How to run analytics without a consent banner? It is simple; don't use cookies nor collect personal information.

Frankly, the amount of information our devices give away is scary. Amongst other places, it ends up in the dashboard of a company's analytics app. For product people like us, many of these data points turn out to be irrelevant when making important product or marketing decisions anyway.

Even Google's Head of Insights & Analytics, Janneke van Geuns, said that "The biggest misconception is the perceived need to capture and measure everything and anything." "A common belief is that if you capture every type of metric, it will tell you magically what works and what doesn't. Unfortunately, that is not how we get to insights, and would be comparable to having to find a needle in a haystack."

So, not only does harvesting data without intent can invade your users' privacy, but it can make your work more challenging. Keep it simple they say!

NOTEAnalytics/tracking were never included in our apps (mail.missiveapp.com, iOS, Mac, etc). This post is exclusively about our homepage and marketing site hosted at https://missiveapp.com.

The switch

We asked ourselves if it was time to switch to a less invasive analytics app than Google Analytics; one where lengthy privacy policies weren't needed to figure out their compliance with privacy laws of various countries (GDPR, CCPA, or PECR).

We realized that the answer was yes, a change was needed. Here are a few reasons why:

1. As an email collaboration tool, transparency and our users' privacy are paramount to us. Even if we were only including Google Analytics on our marketing site, we had to reference it in our privacy policy, which made it longer and scarier without a clear upside.
2. Many users are blocking invasive metrics scripts, skewing the quality of the data.
3. We hate those annoying cookie banners required to use Google Analytics legally in Europe. To scroll is not to give consent. So a veritable "consent-wall" is needed for it to be compliant.We are not fans of using free products; there is always a long-term hidden cost.

We looked at three potential replacements: Fathom Analytics, Plausible.io, and Simple Analytics.

After some due diligence, we decided to go with Simple Analytics, a product run by a small independent team from the Netherlands.

They were the only one not using fingerprinting to track users between page views. The upside is better privacy protection, the downside is the unique visitor metric can’t really be trusted.

But as seen here in this exchange between Rafael (our CTO) and the Fathom Analytics team, even with fingerprinting, the unique metric is not so reliable:

After a few days of using Simple Analytics, I'm happy to say it’s a far less overwhelming experience than the Google Analytics dashboard. You get a straightforward single-page dashboard with all the metrics they offer.

Privacy-first service

Let's explore what makes Simple Analytics a privacy-first analytics service:

• They don't save or collect IP addresses.
• They have an interesting way to detect unique visits, again, without cookies or IP addresses. They do it based on the hostname of the referrer of the page. They explain it like this: "When a user comes from one domain to another, their browser shares the previous domain with the next. If the current page's domain is the same as the one in the referrer, we know it's a non-unique visit." Not perfect, but good enough.
• They do collect and store timestamps, but those are entirely harmless and crucial for the graphs they generate.
• User Agents. They use them only for counting operating systems, device sizes, and browsers. They don't use User Agents for fingerprinting.
• Simple Analytics never tracks users, and by default, they ignore visits with Do Not Track (DNT) enabled.

The caveats

Simple Analytics currently offers these metrics: page view count, visitor count, referrals, top pages, screen widths, browsers, and countries. Seven metrics versus dozens in regular analytics apps. Is that a disadvantage? Not for us at the moment.

Since we don't plan to run ads anytime soon, we don't need to profile our audience, get their demographics, likes, interests, behavior patterns, etc.

Also, they don't crunch any data for you, so you will need to calculate ratios and percentages for traffic metrics manually. But again, not a problem for us.

They just rolled out cookie-less event tracking, which we will use to manually track some events like downloads.

On the other hand, they seem pretty engaged and are continually developing new features. You can see the whole roadmap.

And they were great at answering all our questions before the transition.

Conclusion

We traded a ‘free’, privacy-less, and complex analytic dashboard to a paid, privacy-first & simple one. We couldn’t be happier.

Also, thanks to this change our DuckDuckGo privacy rating was upgraded from C+ to B+

We have submited our Privacy Policy to the organization ToS;DR. DuckDuckGo works with them to provide these privacy grades. We will hopefully get the A grade soon.