Source: https://datafa.st/docs/gdpr-cookieless-tracking
Markdown source: https://datafa.st/docs/gdpr-cookieless-tracking.md
Description: Use DataFast without cookies for visitor identification: how it works, privacy trade-offs, accuracy and revenue attribution limits, and how to enable the cookieless script from your dashboard.
# GDPR and cookieless tracking
DataFast offers two ways to run the web tracker:
**Default script (`/js/script.js`)**
- **Cookies:** uses cookies for visitor identification (**best accuracy**).
- **Typical consent UI:** you may need a cookie banner for the script, depending on law and setup.
- **Accuracy:** highest, including long-term and multi-touch journeys.
**Cookieless script (`/js/script.cookieless.js`)**
- **Cookies:** does **not** use cookies for visitor identification.
- **Typical consent UI:** designed so you usually **do not** need a cookie banner **for DataFast**.
- **Accuracy:** lower—see [accuracy and attribution](#accuracy-revenue-attribution-and-long-term-journeys).
This guide focuses on the **cookieless** option for teams that prioritise avoiding cookie-based visitor IDs while still using DataFast.
---
## How the cookieless script works
- **No cookies** for assigning a stable visitor ID in the browser. DataFast does not rely on third-party cookies for this mode.
- **Session-only storage** may be used in the browser for the current tab session (for example session continuity). It is cleared when the user closes the site session, unlike long-lived cookies.
- **Server-side pseudonymous visitor id:** each visitor is represented by a **hashed** identifier derived from signals such as IP address, browser user-agent, your site domain, and a **salt that rotates about every 24 hours** (UTC). The same person browsing on different days is **not** linked as one long-lived profile across those days.
- **No cross-domain visitor linking** in cookieless mode (privacy-first default).
- **Identify** and **stored payment identity** features used in the default product are **not** applied in the same way for cookieless sites, so the product stays aligned with a stricter privacy posture.
> **Disclaimer:** Laws vary by country and your role (controller vs processor). This page describes how DataFast’s cookieless script behaves technically. You remain responsible for your privacy policy, lawful basis, and any notices required for your site. For DataFast’s commitments as a processor, see the [Data Processing Agreement](/dpa).
---
## Accuracy, revenue attribution, and long-term journeys
Cookieless mode is **not** “worse on purpose”—it reflects a real constraint: **without a long-lived cookie (or equivalent), you cannot recognise the same browser weeks later the way you can with the default script.**
**Example:** someone first visits your marketing site **three months ago**, again **two weeks ago**, and converts **today**. With the **default** script, DataFast can tie those visits to one visitor story where your product supports it. With the **cookieless** script, **each calendar day (after the salt rotates) can look like a different visitor** for identification purposes. A first touch from last quarter will **not** persist as the same visitor id months later.
That hits **revenue attribution** especially hard: DataFast’s strength is tying revenue to traffic sources. If you cannot keep a stable visitor key across long periods, **multi-touch and delayed conversions** will be attributed **less completely** than with the default script. **Daily** aggregates can still be meaningful; **long-horizon** “this campaign paid off after 30 days” stories are more limited.
**This limitation is shared by essentially all cookieless analytics products**—it is not unique to DataFast. If you need maximum attribution accuracy over long sales cycles, use the **default** script (and plan for cookie consent where required).
---
## Enable or disable cookieless mode
1. Open the [dashboard](/dashboard) and select your website.
2. Go to **Settings** → **General** (this is where you copy the tracking snippet).
3. Enable **Cookieless / privacy mode (no cookies on visitors)** to use the cookieless script, or turn it **off** for the default script. The **General** tab shows the matching snippet—copy it again after you change the toggle.
**Important:** your live site must load the script that matches the toggle:
- **Cookieless on** → use the cookieless script URL (see below).
- **Cookieless off** → replace it with the **default** script (`/js/script.js`).
If you switch modes, update your site’s HTML or tag manager so the snippet always matches your setting.
---
## How to get started (code examples)
Add the **queue** snippet once (so early calls are buffered), then load the script. Use your real `data-website-id` and `data-domain` from the dashboard.
### Plain HTML
```html
```
### Next.js (App Router)
```jsx
import Script from "next/script";
// In your root layout (e.g. app/layout.js)
<>
```
If you [proxy the script](/docs/proxy-guide) through your own domain, keep the same `data-website-id` and `data-domain` attributes; only the `src` URL changes.
---
## GDPR: what you should still do
- Keep a **privacy notice** that describes analytics if your jurisdiction requires it (even without cookies, some processing may still be personal data).
- Honour **access and deletion** requests for data you control as a business.
- Choose **cookieless** when you want to minimise cookie-based tracking and accept **lower long-range attribution accuracy**; choose the **default** script when you need **maximum** accuracy and can present a banner or lawful consent where required.
For how DataFast processes personal data on your behalf (processor role), see our [Data Processing Agreement](/dpa) and [Terms of Service](/tos).