What is website tracking and can it align with data privacy laws?

Website tracking offers valuable insights, but it raises concerns about user privacy and regulatory requirements. We explore how websites can implement tracking effectively while respecting privacy laws and user data.

Updated December 20, 2023.

Website tracking is an essential practice for most websites. Tracking users’ online activity can give you insight into how your website performs and whether your ad campaigns reach their target audience.

But, in tracking user behavior, end-user data privacy cannot be ignored.

In fact, major data privacy laws require you to only perform the kinds of user tracking that are in full compliance with strong consent and data protection obligations.

We explore what website tracking is, how it works, and how you can gain invaluable business insights from user activity on your website while staying legally compliant.

What is website tracking?

Website tracking (also known as web tracking or page tracking) is the activity of monitoring users’ movements, interests and behavior on the Internet, most often through the use of cookies and other website trackers.

It’s a popular way to get information on your users and is legal if you make sure that all relevant data privacy law requirements are met and respected before tracking users.

Website tracking works by collecting and processing data — often personal data — from users to obtain valuable insights into your website’s performance and your ad campaign’s reach.

Different website tracking tools can be used to collect different kinds of data for different purposes, ranging from information about users (gender, age, location, search and browser history) to information about how users interact with your website (what they click on, scroll past, hover over, how they arrived at your site and where they go afterwards).

What are the benefits of tracking users?

Tracking user activity on a website offers benefits before the visitor even arrives on your website, and then again when they’re browsing.

Drives relevant traffic

Targeted advertising: By tracking online activity and interests, you can deliver targeted advertisements to an audience that is interested in your product or service, increasing leads and conversions. You can also analyze which ads are effective at driving traffic and can adjust paid advertising campaigns.

Organic traffic: Tracking website activity helps you understand which marketing efforts successfully attract visitors. By identifying which strategies result in the most traffic sources, you can focus on these methods to enhance your return on investment.

Streamlines the user journey

Improves user experience: Tracking user behavior on websites enables you to provide a personalized experience for visitors. For example, it can help remember visitor preferences, such as the preferred language, so that visitors don’t need to choose on every visit.

Increases conversions: By analyzing how users interact with their site and pinpointing areas for enhancement, website owners can make changes that lead to more users completing desired actions, like making a purchase or signing up, thereby helping achieve their business objectives.

How to track user activity on a website

Website tracking online works through cookies and similar website trackers.

Tracking cookies and other web tracking methods work by storing themselves on a user’s browser when the user lands on your site.

Once stored on their browser, tracking cookies collect information on the user that is used to measure their visit, recognize them upon repeated visits, track them across browsers and devices and peek into their interests and behavior in general.

When you use a website tracking software on your website, the software will set third-party cookies, which will activate when a user lands on your website and start collecting personal data on them.

Most third-party cookies from website tracking software will use some variant of a unique ID that can recognize the individual user across the Internet, as they travel from news sites to online shops and to your website. This enables the third-party cookies to collect detailed data on the user’s movements, preferences, search and browser history, among many other things.
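The properties described above (a cookie set from another domain, a long lifetime, a value that looks like a per-user identifier) can be checked mechanically. The following is an added example, not part of the original article and not Cookiebot's scanner: it audits recorded Set-Cookie headers, where the hosts and values are constructed, the cookie names and lifetimes are the ones cited later in this article, and all function names are hypothetical.

```javascript
// Added example. OBSERVED is constructed sample data: Set-Cookie values recorded
// while loading a page on shop.example. Hosts and values are made up; cookie
// names and lifetimes follow the article.
const OBSERVED = [
  { host: "shop.example", header: "lang=en; Path=/; Max-Age=2592000; SameSite=Lax" },
  { host: "shop.example", header: "cart=3; Path=/; HttpOnly" },
  { host: "t.analytics.example", header: "_ga=GA1.2.1840277512.1705276800; Domain=.analytics.example; Max-Age=63072000" },
  { host: "track.crm.example", header: "_hubspotutk=5f3c9a7e1b2d4c6f8a0b1c2d3e4f5a6b; Max-Age=34128000; Secure" },
  { host: "cdn.heatmap.example", header: "ce.s=v~a1b2c3d4e5f60718293a4b5c6d7e8f90; Expires=Mon, 15 Jan 2029 00:00:00 GMT" },
];

const DAY_MS = 24 * 60 * 60 * 1000;

// Split one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair: not a usable cookie
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Lifetime in whole days; null means a session cookie. Max-Age wins over Expires.
function lifetimeDays(attrs, now) {
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"])) {
    return Math.round((Number(attrs["max-age"]) * 1000) / DAY_MS);
  }
  const expires = typeof attrs.expires === "string" ? Date.parse(attrs.expires) : NaN;
  return Number.isNaN(expires) ? null : Math.round((expires - now) / DAY_MS);
}

// Simplification: compares host suffixes; production code needs the Public Suffix List.
function isThirdParty(pageHost, cookieHost) {
  return !(cookieHost === pageHost || cookieHost.endsWith("." + pageHost) ||
    pageHost.endsWith("." + cookieHost));
}

// Heuristic (assumption): 10+ digits or 16+ hex characters in a row look like a per-user ID.
function looksLikeUniqueId(value) {
  return /\d{10,}|[0-9a-f]{16,}/i.test(value);
}

function auditCookies(pageHost, observed, now = Date.now()) {
  const findings = [];
  for (const { host, header } of observed) {
    const cookie = parseSetCookie(header);
    if (!cookie) continue;
    const domain = typeof cookie.attrs.domain === "string"
      ? cookie.attrs.domain.replace(/^\./, "").toLowerCase() : host;
    const days = lifetimeDays(cookie.attrs, now);
    const thirdParty = isThirdParty(pageHost, domain);
    const uniqueId = looksLikeUniqueId(cookie.value);
    // Flag persistent third-party cookies that carry an identifier: these are
    // the ones that must not be set before the user's consent state allows it.
    findings.push({ name: cookie.name, domain, days, thirdParty, uniqueId,
      needsReview: thirdParty && days !== null && days > 0 && uniqueId });
  }
  return findings;
}

console.log(auditCookies("shop.example", OBSERVED));
```

Run against a capture taken before any consent has been given, every entry with `needsReview: true` is a tracker that loaded too early.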

Is web tracking legal?

Most data that cookies and website trackers collect is personal data, which is protected by various global data protection regulations. Website tracking is legal only if you ensure end-user privacy protection in accordance with the data privacy law in force in the user’s region, including collecting their explicit consent. How does this work in practice? Continue reading!

Website tracking in which people’s personal and sensitive information is harvested freely and without any regard to their privacy is illegal.

What do data privacy regulations say about website activity tracking?

If you have a website that tracks users or you want to start tracking users, the first thing you need to know is where in the world your website’s users are located.

This is because the location of your end-users will determine which data protection law applies to your website tracking’s online collection and processing of personal data.

The General Data Protection Regulation (GDPR) and website tracking

If you have users from the European Union (EU), then, regardless of where in the world you and your website are located, you need to be aware of the General Data Protection Regulation (GDPR) and its requirements for consent and other data protection obligations.

Tracking user activity on a website in compliance with the GDPR rests on three things:

  • explicit consent from end-users before tracking
  • extensive information about and transparency around your tracking practices
  • secure storage and documentation of end-user consents

Consent is a legal basis for obtaining user data under the GDPR. Website trackers that collect and process users’ personal data need the explicit consent of end-users before they can be activated and used for tracking website activity.

GDPR cookie consent must be given freely (i.e. not forced or as a condition for services) and it must be granular (i.e. users need to be able to give their consent to some website trackers and not others).

Your obligation to inform your users means that you need to tell them about:

  • what kinds of personal data your internet tracking tools collect
  • what purposes you collect personal data for
  • where you send personal data to
  • what third parties you share personal data with
  • what website trackers are used to collect and process data (e.g. cookies), including detailed data on their technical properties

Users must be made aware of all details about your web tracking practices before they can provide an informed, compliant consent. This information can’t be provided to them after they’ve given consent or be buried in a difficult legal text.

When a user consents to the website tracking on your domain, you need to document this consent and securely store it.

Consent must also be renewed every 6 to 12 months, according to relevant national data protection guidelines.

Personal data under the EU’s GDPR include, for example:

  • name, location, email, address,
  • IP addresses, search history, browser history,
  • purchase history, credit information, preferences and settings,
  • inferences about sexual orientation, political convictions, religious beliefs
  • …and more.

California Privacy Rights Act (CPRA), California Consumer Privacy Act (CCPA) and website tracking

If you have users from California, the state-wide California Consumer Privacy Act (CCPA), as amended by California Privacy Rights Act (CPRA), applies to your website tracking if you meet its definition of a business.

Unlike the EU’s GDPR, the CCPA doesn’t require you to obtain end-user consent before tracking users, but it does require you to provide all the same transparency around your website tracking practices as the GDPR, including:

  • what kinds of personal information you collect
  • what purposes you collect this personal information for
  • who you share this personal information with

End-users from California need to be able to opt out of your web tracking by a link that says “Do Not Sell or Share My Personal Information” on your website’s cookie banner. Should users click on this link, you’re not allowed to track their personal information any longer.

This is a manual process for users, who must click on this link for each website they visit. Users can also enable Global Privacy Control, a browser-based setting or extension where users set their privacy preferences, such as not wanting their personal data to be shared or sold. The extension then automatically notifies websites of these privacy preferences when the user visits. The CCPA/CPRA requires websites to respect the Global Privacy Control signals as a request to opt out, on par with the specific Do Not Sell or Share My Personal Information link.

Personal information under California’s CCPA includes:

  • name, location, email, address
  • IP addresses, search history, browser history
  • purchase history, credit information, preferences and settings,
  • inferences about sexual orientation, political convictions, religious beliefs

If your website processes any of the above information through cookies and website trackers, users must be notified about it in detail and also be given the choice of opting out of having their information collected and shared via third parties.

Website tracking in Brazil and South Africa

Users from Brazil and South Africa are also protected by data privacy laws that closely mirror the EU’s General Data Protection Regulation (GDPR) and give them enforceable rights of consent and transparency, just like users in the EU.

Compliance with Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) or South Africa’s Protection of Personal Information Act (POPIA) is mandatory if you have users from within these countries.

How can you comply with the legal requirements for site tracking?

There’s no doubt tracking website activity can be invaluable to understand users and make informed decisions, and it’s important to ensure you do so in a manner that complies with relevant data privacy laws and protects user privacy.

Adopt privacy-first website user tracking practices

Privacy-first web tracking is an approach to website analytics and user data collection that prioritizes user privacy and data protection. It’s designed in a way that respects user consent, only collects necessary data, and ensures the data is securely collected, stored, and processed in compliance with relevant data privacy laws.

This approach typically uses first-party cookies that gather data only on the customer’s own website, ensuring no cross-site tracking or third-party data sharing. Additionally, privacy-first tracking steers clear of invasive technologies like fingerprinting, prioritizing user privacy across web interactions.

Privacy-first web tracking aims to strike a balance between collecting valuable user data for website optimization and maintaining the integrity and confidentiality of user information.

Obtain legally valid consent

To comply with data privacy regulations that require opt-in cookie consent (such as the GDPR, LGPD and POPIA), it’s vital to obtain informed and explicit consent from users before collecting or tracking their data. Clearly explain the purpose, types of data collected, and its usage. This transparency not only meets legal requirements but also builds trust with your audience.

For jurisdictions where opt-out consent is mandatory (such as California), give users the ability to opt out of data collection and of the sharing or selling of their personal information. Clear instructions on how to do this should be provided, and their preferences must be respected and implemented.

Keep detailed consent records

Maintain records of user consent, including when and how it was given, what data is collected, and any involved third parties. This documentation is key to demonstrating compliance with data privacy laws.
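The consent rules described in this article (opt-in with granular, renewable consent under the GDPR, LGPD and POPIA; opt-out under the CCPA/CPRA, with Global Privacy Control honored as an opt-out) can be expressed as one server-side gate that decides which tracker categories may load. This is an added example, not part of the original article and not Cookiebot code; the region codes, category names, record fields and the 12-month renewal limit are assumptions.

```javascript
// Added example. Regimes follow the article: opt-in for GDPR, LGPD and POPIA;
// opt-out for CCPA/CPRA. Region codes are hypothetical.
const REGIMES = { EU: "opt-in", BR: "opt-in", ZA: "opt-in", "US-CA": "opt-out" };

// Hypothetical tracker categories; "necessary" never needs consent.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Assumption: renew after 12 months, the upper end of the 6 to 12 month window.
const MAX_CONSENT_AGE_MS = 365 * 24 * 60 * 60 * 1000;

// Constructed consent record: when and how consent was given, per category.
const SAMPLE_CONSENT = {
  givenAt: "2023-11-15T00:00:00Z",
  method: "banner-v3",
  categories: { preferences: true, statistics: true, marketing: false },
  optedOut: false,
};

// Global Privacy Control reaches the server as the request header "Sec-GPC: 1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Decide which categories may load for this request.
function allowedCategories({ region, headers = {}, consent = null, now = Date.now() }) {
  const regime = REGIMES[region] || "opt-in"; // assumption: unknown region gets the strictest regime
  const gpc = hasGpcSignal(headers);
  const allowed = new Set(["necessary"]);
  let needsPrompt = false;

  if (regime === "opt-in") {
    // Nothing beyond "necessary" loads without a stored, unexpired consent.
    // A malformed or future-dated timestamp counts as no consent.
    const age = consent ? now - Date.parse(consent.givenAt) : NaN;
    if (age >= 0 && age <= MAX_CONSENT_AGE_MS) {
      const granted = consent.categories || {};
      for (const c of CATEGORIES) if (granted[c] === true) allowed.add(c);
    } else {
      needsPrompt = true; // show the banner again and collect fresh consent
    }
  } else {
    // Opt-out: tracking is allowed until the user clicks the opt-out link
    // or the browser sends the GPC signal.
    const optedOut = gpc || (consent !== null && consent.optedOut === true);
    if (!optedOut) for (const c of CATEGORIES) allowed.add(c);
  }
  return { regime, gpc, needsPrompt, allowed: CATEGORIES.filter((c) => allowed.has(c)) };
}

console.log(allowedCategories({ region: "US-CA", headers: { "Sec-GPC": "1" } }));
```

In the browser the same signal is exposed as `navigator.globalPrivacyControl`, so a client-side tag loader can apply the same decision before injecting any tracker script.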

Implement a consent management platform

Use a consent management platform (CMP) like Cookiebot CMP for transparent and compliant user consent processes. The Cookiebot CMP plug-and-play compliance solution gives you:

  • a powerful scanner/cookie checker that detects all cookies and website trackers in operation
  • an unmatched consent solution that automatically manages all consents from your end-users and provides them with all the necessary and required information about your website’s tracking practices
  • secure storage and documentation of all end-user consents
  • automatic renewal of end-user consents
  • the tools to enable compliance with the EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and more data privacy laws.

Cookiebot CMP is a Google-certified CMP that integrates the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF) v.2.2, a requirement for serving ads to visitors in the European Economic Area (EEA) and the United Kingdom (UK) from 2024.

Cookiebot CMP fully supports Google Consent Mode and enables you to run Google’s site tracking tools also without cookies, should your users decline consent. With the advanced version of Consent Mode, you will be able to still collect non-identifying page tracking data if users opt out, including:

  • basic measurements
  • modeling data
  • timestamps of visits
  • user agent
  • referrer
  • information on user’s navigation

With the close partnership integration between Cookiebot CMP and Google Consent Mode, your website can get the best of both worlds – end-user data privacy protection without losing valuable website tracking insights.

Tools and technologies for tracking websites

There are many popular page tracking and analytics tools that offer different insights from different kinds of data that you can choose according to what’s best suited for your website and online business.

Here are some popular site tracking tools and a breakdown of how to use them in compliance.

  • Google Analytics
  • HubSpot
  • Clicky Analytics
  • Crazy Egg
  • Kissmetrics
  • Mixpanel

Website tracking tools: Google Analytics

When it comes to website tracking, Google Analytics is by far the most popular tool on the Internet, used by millions of websites across the world.

Google Analytics has a free version (Google Analytics 4 or GA4) that offers you both basic and detailed insights into your website’s performance, such as number of views, sessions, users and new users, and bounce rate, including information on your end-users (e.g. location, age, browser, device, screen resolution, etc.).

The paid version of Google Analytics is called Google Analytics 360, which offers more customization options and increased limits for GA4 property data collection, reporting and retention.

Using Google Analytics will set a third-party cookie from Google called _ga on your end-users’ browsers, which is used to measure and distinguish users. This cookie, which expires after two years, includes a unique ID that is able to track website users across the Internet.

Using Google Analytics to track users on a website therefore requires EU users’ consent before activation and requires notification for California users at the moment of collection.

Website tracking tools: HubSpot

HubSpot is also a hugely popular tool for website tracking and inbound marketing administration. HubSpot comes as both a free and paid version.

As with Google Analytics, HubSpot lets you track visitors and gives you detailed information on how they behave on your domain, including traffic and conversion analytics, your ad campaigns’ reach on social media and much more.

Using HubSpot as a website tracking tool will set several third-party cookies on your end-user’s browser, including the _hstc-cookie (responsible for collecting data such as timestamps on visits and sessions) and the _hubspotutk-cookie, which determines users’ identities with an opaque GUID (similar to unique ID).

Both cookies have a lifespan of 13 months.

Using HubSpot on your website will set third-party cookies that are not necessary for the performance of your website and therefore require the explicit and prior consent from users in the EU and the transparent notification of users in California before any collecting, processing and sharing of the information is allowed to take place.

Website tracking tools: Clicky

Clicky is another popular website tracking software that gives you statistics and analytics insights into your website.

What sets Clicky apart from Google Analytics and other services is that they offer heat maps of traffic on your website – i.e. visualizations of the data that you would otherwise have to read in numbers.

Clicky also sets website trackers on your visitors’ browsers. It uses a UID (Unique ID tracking cookie) to accurately distinguish between individual users.

The kinds of data that Clicky collects include referrer, user agent, browser language, screen resolution, mouse movement and behavior, IP addresses and more.

To use Clicky as your domain’s website tracking tool in compliance with the EU’s GDPR and California’s CCPA, you must ensure that you obtain the explicit consent of users in the EU and notify users in California of tracking.

Website tracking tools: Crazy Egg

Crazy Egg is another internet tracking software that brands itself on its “extra” features, such as heat maps, which can be used on top of basic measurements from Google Analytics and other website tracking tools.

As with Clicky, Crazy Egg’s heat maps visualize user traffic on your site, showing where users click, hover, scroll and more to give you a detailed picture of the gravitational pulls of your domain’s elements.

Crazy Egg also records the entire user session from landing on your site to converting or leaving.

Like all the other website tracking tools, Crazy Egg sets third-party cookies that require the explicit consent of users in the EU and notification of collection for users in California.

Crazy Egg sets cookies and website trackers, such as the ce.s-cookie that tracks whether a visitor has visited the site before (and lasts for 5 years on a user’s browser).

Use Cookiebot CMP on your website to make sure that all cookies and website trackers are detected and controlled based on your end-user’s consent state.

Website tracking tools: Kissmetrics

Kissmetrics is a website tracking tool designed specifically to break down how your users convert on your domain, with particular focus on reducing churn and increasing engagement through social media ad campaigns and email marketing.

Kissmetrics collects data through third-party cookies and website trackers on end-users, such as browser information, IP addresses, referring website, time of visit, operating system information, mobile device information and more.

Under both the GDPR and CCPA, much of the above data is defined as personal data/information. You will need explicit GDPR cookie consent, and you must notify users in California and enable them to opt out, before activating Kissmetrics as a web tracking tool on your domain.

Website tracking tools: Matomo

Matomo is a website tracking tool that offers insights into user behavior on your domain. Matomo positions itself as an ethical browser tracking solution that ensures “full data ownership”, user privacy and data protection.

Matomo primarily uses first-party cookies for data collection, thereby aligning with privacy-focused page tracking practices. It gathers information on end-users, including browser details, IP addresses (with an option for anonymization), visit times, operating systems, and mobile device usage, among others.

Matomo also enables cookieless tracking by disabling all cookies.


What is website activity tracking?

Website tracking involves monitoring online users’ activities and behaviors, primarily through cookies and other tracking technologies. Monitoring what’s tracking on a website serves as an effective method to gather user data, provided data privacy laws are adhered to.

How to track users on your website?

Website tracking can be done through the use of cookies and similar website trackers that collect behavioral data on your end-users to measure traffic and conversions. A variety of free and paid web tracking methods exist for you to use but be aware that you most likely need to comply with data privacy laws relevant in the user’s region for it to be legal.

Is website tracking legal?

Only if you comply with the relevant data privacy law in the region. If you have users from the EU, you are required to ask for and obtain their explicit consent before any tracking is allowed to happen. The same goes for users from Brazil and South Africa. If you have users from California, you are required to notify them about your website tracking data collection and enable them to opt-out.

How does internet tracking work?

Website tracking works with the use of cookies and similar tracking technologies that collect and process the actions of end-users to present you with aggregated and targeted statistics on their movements, interests, behavior and preferences. Third-party cookies can be privacy-invasive and always need the consent of end-users to be used. Internet tracking tools can help you gain insights into your website’s performance and ad reach.

How can I make my web tracking compliant?

Cookiebot CMP offers a plug-and-play compliance solution for your entire website, built around a powerful scanner that detects all cookies and trackers and controls them based on the consent state of your end-users. Using Cookiebot CMP in close integration with Google Consent Mode can give you tracking without cookies and valuable analytics insights into your website, when users don’t consent to being tracked on a detailed level.
