I run a website, how do I improve the privacy of my visitors?

Some simple and some more complex steps to show you respect the privacy of your site's visitors

categories: Global, Tech

You probably care about your privacy, your visitors probably care about their privacy too. Fortunately there are a couple of measures you can take to improve their privacy when they visit your site. Most of the things described in this guide are relatively simple to implement. Some of these improve your site's security too!

Need to know?

Only ask (or store) information you absolutely need to know about your visitors or customers. Do you really need to know their real name, age and gender? If not, don’t ask them.

HTTPS for everything

Use HTTPS for everything, not just for password dialogs. When your site uses HTTPS, any eavesdropper (or "Man-in-the-Middle" in tech speak) between your visitor and your site can only spot that the visitor has visited your domain. It becomes near impossible to see which page they visited on your site. This is one of the reasons Wikipedia switched to full HTTPS. It made it almost impossible to detect whether someone visited the page for the Forsythia or the Tiananmen Square Massacre.

Enable HTTP Strict Transport Security

Enable HTTP Strict Transport Security (HSTS) to make sure any future visits by a visitor are always over HTTPS. If you know that, from now on, you'll always use HTTPS this is fairly easy to implement. The excellent Scott Helme has a handy introduction: HSTS - The missing link in Transport Layer Security.

Regularly scan your site for issues

Scan your site’s encryption and security headers using tools such as Qualys’ SSLLabs SSL Server Test and These scans can help you spot security issues on your site, many of which have privacy implications too. If getting an A+ on both is too hard (or expensive), at least getting it up a couple of notches will help.

Because these scans regularly receive updates based on new developments and discoveries, it pays to check back regularly. Once a quarter perhaps?

Don't outsource your analytics

Consider running your own analytics tools. There are a lot of hosted web analytics providers that are cheap or free. Unfortunately you send all your visitor data (and much of your visitor’s data!) to them to analyse, store and keep. Instead, check out Matomo (formerly known as Piwik) as a site analytics tool. It is an Open Source, free and self-hosted analytics package. Yes, it’s a bit more of a faff to set up, but you are rewarded with complete control over your own and your visitor’s data.

Protect referrers

Set a ‘Referrer Policy’. This way you can control how much data is leaked about the sites your visitors click to from your pages. As usual, Scott Helme has written a good in-depth article on the why and how of this new technique: A new security header: Referrer Policy.

Use hCaptcha instead of Google's reCAPTCHA

Google's reCAPTCHA service is critisised for using cookies to engage in "triangle synching" to track visitors across multiple, unrelated, domains. Replacing reCAPTCHA with hCaptcha stops your site taking part in this data gathering scheme.

Every little helps

As goes for most of these guides, even if you can't implement all of them, remember that every little helps...

Last updated: 2 November 2020