The Hidden Risks of Website Tracking: A Business Owner’s Guide to Data Privacy and Consent

by | May 7, 2026 | Business

The Hidden Risks of Website Tracking A Business Owners Guide to Data Privacy & Consent
We recently put a new cookie banner on our website at my place of work.  Our web developer made a very clear cookie banner that only allowed google tag manager analytics to track data on the page after a user clicked the accept button.  I loved this solution, it was so clean and easy.  It was clear we were not tracking anyone and if a user inspected the page, they could also tell that there was no tracking of any kind being loaded onto the page.  Done and done.

Quickly, we learned not everyone was happy with this solution; the marketing team had some issues and so did our boss.  What we thought was going to be a simple decision was actually turning out to be a much more complicated issue.  

We had also recently been sued by someone because we did not have any cookie banner at all, so we were taking this matter very seriously and wanted to analyze the risks from all sides.  That’s how the passion for this article began.  

This issue affects business owners, website owners, website viewers, marketing companies, software companies (like google, facebook, microsoft), software builders who make compliance and data privacy software, and web developers. There is also a 2nd wave where the data is being sold or used unknowingly and how it is used to manipulate consumers and track people. 

This issue is relevant because business owners are vulnerable to “ambulance chasers” who are looking for loopholes they can sue them with. It is also relevant because consumers who don’t want to share their data, may still be getting their data shared, and they have a right to privacy that needs to be protected so their data cannot be used to harm or manipulate them.

Why Website Tracking Is So Confusing

Website tracking is confusing because:

1. We assume consent = tracking, but that isn’t true. 

Many websites need to do a basic level of tracking for security purposes to make sure they don’t get hacked, or to make sure the basic functions of a website work correctly (like the item you selected for the shopping cart actually goes into the cart), and ecommerce websites need to collect your credit card info and mailing address so they can send your products to you that you buy.  This is called basic functionality tracking.  All the information stays with the website owner and is not shared with third parties.

2. What is a 3rd Party Anyway?

A 3rd Party is someone who is not the website owner/business.  It is a separate business like Facebook, Google, Trustpilot…..

3.  Why Would A Business Want to Share Data and Tracking with a 3rd Party?

Business owners spend lots of money on ads and SEO.  Ads and SEO are very important to business owners because they bring in customers which makes them money.  When you are spending lots of money on something, you want to make sure it is working correctly and you are not guessing in the dark.  You also want to maximize your dollars and your marketing campaigns.  If a campaign for a 20% off Memorial Day sale does not go well, it is nice to look at the data from your website and see that the landing page results were good, the product views were good, but customers dropped off when they saw the price.  It helps you adjust your marketing and make better business decisions.

4.  This leads to a gray area of analytics called basic analytics.  Legally, we are not allowed to collect “personal” data without consent, but how much data can we gather to make good decisions that is not considered “personal”?  

how data flows on a sample website

This chart was created with the assistance of AI.

What Counts as Personal vs. Non-Personal Data?

“Personal information identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Source: California Consumer Privacy Act (CCPA) Definition of Personal Information

Personal data is data that clearly defines who you are and can lead us to figuring out who you are; like your first and last name, your social security number, your email address, your home address.  Some people have the same first and last names, so if we have two pieces of personal data like your first & last name AND your email address, we can clearly distinguish between two people with the same data and figure out who the person actually is.  

Non-personal data on a website would be things like how many pageviews a page gets, what the total price is in the shopping cart, how long users spend on average while visiting a website.  Things that do not connect us to a specific person and we have no way of telling who the person is.  

Data that we aren’t really sure is personal or non-personal would be things like a person’s location, is the user male or female, IP addresses, device IDs, cookie identifiers, search history, purchase history, shopping cart contents.  

Things get tricky, because there is a general rule, that if someone has lots of data points collected on a person, even if they are not very personal,  we may be able to figure out who the person is.  For example, if I had 100 pieces of data about what a person did during their day:

  1. Went to Aldis 
  2. Bought Cauliflower
  3. From San Diego
  4. Drove on Spruce St.
  5. Made a 20 minute phone call
  6. Went to eat at Olive Garden at 6

…….Each piece of data narrows down the person who it could be.  I went from a 1 in a billion chance of figuring out who you are to now I know you live in San Diego, you do grocery shopping, you live near Spruce St, you live near Olive Garden…every piece of data I gather narrows down the pool of who you could be.  So now it is 1 in a 20,000 chance that I can guess who you are.  What is the amount of non–personal data points it would take to bring that number down to a 1 in 1 chance?  This is a very real question in this day and age of data being able to be so easily collected.  

types of website data and privacy risks

This chart was created with the assistance of AI.

Why Business Owners Care About Analytics

It’s easy to think we should be very strict with our data collection and only collect the basic minimum, until you are the business owner behind the website.  It takes many things to make a business run well like getting a steady flow of customers, marketing to your customers in a way they respond to, making enough sales to be able to pay your staff each month, making good decisions about how to spend your money, and studying how each process is flowing and making decisions to reduce risk concerning losing money which could result in firing long time employees you care about or losing your business completely.  

Business owners also spend a lot of money on SEO and on ads because those bring in customers which keeps the shopping cart dinging and the money flowing.  If there is a marketing campaign that is a bust, it is good to know the website analytics so we can know not to repeat that terrible campaign again next year.  If customers are coming to the website home page, but then they are not clicking on any products, business owners will react to the data and make a decision that will help make it easier for customers to see the products. Each step a customer takes on the website, is a piece of knowledge for a business owner to make their next decision.

“The more we know about the journey a customer takes through our website, the better we can customize the journey and make it more beneficial for the customer and for the company.  Website tracking also allows us the ability to offer special deals and promotions just at the right time for maximum revenue generation.” ~Greg Miller, Business Owner of MagicKitchen.com

Why Developers Worry About Consent

More than anyone else, developers can see what is happening behind the scenes, they understand how easily data can be shared, hidden, and gathered. Developers know many a software company has gotten in trouble for collecting and selling data and then we find out later there was a huge class action settlement that nobody paid attention to because they were too distracted by the ease of online shopping and marketing campaigns. 

Developers know once we share our API with a 3rd party, we do not know what they are doing with the data and we really have no way to check.  They can say they are not using the data we send them in other ways, but no one really knows.  Google is one of the main authorities for how we collect data on websites, but they are also the first receiver of our unfiltered APIs that are full of data.  

We like to use google tag manager and google analytics to store our data and google has made these two software apps free for people to use and the charts, graphs and reports they send back to us are beautiful and we really like getting them.  But no one is talking about how Google itself is making the rules on how web developers collect the data and how one of their first requirements is that we send the data unfiltered to google tag manager and then once it is there we can filter it with google tag manager to make sure no personal data or marketing data goes to google analytics without user consent.  Developers have seen the databases that are filled with massive amounts of data and how easy it is to sort it and use it for your needs.

Why Marketing Teams Need Measurement

The goal of a marketing team is to bring in customers and to sell products.  They do that with marketing campaigns, ad campaigns, and search engine optimization (SEO).  It is difficult to know how successful their work is without analytics data.  It is nice to know if the website customers are coming from Facebook, google searches, or from Microsoft Ads.  It is helpful to know if users are buying from their phones or a laptop.  All of the data and measurement of the data guides the marketing team on what their next steps will be.  They learn things about their customers like “when I put a puppy in the ad, my sales increase 20%” or “an orange buy now button is tapped 50% less than a red buy now button”.  The data and analytics help the marketing team to maximize profits and customers.  Without any analytics, they are only guessing about what they think is working and when something is successful, they are guessing as to the why it was successful.  Analytics are very important to marketing teams.  

Another area that analytics are important to marketing teams, is in things like browser abandonment or cart abandonment.  They are able to send you a text (with website consent of course), saying “You accidentally left items in your cart”.  They are also able to personalize your facebook ads (with your consent, of course). For instance if you clicked on the lasagna product, you can get facebook images of lasagna from that website for awhile that will entice you to buy it. 

The Gray Area: Basic Analytics Without Consent

We can all agree that personal information like a person’s name, address, phone number are personal and should not be collected without consent.  A lot of businesses also put marketing data in the area that needs consent.  The gray area is where we are collecting basic information and through the sheer amount of information we collect, a user’s identity could be discovered and targeted.  

Also, the fact that we load the API into google tag manager where we individually decide which tags are allowed to fire with consent and which tags are allowed to fire without consent.  Google is technically a 3rd party that is getting the information before the filters are made.

It is also “gray” because the user has no way of knowing what is in our google tag manager because it requires a business login to enter.  The user can only see that data is being shared with google tag manager with or without consent, and then hope that we are being honest behind the scenes. 

The FTC has also raised concerns about website tracking pixels.

The Federal Trade Commission recently took enforcement action against GoodRx and BetterHelp, two digital healthcare platforms, for allegedly sharing user health data with third parties for advertising.

One more thing that makes basic analytics a gray area is we are currently in a time in the United States where many of the individual state are writing their own privacy laws for websites.  A lot of them are basing them off of California Consumer Privacy Rights Act, so that is a good standard to use to measure if your website is legally compliant, but we don’t know for sure what each state’s laws really are and it is difficult to analyze each state’s individual privacy laws and keep up to date on them.  We are living in a time where the laws about privacy are changing and evolving, this puts a website owner at risk when choosing to use basic analytics without consent. 

Here is a website that does a good job keeping updated with individual state’s privacy laws and they have a nice comparison pdf that lets you look at each state’s laws.  US State Privacy Laws Comparison Chart

Consent options compared

This chart was created with the assistance of AI.

The comparison of consent options discusses the risks of personal and other data being collected, but a business owner needs to balance the risk of sharing too much data with the risk of losing customers and sales.  The safest option data-wise is not always the best choice for the business to make. 

No Tracking Until Consent:

This means, no analytics or tracking is loaded onto the page at all unless the “I agree” button on the cookie banner is clicked.  Some people just ignore those banners and some people don’t agree.  The business owner would lose all basic data about those people including if they even viewed the website.  Only the data from users who click the consent button could be gathered.

Basic Analytics Before Consent:

This is a more balanced approach that allows the website/business owner to collect data about basic analytics like page views, user clicks, length of time spent on the website.  The website owner gets to decide what the boundary is between basic analytics and marketing analytics.  The user sees that data is being collected without consent but has no way of knowing what data is collected.   

Full Tracking Unless Rejected:

This still gives the user the option to reject having their data shared, and it gives the website owner full tracking for users who just ignore the cookie banner.  

Category Based Consent:

The ones like this that I have seen usually have a reject, consent, and a choose categories of consent button.  It gives the user 3 choices and tries to make the accept choice the most appealing.  Having 3 buttons is not always the best choice for marketing something that you want to happen, sometimes 2 buttons will get you more “accepts” than 3.  But it is nice for the user to have clearly defined categories they can choose to share or not share. 

No Third Party Tracking:

This means no analytics or data are being gathered, no API is being shared with google analytics or google tag manager.  It is a very safe choice datawise, but could be risky for a business owner.  You would need to assess the goals of your website to see if this is a good choice.

A good consent setup should answer these questions clearly:

questions every business owner should ask about consent

This chart was created with the assistance of AI.

Key Legal Privacy Resources

This chart was created with the assistance of AI.

Final Thoughts

Website tracking is not a simple issue, and it is important to weigh both the risks of consumer privacy and the business risks of not making payroll or losing the business.  There isn’t a “right” answer in this situation, it is a decision each individual website owner needs to make after assessing the risks of their personal situation.  

There is a trust problem with collecting data for consumers.  Most consumers have no idea how to inspect a website even if the website is doing the completely safe solution when it comes to data collection.  And if a website is collecting basic analytics, consumers don’t really know where the boundaries are between basic and more advanced.   

The gray area of data collection doesn’t really go away, in fact, the longer users are active on the internet and the more information they give away, it becomes more possible to identify them and target them.  It’s a problem that cannot even be fixed with cookie banners as we are giving AI our personal information, we are asking google questions that reveal who we might be.  It is a multiplying effect that works against people’s rights.  It is even a problem that reaches into our everyday lives because now stores are using our data to change prices as we walk by a product, car companies want to have a camera installed in our car that watches us as we drive so they can collect data about drivers to help insurance companies charge us more.  There are cameras on every intersection and police have installed cameras in busy public areas.  Our privacy is being invaded in huge ways and people don’t know how to fight back. 

Website cookie banners give a little of that control back to the consumer, even if we have no idea how much data they are collecting without our consent, we still get to click that button that says “reject” and it is protected by law.  The reject button is important to our society.  Privacy laws around websites are one small step we are currently allowed to take.  It’s one step in the fight for privacy for individuals that matters. 

Sources and Further Reading

facebookShare on Facebook
TwitterTweet
FollowFollow us
PinterestSave

Disclaimer: Please keep in mind that we may receive a commission when you click on our links and make a purchase. This, however, has no bearing on our reviews and comparisons.

Subscribe to our newsletter for more website tips!

13 + 15 =

0 Comments

8 Steps To Website SEO

Free! 8 Steps To Website SEO

Join our mailing list to receive the latest news and updates from our team.

You have successfully subscibed! Soon you will receive an email with your free 8 steps to SEO.