Product · March 31, 2026 · 11 min read

Consent Mode: GDPR-Compliant Analytics Without Sacrificing Insights

Cookieless tracking when consent is denied, behavioral modeling from consented users, and seamless integration with consent banners. Full GDPR compliance without data gaps.

The GDPR changed web analytics forever. Before 2018, analytics tools tracked everyone by default. After GDPR (and later CCPA, ePrivacy, and LGPD), you need user consent before setting cookies or collecting personal data. The result: anywhere from 30% to 70% of your visitors opt out, and your analytics data becomes unreliable.

Google's response was Consent Mode -- a system that adjusts tracking behavior based on user consent. But Google's implementation still sends data to Google servers even when consent is denied, which many privacy advocates argue violates the spirit of GDPR.

JustAnalytics takes a different approach. Our consent mode is built around a fundamental principle: when a user denies consent, no data leaves their browser that could identify them. And we use behavioral modeling from consented users to fill the gaps, so your analytics remain accurate.

JustAnalytics recognizes three consent states:

State   | What Happens
Granted | Full tracking with anonymous session identifiers
Denied  | Cookieless, aggregate-only data collection
Not Set | Follows your default setting (configurable)

Granted: Full Tracking

When consent is granted, JustAnalytics operates normally:

  • Anonymous session identifier (not a cookie -- stored in sessionStorage)
  • Full event tracking with all metadata
  • Session replay (if enabled)
  • Custom event properties
  • E-commerce event tracking
  • User properties (cross-session)

Even with full consent, JustAnalytics never stores personally identifiable information like names, email addresses, or IP addresses unless you explicitly send them as custom properties.

Denied: Cookieless Aggregate Mode

When consent is denied, JustAnalytics switches to a minimal collection mode:

  • No session identifier -- each pageview is independent
  • No cookies or storage -- nothing written to the browser
  • No fingerprinting -- no canvas, WebGL, font, or hardware fingerprinting
  • Aggregate data only -- pageview counts, not user journeys
  • No custom properties -- only page URL, referrer, and viewport size
  • No session replay -- recording is disabled entirely

What's collected in denied mode:

{
  "type": "pageview",
  "url": "/products/headphones",
  "referrer": "https://google.com",
  "viewport": "1920x1080",
  "timestamp": "2026-03-31T10:00:00Z"
}

No session_id, user_id, or device fingerprint is included.

This data cannot be connected to an individual. It's the equivalent of a web server access log -- basic traffic data with no user-level tracking.

JustAnalytics provides a simple JavaScript API for communicating consent state:

// When the user grants consent
JustAnalytics.setConsent('granted');

// When the user denies consent
JustAnalytics.setConsent('denied');

// Check current consent state
const state = JustAnalytics.getConsent(); // 'granted' | 'denied' | 'not_set'

CookieYes:

// CookieYes callback
document.addEventListener('cookieyes_consent_update', function(event) {
  const consent = event.detail;
  if (consent.analytics === 'yes') {
    JustAnalytics.setConsent('granted');
  } else {
    JustAnalytics.setConsent('denied');
  }
});

Cookiebot:

// Cookiebot callback
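window.addEventListener('CookiebotOnAccept', function() {
  // Statistics may be unchecked even when the banner is accepted, so deny
  // explicitly instead of falling through to the default consent state
  if (Cookiebot.consent.statistics) {
    JustAnalytics.setConsent('granted');
  } else {
    JustAnalytics.setConsent('denied');
  }
});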

window.addEventListener('CookiebotOnDecline', function() {
  JustAnalytics.setConsent('denied');
});

OneTrust:

// OneTrust callback
function OptanonWrapper() {
  const activeGroups = window.OnetrustActiveGroups || '';
  if (activeGroups.includes('C0002')) { // Performance cookies category
    JustAnalytics.setConsent('granted');
  } else {
    JustAnalytics.setConsent('denied');
  }
}

Custom banner:

// Your custom consent banner
document.getElementById('accept-analytics').addEventListener('click', () => {
  JustAnalytics.setConsent('granted');
  dismissBanner();
});

document.getElementById('decline-analytics').addEventListener('click', () => {
  JustAnalytics.setConsent('denied');
  dismissBanner();
});

Consent defaults to granted, meaning all features (including session replay, enhanced measurement, and tracing) are active immediately. For GDPR regions, override this to denied:

<!-- Default is granted. For EU compliance, set to denied: -->
<!-- A script element needs an explicit closing tag; a self-closing form is not valid HTML -->
<script
  defer
  src="https://justanalytics.app/tracker.js"
  data-site-id="YOUR_SITE_ID"
  data-default-consent="denied"
></script>

Setting                     | Behavior
granted (default)           | Full tracking with all features active until consent is explicitly denied
denied (recommended for EU) | No tracking until consent is explicitly granted

Geo-Based Defaults

For sites with global traffic, set different defaults based on the user's region:

JustAnalytics.init({
  siteId: 'YOUR_SITE_ID',
  consent: {
    defaultState: 'granted',
    regionOverrides: {
      'EU': 'denied',      // European Union
      'UK': 'denied',      // United Kingdom
      'BR': 'denied',      // Brazil (LGPD)
      'CA-QC': 'denied',   // Quebec (Law 25)
    },
  },
});

Users in EU countries start with consent denied. Users in the US start with consent granted. Each user can still change their preference via your consent banner.

Behavioral Modeling

The Data Gap Problem

If 50% of your EU visitors deny consent, your analytics for EU traffic are based on only half the data. Page view counts are 50% too low. Conversion rates are wrong. Traffic source attribution is skewed.

How Modeling Works

JustAnalytics uses behavioral modeling to estimate metrics for non-consented traffic. The model works on a simple principle: users who deny consent behave similarly to users who grant consent from the same traffic segment.

For each metric, the model:

  1. Groups consented users by traffic source, country, device, and landing page
  2. Calculates the metric for each group
  3. Applies the metric proportionally to the non-consented traffic in the same group
  4. Combines consented actuals with modeled estimates

Example

Organic search traffic from Germany, desktop:

Consented users:     1,200 sessions
Non-consented users: 800 sessions (estimated from aggregate page views)

Consented metrics:
  Bounce rate: 42%
  Pages per session: 3.2
  Conversion rate: 4.1%

Modeled metrics (applied to non-consented):
  Bounce rate: ~42% (estimated 336 bounced sessions)
  Pages per session: ~3.2 (estimated 2,560 page views)
  Conversion rate: ~4.1% (estimated 33 conversions)

Combined report:
  Total sessions: 2,000
  Bounce rate: 42% (modeled)
  Pages per session: 3.2 (modeled)
  Conversion rate: 4.1% (modeled)
  Confidence: High (60% consent rate in this segment)

Model Accuracy

Modeling accuracy depends on the consent rate:

Consent Rate | Accuracy      | Confidence Label
> 70%        | Excellent     | High confidence
50-70%       | Good          | Medium confidence
30-50%       | Fair          | Low confidence
< 30%        | Estimate only | Very low confidence

JustAnalytics displays confidence indicators on modeled metrics, so you always know how reliable the numbers are.
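
The four modeling steps and the confidence bands above, as an added JavaScript example (not JustAnalytics code). Function names, field names and the sample rows are hypothetical; labels follow the Model Accuracy table, and how the band edges are treated is an assumption.

```javascript
// Added example; names are hypothetical, not the JustAnalytics API.
const segmentKey = (s) => [s.source, s.country, s.device, s.landingPage].join('|');

// Thresholds from the Model Accuracy table; band edges (70/50/30) are an assumption.
function confidenceLabel(consentRate) {
  if (consentRate > 0.7) return 'High confidence';
  if (consentRate >= 0.5) return 'Medium confidence';
  if (consentRate >= 0.3) return 'Low confidence';
  return 'Very low confidence';
}

// consented: one row per consented session; deniedCounts: { segmentKey: sessions }.
function modelSegments(consented, deniedCounts) {
  const groups = new Map();
  for (const s of consented) { // step 1: group consented sessions by segment
    const key = segmentKey(s);
    const g = groups.get(key) || { sessions: 0, bounces: 0, pages: 0, conversions: 0 };
    g.sessions += 1;
    g.bounces += s.bounced ? 1 : 0;
    g.pages += s.pages;
    g.conversions += s.converted ? 1 : 0;
    groups.set(key, g);
  }
  const report = {};
  for (const key of new Set([...groups.keys(), ...Object.keys(deniedCounts)])) {
    const g = groups.get(key);
    const denied = deniedCounts[key] || 0;
    if (!g) { // no consented baseline in this segment: count it, model nothing
      report[key] = { totalSessions: denied, modeled: null, confidence: confidenceLabel(0) };
      continue;
    }
    const est = (n) => Math.round((n / g.sessions) * denied); // steps 2-3: rate x volume
    const modeled = { bounces: est(g.bounces), pageViews: est(g.pages), conversions: est(g.conversions) };
    const total = g.sessions + denied; // step 4: observed actuals plus modeled estimates
    report[key] = {
      totalSessions: total,
      bounceRate: (g.bounces + modeled.bounces) / total,
      pagesPerSession: (g.pages + modeled.pageViews) / total,
      conversionRate: (g.conversions + modeled.conversions) / total,
      modeled,
      confidence: confidenceLabel(g.sessions / total),
    };
  }
  return report;
}
// Constructed sample: two consented sessions, plus a segment with no consented baseline.
const seg = { source: 'organic', country: 'DE', device: 'desktop', landingPage: '/' };
const sample = modelSegments([{ ...seg, pages: 1, bounced: true, converted: false },
  { ...seg, pages: 5, bounced: false, converted: true }], { [segmentKey(seg)]: 2, 'paid|FR|mobile|/pricing': 5 });
console.log(sample);
```

Because the modeled sessions inherit the consented rates, the combined rates equal the observed ones up to rounding; only the totals change.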

What Can't Be Modeled

Some metrics can't be modeled from aggregate data:

  • Individual user journeys -- you can't reconstruct a specific user's path from aggregate page views
  • Session replay -- no recordings exist for non-consented sessions
  • Custom event properties -- specific event parameters aren't collected
  • Cross-session behavior -- without a session identifier, you can't track returning users

Behavioral modeling fills the gap for aggregate metrics (totals, rates, distributions) but not for individual-level analysis.

User Properties for Cross-Session Data

What Are User Properties?

User properties are key-value pairs associated with a user identity that persist across sessions. They're useful for segmentation, personalization, and analysis:

// Set user properties when a user logs in
JustAnalytics.setUserProperties({
  plan: 'pro',
  company_size: '50-200',
  industry: 'saas',
  signup_date: '2026-01-15',
});

User properties are only collected when consent is granted:

Consent State         | User Properties
Granted               | Stored and associated with anonymous user ID
Denied                | Not collected
Revoked (was granted) | Existing properties are retained but no new ones are collected

Using User Properties

In segments:

Create user segments based on properties:

Segment: Enterprise SaaS Users
Conditions:
  - user.plan = "enterprise"
  - user.industry = "saas"
  - user.company_size IN ("200-1000", "1000+")

In Discover queries:

Source: Events
Columns: user.plan, count(), avg(session_duration)
Group By: user.plan
Sort: count() DESC

In dashboards:

Filter any dashboard by user properties to see metrics for specific user segments.

Data Deletion and Right to Be Forgotten

When a user requests data deletion (GDPR Article 17), JustAnalytics provides:

# Delete all data for a user identity
curl -X DELETE https://api.justanalytics.app/v1/users/user_abc123 \
  -H "Authorization: Bearer ja_live_abc123"

# Response:
{
  "deleted": {
    "sessions": 47,
    "events": 892,
    "user_properties": 8,
    "session_replays": 12,
    "status": "scheduled",
    "estimated_completion": "2026-03-31T12:00:00Z"
  }
}

Deletion is permanent and irreversible. It removes all data associated with the user identity, including events, sessions, user properties, and session replays.

Compliance Checklist

GDPR (European Union)

Requirement                         | JustAnalytics Feature
Lawful basis for processing         | Consent mode with explicit opt-in
Right to be informed                | Privacy-friendly tracking, clear documentation
Right of access                     | User data export API
Right to erasure                    | User data deletion API
Right to restrict processing        | Consent revocation
Data minimization                   | No PII collected by default
Purpose limitation                  | Analytics data used only for analytics
Automated decision-making (Art. 22) | Prediction explanations included

CCPA (California)

Requirement        | JustAnalytics Feature
Right to know      | User data export API
Right to delete    | User data deletion API
Right to opt-out   | Consent mode ("Do Not Sell")
Non-discrimination | No impact on service for opt-out users

ePrivacy Directive

Requirement                       | JustAnalytics Feature
Cookie consent                    | No cookies used (sessionStorage only, with consent)
Tracking consent                  | Consent mode with denied default
Confidentiality of communications | No content tracking, only behavioral data

LGPD (Brazil)

Requirement       | JustAnalytics Feature
Consent basis     | Consent mode
Data minimization | Minimal data collection in denied mode
Data deletion     | User data deletion API

Technical Implementation Details

Consent Granted:

// Full tracking script active
// sessionStorage used for session identifier
// All events tracked with full metadata
// Custom events and properties collected
// Session replay active (if enabled)

Consent Denied:

// Minimal tracking mode
// No sessionStorage access
// No cookies set
// No fingerprinting
// Only aggregate page view data sent
// No custom events or properties
// No session replay
// Script size reduced to ~1KB (minimal payload)

Server-Side Handling

When JustAnalytics receives data from a denied-consent session:

  1. Data is processed immediately for aggregate counters
  2. No session record is created
  3. No user identifier is generated or stored
  4. IP address is discarded (not even hashed)
  5. Data is added to aggregate tables only
  6. Raw event is not stored

This means there is literally no individual-level record of the visit. The visit contributes to "page X received 500 views today" but there is no row in any table that represents this specific visit.

When a user changes their consent preference during a session:

Denied to Granted:

  • A new session is started with a session identifier
  • Future events are tracked normally
  • Previous (denied) pageviews in this visit are not retroactively associated

Granted to Denied:

  • Session tracking stops immediately
  • Session identifier is removed from sessionStorage
  • No further events are tracked (only aggregate page views)
  • Previously collected data for this session is retained (it was collected with consent)

All JustAnalytics reports indicate how much data is based on actual observations versus behavioral modeling:

Dashboard - March 2026

Total Sessions: 45,000
  Observed (consented): 28,000 (62%)
  Modeled (non-consented): 17,000 (38%)
  Confidence: Medium-High

Conversion Rate: 3.8%
  Observed: 3.9% (from 28,000 sessions)
  Modeled: 3.7% (estimated for 17,000 sessions)
  Combined: 3.8%
  Confidence: High

Track your consent rates over time:

Consent Rate Trends

Region    | March W1 | March W2 | March W3 | March W4 | Trend
EU        | 42%      | 44%      | 43%      | 45%      | ↑ Improving
US        | 89%      | 88%      | 90%      | 89%      | → Stable
Brazil    | 51%      | 53%      | 55%      | 58%      | ↑ Improving
Global    | 62%      | 63%      | 64%      | 65%      | ↑ Improving

Use JustAnalytics to measure the impact of different consent banner designs on consent rates. A friendlier banner that increases consent from 42% to 55% significantly improves your data quality.

Getting Started

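<!-- A script element needs an explicit closing tag; a self-closing form is not valid HTML -->
<script
  defer
  src="https://justanalytics.app/tracker.js"
  data-site-id="YOUR_SITE_ID"
  data-default-consent="denied"
></script>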

Add the JustAnalytics.setConsent() call to your consent banner's accept and decline handlers.

Open your browser's developer tools and check the Network tab. When consent is denied, you should see minimal payloads with no session identifiers. When consent is granted, full payloads appear.
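
The Network-tab check above can be automated over request bodies copied out of the browser. This is an added example, not JustAnalytics code: the allowlist is the five fields of the denied-mode payload shown earlier on this page, while the function names, the capture format and the query-string check are assumptions.

```javascript
// Added example; function names and sample requests are constructed.
// Allowlist = the five fields of the denied-mode payload shown on this page.
const DENIED_FIELDS = ['type', 'url', 'referrer', 'viewport', 'timestamp'];

function auditDeniedPayload(payload) {
  const findings = [];
  for (const [key, value] of Object.entries(payload)) {
    if (!DENIED_FIELDS.includes(key)) findings.push(`unexpected field: ${key}`);
    // Nested values could carry identifiers under an allowed name.
    else if (typeof value !== 'string') findings.push(`non-string value in: ${key}`);
  }
  if (payload.type !== 'pageview') findings.push(`unexpected event type: ${payload.type}`);
  // Assumption beyond the page: query strings and fragments are flagged because
  // they can carry e-mail addresses, tokens or click IDs that identify a visitor.
  for (const field of ['url', 'referrer']) {
    if (/[?#]/.test(String(payload[field] ?? ''))) findings.push(`query or fragment in: ${field}`);
  }
  return findings;
}

// capture: [{ consent, body }], where consent is the state the tester had
// selected when the request was recorded and body is the raw JSON request body.
function auditCapture(capture) {
  return capture
    .map((req, index) => ({ index, req }))
    .filter(({ req }) => req.consent === 'denied')
    .map(({ index, req }) => {
      try {
        return { index, findings: auditDeniedPayload(JSON.parse(req.body)) };
      } catch (err) {
        return { index, findings: ['body is not a JSON object'] };
      }
    })
    .filter((r) => r.findings.length > 0);
}

// Constructed capture: a clean payload, a leaking one, and a granted one that is skipped.
const clean = { type: 'pageview', url: '/products/headphones', referrer: 'https://google.com',
  viewport: '1920x1080', timestamp: '2026-03-31T10:00:00Z' };
const sampleCapture = [
  { consent: 'denied', body: JSON.stringify(clean) },
  { consent: 'denied', body: JSON.stringify({ ...clean, session_id: 's_1', url: '/reset?email=a%40example.test' }) },
  { consent: 'granted', body: JSON.stringify({ ...clean, session_id: 's_2' }) },
];
console.log(JSON.stringify(auditCapture(sampleCapture), null, 2));
```

An empty result means every denied-mode request in the capture matched the documented payload shape.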

Step 4: Review Modeled Metrics

After a few days of data collection, review your dashboard. Modeled metrics will appear alongside observed metrics with confidence indicators.

Check the consent rate dashboard regularly. If consent rates are low, consider optimizing your consent banner design or messaging.

Consent mode is available today on all JustAnalytics plans at no additional cost. Privacy compliance shouldn't be a premium feature.

Start your 7-day free trial and track responsibly.

JustAnalytics Team, Engineering Team

The engineering and product team behind JustAnalytics. We're on a mission to make web observability simpler, faster, and more private.
