GDPR and CPRA: rethinking analytics

The screenshot is from my laptop with macOS Big Sur using Safari.

It’s time to be a little hard with the bullshit about analytics and trackers.
Do you need all your trackers?
Do you want to ask your user to consent to a very long list?

We are living with GDPR and CPRA soโ€ฆ Let’s start rethinking analytics!


California Privacy Rights Act (CPRA) includes all parts of the California Consumer Privacy Act (CCPA) and reinforces it.

At this time (July 5th, 2020), GDPR and CCPA are effective. So each part where I indicate that it’s from/included in CCPA, it’s effective right now.

effective Date May 25th, 2018 January 1st, 2023
who is regulated Controllers Businesses (CCPA)
who is protected Data Subjects Consumers (CCPA)
children get special protection โœ… โœ… (CCPA)
covers Employees โœ… right to erasure/right to be forgotten
what information is protected Personal data Personal info (CCPA)
additional restrictions on sensitive data โœ… โœ…
exemptions โœ… โœ… (CCPA)
lawful bases to process personal data โœ… โŒ (CCPA)
law is protected from watering down โŒ โœ…
right to know / right to be notified โœ… โœ… (CCPA)
right to access โœ… โœ… (CCPA)
right to correct / right to rectification โœ… โœ…
right to limit the use of sensitive personal information
(including precise geolocation)
โœ… โœ… (CCPA)
right to restrict processing โœ… โœ…
right to data portability โœ… โœ… (CCPA)
right to “Opt-Out” / right to say no โœ… โœ… (CCPA)
right to reject automated decision-making and profiling โœ… โœ… (provide )
right to reject automated decision making and profiling โœ… โœ…
right to no retaliation/right to not be discriminated against โœ… โœ… (CCPA)
privacy policy disclosure โœ… โœ… (CCPA)
data protection by design and default โœ… โœ…
written contracts with processors, service providers,
contractors, third parties
โœ… โœ… (CCPA)
maintain records of processing activities โœ… โœ…
respond to rights requests โœ… โœ… (CCPA)
new homepage links required
(ex. limit use of sensitive personal information)
โŒ โœ… (CCPA)
implement appropriate security measures โœ… โœ… (CCPA)
security breach notification โœ… โœ… (CCPA)
data protection impact analysis โœ… โœ…
data protection officers โœ… โŒ (CCPA)
adhere to the rules of cross-border data โœ… โŒ
dedicated supervisory authority โœ… โœ…
penalties (civil fines) โœ… โœ…
penalties (private rights of action) โœ… โœ…

No tracker on my blog?

You have no banner or selector about cookies or consent because I don’t use trackers.
I replaced trackers like Google Analytics, and Matomo (ex Piwik) with a customized web server and reverse proxy.

You can’t imagine what your browser can tell about you without using JavaScript, it’s incredible.

My stack

For a business reason, I won’t give you all information about how I get and analyze metrics but these are the big lines:

  • database with homemade functions
  • homemade module for reverse proxy and web server
  • message broker
  • workers to parse each message and send it to the database
  • dashboard to analyze and get alerts if needed

I don’t need Google Analytics to know your screen size because I know with which image is loaded, thank you HTML5 and CSS3.

Analytics = just what you need

You need to limit the information that you ask/collect to what you need, thank GDPR to remember it.
Let’s think about what metrics do you needโ€ฆ

  • URL
  • number of views
  • number of errors like trying to go to a restricted page or trying to brute-force
  • user’s country (easy with your IP) but I don’t need to save this IP, just the country, It is so easy and a lot more privacy-friendly
  • screen size
  • the language accepted by the browser

It’s just an example but please, stop accumulating 5/10/20 trackers just to know what you can know just by reading correctly information from the user’s browser and your reverse proxy/webserver.