Plausible Privacy Policy

On this blog, I use Plausible Analytics to track the usage of my website while respecting the privacy of my visitors. Even though the purpose of Plausible Analytics is to track website usage, this can still be done without collecting any personal data or personally identifiable information (PII), without using cookies and while respecting the privacy of the website visitors.

Here’s a closer look at my data policy, the information that I do collect, what I use it for, and the steps I’ve taken to comply with the cookie law and the privacy regulations such as the GDPR, CCPA, and PECR.


❯  First things first: What I collect and what I use it for

I do not track people across their devices and across websites and apps that they visit. All the data is isolated to a single day, single website, and single device only. There is no way to know whether the same person visits a site from more than one device or visits another website. See here the full list of what makes Plausible a privacy-first web analytics tool.

The goal of Plausible is to track overall trends in your website traffic; it is not to track individual visitors. I don’t use cookies, I don’t generate any persistent identifiers, and I don’t collect or store any personal or identifiable data. All of the data is aggregated data only and it has no personal information.

By using Plausible Analytics, all the site measurement is carried out absolutely anonymously. I measure only the most essential data points and nothing else. All the metrics I do collect fit on one single page. Here is the complete list of what I collect and store about your website visitors:

| Data point | Example | Comment |
| --- | --- | --- |
| Page URL | `https://blog.laromierre.com/who-am-i/` | We track the page URL of each page view on your website. We use this to show you which pages have been viewed and how many times a particular page has been viewed. The hostname and path are collected. Query parameters are discarded, except for these special query parameters: `ref=`, `source=`, `utm_source=`, `utm_medium=`, `utm_campaign=`, `utm_content=` and `utm_term=`. |
| HTTP Referer | `https://facebook.com` | We use the referrer string to show you the number of visitors referred to your website from links on other sites. |
| Browser | `Chrome 86.0` | We use this to show you what browsers and browser version numbers people use when visiting your website. This is derived from the User-Agent HTTP header. The full User-Agent is discarded. |
| Operating system | `macOS 10.15` | We use this to show you what operating systems people use when visiting your website. We show the brand of the operating system and the version number. This is derived from the User-Agent HTTP header. The full User-Agent is discarded. |
| Device type | `Desktop` | We use this to show you what devices people use when visiting your website. Devices are categorized into desktop, mobile or tablet. This is derived from the User-Agent HTTP header. The full User-Agent is discarded. |
| Country, region, city | `France, Île-de-France, Paris` | We look up the visitor’s location using their IP address. We do not track anything more granular than the city level and the IP address of the visitor is discarded. We never store IP addresses in our database or logs. |
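
The Page URL rule above, as an added Python sketch (not Plausible's own code): the function name and the sample URL are constructed for the illustration, and the rule is applied as an exact-match allowlist on parameter names.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The seven query parameters the policy says are kept; everything else is dropped.
KEPT_PARAMS = frozenset({
    "ref", "source", "utm_source", "utm_medium",
    "utm_campaign", "utm_content", "utm_term",
})

def stored_page_url(raw_url):
    """Reduce a requested URL to what the policy says is stored:
    hostname + path, plus only the allowlisted query parameters."""
    parts = urlsplit(raw_url)
    kept = [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name in KEPT_PARAMS]
    # .hostname drops any user:password@ prefix and port; the fragment
    # is replaced by "" so it never reaches storage either.
    return urlunsplit((parts.scheme, parts.hostname or "", parts.path,
                       urlencode(kept), ""))

# Constructed sample: a campaign link that also carries a session token.
SAMPLE = ("https://blog.laromierre.com/who-am-i/"
          "?utm_source=newsletter&token=abc123&ref=hn#comments")

if __name__ == "__main__":
    print(stored_page_url(SAMPLE))
```

Secrets that applications sometimes place in query strings (reset tokens, session ids, e-mail addresses) fall outside the allowlist and are discarded along with every other unlisted parameter.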

❯  How I count unique users without cookies

Counting unique visitors is an integral part of web analytics. Plausible attempts to strike a reasonable balance between de-duplicating pageviews and staying respectful of visitor privacy.

I do not attempt to generate a device-persistent identifier because such identifiers are considered personal data under GDPR. I do not use cookies, the browser cache or local storage. I do not store, retrieve or extract anything from visitors’ devices.

Every single HTTP request sends the IP address and the User-Agent to the server, so that’s what I use. I generate a daily changing identifier using the visitor’s IP address and User-Agent. To anonymize these data points and make them impossible to relate back to the user, I run them through a hash function with a rotating salt.

hash(daily_salt + website_domain + ip_address + user_agent)

This generates a random-looking string of letters and numbers that is used to calculate unique visitor numbers for the day. The raw IP address and User-Agent are never stored in my logs, databases or anywhere on disk at all.

Old salts are deleted every 24 hours to avoid the possibility of linking visitor information from one day to the next. Forgetting used salts also removes the possibility of the original IP addresses being revealed in a brute-force attack. The raw IP address and User-Agent are rendered completely inaccessible to anyone, including myself.

In my testing, using IP addresses to count visitors is remarkably accurate when compared to using a cookie. In some cases it might even be more accurate than using a cookie because some visitors block cookies altogether.

The biggest limitation with this approach is that I cannot do good retention analysis with Plausible. I cannot show stats like New vs Returning visitors because they rely on having a persistent user identifier.

If the same visitor visits your site five times in one day I will show that as one unique visitor. But if the same visitor visits your site on five different days in a month I would show that as five unique visitors.
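
The daily-salt counting described in this section, as an added Python sketch (not Plausible's own code): SHA-256, the 16-byte salt, the NUL field separator and the sample traffic are assumptions made for the illustration.

```python
import hashlib
import secrets
from datetime import date, timedelta

class DailySalt:
    """Keeps only the current day's salt, in memory. Rotating overwrites the
    previous salt, so earlier identifiers can no longer be recomputed."""
    def __init__(self):
        self._day, self._salt = None, None

    def for_day(self, day):
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(16)
        return self._salt

def visitor_id(salt, domain, ip, user_agent):
    # hash(daily_salt + website_domain + ip_address + user_agent); the salt is
    # fixed-length and the fields are NUL-separated so boundaries stay unambiguous.
    fields = b"\x00".join(f.encode() for f in (domain, ip, user_agent))
    return hashlib.sha256(salt + fields).hexdigest()

def unique_visitors(events):
    """events: (day, domain, ip, user_agent) tuples in chronological order.
    Returns {(day, domain): number of distinct identifiers}."""
    salts, seen = DailySalt(), {}
    for day, domain, ip, ua in events:
        vid = visitor_id(salts.for_day(day), domain, ip, ua)
        seen.setdefault((day, domain), set()).add(vid)  # only the hash is kept
    return {key: len(ids) for key, ids in seen.items()}

# Constructed sample traffic: one visitor, five page views on the first day,
# then one page view on each of the next four days (documentation IP range).
SITE = "blog.laromierre.com"
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
DAY1 = date(2024, 3, 1)
EVENTS = [(DAY1, SITE, "203.0.113.7", UA)] * 5
EVENTS += [(DAY1 + timedelta(days=n), SITE, "203.0.113.7", UA) for n in range(1, 5)]

if __name__ == "__main__":
    counts = unique_visitors(EVENTS)
    print(counts[(DAY1, SITE)])   # unique visitors on the first day
    print(sum(counts.values()))   # daily uniques summed over the five days
```

Because each day's identifier is derived from a fresh random salt, the same IP address and User-Agent produce unrelated identifiers on different days, which is why the five-day visitor is counted five times.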


❯  Hosted on Private Servers in France

I am an individual, self-hosting Plausible Analytics on my private servers located in France. This ensures that all of the website data is protected by the European Union’s strict data privacy laws.

The servers are privately owned and operated by myself, ensuring that all visitor data I collect is processed exclusively within this secure environment.

For encryption, I use HTTPS in transit and a hashing process at rest. I also perform regular backups, which are stored in France in a redundant site.

I have minimized the use of external services, and none of them have access to any of the data that I collect. No third-party vendors are involved other than myself, who owns the servers where the data is stored.

You don’t have to worry about Schrems II and its impact on the EU-US Privacy Shield. Your website data never leaves the EU.


❯  Data ownership of your web analytics

When you visit my blog, Plausible Analytics will collect information about your visit. You entrust me with your site data and I take that trust to heart. The privacy of your site data — and it is your data, not mine! — is a big deal to me.

By using Plausible, you keep 100% ownership of your website data. Although your site analytics are stored on my server when you visit my blog, you remain completely in control of your site data and you fully own all of your data too.

You own all right, title, and interest to your website data. I obtain no rights from you to your website data. I will never sell your site data to, or share it with, any third parties.

Your website data is not shared with advertising companies or any other companies in general. Your website data is not sent to any third parties at all. Your website data is not mined and harvested for personal and behavioral trends. Your website data is not monetized.


❯  Why should I trust you?

Plausible is an open source website analytics tool. Its source code is available and accessible on GitHub so you can read it and review it to ensure this code does what I say.

I am not a black box. Everything is in the open. Anyone can view, review and inspect the code I’m running to verify that I practice what I preach.

This is essential in the market of privacy software. Corporations and proprietary software cannot always be trusted when data is in question. The only way to prove trustworthiness is to allow experts to look into the code and verify that they are actually doing what they say they are doing.

Here’s also an independent legal assessment on GDPR-compliance of Plausible Analytics written by an experienced data protection expert and lawyer.

I encourage you to discuss specific issues with your lawyer to help you decide whether my service allows you to fulfill the legal requirements that apply to you.


❯  GDPR, CCPA and PECR compliant web analytics

By using Plausible, there is no need to have any GDPR, CCPA or PECR prompts and no need for a complex privacy policy about the use of analytics and cookies. With Plausible, no personal data are tracked after all. Visitors can enjoy the site without any annoyances and distractions.



Licensed under CC BY-NC-SA 4.0