The problem with website analytics today (i.e. how I ditched Google Analytics)

Why are website analytics about privacy?

As a web developer living in Europe, I have witnessed many meetings, emails, phone calls, ... about GDPR and concerned clients about their website since it came into effect on May 2018. I am no lawyer (nor is this article legal advice), but GDPR is about collecting personal information. Cookies fall under the EU cookie directive (which has been in effect long before GDPR came to exist) and are about your consent to place non functional cookies on your device, i.e. analytical cookies.

The two start to overlap however when cookies are used for personal information, like for example: your IP address. 

Introducing Google

When you include Google Analytics in your website, by default, Google will place cookies on your device and store your IP address. Google can now use this information to keep a profile of your browsing habits, and track you along the way. And because Google Analytics is installed on > 60% of the top 1 million websites (according to BuiltWith), it does so on a immense scale.

The fact that Google places a cookie is not so much an issue. If you show the user an opt out (cookie banner / notice), you're perfectly fine. What's not fine, is that Google collects your IP address, and is thereby able to start tracking you, long after you've even left the site. 

Google offers an option to prevent this though: ga('set', 'anonymizeIp', true);. This is also what I've been doing for a while now. And I thought I was fine.

Here come the GDPR police

In December 2019, the first website in Belgium was fined for being in violation of the GDPR act. In the past I have been telling clients (and GDPR consultants 🙄) that it was fine if you included Google Analytics in your site without sharing the users IP address unless they consented. However, the privacy commission in Belgium recently overruled this. Read more about their decision (sorry, in dutch) here.

Reason being is the IP address is still being stored on Google servers before it is anonymized. Google's own statement reads:

"When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case."

This made the Belgian privacy commission decide that there is a period of time in which the full IP address is visible. And in addition, the full address is not being anonymized completely, which could still lead to identification.

git commit -m "Fix GDPR"

Maybe you're thinking, "Great, so I'm not allowed to use Google Analytics at all?". Of course not, but you need consent before including it. Even with IP anonymization. And that's exactly what every site on the internet is doing wrong at the moment. But I don't blame anyone, I've been doing it 'wrong' myself for years. Heck, even belgium.be is including Google Analytics before I've accepted the use of cookies. Even after I declined, they still include it.

As long as the government is not setting an example on how to do it right, you can't expect everyone to implement it correctly

In fact, one of the few website I came across that is not including analytics until after I've consented, is the Belgian privacy commission.

Being one step ahead

This is all, to say the least, very confusing. Web developers are no lawyers, and if the government is not clear about the correct implementation, then we'll all be in an indefinite discussion with the privacy commission about what's correct and what's not.

That's why I became tired of arguing, and decided to not work with Google Analytics anymore.

Website analytics should be about analytics. Not about who my users are, and definitely not about storing personal information about them. And secondly, I don't want to share their information with third party services anymore, like Google. 

Not surprisingly, SaaS companies dedicated to privacy focused website analytics are on the rise. After some research I came across Fathom Analytics. Not only do they take privacy seriously, they also offer an open source self-hosted version. I removed Google Analytics from this site (and will start contacting clients to make the switch as well). The OS version currently still uses a cookie, but the data is not being shared with anyone but myself, and for analytical purposes only. Fathom is also taking a stand in not collecting any personal information.

Integrating into Craft CMS

If you or your client are willing to support Fathom, please consider the Pro version. You won't have to worry about hosting, and you'll get a lot more data out of it. However, if you need some basic info on your site such as current visitors, page view count, etc. then go with the self-hosted open source version.

The downside however, is that you can't set up separate user permissions within Fathom Lite. I've created a set of Craft dashboard widgets to work around this. This way you can set up multiple sites for all your clients, and have them see reports right from within Craft, without sharing your Fathom user account with them.

Have a look at the Github repo, I hope you'll consider using it and ditching Google!