You could just do "Set-Cookie: visited=true; Max-Age=<interval>". No unique id, but you still can count uniques by checking requests for the lack of that cookie. This cookie is not personal information, and cannot be used to identify a person, not even indirectly, and thus needs no consent. This is basically what most of those "cookie banners" do anyway, set a preferences cookie - that cannot be linked back to a person, if done properly.
Or if you want to avoid the cookie altogether, you could use some static, cacheable resource with a cache expiration date. Basically the good old counting pixel. Almost the same as the non-identifying cookie, except caches are more likely to be automatically evicted by browsers.
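The cookie-based counting described at the top of this thread, as an added example that is not part of the original discussion. The one-day interval, the `Path=/` attribute and the names `has_marker`, `UniqueCounter` and `replay` are assumptions made for illustration; the sample traffic is constructed and includes a client that discards cookies, which this scheme counts again on every request.

```python
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "visited"   # cookie name and value come from the comment
INTERVAL = 24 * 60 * 60   # assumption: count uniques per day (seconds)

def has_marker(cookie_header):
    """True if the request's Cookie header carries visited=true."""
    if not cookie_header:
        return False
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return False  # unparseable header: treat as a new visitor
    morsel = jar.get(COOKIE_NAME)
    return morsel is not None and morsel.value == "true"

class UniqueCounter:
    """Hypothetical helper: counts requests that arrive without the marker."""
    def __init__(self):
        self.hits = 0
        self.uniques = 0

    def handle(self, request_headers):
        """Count one request and return the response headers to add."""
        self.hits += 1
        if has_marker(request_headers.get("Cookie")):
            return {}
        self.uniques += 1
        # Every client gets the same constant value, so the cookie carries
        # no identifier. Path is an added assumption so it covers the site.
        return {"Set-Cookie": f"{COOKIE_NAME}=true; Max-Age={INTERVAL}; Path=/"}

def replay(requests):
    """Feed a list of request-header dicts through a fresh counter."""
    counter = UniqueCounter()
    for headers in requests:
        counter.handle(headers)
    return counter.hits, counter.uniques

# Constructed sample traffic (not real logs).
SAMPLE = [
    {},                                      # first visit
    {"Cookie": "visited=true"},              # same browser returns
    {"Cookie": "theme=dark; visited=true"},  # marker among other cookies
    {},                                      # client that discards cookies
    {},                                      # same client again: overcounted
]
```

Calling `replay(SAMPLE)` returns the hit count and the unique count for the constructed traffic.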
The only thing that matters about cookies is whether they are necessary, not whether they contain identifying information. Even duration doesn't matter. They should be explained to the user, but consent is not necessary.
Some cookies are even mentioned specifically as allowed. The example given is keeping track of a shopping cart across visits. Do that, and you have your uniques. While hinted at, it does not specifically mention those have to be session cookies: you could have a banner with "accept cookies", then use session cookies whether or not accept is pressed. It even seems to be common practice to hide explanations behind a "more info" button.
It all depends on if you are a logged-in user with a session or not. You can log in to an account from any number of devices but you are still only one user in the metrics.
Services like this make it trivial to land in court, because they nudge their customers to collect data under the pretense of error analysis, a valid business interest not requiring consent, and then use the data for behavior analysis and profiling. If, as a user, you can't turn off the latter without damaging the former, you got sold shit and should take your business elsewhere.
rndgermandude|3 years ago
candiodari|3 years ago
https://www.privacypolicies.com/blog/eu-cookies-directive/
I'm pretty sure "uniques" stats don't require you to violate the EU cookie directive.
hedora|3 years ago
philistine|3 years ago
minusf|3 years ago
nikeee|3 years ago
[1]: https://www.goatcounter.com
kenniskrag|3 years ago
minusf|3 years ago
Jon_Lowtek|3 years ago