Have you seen a precipitous drop in your website traffic since the last week of May? Wondering where your visitors have gone?

Before you scratch your head, you may have lost some visitors but it’s more likely you lost the ability to track them (and not that you lost the traffic itself).

Who’s the likely culprit? The General Data Protection Regulation (GDPR).

Since May 25th, marketing organizations across the globe have been scrambling to get the right policies, procedures, and technologies in place to support elements of the GDPR. The subsequent chaos may represent the shuffle within which your visitors got lost.

Here’s how: First, some organizations have been sending out resubscription emails to their entire mailing list. (The results of these efforts are mixed.) In response to the flood of inbound requests, Internet users see this as an opportunity to cut down on emails flooding their inboxes. As a result, under the auspices of GDPR compliance, organizations are having their email-addressable audiences slashed by (up to) double-digits.

Next, organizations have been updating their respective website privacy and cookie policies—and practices—to reflect updated definitions of Personal Identifiable Information (PII). This means no longer storing IP address information because it’s considered personal data by the GDPR. In turn, marketers are left with significantly less data to analyze, and are unable to connect browsing behaviors and preferences to their target audiences.

Then, there’s the cookie banners. (Ahhhhhh!)

For most corporate websites, cookies are frequently used for website analytics, visitor tracking, and content personalization. These functions are all powered by cookies, the little bits of data stored in your browser that allow a given website to know who you are when you return. Those bits may be PII, as they frequently link back to a robust database record about each visitor. Cookie banners (i.e., popups, noticies, windows) alert visitors to the presence and nature of cookies on a website and (sometimes) require acceptance. Some websites have had these for years to comply with the [now deprecated] UK ICO and EU Cookie Laws that went into effect back in 2012. For many, though, the GDPR has meant adding these to specifically alert visitors of cookie tracking aspects of their websites.

For websites that have only recently introduced cookie banners, or have moved to a new format, these banners come in many forms. One version requires acceptance of the site’s privacy and/or cookie policy, without which all cookies are disabled for a visitor’s browser session. Other website visitors are using plugins to disable cookies permanently—possibly in response to all of the recent security concerns around Facebook and other information-sharers.

Even if you haven’t introduced a cookie banner, Google Analytics (and others) are alerting users to these changes and giving them the choice to opt out.

What’s the net result? If your visitor rejects your cookies, it can throw your analytics into a tailspin. While you may be less able to track your traffic, it hasn’t necessarily gone anywhere. That’s not reassuring, though, so here are three recommendations for what you can do:

1. Anonymize your IP address data in Google Analytics

For some businesses (and site visitors), simply anonymizing the IP addresses of your users may be sufficient to minimize GDPR concerns. Check with your legal counsel to be sure, but Google Tag Manager and Google Analytics now provide an “IP Anonymization” feature which should rid your analytics of any PII.

This can be handled by adding a Google Analytics setting to your Google Tag Manager configuration. It can also be accomplished programmatically, via details here and here. (For those interested in going deeper, here’s a great write-up at Jeffalytics.)

It’s also worth mentioning that, beyond anonymizing the IP address, it’s also possible to anonymize all data collected.

2. Implement another solution for visitor analytics

There are other analytics solutions, as well as customizations of Google Analytics, that can be used to restore some level of your visitor traffic analysis without violating the GDPR and related privacy directives. If more accurate analytics are critical to your business, reach out and let’s discuss how we can help.

3. When the visitor requests it, disable tracking via the Google Analytics API

If there’s no better option, use Google’s Analytics.js API to opt the user out of analytics tracking.

Unfortunately, while none of these recommendations will bring back your lost traffic, they can help to explain where your visitors have gone. Then, at least, to quote Jesse Montgomery, you won’t “go down in history as the dudes who destroyed the universe” (or the people that inexplicably shredded the subscriber list).