[tipiirai]

It's the local European laws. For example in Finland, where I live all analytics software must display a consent because the data is used for non-essential purposes. Applies to Volument and our competitors. More details on this doc, which is co-authored with a GDPR official:

https://volument.com/learn/data-privacy

[jakelazaroff]

GDPR differentiates between cookies and localStorage? I'm skeptical, but if so that's… a really surprising loophole.

[tipiirai]

It doesn't differentiate. GDPR is about identities and using them for non-essential purposes. It doesn't take a stance on the technologies in use. According to our lawyer GDPR law texts doesn't contain the word "cookie" anywhere.

Storing a user identifying random id to any permanent storage (cookie, localStorage, etag, Flash, you name it...) goes against GDPR.

[jakelazaroff]

Got it — the difference between Volument’s localStorage and GA’s cookie is the “identifying” aspect of the latter.

[tipiirai]

Exactly. GA uses identifying cookie so a consent is needed outside Europe too as per CCPA and others. Moreover you must explicitly ask for permission to identify the visitor and explain why you do it.