<aside>
ℹ️ This guide provides step-by-step instructions for configuring etracker analytics in different privacy configurations and how these configurations must be reflected in the Consenter Manager when configuring your Consent Banner.
Step 1: Choose which configuration matches your demands and configure etracker accordingly
Step 2: Configure the Consent Banner in the Consenter Manager accordingly
Step 3: Explain how you use the third party provider in your privacy policy
</aside>
etracker analytics is a German web analytics platform developed by etracker GmbH (Hamburg, Germany). It deploys a JavaScript tracking code on customer websites and is distinguished by its privacy-by-design architecture: in its standard cookie-less mode, it operates without the analytical cookies that typically trigger consent requirements under the GDPR and TDDDG. Depending on configuration, etracker can operate as a fully consent-free session analytics tool or as a more capable cross-session and cross-device analytics platform with personalisation and ad conversion integration. The configurations below cover the most privacy-relevant settings and their corresponding mappings in the Customer Panel (CP).
Important note on data location: etracker GmbH is a German company. All data is processed exclusively on etracker's own servers in Hamburg, Germany, hosted at the ISO/IEC 27001-certified IPHH Internet Port Hamburg GmbH data centre. etracker explicitly states that no data is transferred to the USA and that access by US government authorities under the CLOUD Act is excluded. Accordingly, no US processing location is indicated for etracker itself in this guide. This distinguishes etracker from US-based analytics providers and is a relevant factor in the consent banner and privacy policy.
| # | Configuration Area | Where in etracker | Configuration A — Low Risk | Configuration B — Medium Risk | Configuration C — Higher Risk |
|---|---|---|---|---|---|
| 1 | Cookie mode and consent activation | Tracking code → data-block-cookies attribute; Consent API → _etracker.enableCookies() |
Cookie-less standard mode — no analytical cookies are set; etracker operates without user consent under legitimate interest (Art. 6(1)(f) GDPR), certified by ePrivacy GmbH | Consent-required mode — data-block-cookies="true" set in tracking code; analytical cookie (_et_coid) activated only via _etracker.enableCookies() upon user consent |
Consent-required mode — data-block-cookies="true" set in tracking code; analytical cookie, cross-device tracking, and Targeting API activated upon user consent |
| 2 | IP anonymisation | Default (always active; no configuration required) | Enabled — IP address truncated before storage (privacy by default) | Enabled — IP address truncated before storage (privacy by default) | Enabled — IP address truncated before storage (privacy by default) |
| 3 | Cross-session user recognition | Tracking code attribute; Consent API | Disabled — no _et_coid cookie is set; visitors tracked as anonymous sessions only (session storage cleared on tab close) |
Enabled upon consent — _et_coid first-party cookie set for persistent cross-session visitor recognition |
Enabled upon consent — _et_coid first-party cookie set for cross-session visitor recognition |
| 4 | Cross-device tracking | Account → Tracking settings | Disabled | Disabled | Enabled — visitors identified across devices via authentication-derived identifiers (e.g. newsletter link, login) |
| 5 | Personalisation and ad connectors | Data Services → Targeting API; Account → Server-side tracking | None | None | Targeting API active — visitor history (BT_pdc cookie) used for real-time on-site personalisation; server-side ad connectors enabled (e.g. Google Ads, Meta Ads) |
| 6 | Cookie / data retention | Tracking code → data-cookie-lifetime attribute (value in months, range 1–24; default 24) |
No persistent analytical cookies; raw data retained for 13 months (contractual default) | 6 months (data-cookie-lifetime="6") |
24 months (data-cookie-lifetime="24", platform default) |
| 7 | Processing location | etracker GmbH infrastructure | EU/Germany exclusively (IPHH data centre, Hamburg; ISO 27001-certified); no US transfers; CLOUD Act does not apply | EU/Germany exclusively; no US transfers; CLOUD Act does not apply | EU/Germany for etracker; each connected ad platform processes data per its own terms and in its own location |
Use this configuration when etracker is used solely for anonymous, consent-free website analytics under the legal basis of legitimate interest. In its standard cookie-less mode, etracker does not set any analytical cookies. The only storage mechanisms in use are session storage entries (for scroll depth measurement and tag manager caching), which are automatically cleared when the browser tab is closed and contain no persistent identifiers. The IP address is truncated at the earliest point in the data acceptance process before any storage occurs. There is no cross-session or cross-device visitor recognition.
This mode has been independently audited by ePrivacy GmbH, which confirmed that use of etracker analytics in cookie-less standard mode is lawful without any consent requirement under the GDPR and TDDDG. A data processing agreement (DPA) is automatically concluded with etracker upon account creation.
Note on the consent banner: Because Configuration A does not involve consent-required processing by etracker itself, it does not technically need to appear in a consent category requiring opt-in. It must, however, be disclosed in the privacy policy, and an opt-out option must be provided. If you choose to include it in your consent banner for transparency reasons (e.g. as a legitimate interest entry), map it as described in Section 2.1 below. The opt-out text and link are available directly in the etracker account under Data protection → Data protection notice.
Use this configuration when etracker is used for website analytics with cross-session visitor recognition. Consent is required and must be obtained before the analytical cookie is set. The tracking code must include data-block-cookies="true", and the _etracker.enableCookies() API call must be triggered only after the user's consent has been recorded. Upon consent, etracker sets the _et_coid first-party cookie (stored in local storage), which assigns a pseudonymous identifier to the visitor's browser, enabling recognition across sessions. The cookie lifetime is set to 6 months via the data-cookie-lifetime="6" attribute. IP anonymisation remains active by default. No cross-device tracking or personalisation is in use. Data is processed exclusively in Germany by etracker GmbH as data processor under its DPA.
Use this configuration when etracker is used for full cross-session and cross-device analytics combined with on-site personalisation and server-side advertising conversion reporting. Consent is required for all components before activation. In addition to the _et_coid analytical cookie, cross-device tracking is enabled, which links visitor sessions across different devices using authentication-derived identifiers (e.g. a unique link in a newsletter or a website login). The Targeting API is activated to personalise website content in real time based on stored visitor history (held in the BT_pdc cookie). Cookie lifetime is set to 24 months.
Server-side ad connectors (e.g. Google Ads, Meta Ads) are enabled to transmit conversion data to the respective advertising platforms via server-side API calls. These platforms are independent controllers operating under their own terms, policies, and data locations. Each must be configured as a separate entry in the Customer Panel. As these are US-based enterprises, their processing is potentially subject to access by US government authorities under the CLOUD Act, and this must be disclosed in the consent banner for each platform individually.
etracker GmbH itself continues to process data exclusively in Germany as a data processor. The CLOUD Act does not apply to etracker.
Using the etracker configurations defined in Step 1, apply the following mappings in the Customer Panel to ensure the consent banner correctly reflects the data processing activities.