Compliant Website Tracking Guide: How To Track Users Legally


Web tracking lets a business monitor its users’ online behaviors and habits so it can tailor the online experience to each user.

Website tracking, however, is not popular with everyone.

Public awareness of web tracking and data collection has significantly increased over the past few years. As a result, consumers have become more conscious of who is tracking them, and data privacy laws have popped up worldwide.

This article will help you understand how to use website tracking to grow and scale your business while complying with these new governmental regulations.

Table of Contents
  1. What Is Website Tracking?
  2. Benefits of Tracking Users
  3. Web Tracking Methods
  4. Is Website User Tracking Illegal?
  5. Data Privacy Regulation on Website Activity Tracking
  6. How To Track Website Visitors and Be Compliant
  7. What Are the Best Website Tracking Tools?
  8. Summary

What Is Website Tracking?

Website tracking is the practice of monitoring a user’s behavior when they visit a website, then collecting and analyzing that data. This is a vital tactic for many businesses these days.

For example, say you operate an online appliance store, and a user visits your website to research vacuums. Later on, as they’re browsing social media, advertisements for vacuums appear on their screen.

This is a form of web tracking called retargeting.

Here are some more examples of how you can track user activity:

  • Track store website logistics such as account login information or previous purchase list
  • Monitor traffic to the website
  • Track user behavior and preferences

Tracking users’ behaviors on your website can give you access to useful information such as:

  • Who visits your website
  • The length of their stay on your website
  • Actions they take on your website

This information can help you in multiple ways.

For example, you’ll be able to determine if you are targeting the proper audience or if you should expand your target market. Additionally, you’ll have the information to tailor your website to your users’ preferences and make necessary improvements.

First-party vs. Third-party Tracking

There are two types of website user tracking: first-party tracking and third-party tracking.

First-party Tracking

First-party tracking is performed by the website the user visits, typically by using tracking cookies. The website tracks the user’s behavior and what they browse on the website. The data collected from the tracking is then used to improve the user experience on the website.

For example, suppose a user goes to an online supermarket website and searches for fruit. The next time they visit the website, they will see links to the pages of fruit.

First-party tracking saves the user’s preferences and settings on your website so they can have a positive online experience. These cookies expire once the user leaves your website.

Third-party Tracking

This type of tracking is performed by a website — or party — that is not the original one a user visited. It’s usually achieved by having tracking cookies placed on a website by third-party sites or software.

Businesses primarily use these types of cookies for advertising purposes.

For example, suppose a website (the host) allows another website to advertise on it. The advertising website collects information about the user of the host website. Third-party tracking cookies stay in the browser longer than first-party tracking cookies.

What Is Cross-website Tracking?

Cross-website tracking uses a tracker or piece of code to follow a website user when they visit other websites. The purpose is to investigate the reason the user visits the other websites.

Benefits of Tracking Users

There are numerous benefits to tracking your website users if done according to data privacy regulations:

  • Website Performance: Tracking users can help you to understand if your website performs properly. You’ll be able to detect any glitches that affect user experience so they can be corrected immediately.
  • Monitor User Behavior: Tracking website users allows website owners to understand their users’ behavior, which is crucial to website performance. If you can understand why users are acting a certain way on your website, you can improve different features and tailor settings to each user’s behavior.
  • Advertisement Improvement: Tracking website visitors will let you see which advertisements work. You can tell if a user clicked on an advertisement to get to your website. You’ll also be able to tell which advertisements on your website the user clicks on. This allows you to optimize your marketing initiatives.
  • Traffic Control: Tracking user traffic to your website will allow you to identify the origin location of your visitors. For example, did they arrive at your website from clicking an advertisement? Did they get there from a marketing email? Or were they redirected from a search engine? This will also allow you to improve your marketing techniques.

What Visitor Activity Can Be Tracked?

What you choose to track will depend on your business purposes and objectives, as long as you comply with applicable data privacy laws. Examples of visitor activities that can be tracked include:

  • Page Traffic: How many times does a user go to each website page?
  • Click Rates: How often does a user click on a particular website section?
  • Origin of Traffic: Where do the website users come from? (Are they directed from an ad or Google?)
  • IP Addresses: These will help to determine user location.
  • Voluntarily Provided Information: This includes the user’s credit card information or delivery address.
  • The medium used to access the website: This may include a computer, tablet, or mobile device.
  • A visitor’s interests or habits: This can help you decide on features to implement and how to improve your site.

Web Tracking Methods

Websites can track their visitors by utilizing different tracking methods. Here’s a list of some of the most popular site tracking methods:

IP Tracking

Every user’s device has a unique “address” made up of numbers. This is called an Internet Protocol address or simply an IP address. Website operators can use users’ IP addresses to determine their location (city and country). This aids in determining demographics, advertisement strategies, and how to target customers.


Cookies

Another popular website tracking method is cookies — small bits of data that websites store on a user’s device. With cookies, websites can remember a user’s preferences and tailor their experience to those preferences.

Cookies can be temporary or permanent:

  • Temporary cookies can disappear when the user leaves.
  • Permanent cookies remain on a computer or other device.

Additionally, there are two types of cookies: first-party and third-party cookies.

  • First-party cookies follow a user as they surf a website.
  • Third-party cookies follow a user as they surf from website to website.


Fingerprinting

Fingerprinting is when a user’s account settings and browser information are compiled to build a profile about the user. This tracks a user across the website they are visiting and other websites.

Information compiled includes:

  • Device
  • Operating system
  • Browser
  • Language
  • Time zone

Pixel Tracking

Pixels are small images that load onto web pages and emails. They can be used to determine if an email was opened or if a web page was visited, among other functions.

Is Website User Tracking Illegal?

Website user tracking is not illegal — but data privacy laws now regulate it. Governments worldwide have implemented laws and regulations concerning data privacy and website user tracking.

Most of these laws affect website tracking by requiring businesses to obtain user consent before tracking them.

Businesses that service users who live in areas with these laws must first inform users of their data collection and tracking practices and then obtain their consent to do so.

The purpose of consent is to give users control of their personal information and let them decide whether they want websites to track them.

Data Privacy Regulation on Website Activity Tracking

Due to increases in illegal user tracking, data breaches, data selling, and more, national and regional governments have stepped into the arena to protect the privacy rights of their citizens.

Here are some of the most significant data privacy regulations you need to be aware of:

GDPR and Website Tracking

The General Data Protection Regulation (GDPR) was passed by the European Union and enacted in May 2018. It’s a very strict law that protects the data privacy of people in the European Union, Switzerland, Iceland, Liechtenstein and Norway.

Here is a brief overview:

A website operator who collects data from or offers goods and services to citizens or residents in the EU must comply with the GDPR or face harsh penalties. This applies even if you are not located in an EU country.

Under the GDPR, companies cannot process personal data without a lawful basis, such as user consent.

Personal data is defined as:

  • Names and email addresses
  • Location information, like an IP address
  • Ethnicity, gender, religious beliefs, and political opinions
  • Biometric data
  • Web cookies

Data processing is defined as an action performed on data. This basically means anything done to data is data processing, such as tracking, storage, collection, and selling of data.

Websites can only use visitors’ personal data if they meet one of the following criteria:

  • User gave consent
  • Processing is necessary to execute or enter a contract
  • Complies with a legal obligation
  • Saves somebody’s life
  • Performs tasks in the public interest
  • There is legitimate interest

One of the main issues you’ll have to deal with is whether you provide the user with enough information and transparency about the web tracking to constitute consent under the GDPR.

Consent must be “freely given, specific, informed and unambiguous” by the user and must be easy to understand in plain language.

The GDPR penalties and fines are unforgiving. If you are found to have violated a provision of the GDPR, you can face very high fines of up to €20 million ($20.3) or four percent of your global revenue, whichever is higher.

Individuals whose data was breached can also seek compensation for any damages from the breach.

CCPA and Website Tracking

The California Consumer Privacy Act (CCPA) is a data privacy law enacted by the California state legislature in June 2018. Like the GDPR, it was passed to protect the data privacy and security of its inhabitants.

You’ll fall under the CCPA’s jurisdiction if you meet the CCPA definition of a business:

  • You operate for profit.
  • You are based in California.
  • You collect the personal information of your users.
  • You are in control of defining the purpose and method of processing the personal information.
  • You meet one of the following criteria:
    • You have more than $25 million in yearly gross revenue.
    • You buy, receive for a commercial purpose, sell, or share the personal information of at least 50,000 users.
    • More than half of your annual revenue results from selling your users’ personal information.

If you meet these criteria and some of your website users are residents of California, then you must abide by the CCPA.

Under the CCPA, California residents have the:

  • Right to know what information is collected about them and how it’s used and shared
  • Right to delete personal information about them
  • Right to opt-out of the selling of their personal information
  • Right to non-discrimination for exercising any right under the CCPA

Personal information is the following:

  • Name
  • Email address
  • Social security number
  • Records of past purchases
  • Internet browsing history
  • Geolocation data
  • IP address
  • Fingerprints
  • Any inferences about other personal information that can be used to build a profile about preferences and characteristics

This means that any website tracking falls under the CCPA. While explicit consent is not required, the CCPA states that you must explain to your visitors what data you’ll collect and why.

Other Major Laws Worldwide

Other countries have followed and enacted their own data privacy laws. Two examples are Brazil and South Africa.

Brazil Privacy Laws

Brazil enacted its own data protection law in August 2020. It’s called Lei Geral de Proteção de Dados Pessoais (LGPD), or in English, General Data Protection Act.

This law also controls how websites track their users.

If part of your web tracking activities includes collecting and processing personal data from your users in Brazil, then you must follow the LGPD. Under the LGPD, you can only process personal data (subject to legal, research, health, and safety reasons) with user consent. Consent must be freely given, informed, and unambiguous.

South Africa Privacy Laws

South Africa also enacted its own data privacy law called the Protection of Personal Information Act (POPIA) in June 2021.

This law sets the standards for processing personal user data. Like the GDPR and LGPD, the POPIA also calls for user consent to process personal information.

Under the POPIA, consent is defined as a “voluntary, specific, and informed expression of will” where permission is given to process personal information.

Personal information is defined as:

  • Demographic information about the user (race, gender, sex, marital status, age, health, disability, religion, culture, belief, etc.)
  • Information about the educational, criminal, financial, or employment status of the user
  • Identifying information belonging to the user (number, symbol, address, IP address, etc.)
  • Biometric information of the user
  • Private correspondence of the user
  • Views and opinions of another about the user
  • Name of the user if it appears with other personal information

How To Track Website Visitors and Be Compliant

The last decade has ushered in awareness of tracking, collecting, storing, and selling users’ data. Unfortunately, shady tactics by less-than-reputable companies have left a bad taste in consumers’ mouths regarding being tracked.

With a push from users for more transparency and protection, national and regional governments stepped in to mediate.

Here’s how you can still track users on your website while being legally compliant with existing data privacy and protection laws.

Focus on Getting User Consent

The main concern of the GDPR, the LGPD, and various other global privacy laws is getting user consent.

Under these laws, you must obtain user consent before you can collect their data, set cookies, or track them in any way.

In the U.S., the state laws — like the CCPA — are a bit different in that they require you to inform users of everything you are doing, but instead of obtaining consent before you collect data, set cookies, and track them, you must give them an easy way to opt out of these actions.

Even if you are solely based in the U.S., it’s a good idea to abide by GDPR standards when it comes to tracking website users.
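
As an added example (not from the original article or from Termly), the sketch below audits captured Set-Cookie headers using the cookie categories described under Web Tracking Methods and flags any cookie set before consent was recorded, which is what an opt-in regime rules out. The hosts, the event format, the allowList parameter and the two-label site() heuristic are assumptions.

```javascript
// Added example. Hosts and headers in SAMPLE_EVENTS are constructed.

// Assumption: "site" = last two DNS labels. A real audit should use the
// Public Suffix List (shop.example.co.uk would be misjudged here).
function site(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, pair.indexOf('=')), attrs };
}

// Label a cookie temporary/permanent and first-/third-party relative to the
// page being visited. No Max-Age/Expires means it ends with the session.
function classify(pageHost, responseHost, header) {
  const { name, attrs } = parseSetCookie(header);
  const domain = typeof attrs.domain === 'string' ? attrs.domain : responseHost;
  return {
    name,
    party: site(domain) === site(pageHost) ? 'first-party' : 'third-party',
    lifetime: 'max-age' in attrs || 'expires' in attrs ? 'permanent' : 'temporary',
  };
}

// Opt-in check: report every cookie set while consent is not granted.
// allowList (hypothetical) holds names the site has decided need no consent.
function auditBeforeConsent(pageHost, events, allowList = []) {
  let granted = false;
  const findings = [];
  for (const e of events) {
    if (e.type === 'consent') { granted = e.granted; continue; }
    const c = classify(pageHost, e.host, e.header);
    if (!granted && !allowList.includes(c.name)) findings.push(c);
  }
  return findings;
}

// Constructed capture: responses seen while loading www.shop.example.
const SAMPLE_EVENTS = [
  { type: 'cookie', host: 'shop.example', header: 'cart=abc; Path=/; HttpOnly' },
  { type: 'cookie', host: 'ads.tracker.example', header: 'uid=42; Max-Age=31536000; SameSite=None; Secure' },
  { type: 'consent', granted: true },
  { type: 'cookie', host: 'www.shop.example', header: '_stats=1; Domain=.shop.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT' },
];

console.log(auditBeforeConsent('www.shop.example', SAMPLE_EVENTS, ['cart']));
```

For an opt-out regime, the same function can be run with the consent event replaced by the user's opt-out signal and the granted flag inverted.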

Build and Maintain User Trust

Compliance with data privacy laws is imperative in building user trust. If a user knows you have a reputation for violating these regulations, they will be less inclined to visit your site, buy your products, or use your service.

The more transparent and user-friendly you make your web tracking, the better your data protection reputation will be.

Having clear and conspicuous links to your privacy policy and other legal policies is not only a legal requirement in most cases; it’s a way to show your customers you respect their privacy and have nothing to hide.

Use Termly

Termly’s mission is to make it easy for businesses like you to comply with data privacy laws and build the trust of your customers.

You can use Termly to:

What Are the Best Website Tracking Tools?

There are different types of tools that track users’ website activity. Here is a list of common ones:


  • Google Analytics: This tool is free and helps you to analyze data. It will help you collect information from your users, including language settings, browser settings, and the number of visits the user made to your site. Google Analytics can also help you determine the source of the traffic to your website. You can tell if a search engine, advertisement, or marketing email was the method of transporting the user to your website.
  • KissMetrics: This tool allows you to view a user’s journey history to your website. With KissMetrics, the information collected is tied to a user — not just collected anonymously as with Google Analytics. It also tracks the same user across multiple devices, rather than treating every visit as a different person.


  • Crazy Egg: This tool offers different products to better understand your users’ behavior. Crazy Egg will help you understand how users engage with your website pages. For example, their heat map report will aid in determining which areas of your website have the highest click activity.

Visitor Identity

  • Leadfeeder: This tool is focused on business-to-business (B2B) marketing. Leadfeeder helps to identify users of your website and lets you track their activity. Therefore, you can better hone in on what they are looking for.


Summary

Web tracking can be an important part of your website operations. Being able to understand your users’ behaviors can help improve website performance. Further, understanding demographics and web traffic origin enables you to better direct resources, especially advertisement funding.

However, you must be aware that governments have enacted data privacy laws affecting web tracking. Two of the main requirements of these laws are user consent and transparency.

Successful juggling of web tracking operations and legal compliance will help you use the information to your business’s advantage and lead to a positive website reputation.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes...
