An open source, minimalist, and privacy-preserving traffic counter. No cookie banners or consent required.
Consentless is an open source, minimalist, and privacy-preserving traffic counter. It's designed to help with compliance with modern privacy laws including CCPA/CPRA (California), UCPA (Utah), GDPR (EU), and similar without requiring consent.
It does so by tracking only impressions on URLs and not IP addresses or other personally identifiable information (PII). Time is tracked only to minute precision to further reduce the ability to pinpoint users with supplemental data.
It's designed to track impressions instead of users.
It can be installed on any VPS or hosted service.
It can be used as your sole tracking mechanism or it can be used as supplemental tracking for visitors that did not consent to your other tracking methods.
It's minimal and lightning fast. The client is four lines of JS while the server is under 100 lines of code, making it easy to examine.
Consentless is written by Joel Dare and is currently beta software.
To install Consentless do the following:
There are two parts to Consentless: the client JavaScript and the server counter.
Once you have the server configured you add the following script to the bottom of any web page to start tracking stats. This script goes just above the closing body tag.
<script src="https://consentless.example.com/consentless.js" async></script>
Install the binary on a server, execute it, and redirect output to a file.
You can run Consentless in a VPS or a Docker container or the cloud.
Standard Output
All CSV data, from impressions, goes to stdout. This allows you to redirect output to a file or attach stdout to a service like pub/sub.
Why an image (vs Beacon or headers)?
The client sends a simple image request that includes the page URL as a query parameter. This avoids custom headers and CORS preflight, works with most Content Security Policies via img-src, and keeps the snippet tiny. While sendBeacon is great for unload reliability, it requires allowing the collection origin in your CSP connect-src and adds more code. Custom headers (like X-Referrer) on cross-origin requests are frequently stripped or trigger preflight, so we avoid them.
Consentless outputs it's stats as CSV data. You can process that data a number of ways. One way is to write it to a file.
If you redirect standard output to a file it will produce a CSV and you can use SCP to grab it from the server.
scp root@143.110.236.139:/some/path/consentless.log ~/consentless.log
I use SQLite to query the file directly.
sqlite ':memory:' -cmd ".mode csv" -cmd ".import consentless.log c"
Then run a query like.
select count(*) from c;
You'll find Concentless on GitHub.
MIT License. See LICENSE.txt.
If you pass PII in the query string parameter, or as any other part of a URL, then it will be logged. If someone else passes PII in a link to one of your URLs then you might log that.