Cookies and privacy compliant web analytics

Sergey Buryking

Software Engineer
August 3rd, 2021

Overview

Privacy of user data is becoming more and more critical in the modern world. Over the last decade, multiple countries have introduced regulations concerning the processing of personal data, the best known being:

  • EU General Data Protection Regulation (GDPR). This law applies to all countries in the European Union.
  • California Consumer Privacy Act (CCPA). A piece of legislation that covers California.
  • The Privacy and Electronic Communications Regulations (PECR), which is almost identical to GDPR and applies to the United Kingdom.

Key concepts about gathering personal data and using cookies are:

  • Customer consent: consent must be a freely given, specific, informed, and unambiguous indication of the data subject's wishes to provide data.
  • Data minimization: the amount of personal data collected shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

In the article below we're going to explain how those regulations apply to data collected by Jitsu, and how Jitsu can be configured to comply with them.

Cookies

The most common way to identify users on the internet (unless identity is known by other means, such as an email login) is HTTP cookies. GDPR distinguishes cookies by duration, provenance and purpose. The key point is as follows: if a cookie isn't strictly necessary (such as a login cookie), its purpose should be explained to the user, and the user should have an option to opt out. The usual way to deal with this is a cookie banner — a popup that allows the user to make the choice.

According to GDPR, cookies are split by purpose into the following categories:

  • Required cookies, such as login / session cookies. Users can't switch them off.
  • Functional / analytics / statistics cookies. Cookies set by Jitsu (as well as by other analytics systems) fall under this category. These cookies are not necessary for the website to function properly; they are used to improve application performance and UX.
  • Marketing cookies. These cookies are used to deliver a more targeted marketing message to the user. Facebook pixel cookies are a good example, and other advertising platform pixels fall under this category as well. Some argue that Google Analytics cookies are marketing cookies too, since Google uses data from GA to optimize ad campaigns across the board.

Jitsu cookies are analytics cookies. In most cases, data collected by Jitsu is used for analytics only unless you specifically use the data to optimize marketing campaigns. To send data to Jitsu for EU, UK and California residents, you should obtain consent beforehand.

What happens if the user hasn't consented to cookies? Either the user has decided to opt-out for analytics cookies, or an application developer has chosen not to bother people with the cookie banner at all.

In that case, Jitsu has privacy mode — a special Jitsu SDK setting (see technical details below). If privacy mode is enabled, Jitsu will use other means to identify users instead of cookies: we'll generate a unique user ID based on IP address and User-Agent:

user ID = hash(IP + user_agent)

We recommend using the following flow to comply with GDPR/PECR/CCPA:

  • Display a cookie banner for users coming from the EU and UK; use Jitsu without additional settings otherwise. If the user didn't consent to analytics cookies, switch on privacy mode (see below).
  • Of course, you can skip the cookie banner completely and switch on privacy mode from the beginning. The only downside is precision: hashing the user agent and IP address can cause collisions (two completely different users will sometimes get the same ID).

GDPR and PECR apply to users who visit your web resource from the EU or UK. Jitsu can apply the cookie policy selectively to every request based on user location. There is a setting called cookie_policy, which controls how cookies are handled:

  • keep — Regardless of the user's country, Jitsu will set identification cookies.
  • strict — Regardless of the user's country, Jitsu won't set any cookies. Users will be identified by IP address + user agent.
  • comply — Jitsu detects the user's country with the MaxMind database:
    • If the detected country is not in the EU/UK, the behavior is the same as in keep mode.
    • If the MaxMind database is not configured or the country is in the EU/UK, the behavior is the same as in strict mode.

It's worth mentioning that CCPA doesn't require application developers to collect cookie consent (see the regulations comparison below).

We recommend using comply as cookie_policy value if you have configured MaxMind for Jitsu. The default value is keep.

IP address

Jitsu collects user IP addresses as well. It puts them in a separate field in the destination and looks up location data based on them (country / city / zip code).

However, according to GDPR and PECR (but not CCPA!), an IP address is considered personal data. Therefore, to collect it, you should obtain separate consent from the user. For registered users, that's probably not an issue: before registration, users are usually required to agree to the Privacy Policy and Terms of Service, and you can easily add IP collection consent to those.

However, for anonymous users, collecting consent for IP address collection is probably overkill. Jitsu has a setting called ip_policy, which controls how the IP address is collected:

  • keep — IP addresses are collected and recorded in full. It's safe to use this setting for registered users and for users outside the UK/EU.
  • strict — replace the last octet of the IP address with 1 (example: 50.239.83.10 → 50.239.83.1). After this change, the IP ceases to be personally identifiable information; however, it is still enough to look up the user's location down to city or zip-code level.
  • comply — Jitsu will do its best to collect the full IP address where possible:
    • If identify() has been called before, Jitsu will collect the full IP, assuming that you obtained consent from the user in the Terms of Service. Otherwise, Jitsu will remove the last octet from the IP address and get the country from the MaxMind database.
    • If the MaxMind database is not configured or the country is in the EU/UK, Jitsu won't make any further changes. Otherwise, Jitsu will restore the last octet of the IP address.
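A model of both settings, cookie_policy and ip_policy, as an added example rather than Jitsu's own implementation. The EU/UK country list, the lookupCountry callback standing in for the MaxMind lookup, the treatment of an address MaxMind cannot resolve (handled like "no database"), and all helper names are assumptions; the prefix-to-country table at the bottom is constructed.

```javascript
// Added example, not Jitsu's code: the three modes of cookie_policy and ip_policy
// from the article, with a constructed stand-in for the MaxMind country lookup.

// ISO 3166-1 alpha-2 codes of the 27 EU member states plus the United Kingdom.
const EU_UK = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "GB",
]);

// lookupCountry: (ip) => "DE" | null. Pass null when no MaxMind database is configured.
function shouldSetCookie(cookiePolicy, ip, lookupCountry) {
  switch (cookiePolicy) {
    case "keep":
      return true;
    case "strict":
      return false;
    case "comply": {
      const country = lookupCountry ? lookupCountry(ip) : null;
      // No database, unresolvable address (assumed safe default), or EU/UK visitor: same as strict.
      return country !== null && !EU_UK.has(country);
    }
    default:
      throw new Error(`unknown cookie_policy: ${cookiePolicy}`);
  }
}

// strict ip_policy: replace the last IPv4 octet with 1 (50.239.83.10 -> 50.239.83.1).
function truncateIp(ip) {
  const parts = ip.split(".");
  const isOctet = (p) => /^\d{1,3}$/.test(p) && Number(p) <= 255;
  if (parts.length !== 4 || !parts.every(isOctet)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return [...parts.slice(0, 3), "1"].join(".");
}

function resolveIp(ipPolicy, ip, { identified, lookupCountry }) {
  switch (ipPolicy) {
    case "keep":
      return ip;
    case "strict":
      return truncateIp(ip);
    case "comply": {
      // identify() was called: consent is assumed via the Terms of Service, keep the full IP.
      if (identified) return ip;
      // Anonymous visitor: start from the truncated address and look up the country from it.
      const truncated = truncateIp(ip);
      const country = lookupCountry ? lookupCountry(truncated) : null;
      // No database or EU/UK country: the address stays truncated.
      if (country === null || EU_UK.has(country)) return truncated;
      // Anywhere else: restore the last octet.
      return ip;
    }
    default:
      throw new Error(`unknown ip_policy: ${ipPolicy}`);
  }
}

// Constructed stand-in for MaxMind, keyed on the /24 prefix so that a full and a
// truncated address resolve identically. The prefix-to-country mapping is made up.
const sampleGeo = { "203.0.113": "DE", "198.51.100": "US" };
const lookupSample = (ip) => sampleGeo[ip.split(".").slice(0, 3).join(".")] ?? null;

// Run one request through both settings at once.
function decide({ cookiePolicy, ipPolicy, ip, identified, lookupCountry }) {
  return {
    setCookie: shouldSetCookie(cookiePolicy, ip, lookupCountry),
    ip: resolveIp(ipPolicy, ip, { identified, lookupCountry }),
  };
}
```

With both settings on comply and MaxMind available, an anonymous visitor from the constructed German prefix gets no cookie and a truncated address, while one from the US prefix gets a cookie and the full address; without a database, comply collapses to strict for everyone, which is why the recommendation below ties comply to having MaxMind configured.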

We recommend using comply as the ip_policy value if you have configured MaxMind for Jitsu. The default value is keep.

Configuration

There are several ways to configure the JS SDK depending on your conditions and requirements (please read the full documentation here).

  1. Tracking without any restrictions (the default option).
  2. Privacy strict: use the privacy_policy (or data-privacy-policy) parameter. privacy_policy = strict is just a shortcut for cookie_policy = strict and ip_policy = strict. Example of JS SDK configuration:

const { jitsuClient } = require("@jitsu/sdk-js")
const jitsu = jitsuClient({
  key: "[API_KEY]",
  privacy_policy: "strict",
})

or if you have the HTML snippet integration:

<script src="%%SERVER%%/s/lib.js"
        data-key="JITSU_API_KEY"
        data-privacy-policy="strict"
        defer></script>

  3. Manually configure the options you need: for instance, collect the full IP address but don't use identification cookies:

const { jitsuClient } = require("@jitsu/sdk-js")
const jitsu = jitsuClient({
  key: "[API_KEY]",
  cookie_policy: "strict",
})

or if you have the HTML snippet integration:

<script src="%%SERVER%%/s/lib.js"
        data-key="JITSU_API_KEY"
        data-cookie-policy="strict"
        defer></script>

Appendix: Comparison Table

See how the different regulations treat IP address and cookie collection.

Category: IP Address
  • 🇪🇺 GDPR (European Union): IP address is considered to be personal data.
  • 🇬🇧 PECR (United Kingdom): IP address is considered to be personal data. PECR explicitly recommends removing the last octet of the address to make it non-personal.
  • 🇺🇸 CCPA (California): IP address is not personal data.

Category: IP Address Consent (should the application collect the user's consent before collecting the full IP address?)
  • 🇪🇺 GDPR (European Union): required
  • 🇬🇧 PECR (United Kingdom): required
  • 🇺🇸 CCPA (California): optional

Category: Cookies
  • 🇪🇺 GDPR (European Union):
    • Obtain users' consent before you use any cookies except strictly necessary cookies.
    • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
    • Document and store consent obtained from users.
    • Allow users to access your service even if they refuse to allow the use of certain cookies.
    • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
  • 🇬🇧 PECR (United Kingdom):
    • Tell people the cookies are there.
    • Explain what the cookies are doing and why.
    • Get the person's consent to store a cookie on their device.
  • 🇺🇸 CCPA (California): The CCPA requires businesses to give consumers certain information in a "notice at collection". A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use those categories of information. Unlike GDPR (which requires consent), CCPA is an opt-out jurisdiction: it requires websites to provide users with an easy way of opting out of cookies at any moment.

Category: Cookies Consent
  • 🇪🇺 GDPR (European Union): required
  • 🇬🇧 PECR (United Kingdom): required
  • 🇺🇸 CCPA (California): optional

Disclaimer: the information provided in this blog post does not, and is not intended to, constitute legal advice.

About Jitsu

Jitsu is an open-source data integration platform offering features like pulling data from APIs, streaming event-based data to DBs, multiplexing and many others.
© Jitsu Labs, Inc

2261 Market Street #4109
San Francisco, CA 94114