Tracking and Analytics

At Agile Collective we take data privacy very seriously, and understand that there is an important conversation to have around what data is needed to maintain our clients’ websites to the highest standards.

Tldr

1. Cookie rules: All cookies and trackers (eg. pixels) should be optional unless specifically required for hosting.
2. Recommended banner: Civic Cookie Control or Klaro.
3. Customisation: Clients can choose otherwise, but we need to have fully informed them prior to implementation.

Our recommended setup

This is what we would recommend to all our clients, although changes to this can certainly be discussed, especially if the site doesn’t really apply to certain countries.

Cookie Banner

There are 2 cookie banner options we tend to recommend on our projects:

• Klaro : This is an open-source Drupal option, and is often used in new builds and LGD development.
• Civic Cookie Control : This costs ~£45-50 p/a, but when configured correctly (~15hrs total) is a reliable (and trusted) solution.

Analytics Providers

• Matomo : Matomo is a self-hosted analytical tool, meaning zero data goes to 3rd parties, whether anonymised or not. This is an ideal solution, although does bring with it additional cost for servers and admin, along with a possible reduction in features.
• Google Analytics (Consent Mode V2) : This means that if a user doesn’t interact (or declines) then only anonymous ping data is sent to google. This is the risk around GA, as the (anonymised) data would get stored on a 3rd party in the US. Which may be against a users wishes, especially if they are concerned around IP tracking or browser fingerprinting on a global scale.
• Other : Must be opt-in (tracking pixels, X, TikTok, Hotjar, CrazyEgg, Sharethis, Microsoft/Google Ads)

The 2 concerns

1. Legal : There are several different laws across the world that may apply, and trying to work with them all can be time consuming, especially as they all differ in some way.
2. Social : Users do not appreciate their data being used, some more than others, with over 50% feeling they’ve become a product. We want our clients’ users to trust our clients when they visit the sites, so need to show this by first not tracking without consent.

Other related questions

What can I include as “required” cookies?

This is ONLY something that would otherwise cause the site to be unusable for all users, and consent is unequivocally implied by accessing the site. For example shopping carts or server/security tooling for load balancers or performance (eg. Cloudflare is allowed), or IF this is a video distribution site then YouTube would be allowed.

So do I need consent to show YouTube videos

At the very least, unless the site is specifically only for a single country AND that country allows 3rd party trackers, then you probably need to consider using youtube-nocookie.com as the domain. YouTube (and google) have privacy settings, but only if the user knows where they are, and in most cases, they probably don’t.

But I anonymise all my data, surely I can still send to google analytics?

If you are working on a global website, then you probably still shouldn’t, although we can reduce as much as possible to make it less of a concern on what is shared.

• Social : if a person doesn’t want their data tracked, and potentially used to create broad generalisations by the website or by a third party, then they should still be allowed to do so, and this should be opt-in.
• Legal : at present PECR/GDPR imply that 3rd party analytic systems are still not okay to use without consent.

A lot can be done to mitigate concerns though, such as turning off location/demographics/signals in GA4, then only a minimum of personal data is collected.

What are the legal requirements you mentioned?

There are too many to list here, but a few key ones we are aware of are:

• UK (PECR) : analytics are allowed BUT there are restrictions if data is shared/reused (eg. 3rd party services such as google)
• France (CNIL) : Analytics providers should submit a self-assessment to show compliance, which will need checking.
• EU (GDPR) : possible changes from “digital omnibus initiative” in 2026, which would make tools like Matomo explicitly okay, but implicitly not GA.
• Worldwide info : https://www.uniconsent.com/docs/faq/optin-optout-geo

Last updated: 12:42pm, 23rd April 2026