distinguish individual users.

Among the kinds of data that Clicky collects is referrer, user agent, browser language, screen resolution, mouse movement and behavior, IP addresses and more.

To use Clicky as your domain’s website tracking tool in compliance with the EU’s GDPR and California’s CCPA, you must ensure that you obtain the explicit consent of users in the EU and the notification of users in California.

Learn more about Clicky cookies and web tracking policy

Website tracking tools: Crazy Egg

Crazy Egg is another website tracking software that brands itself on its “extra” features, such as heat maps, which can be used on top of basic measurements from Google Analytics and other website tracking tools.

As with Clicky, Crazy Egg’s heat maps visualize user traffic on your site, showing where users click, hover, scroll and more to give you a detailed picture of the gravitational pulls of your domain’s elements.

Screenshot of Crazy Egg’s website tracking heat maps - Cookiebot
Crazy Egg’s website tracking heat maps for visualizing user traffic on your domain.

Crazy Egg also records entire user session from landing on your site to converting or leaving.

Like all the other website tracking tools, Crazy Egg sets third-party cookies that require the explicit consent of users in the EU and the notification of collection of users in California.

Crazy Egg sets cookies and website trackers, such as the ce.s-cookie that tracks whether a visitor has visited the site before (and lasts for 5 years on a user’s browser).

Use Cookiebot CMP on your website to make sure that all cookies and website trackers are detected and controlled on the basis on your end-user’s consent state.

Website tracking tools: Kissmetrics

Kissmetric is a website tracking tool designed specifically to breakdown how your users convert on your domain, with particular focus on reducing churn and increasing engagement through social media ad campaigns and email marketing.

Kissmetric collects data through third-party cookies and website trackers on end-users, such as browser information, IP addresses, referring website, time of visit, operating system information, mobile device information and more.

Screenshot of Kissmetrics website tracking data - Cookiebot
Kissmetrics website tracking data to help you optimize ad campaign reach and domain performance.

Under both the EU’s GDPR and California’s CCPA, much of the above data is defined as personal data/information – and you will need the explicit consent of users in the EU and to make sure that you notify and enable users in California to opt out before activating Kissmetrics as a web tracking tool on your domain.

Learn more about Kissmetrics web tracking policies here

Cookiebot CMP for compliant user tracking

Still confused how to make your website’s user tracking compliant with data privacy laws?

All you need to do is sign up to Cookiebot CMP to get started.

The mission of Cookiebot CMP on the Internet is to help your website reach a sustainable balance of compliance and website tracking – and Cookiebot CMP has automated the entire compliance process for your website’s tracking.

The Cookiebot CMP plug-and-play compliance solution gives you –

  • powerful scanner that detects all cookies and website trackers in operation
  • An unmatched consent solution that automatically manages all consents from your end-users and provides them with all the necessary and required information about your website’s tracking practices.
  • Secure storage and documentation of all end-user consents.
  • Automatic renewal of end-user consents.
  • Full compliance with the EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and more data privacy laws.

Cookiebot CMP integrates fully and automatically with Google Consent Mode that lets you not only obtain full data law compliance, but also lets you run all of Google’s website tracking tools without cookies, should your users not give their consent.

With Cookiebot CMP and Google Consent Mode, you can track users without cookies and ensure that you get vital insights into your website’s performance, conversion rates and ad reach in full compliance.

Learn more about GDPR and cookie consent

Learn more about CCPA compliance


How can I track users on my website?

Website tracking can be done through the use of cookies and similar website trackers that collect behavioral data on your end-users in order to measure traffic and conversions. A variety of free and paid website tracking tools exist for you to use but be aware that you most likely need to comply with data privacy laws relevant in the user’s region for it to be legal.

Try Cookiebot CMP for free for compliant website tracking today

Is website tracking legal?

Only if you comply with the relevant data privacy law in the region. If you have users from the EU, you are required to ask for and obtain their explicit consent before any tracking is allowed to happen. The same goes for users from Brazil and South Africa. If you have users from California, you are required to notify them about your website tracking data collection and enable them to opt out.

Scan your website to see where your users are located

How does website tracking work?

Website tracking works with the use of cookies and similar tracking technologies that collect and process the actions of end-users in order to present you with aggregated and targeted statistics on their movements, interests, behavior and preferences. Third-party cookies can be privacy invasive and always need the consent of end-users in order to be used. Website tracking tools can help you gain insights into your website’s performance and ad reach.

Get started with Google Consent Mode

How can I make my web tracking compliant?

Cookiebot CMP offers a plug-and-play compliance solution for your entire website, built around a powerful scanner that detects all cookies and trackers and controls them based on the consent state of your end-users. Using Cookiebot CMP in close integration with Google Consent Mode can give you tracking without cookies and valuable analytics insights into your website, when users don’t consent to being tracked on a detailed level.

Learn more about Cookiebot CMP and Google Consent Mode


Try Cookiebot CMP free for 14 days – or forever if you have a small website

Scan your website with Cookiebot CMP to see all cookies and website trackers in use

Get started with Google Consent Mode

Learn more about Google Analytics and GDPR/CCPA compliance

Learn more about HubSpot and GDPR/CCPA compliance

Learn more about GDPR and cookie consent

Learn more about CCPA compliance

Learn more about LGPD compliance in Brazil

Learn more about POPIA compliance in South Africa

Visit Google Analytics for more information on cookies and privacy policy

Visit Clicky for more information on cookies and privacy policy

Visit Crazy Egg for more information on cookies and privacy policy

Visit Kissmetrics for more information on cookies and privacy policy

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.