No one needs to deduplicate over a longer period than a few minutes, or a single session. If you need that, then you're doing something shady. If a user visits your site, clicks a few things, leaves and comes back two hours later, you don't need know if it's the same person or not. The goal of analytics is to see how people in general use your website, not how an individual person use your website.
So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie. Hash it together. Now you have token valid for 30 minutes you can use for deduplication but no way of tying it back to particular user (after 30 minutes). And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
> No one needs to deduplicate over a longer period than a few minutes, or a single session. If you need that, then you're doing something shady. If a user visits your site, clicks a few things, leaves and comes back two hours later, you don't need know if it's the same person or not.
Sure you do if for example you want to know how many unique users browse your site per day or month. Which is one of the most commonly requested and used metrics.
> So just take IP address, browser details, your domain name, and a random ID you stick in a 30 minute session cookie.
That looks a lot like a unique identifier which does require a user's consent and a cookie banner.
> Now you have token valid for 30 minutes you can use for deduplication but no way of tying it back to particular user (after 30 minutes)
The EU Court of Justice has ruled in the past that hashed personal data is still personal data.
> And yes, if the user changes browser preferences, then they will get a new hash, but who cares?
It will also happen after 30 minutes have passed which will happen all the time.
> Not rocket science.
And yet your solution is illegal according to the GDPR and does still not fulfil the basic requirement of returning the number of unique users per day or month.
