CONTENTS

    Understanding Website Visitor Tracking: Can You Really See Who Views Your Website?

    avatar
    alex
    ·September 16, 2025
    ·7 min read
    Illustration
    Image Source: statics.mylandingpages.co

    You might wonder: who is actually looking at my site right now—can I see their names or emails? In short, website visitor tracking helps you understand behavior and measure marketing performance, but it does not magically reveal a person’s real identity. Identification happens only when people willingly share their details (for example, by creating an account or checking out) and when you have a lawful basis and consent to process that data in line with privacy rules.

    Definition: Website visitor tracking is the practice of collecting and connecting on‑site interactions (page views, clicks, conversions) to analyze user behavior and attribute outcomes to marketing. It spans from aggregate analytics to user‑level insights where a person has identified themselves and consented. It does not inherently disclose names or emails.

    Key takeaways

    • Most web tracking is pseudonymous. You typically cannot see a random visitor’s name or email unless they provide it and you have a lawful basis with clear disclosure.
    • Consent is required for most analytics and advertising technologies under ePrivacy/PECR-style rules; people must be able to refuse non‑essential tracking just as easily as they accept it.
    • Platform rules matter: GA4 prohibits sending PII; Safari limits third‑party cookies; Chrome is replacing cross‑site identifiers with Privacy Sandbox APIs.
    • Identification can be lawful and useful when visitors log in, subscribe, or check out—and when you honor consent and purpose limitations.
    • Future‑proof setups emphasize first‑party data, server‑side event routing, and privacy‑preserving APIs.

    How visitor tracking actually works today

    Think of tracking tools as a set of “digital breadcrumbs” that help you map journeys:

    • Cookies and first‑party IDs: Small pieces of data your site stores in the browser so you can remember a session or recognize returning users. For a practical primer, see the overview in MDN’s guide to cookies, including the Set‑Cookie header mechanics in the web platform.
      • The behavior of cookies is documented for developers in the formal HTTP state management mechanism; if you are technical, you can explore the cookie spec lineage described in RFC 6265.
    • Pixels and beacons: Tiny image requests or background signals that record events such as page views or email opens. The modern Beacon API is designed to reliably send analytics data without delaying page unloads.
    • Scripts/tags and SDKs: Snippets you add to pages (or via a tag manager) to capture events and forward them to analytics or ad platforms.
    • Fingerprinting and “similar technologies”: Techniques that try to identify a device/browser based on characteristics (fonts, canvas, etc.). Regulators generally treat these as tracking technologies that require consent, similar to cookies.

    In 2025, most sites favor first‑party cookies and clear consent prompts. Third‑party cookies are heavily restricted or being deprecated, so cross‑site tracking increasingly relies on privacy‑preserving alternatives and server‑side architectures.

    References for further reading:

    • The practical basics of cookies are explained in the MDN Web Docs guide to using HTTP cookies (living documentation by Mozilla).
    • The Beacon API, which many analytics tools use to send events in the background, is described in the MDN entry for navigator.sendBeacon().

    The legal boundaries in plain English

    While this article is not legal advice, it reflects widely cited guidance in the EU/UK and California. In those regions:

    • Consent for storage/access tech: Most analytics, advertising cookies, and fingerprinting require prior consent and clear information. Regulators provide detailed guidance on what counts as “storage and access technologies,” how to run consent banners, and what limited exceptions exist for strictly necessary cookies.
      • See the UK ICO’s explainer on storage and access technologies and its practical guide to PECR rules and consent management (ongoing guidance; accessed 2025).
    • Personal data and IP addresses: Data like IP addresses can be personal data when linkable to a person. The European Data Protection Board’s 2023 update on access rights discusses how logs and identifiers can fall under data subject rights.
    • California consumer rights (CCPA/CPRA): California law treats online identifiers and web activity as personal information, with rights to access, delete, and opt out of sale/sharing. The California AG and the California Privacy Protection Agency provide consumer-facing overviews and regulatory materials (current as of 2025).

    What this means for your site:

    • Don’t send PII to tools that prohibit it (like GA4). Avoid collecting more than you need; explain what you collect and why.
    • Use a consent banner that is easy to accept or refuse for non‑essential cookies.
    • Be prepared to honor access/deletion requests where applicable.

    Platform rules that shape tracking in 2025

    Even with consent, platform policies and browser features define what’s technically possible:

    • GA4 and PII: Google Analytics 4 prohibits sending personally identifiable information like names or emails. GA4 also ships with data redaction features to help prevent accidental collection of emails in URLs (ongoing documentation; 2023–2025).
    • Safari’s ITP and ATT: Apple’s Intelligent Tracking Prevention blocks third‑party cookies and limits cross‑site tracking on the web; the 2020 WebKit announcement marked “full third‑party cookie blocking.” For apps, Apple’s App Tracking Transparency requires user permission before cross‑app tracking.
    • Chrome’s Privacy Sandbox: Chrome is replacing third‑party cookies with privacy‑preserving APIs for relevance and measurement (for example, Topics, Protected Audience, Attribution Reporting). The initiative reached general availability for the open web in 2024, with ongoing developer guidance and compliance FAQs.

    Implication: To keep measurement resilient, prioritize first‑party data capture, consent signals, server‑side event routing, and privacy‑preserving APIs instead of legacy third‑party cookies.

    When you can identify a visitor—lawfully and usefully

    You can associate activity to a known person when:

    • They self‑identify by logging in, subscribing, or completing checkout.
    • You disclose the purposes and obtain valid consent where required (for example, for analytics/advertising cookies and email pixels).
    • You honor user choices and regional laws (for example, access/deletion rights in California; consent standards in the EU/UK).

    Examples that fit the rules:

    • A customer creates an account on your Shopify store or logs in before purchase; you associate their browsing and conversions with their profile for analytics and personalization consistent with your privacy notice. Shopify documents merchant responsibilities, customer privacy tools, and how to collect consent in product flows (current documentation; accessed 2025).
    • You match known users across sessions using first‑party IDs and consented CRM data; avoid pushing PII into tools that prohibit it (such as GA4) and stick to hashed or platform‑approved identifiers where permitted and disclosed.

    Practical stack patterns that work in 2025

    • First‑party event collection: Use your own domain and first‑party cookies to stabilize measurement, respecting consent.
    • Server‑side tagging/event routing: Move tag execution to a server you control so you can filter, redact, and govern data before forwarding to partners. Google Tag Manager’s server‑side overview explains the architecture; industry guidance emphasizes identity governance and honoring consent end‑to‑end (2024–2025 resources).
    • Clear event taxonomy: Name and document key events (view_item, add_to_cart, purchase) consistently across channels.
    • Governance and auditing: Document what is collected, which vendors receive it, retention periods, and how consent preferences are enforced.

    Quick do/don’t

    • Do: Use a CMP/consent banner; implement first‑party storage; redact PII from URLs.
    • Don’t: Fingerprint without consent; send emails into GA4; assume analytics cookies are “strictly necessary.”

    A neutral toolbox for website visitor tracking

    Below are common building blocks you can assemble into a compliant, resilient stack. Choose tools based on your use case, consent strategy, and data governance standards.

    • Google Analytics 4 (analytics)
      • Strengths: Broad adoption; event‑based model; strong integrations. Note GA4’s policy that you should not send personally identifiable information and its built‑in data redaction features to mitigate accidental capture (policy and features documented and updated through 2025).
    • Matomo or Plausible (privacy‑focused analytics)
      • Strengths: Self‑hosted (Matomo) or lightweight cloud (Plausible) options; flexible data residency and privacy controls. You still need consent for non‑essential tracking in many jurisdictions; evaluate configurations accordingly.
    • Segment (CDP/event routing)
      • Strengths: Centralizes events and routes to downstream tools; helpful for maintaining a consistent event schema and enforcing governance in one place. Server‑side connections can reduce client bloat; ensure consent signals propagate.
    • Attribuly (ecommerce attribution and server‑side tracking)
      • Strengths: Designed for ecommerce attribution, with multi‑touch measurement and server‑side event flows for major ad platforms. Useful where you need to unify journeys and improve campaign ROI while honoring consent and PII restrictions. Disclosure: Attribuly is our product.
      • Learn more: Visit Attribuly.

    FAQs

    • Can I see a visitor’s IP address? Treat IPs carefully. In the EU, supervisory guidance indicates IP addresses can be personal data when linkable to a person, and logs may fall under access rights per the EDPB’s 2023 update.
    • Are analytics cookies exempt from consent? Generally no. Regulators clarify that most analytics cookies are not “strictly necessary” and require consent, with narrow exceptions documented in cookie guidance.
    • Is it legal to use email tracking pixels? Email open tracking typically counts as a storage/access technology and usually requires consent under ePrivacy/PECR, alongside direct marketing rules (see regulator guidance on email marketing and storage/access technologies; accessed 2025).
    • Can I send emails into GA4 to stitch identities? No. GA4 explicitly prohibits sending PII (including emails) and offers data redaction controls to reduce accidental capture.
    • Does “cookieless” mean I can track without consent? Not necessarily. Many “cookieless” techniques still fall under rules for storage/access or fingerprinting. If a technology stores or accesses information on a device—or derives a stable fingerprint—it likely requires prior consent in EU/UK regimes.

    The mindset shift: trust first, measurement second

    Measuring what matters isn’t about seeing names—it’s about aligning your analytics with consent, platform rules, and business goals. A durable setup in 2025 looks like this: first‑party data capture with clear disclosures; consent signals that travel with the event; server‑side governance to redact/limit data; and privacy‑preserving APIs for ad relevance and attribution. If you build on these principles, you protect user trust and keep your reporting reliable as browsers and laws evolve.

    Action steps you can take this week

    • Review your consent banner and make refusal as easy as acceptance for non‑essential cookies.
    • Audit URL parameters and forms to ensure PII never flows into analytics tools like GA4.
    • Map your event taxonomy and verify that consent preferences are enforced client‑ and server‑side.
    • Test Privacy Sandbox measurement paths where applicable, and confirm they align with your disclosures.
    • Document data retention, vendor sharing, and user rights handling in your privacy program.

    Further reading and references (accessed and applicable as of 2023–2025):

    • Read an accessible walkthrough of cookies and browser behavior in the MDN Web Docs “Using HTTP cookies.”
    • Explore the Beacon API and navigator.sendBeacon() in MDN’s developer documentation.
    • Review regulator guidance on cookies and consent in the ICO’s storage and access technologies series, including how to manage consent and what exceptions exist.
    • See how IP addresses and logs can be personal data in the EDPB’s 2023 right‑of‑access guidelines (PDF).
    • Check California’s consumer privacy resources from the Attorney General and the California Privacy Protection Agency (CPPA) for CPRA updates and regulations (including consolidated regulations PDF).
    • Understand GA4’s prohibition on PII and its data redaction features in Google’s Analytics Help documentation.
    • Learn about Safari’s full third‑party cookie blocking from the 2020 WebKit announcement and Apple’s App Tracking Transparency overview for apps.
    • Track Chrome’s Privacy Sandbox general availability and developer FAQs to plan your cookie migration and compliance.
    • See Shopify’s merchant documentation on customer privacy, consent collection, and cookie/consent banner setup in Online Store.

    Retarget and measure your ideal audiences

    Start Free Trial
    Attribuly
    Home

    © Copyright 205 Attribuly Inc. - All Rights Reserved.