Cookie vs. fingerprinting vs. localstorage: how to determine whether a pageview is unique?

[dannyvankooten]

Hello everyone,

We would like to use this as a place to discuss how we should implement the feature that detects whether a pageview is unique? There are several feasible approaches:

• Store a list of visited pages in a client-side cookie which expires in a couple of hours.
• Store a list of visited pages in localstorage along with the timestamp of the most recent pageview.
• Store a list of visited pages on the server keyed by the hash of a daily rotating seed + the visitor's browser agent and IP address.
• Any of these but combined with an option to not determine uniqueness at all?

Plausible, Fathom and others are doing the server-side fingerprint thing nowadays, all claiming it is compatible with both GDPR, CCPA and "Cookie Law" out of the box without any extra considerations.

Some users are thinking otherwise though - and I think they may be right.

Here's my take on the pro's and cons of each approach:

---

Cookie

Pro's:

• Can be inspected and cleared by the client.
• Nothing is stored on the server.
• Automatically expires.
• Lots of tooling related to asking permissions for setting a cookie.

Cons:

• Needs consent.
• Limited to 4 KB of data.
• Sent with every request, thus a bit wasteful, esp. since we have to store pathnames now.

---

LocalStorage

Pro's:

• Can be inspected and cleared by the client.
• Nothing is stored on the server.
• Plenty of storage space (8MB).
• Not sent with every request.

Cons:

• Does not automatically expire. Can be easily cleaned through browser settings though.
• Probably still falls under ePrivacy directive or "Cookie Law"? Needs consent?

---

Server-side fingerprint

Pro's:

• No cookie, so does not need consent. At least according to Plausible and Fathom.
• According to others (but IANAL), GDPR does not apply as long as the user agent and IP address used for the look-up is properly anonymized.
• Simplifies the client-side tracking script.

Cons:

• Does need consent, according to others.
• Less transparent.
• Some data is processed (user agent, IP address) and the list of visited pages is stored on the server.
• Slightly more complex server-side logic in the /collect endpoint.

---

Related reading

• "No need for cookie banners", Plausible GitHub Discussions
• GDPR compliant website analytics without cookies, Fathom
• Do cookie-free analytics need compliance pop-ups?, Johan Fagerberg's blog
• Wave of lawsuits in Austria due to use of Google Fonts, Patrick Riedl's blog

[dannyvankooten]

I just came across medama which has a really unique approach of using HTTP Cache headers to determine whether a visitor is unique.

Relevant source files are tracker.js and core/services/event.go.

We need to experiment with this but in theory, it should solve all the issues we have with the fingerprinting method.