You can have bulletproof digital analytics data. You can follow privacy regulations. You can track users across sessions.
But you can’t have all three.
It’s the impossible trinity of digital analytics.
Let’s break it down.
Cookie consent: the gatekeeper of your data
Everything starts with consent.
Collecting personal data without user consent is not allowed in GDPR-compliant environments. That’s a fact, not a debate.
So we add cookie banners. But here’s the thing: not everyone clicks “Accept.” And those who don’t? We often can’t personal data about what they do on our site: no events, sessions, or conversions.
This means analytics datasets are filtered, not just by behaviour but by privacy choices.
Consent rates vary – and that matters
Maybe you believe your data is biased evenly. It’s not.
Consent rates vary:
- Paid campaigns on Facebook and Instagram may have lower opt-in rates than Google Ads.
- Google Ads might have lower opt-in rates than organic Google Search.
- You always have consent for remarketing campaigns…
Suddenly, your most expensive traffic sources are the least visible in analytics. That’s not a minor issue. It skews attribution models, conversion rate comparisons, and optimisation efforts.
In addition, some users block all trackers with browser plugins.
Users and browsers are getting harder to track
Even when users give consent, modern users and browsers are working against identification:
- 3rd-party cookies are half-dead.
- IP addresses are unreliable. Think VPNs, Apple’s Private Relay, and Chrome’s planned IP protection for incognito browsers.
- User agents. Standardised. Less useful than before.
What about logins? Sure, they help. Unfortunately, you won’t get many logged-in users to browse your site unless you’re running a paid membership site.
In most cases, you’re tracking events and sessions, not users. The same person visiting from three devices becomes three different people in your analytics tool.
The impossible trinity in action
Here’s what we’re really up against:
| Data collection | Bulletproof | Compliant | User-based |
|---|---|---|---|
| Full tracking w/o consent | ✅ | ❌ | ✅ |
| Cookieless, identifierless data w/o consent | ✅ | ✅ | ❌ |
| Tracking w/ consent, cookies and identifiers | ❌ | ✅ | ✅ |
You can pick two. Never all three.
(And even then, being bulletproof is rarely realistic.)
If you want reliable numbers and legal compliance, you must sacrifice user-level insights.
You can’t use personal identifiers, granular user agent data, IP addresses, or cookies, so sessions and events are the closest to users you’ll get. There are several tools you can use for setting up this kind of analytics.
If you want to track users over time and respect privacy, you will end up with limited, fragmented data instead of bulletproof data.
You will need consent, which will decrease your data significantly. You will have excellent data for identified users, but nothing for non-identified users.
And what if you want full user-level attribution, multisession customer journeys and clean funnels across touchpoints?
You’re one email away from a compliance audit and never-ending discussions with the lawyers of the local data protection authority.
What should we do instead?
This isn’t a call to give up on analytics. It’s a call to change how we think about it.
Here are some suggestions on how to approach it:
- Accept what you can’t see. Not every visit is trackable, and that’s okay.
- Design for insight, not coverage. You don’t need to track everything if you track the right things.
- Work within consent. Build separate pipelines for consented and non-consented data.
- Use modelled or non-personal data. Fill gaps with smart assumptions and econometric modelling, not wishful thinking.
- Focus on improving experiences. Not every business problem needs granular user-level tracking.
Sometimes, less is more, especially when less is legal, transparent, and valuable.
Final thoughts
We live in a post-cookie world. It’s messy. It’s fragmented. But it’s also an opportunity to build privacy-first analytics that still delivers value.
You can’t have perfect numbers, full compliance, and granular user tracking all at once.
But you can build smart systems that make the most of what you’ve got.
That’s not a failure. It’s a new reality.
One that respects users and delivers insights.