The upcoming General Data Protection Regulation (GDPR) is driving innovation on many fronts.

Today, a new approach is being launched for measuring site traffic without tracking individuals, so that consent is not required.

The developer, former Google engineer Pierre Far, says the new software — called Blockmetry — is intended to measure that “someone viewed this page” instead of tracking that “cookie ID 123 viewed this page.” He noted that conventional web traffic software, like Google Analytics or Adobe Analytics, drops an individualized cookie that can be used to track the user’s site behavior and visits to other sites.

“My product strikes a novel balance between the needs of businesses and the privacy of end users,” he told me.

Cookie ID 123 by itself wouldn’t be enough info to qualify as personal data under GDPR. But, combined with an IP address, cross-website traffic, behavioral data and other info, it could be used to pinpoint a person and therefore would warrant consent from the user.

Instead of dropping an individualized cookie or tracking behavior, Blockmetry groups site visitors by a few general characteristics. Groups are assigned by users’ browser versions, by country and by their referral origin, such as a link on a previous site or a search query. Far said there are also another 10 or so anonymized signals, which he described as Blockmetry’s “secret sauce.”

Legitimate interest

Those groups, or cohorts, are then analyzed for which site pages they viewed and how long it took pages to load. IP addresses, which determine country, are not stored, parts of URLs that could identify users are masked, and any browser-specific variables that could be used in device fingerprinting are removed. If the same browser goes to another site using Blockmetry, it gets assigned to a different cohort on that site. There are no unique IDs, and there is no tracking or profiling.

“It’s impossible to identify the individual,” Far told me, “or track their behavior across sites.”

“Because Blockmetry goes to great lengths to anonymize the data,” he added, “our customer [the website] has a solid foundation to build a case for using legitimate interest as the legal basis for processing personal data as part of web analytics.”

In addition to compliance with GDPR — and probably compliance with the ePrivacy Regulation, still in draft form — Far says that site owners will see a much more complete, total picture of their traffic, even if they might have less data and analytics than some other approaches.

Blockmetry can be installed as JavaScript in a site header, or it can be deployed server-side. If server-side, Far said, it can’t be blocked by ad blockers that often also block analytics software. His analysis shows that blocking rates can be quite high, averaging 12 percent for US-based sites, for instance, 16 percent in France and 20 percent in Germany.

That means that an average of 12 percent of visitors to US-based sites are not being measured at all, while Blockmetry will measure everyone. It also removes what Far said were the reasons people are blocking site analytics — to avoid cross-website tracking and the creation of behavioural profiles.