GDPR, analytics, cookies, and only doing what you need.
Do you need or want analytics on your website? Some use cases have a strong strategic case for recording website traffic and for years it’s been free and easy to gather data. GDPR means that we have to be a bit more considered. One principle of GDPR is data minimisation (only collecting what you need), but we also should think hard about process minimisation (only processing for purpose).
This is a good article that I enjoyed reading; it highlights what needs to be done to be fully compliant with GDPR when using Google Analytics.
On this site, I currently do use Google Analytics, but I’m considering how much value that actually brings me. If I don’t change my behaviour based on the results of the analytics, then there’s little gained from studying them. Not having any tracking will speed the site up a bit too. I can sense the resistance to not being able to find out things that could be useful, but I’m not sure that’s a good enough reason. The site does set cookies, and there are two places that matter: firstly for tracking purposes, so I could end up without any cookies either, but they are also used so that commenters remain logged in, and that’s a good reason to keep them.
On the xTENClub site I do collect payments for some products and events. I use a third-party shopping cart that is PCI compliant and very secure, and I never store card or bank details. That site will need cookies, and there’s a case for tracking user journeys to help optimise and improve the user experience, so there I’ll probably leave Google Analytics turned on.
That highlights the necessity to think through the context of what you are doing, particularly for GDPR, and design your approach strategically.