If you've browsed the web in the last 10 years then you'll have seen more than your fair share of cookie banners!

Intended as a workaround to the 2011 EU Cookie Law, cookie consent banners have become so commonplace that most people don't even bother to look at them, or just click accept on everything.

As I see it, the purpose of the Cookie Law was to stop websites from storing data in your browser unless they absolutely needed to, by requiring them to prompt their visitors for consent. The end goal was to give you more control over your online privacy, stop needless tracking, and make website owners think twice about what they were doing. In short, a well-intentioned idea.

However, basically every website in the world took the easier, less introspective approach - prompting for consent - creating an objectively worse web experience for everyone.

Since at Leave Me Alone we're trying to set an example of how to run a privacy friendly company, we decided to figure out how we could remove all the cookies from our landing page without sacrificing anything important. This means no more cookie banner, no more tracking! 🍪

We had three main cookie monsters that will be well known to SaaS companies:

  1. Web analytics
  2. Live Chat
  3. Security (DDoS protection, etc.)

Before we start, I'm not necessarily saying I distrust any of these companies and how they use cookies, so make your own judgement about them. We're just in this to get cookie free!

Web Analytics

To track our page views and general visitor behaviour, like most sites, we were using Google Analytics.

Google Analytics sets a little cookie on page load to "remember" what a visitor has done on each page as they navigate around a site. This allows it to create a profile of the visitor so you can figure out exactly what it takes to get a visitor to sign up or convert, or whatever it is that you're trying to measure.

Realistically we never really use this information, so it's an easy one to get rid of. There are actually a handful of simpler web analytics platforms that don't use cookies, and we opted to try Simple Analytics. With this we get basically all the info we ever got out of Google Analytics (page views), so it seems like a great compromise.

You can even make your analytics pages public, which fits nicely with our "open startup" work ethic. For example you can view the stats for this blog post here!

The page view analytics for Simple Analytics - meta!

🍪 Cookie Verdict = 5/5, no cookies, no problem.

Live Chat

Having an annoying chat widget is another common thing for a SaaS homepage. We used to use Crisp for this, which uses a cookie to match a browser session to messages in their system. Their privacy policy says this is "not used for tracking purposes", but given all the data they show in their UI about visitors that's not exactly much comfort.

(It even guesses a load of personal info from the visitor's email address, like what company they work for and their job title, using something called Crisp Enrich, which is apparently impossible to find any info about but sounds shady as hell.)

I don't know why I would care about half of the stuff Crisp automatically collects on people who are just asking for help on my website 🤷‍♂️

So, this is a top priority since it looks like an absolute privacy and tracking nightmare.

I get that this is a difficult one, but there's literally no service we could find to do this cookieless (or even mildly privacy focused) so we ended up heavily modifying an open-source project called Intergram to do what we wanted. Intergram works like a regular chat widget, but it communicates with the chat app Telegram via a self-hosted server - meaning at least we're in control of the code. Our modified chat widget now looks like this (and the code is open-source);

Unfortunately it still requires some place to store the messages locally so that the visitor has a copy of them, but we still made this work by only storing anything after the chat has been opened, unlike Crisp, which injected its cookies when it felt like it. We also don't collect any tracking crap like Crisp does, only chat messages!

We sweetened the deal by adding a consent prompt to the chat widget itself like this;

🍪 Cookie Verdict = 3/5 - fewer cookies, more privacy.
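
The "store nothing until the chat is opened and the visitor agrees" behaviour described above can be sketched as follows. This is an added example, not code from Intergram or from the Leave Me Alone widget; `GatedChatStore`, `makeMemoryStorage` and the storage key are hypothetical names, and the in-memory object stands in for the browser's `localStorage`.

```javascript
// Added example: chat history that touches browser storage only after consent.
class GatedChatStore {
  constructor(storage, key = 'chat.messages') {
    this.storage = storage;  // localStorage-compatible: getItem/setItem/removeItem
    this.key = key;          // hypothetical storage key
    this.consented = false;
    this.pending = [];       // messages held in memory only, lost on page unload
  }
  // Call when the visitor accepts the prompt inside the opened widget.
  grantConsent() {
    this.consented = true;
    if (this.pending.length) this._write(this._read().concat(this.pending));
    this.pending = [];
  }
  // Call when the visitor declines or withdraws: erase everything stored.
  revokeConsent() {
    this.consented = false;
    this.pending = [];
    this.storage.removeItem(this.key);
  }
  // Returns true only if the message was written to persistent storage.
  add(message) {
    if (!this.consented) { this.pending.push(message); return false; }
    this._write(this._read().concat([message]));
    return true;
  }
  history() { return this.consented ? this._read() : this.pending.slice(); }
  _read() {
    try {
      const parsed = JSON.parse(this.storage.getItem(this.key) || '[]');
      return Array.isArray(parsed) ? parsed : [];
    } catch { return []; }  // corrupted value: treat as empty history
  }
  _write(list) { this.storage.setItem(this.key, JSON.stringify(list)); }
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
    get length() { return m.size; },
  };
}
```

In a browser, pass `window.localStorage` as the first constructor argument.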

Security

This was a tricky one. We use Cloudflare as a security layer to protect the website from denial-of-service attacks. We also use their CDN to cache our assets so that the site loads extra fast, and use their DNS because it's hella convenient.

To perform their protection Cloudflare stores a cookie called __cfduid, which is used to track each client and somehow figure out if they're a malicious actor or something. I don't really know and their description is clear as mud. Whatever it does, it's got to go.

I didn't really know where to start with this one, so I tweeted about it and got a reply from a systems engineer that works there:

Which is a bit of a non-answer, since the Enterprise plan costs $200/month and I'd end up with fewer features for my trouble.

Since we've never actually had to use Cloudflare protection, my solution was to disable Cloudflare forwarding completely and switch to a proper CDN provider. You can do this by clicking the cloud icon in the DNS settings and switching to "DNS only":

This means we are now just using Cloudflare for DNS. But it's possible to hit this button again and re-enable Cloudflare forwarding temporarily if we find ourselves under attack, so I figure this is a good option.
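
One way to confirm the switch took effect is to compare the response headers (for example from `curl -sI`) before and after. The following is an added example, not from the original post: the two header blocks are constructed samples with a placeholder domain and cookie value, and the check only sees cookies set through `Set-Cookie` headers, not ones written by page scripts.

```javascript
// Added example: list the cookies a raw HTTP response header block sets.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf('=');
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? '' : a.slice(i + 1);
  }
  return cookie;
}

function auditResponseHeaders(rawHeaders, now = new Date()) {
  const findings = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const m = /^set-cookie:\s*(.+)$/i.exec(line);
    if (!m) continue;
    const { name, attrs } = parseSetCookie(m[1]);
    // Max-Age wins over Expires; neither means a session cookie (0 days).
    let days = 0;
    if (attrs['max-age']) days = Number(attrs['max-age']) / 86400;
    else if (attrs.expires) days = (Date.parse(attrs.expires) - now.getTime()) / 86400000;
    if (!Number.isFinite(days)) days = 0; // unparseable lifetime: report as session
    findings.push({
      name,
      domain: attrs.domain || null,
      persistent: days > 0,
      lifetimeDays: Math.round(days),
    });
  }
  return findings;
}

// Constructed sample headers (placeholder domain and cookie value).
const PROXIED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Set-Cookie: __cfduid=PLACEHOLDER; Max-Age=2592000; Path=/; Domain=.example.com; HttpOnly',
  'Server: cloudflare',
].join('\r\n');
const DNS_ONLY = ['HTTP/1.1 200 OK', 'Content-Type: text/html'].join('\r\n');

console.log(auditResponseHeaders(PROXIED));
console.log(auditResponseHeaders(DNS_ONLY));
```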

For a CDN provider we decided, on a recommendation, to check out BunnyCDN. I'm actually really impressed by this service; compared to Cloudflare everything feels a bit faster and it's easier to know what's going on, which I like. Also, since it's just a file CDN, there are zero cookies of course!

🍪 Cookie Verdict = 6/5 - No cookies AND a faster website!

Remarks

The website now has no cookies on load, with some storage being used if a visitor opens the chat widget, which I think is a pretty successful outcome!

You can check it out here. You'll notice there's no cookie banner to annoy you; it's almost like stepping back in time ;)


PS.

If you enjoyed this post then check out my Twitter. I spend my free time tweeting about how much I hate anti-privacy web practices and crappy mailing list emails. See you there!


Cover photo by Clem Onojeghuo on Unsplash.