How we do analytics without cookies
Conventional analytics invents a unique identifier for each visitor, so they can recognize that when you view different pages, you’re the same person.
They store this information in a cookie, which is just a piece of information stored on your computer.
There are many problems with cookies:
- They can track your behavior between multiple websites (e.g. Google/Facebook knows almost everything their users do) and users have no idea
- They can persist almost forever
- Most of your users will not consent to cookies, so you can’t legally measure those visitors
- Recent legislation (e.g. GDPR) means you need to ask for permission to use cookies, which is annoying and puts off your visitors
Here, we’ll outline the journey that your user data takes when visiting a website containing the Silktide Analytics script. We’ve split it into three parts, “Data Collection”, “Data Journey”, and “Privacy Preservation”.
Data collection
Step 1: Load the Silktide Analytics script
Silktide’s lightweight script is fast-loading at just 18 kB. It doesn’t set or require cookies.
Step 2: Establish if you are a new user
Privacy is the main priority for Silktide Analytics, so we do not store your IP address or User Agent alongside your browsing history. In order for your user data to be anonymized, we need to perform some math functions.
hash(ip + userAgent + propertyId + salt)
- To identify a visitor, Silktide Analytics combines their IP address (
ip
) and User Agent (userAgent
) using a cryptographic hash function with a rotating salt. That’s a mathematical way of encrypting some data in a way that cannot be reversed. - The resulting hash (
hash
) is a unique identifier for the visitor that cannot be reversed or used to track them across websites. - The hash is unique to each website (
propertyId
), which means it’s not possible to track the same visitor across multiple websites. We use SHA-256 (an industry-standard hashing algorithm) to generate our hashes. - The IP address and User Agent are immediately forgotten upon creating the unique identifier.
- The salt changes every 24-48 hours, which means the identifier also changes every day. The addition of salt also means that Silktide Analytics doesn’t need to store any personally identifiable information (PII), nor is able to restore any.
- The salt is never stored. After 24-48 hours, it is deleted forever. This means the hashes are not reversible, by Silktide or by anybody else.
When a user lands on a web page containing the Silktide Analytics script, a check is made against the unique identifier. If one is found, that user is classified as a returning visitor. If not, they are considered a new user.
All users are considered new if it’s been more than 24-48 hours since their last visit.
Data movement
Step 3: Send a page-view event
Once a user is identified as new or returning, a page-view event is sent to Silktide’s servers. The event looks similar to this:
{
"propertyKey": "5hej242d435g4k58l70f71043fwsr2733",
"url": "https://silktide.com/resources/",
"referrer": "https://silktide.com/",
"viewWidth": 885,
"events": [
{
"event": "page_load"
}
]
}
- The
propertyKey
is the unique identifier for our customer’s web property (i.e. their website or collection of their websites). Because we’ve included thepropertyId
in the hash function, the same visitor across different customers has a different identity to us. So even if we wanted, we could never determine if a visitor to one customer was the same as a visitor to another. - The
url
is the current web page the user has viewed - The
referrer
is the previous website the user visited. For privacy purposes, the full path is not stored or transmitted, only the domain. - We store the
viewWidth
of the user’s browser as a way of reporting what kind of device the user is visiting from. events
are either built-in Silktide Analytics events ( like apage_load
) or any custom event you set up yourself, like a specific button click or checkout submission.
All data is stored in the customer’s region of choice, either the EU or the US.
No data is transmitted between the two regions – they are entirely separate. This data segregation ensures your compliance with local privacy laws.
Step 4: Count bounce rate, time on page, and frustration events
Silktide measures common events that you’d expect in an analytics platform, but without you having to set up any complicated additional scripts.
By default, we include a measure of time spent on the page, and whether a user visits only that page before leaving. We also measure how far down a page a user reads, which helps you understand how engaging your content is. We show click events that have no outcome as a measure of user frustration.
All this information is presented in heat maps, which are unlimited and available on every page you have tested with Silktide.
An example of the types of events Silktide measures in order to report on this data is outlined below:
{
duration: 8,
event: "page_update",
maxScroll: 100,
readToSelector: "#blog-post-1",
readWords: 709,
totalWords: 4231,
usedKeyboard: false,
usedMouse: true,
usedTouch: false,
}
Privacy preservation
Step 5: Customer data is privacy-safe
Your customer data has now completed its journey. By using the methods above, it’s possible for you to comprehensively track user behavior without invading their privacy
- Silktide Analytics preserves privacy by not using cookies
- Visitors are given unique identifiers that cannot be tracked across websites
- Silktide Analytics never stores any personally identifiable information (PII)
- Data is stored in compliance with EU data privacy laws
- Silktide Analytics deliberately never stores text entered into a search box or a form, including query parameters
- Referrer data is simplified to just the website and not the specific webpage
Is there a trade-off in the data I can collect versus, say, Google Analytics?
To an extent, yes. With Google Analytics, and indeed any analytics product that sets a cookie, you can get data from returning visitors for an almost indefinite amount of time. This is because once the cookie is set, it’s stored on the user’s computer. If it’s not set to expire by the company setting it, or deleted by the user from their device, that person can be identified forever whenever they return.
This is not great for user privacy. Notably, platforms like Google or Facebook, which have their tracking pixels across many millions of websites, can track user behavior on whichever website they visit. They use this data to create a profile of a visitor and serve adverts. This is why you see adverts related to things you may have recently searched for or websites you’ve recently visited, regardless of which website you are currently visiting.
Silktide’s approach is more privacy-friendly. We can see a visitor as returning if they come back within 24-28 hours, but after that, they are completely forgotten and appear as a new user. However, during the time they visit, we can still give you all the statistics you’d expect from an analytics platform like the pages visited, the length of visit, and more. On top of this, we include an unlimited heatmap solution, so you can see user behavior on every page of your website.
The benefit of our approach is that you could, if you’re not using other tracking pixels that set cookies, remove your cookie consent banner. For EU web visitors, this provides a much better user experience.
Frequently asked questions
Big tech tracks your every move online. Under GDPR, it’s illegal for personally identifiable information to be sent outside the EU. But Google’s servers are located in the US, so by using Google Analytics you could be breaking the law. Not just this, but Google also tracks user data, building a profile of online activity online. That profile is used to send targeted ads to users whichever website they visit. All this is made possible by the use of third-party cookies. Eliminate cookies, and you can help to eliminate user tracking online and create a more privacy-focused Internet.
No. Silktide Analytics is designed to ignore or forget all of the following: IP address, User agent, Precise location (we only remember country + region, e.g., US state), query parameters (except where the customer has explicitly indicated a parameter is safe), or form data.
No. Cookies are not required. This means you can ditch your cookie popup banner, which is intrusive and has made the web worse for everybody.
Potentially. If you only use Google Analytics, then you could remove that script, implement Silktide Analytics, and you wouldn’t need a cookie popup anymore. Most people will use many third-party cookies (Facebook, Twitter, live chat widgets, etc.), so you’d have to remove those before removing your cookie popup.
Yes. You can create a single analytics “property” and share it over multiple domains.
Yes. Silktide Analytics is compliant with all global privacy laws, including GDPR and CCPA. No personally identifiable user data is stored, and no cookies are set.
No. By design, we do not store anything that could be used to identify individuals, e.g. IP address, cookie, email address, query parameter, form entries, or User ID.
This applies even if the user is logged in to your website. Some analytics platforms are designed to store logged-in visitor behavior. Silktide is deliberately designed to not do this.
Yes. By default, Silktide can only identify someone if they return within a 24 to 48-hour window of their last visit. This helps ensure our high standards for visitor privacy.
When we receive an event from a visitor, we use their IP address to look up their country and region, and then we immediately forget their IP address and only store these two pieces of information. This means that we never know the specific location of a visitor (e.g. their city, or street), and only store the broad location so it can be reported on in aggregate. We don’t believe analytics has any morally defensible need to store more accurate geographic data on visitors than this.
Yes. All of our regular analytics work in the same way whether on a public website or a private intranet. Heatmaps aren’t possible for private pages by default – this is true for all heatmaps solutions, not just Silktide. Generally, unless Silktide can “see” a page itself, it can’t show the page to put a heatmap over it.
Yes, all analytics data is encrypted “at rest” (i.e. when stored), and also “in flight” (when being sent between computers, e.g. from Silktide to you over our web interface).
There’s a very simple setup process that takes about a minute. Silktide gives you a snippet of JavaScript code to copy into your website. This is the same requirement for all web analytics platforms, so if you’re using any analytics already, you’ve already done this before.