Compliant Website Tracking Guide: How To Track Users Legally

Try Termly for Free

Web tracking enables your business to monitor users’ online behaviors and habits, enabling you to target each user for the optimal online experience.

Website tracking, however, is not popular with everyone.

Public awareness of web tracking and data collection has significantly increased over the past few years — consumers are more conscious of who’s tracking them, and data privacy laws have popped up worldwide.

Keep reading to understand how to use website tracking to grow and scale your business while complying with these new governmental regulations.

Table of Contents
  1. What Is Website Tracking?
  2. Benefits of Tracking Users
  3. Web Tracking Methods
  4. Is Website User Tracking Illegal?
  5. Data Privacy Regulation on Website Activity Tracking
  6. How to Track Website Visitors and Be Compliant
  7. What Are the Best Website Tracking Tools?
  8. Summary

What Is Website Tracking?

Website tracking is the practice of monitoring a user’s behavior when they visit a website and collecting and analyzing that data — a vital tactic for many businesses these days.

For example, web tracking called retargeting occurs when you operate an online appliance store, a user visits your site to research vacuums, and later on, when browsing social media, advertisements for vacuums appear on their screen.

Some more examples of how you can track user activity include:

  • Tracking store website logistics (i.e., account login information or previous purchase lists)
  • Monitoring traffic to your website
  • Tracking user behavior and preferences

Tracking users’ behaviors on your website can give you access to useful information such as:

  • Who visits your website
  • The length of their stay on your website
  • Actions they take on your website

Information like this can help you determine if you’re targeting the proper audience or if you should expand your target market.

Additionally, you’ll have the data to tailor your website to your users’ preferences and make necessary improvements.

First-Party vs. Third-Party Tracking

There are two types of website user tracking: first-party tracking and third-party tracking.

First-Party Tracking

First-party tracking is performed by the website the user visits and typically involves using tracking cookies.

The cookies track the user’s behavior and what they surf on the website, and the data collected from the tracking is then used to improve the user experience.

For example, if a user goes to an online supermarket website and searches for fruit, the next time they visit the website, they’ll see links to pages for fruit.

First-party tracking saves the user’s preferences and settings on your website so they can have a positive online experience, and some of them actually expire once the user leaves your site.

Third-Party Tracking

Third-party tracking is performed by a website or entity that is not the original one a user visited.

It’s usually achieved by the third-party site or software placing tracking cookies on the user’s browser, and businesses primarily use these types of cookies for advertising purposes.

For example, when a host website allows another site to advertise on it, the advertising website collects information about the user of the host website.

Third-party tracking cookies stay in the user’s browser longer than first-party tracking cookies.

What Is Cross-Website Tracking?

Cross-website tracking is when a tracker or code follows a website user when they visit other websites, and they’re used to investigate why the user visits the other websites.

Benefits of Tracking Users

There are numerous benefits to tracking your website users if done according to data privacy regulations, including the following:

  • Website Performance: Tracking users helps you understand if your website performs properly. You can detect any glitches that affect the user experience so you can correct them immediately.
  • Monitor User Behavior: Tracking website users allows website owners to understand their users’ behavior, which is crucial to website performance. If you can understand why users act a certain way on your site, you can improve different features and tailor settings to each user’s behavior.
  • Advertisement Improvement: Tracking website visitors lets you see which advertisements work. You can tell if a user clicked on an advertisement to get to your website and which advertisements the user clicks on, allowing you to optimize your marketing initiatives.
  • Traffic Control: You can identify the origin location of your visitors by tracking user traffic to your website. For example, did they arrive at your website by clicking an advertisement, a marketing email, or a search engine? This also allows you to improve your marketing techniques.

What Visitor Activity Can Be Tracked?

What you choose to track depends on your business purposes, objectives, and applicable data privacy laws, but some examples include:

  • Page Traffic: How many times does a user go to each website page?
  • Click Rates: How often does a user click on a particular website section?
  • Origin of Traffic: Where do the website users come from? (Are they directed from an ad or Google?)
  • IP Addresses: These will help to determine user location.
  • Voluntarily Provided Information: This includes the user’s credit card information or delivery address.
  • The medium used to access the website: This includes a computer, tablet, mobile device, or other technology.
  • A visitor’s interests or habits: This can help you decide on features to implement and how to improve your site.

Web Tracking Methods

Websites can track their visitors by utilizing different techniques, and in the next section, we cover some of the most popular website tracking methods.

IP Tracking

Every user has a unique “address” to their device made up of numbers called an Internet Protocol address or IP address.

Website operators can use users’ IP addresses to determine their location (city and country), aiding in determining demographics, advertisement strategies, and how to target customers.


Another popular website tracking method is cookies, which are small bits of data that websites store on a user’s device.

With cookies, websites can remember a user’s preferences and tailor their experience and can be temporary or permanent:

  • Temporary cookies disappear when the user leaves.
  • Permanent cookies remain on a computer or other device.

Additionally, there are two types of cookies: first-party and third-party cookies.

  • First-party cookies follow a user as they surf a website.
  • Third-party cookies follow a user as they surf from website to website.


Fingerprinting is when you compile a user’s account settings and browser information to build a profile about them to track them across the internet.

Information compiled includes:

  • Device
  • Operating system
  • Browser
  • Language
  • Time zone

Pixel Tracking

Pixels are small images that load onto web pages and emails and can be used to determine if a user opened an email or visited a web page, among other functions.

Is Website User Tracking Illegal?

Website user tracking is not illegal — but data privacy laws regulate it, and governments worldwide have implemented laws concerning data privacy and website user tracking.

The majority of these laws require websites to obtain user consent before tracking them.

Businesses that service users who live in areas with these laws must first inform users of their data collection and tracking practices and then obtain their consent to do so.

The purpose of consent is to give users control of their personal information and decide whether they want websites to track them.

Data Privacy Regulation on Website Activity Tracking

Due to increases in illegal user tracking, data breaches, data selling, and more, national and regional governments have stepped into the arena to protect the privacy rights of their citizens.

Here are some of the most significant data privacy regulations you need to be aware of:

GDPR and Website Tracking

The European Union (EU) passed the General Data Protection Regulation (GDPR) in 2018, and it requires you to have a legal basis for website tracking.

It’s a very strict law that protects the data privacy of people in the EU, Switzerland, Iceland, Lichtenstein, and Norway.

A website operator who collects data from or offers goods and services to individuals within the EU must comply with the GDPR, including those outside EU Member States.

Under the GDPR, companies cannot process personal data without establishing a lawful basis, such as user consent.

Personal data includes:

  • Names and email addresses
  • Location information, like an IP address
  • Ethnicity, gender, religious beliefs, and political opinions
  • Biometric data
  • Web cookies

Data processing means an action performed on data — so anything done to data is data processing, including tracking, storage, collection, and selling.

Websites can only use visitors’ personal data if they meet one of the following criteria:

  • User gave consent
  • Processing is necessary to execute or enter a contract
  • Complies with a legal obligation
  • Saves somebody’s life
  • Performs tasks in the public interest
  • There is legitimate interest

According to the GDPR, consent must be “freely given, specific, informed and unambiguous” by the user and requested using plain language that’s easy to understand.

You must provide the user with enough information and transparency about the web tracking to constitute consent.

If you violate a provision, the GDPR penalties are unforgiving, as you can be fined up to €20 million ($20.3) or four percent of your global revenue, whichever is higher.

Individuals can also seek compensation for any damages if their data is breached.

CCPA and Website Tracking

The California state legislature enacted the California Consumer Privacy Act (CCPA) in June 2018 to protect the data privacy and security of individuals in the state, and it requires you to inform users about your data-tracking activities.

You fall under the CCPA’s jurisdiction if you are based in California or sell goods and services targeted to California users and meet one of the following criteria:

    • You have more than $25 million in yearly gross revenue.
    • You buy, receive, sell, or share the personal information of at least 100,000 users.
    • More than half of your annual revenue results from selling or sharing your users’ personal information.

Under the CCPA, California residents have the right to:

  • Know what information is collected about them and how it’s used and shared
  • Delete personal information about them
  • Opt out of the selling or sharing of their personal information
  • Limit the use and disclosure of their sensitive personal information
  • Non-discrimination for exercising any right under the CCPA

Personal information includes:

  • Name
  • Email address
  • Unique personal identifier
  • Online identifier
  • IP address

Whereas sensitive personal information means:

  • Driver’s license numbers, passport numbers, Social Security Numbers (SSN), and State ID numbers
  • Union membership
  • User credentials such as usernames and passwords
  • Biometric data and genetics
  • Ethnic or racial origins
  • Precise geolocations
  • Religious or philosophical beliefs
  • Information about a consumer’s sexual orientation, sex life, or health
  • Contents of a consumer’s text, mail, and email

Technically, any website tracking falls under the CCPA.

While you don’t need opt-in consent from users to track them, you must explain what data you’ll collect, why, and allow them to opt-out of tracking that involves sharing their information.

Other US State Data Privacy Laws

Several other U.S. state data privacy laws besides the CCPA impact how you track the personal data of individuals within those states, including the following:

  • Colorado Privacy Act (CPA)
  • Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
  • Virginia Consumer Data Protection Act (VCDPA)

Under these laws, you must inform your users if you’re tracking them and provide them with an easy way to opt out of:

  • The sale of their personal data
  • Targeted advertising

The additional state laws that will enter into force over the next few years have similar opt-out requirements regarding tracking users online.

Other Major Laws Worldwide

Other countries have followed and enacted their own data privacy laws. Two examples are Brazil and South Africa.

Brazil Privacy Laws

Brazil enacted its data protection law in August 2020 called Lei Geral de Proteção de Dados Pessoais (LGPD), or the General Data Protection Act in English.

The LGPD controls how websites track their Brazilian users.

If part of your web tracking activities includes collecting and processing personal data from your users in Brazil, then you must follow the LGPD.

Under the LGPD, you can only process personal data (subject to legal, research, health, and safety reasons) with freely given, informed, and unambiguous user consent.

South Africa Privacy Laws

South Africa enacted a data privacy law called the Protection of Personal Information Act (POPIA) in June 2021.

POPIA sets the standards for processing personal user data, and, like the GDPR and LGPD, it calls for user consent to process or track personal information.

It defines consent as a “voluntary, specific, and informed expression of will,” requiring permission to process personal information.

POPIA defines personal information as:

  • Demographical information about the user (race, gender, sex, partial status, age, health, disability, religion, culture, belief, etc.)
  • Information about the educational, criminal, financial, or employment status of the user
  • Identifying information belonging to the user (number, symbol, address, IP address, etc.)
  • Biometric information of the user
  • Private correspondence of the user
  • Views and opinions of another about the user
  • Name of the user if it appears with other personal information

How to Track Website Visitors and Be Compliant

The last decade has ushered in awareness of tracking, collecting, storing, and selling users’ data. Unfortunately, shady tactics by less-than-reputable companies have left a bad taste in consumers’ mouths regarding being tracked.

With a push from users for more transparency and protection, national and regional governments stepped in to mediate.

Here’s how you can still track website users while legally complying with existing data privacy and protection laws.

Focus On Getting User Consent

The main concern of the GDPR, the LGPD, and various other global privacy laws is getting user consent.

Under these laws, you must obtain user consent before you can collect their data, set cookies, or track them in any way.

In the U.S., the state laws are different.

They require you to inform users of everything you are doing, but instead of obtaining consent, you must give them an easy way to opt out of such processing activities and honor their Do-Not-Track request settings on their browsers.

But even if you’re in the U.S., it’s a best practice to abide by the GDPR standards when tracking website users.

Build and Maintain User Trust

Compliance with data privacy laws is imperative in building user trust.

If a user knows you have a reputation for violating these regulations, they’ll be less inclined to visit your site, buy your products, or use your service.

The more transparent and user-friendly you make your web tracking, the better your data protection reputation will be.

Having clear, conspicuous links to your privacy policy and other legal policies is not only a legal website requirement — it’s also a way to show your customers you respect their privacy and have nothing to hide.

Use Termly

Termly makes it easy for businesses like you to comply with data privacy laws and build the trust of your customers.

You can use Termly to:

What Are the Best Website Tracking Tools?

There are different types of tools that track users’ website activity, so let’s cover the common ones in the next section.


The following analytics tools track how visitors behave on your website and across the internet:

  • Google Analytics: This free tool helps you analyze data and collects information from your users, including language settings, browser settings, and the number of visits they made to your site. Google Analytics also helps determine the traffic source to your website, like if users came from a search engine, advertisement, or marketing email.
  • KissMetrics: This tool allows you to view a user’s journey history to your website. KissMetrics ties the information to a user; it’s not collected anonymously like with Google Analytics, and it tracks the same user across multiple devices rather than treating every visit as a different person.


The following behavior-tracking tool helps you understand how users engage with your website:

  • Crazy Egg: This tool offers different products to help you better understand your users’ behavior. Crazy Egg shows you how users engage with your website pages. For example, a heat map report highlights which areas of your site have the highest click activity.

Visitor Identity

The following tool helps you identify users on your site to learn more about what products they’re interested in:

  • Leadfeeder: A business-to-business (B2B) marketing tool, Leadfeeder enables you to identify website users and track their activity to better hone in on what they’re looking for.


Web tracking is an important part of your website operations, as understanding your users’ behaviors can help improve website performance.

Knowing details like demographics and web traffic origin enables you to better direct resources, especially advertisement funding.

However, governments have enacted data privacy laws affecting web tracking, and two of the main requirements of these laws are user consent and transparency.

Ensure your web tracking operations are legally compliant to use the information to your business’s advantage and maintain a positive website reputation.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources