I believe in people's right to privacy. I believe we shouldn't be needlessly tracked all over the web by big tech companies. At the same time, I am trying to run an online business. This means that if I want to be successful, I would have to at least partially play ball with the tech giants.

The challenge

My latest challenge on this front was search ad conversion tracking. After trying out a few different acquisition channels for my product, Thankbox, I noticed that search ads work really well. I set up both Microsoft Bing and Google Adwords and started seeing a steady stream of new users. For this article, I'll focus on Adwords.

Adwords has a conversion tracking feature which lets you track which keywords "convert" best. In my case, I wanted to track which keywords resulted in a user actually signing up and creating a Thankbox.

In order to do that, I'd have to add Google's trackers to my website. This is some JS code that they encourage you to add to the <head> tag of every page in your website. Here is an extract from Google's instructions, which uses their Google Tag Manager for this.

I cringed when I read that. I take pride in not having polluted my website with trackers but now I was fighting with what seems to be good business sense - knowing where your customers come from.

Do they really need to track every page?

After a bit of thought I realised that there's no way, from a functional standpoint, for Google to need this script installed on every page. Surely for tracking a conversion you just need it on the pages involved in the steps. For me, that was actually just two pages for the four step process.

Adwords click -> Landing page -> Create Thankbox page -> Create a Thankbox finished (conversion)

It seemed to me that I only needed to install this on my Landing page and the "Create Thankbox" page.

That's already a win but not a big one - my landing page is (naturally) my most visited page so I'd still be exposing all visitors to a script intended to be used only for people coming off search ads.

💡 That's when a lightbulb turned on.

Do they really need to track every user?

No - they don't! I certainly didn't want to.

I realized that the most responsible thing to do in this case would be to only track users who arrive from Adwords. Only those people would get the script included.

Knowing who to track - using refs

In order to only load the script conditionally I had to be able to discern the users that came from Adwords from everyone else. The easiest way to do that was to just add a ?ref parameter to the ad, since Google are totally OK with you doing that. utm_source would have also worked here.

Thankbox runs on Laravel and using the Laravel blade components (server side rendering) it was really easy for me to conditonally add the tracker only if the ref contained the word "Google". I include this in both my landing and Create Thankbox pages.

    @if(str_contains(request()->query('ref'), 'Google'))

Then I had to make sure to pass this ref to my Create Thankbox page. I do that by modifying the href link of the Create <a> tag  if there is a ref in the request.

$create_link = '/app/thankbox/create';
$ref = request()->query('ref');
if ($ref) {
    $create_link .= '?ref=' . $ref;

<a href="{{ $create_link }}">Create a Thankbox</a>

Here is an image that shows what happens:

The final step was to actually attribute the Thankbox creation. That was as simple as just checking if gtag (Google Tag Manager) exists and calling it once the form is submitted.

if (typeof gtag === 'function') {
    gtag('event', 'conversion', {})

Privacy minded

That's it! With some extra thought and a little bit of extra effort I was able to keep tracker scripts from taking over my whole website. I've contained them just to the places I need them.

As an added bonus to this work it means that I only have to show a cookie notice to those tracked users, not everyone. This is because my normal landing page has no trackers that require one to be shown. When it comes to website analytics I didn't go with the web standard Google Analytics. Instead, I went with Fathom Analytics - a privacy focused alternative. It is GDPR-friendly and doesn't require a cookie prompt.

For easy cookie & privacy notice management I ended up using Iubenda, which was recommended by a fellow founder.