I launched my website with clean design, clear messaging, and a working portfolio. The last step seemed simple: add privacy and terms pages, check the compliance box, move on.
It wasn't simple. Going cookieless and privacy-first meant days of reconfiguring tools, researching data flows, and discovering that even fonts can track you.
The Decision: Why Bother?
Here's the thing about cookies and tracking: I hate them. Not just as a mild annoyance, but as a fundamental user experience problem. Every time I visit a site and get hit with a consent banner, I'm being asked to agree to something I won't read and probably wouldn't understand if I did.
Think about it like this. You're shopping at the mall. You leave one store, and someone from that store follows you to the next one. And the next one. They're taking notes on everything you look at, everything you touch, what you buy, how long you spend in each aisle. Then they report all of this back to their store. That's what tracking cookies do.
Most people click "accept" because it's convenient. They don't realize what they're actually agreeing to. I didn't want to be part of that system.
Beyond personal preference, there's a strategic reason for going privacy-first. Too many businesses accept automatic tracking and cookies without actually leveraging them. They collect everything just because they can, not because they have a specific purpose for it. I wanted to flip that approach: collect specific data for specific reasons, not collect everything for potential future purposes.
To actually build a privacy-first site that meets GDPR and CCPA standards, I needed to understand exactly what every tool in my tech stack was collecting, why it was collecting it, and how to configure it properly. That meant spending a couple days diving into settings, reading documentation, and discovering things I never expected.
Like Google Fonts. Turns out, using Google Fonts involves tracking personal information. Who knew that typography came at the cost of privacy? The solution was to download the Inter font files and self-host them within Webflow instead of linking to Google's servers. More setup work, but it meant one less third-party connection tracking visitors. Convenience has a price, and lately that price has been visitor data.
The Work
I started with Termly to generate base privacy and terms of use policies. Their questionnaire forced me to actually research my third-party tools: Google Workspace, Asana, Webflow, HubSpot, Plausible Analytics, Stripe. Each one needed investigation to understand what data they collected and how.
Once Termly generated my policies, they offered to host them on my website through embedded HTML. Free and easy. There was just one problem: that HTML came with tracking and cookies. A compliance and privacy tool that takes advantage of its own value proposition to track the users of its users. I wasn't about to put a privacy policy on my site that violated the privacy principles I'd just spent days implementing. So I copied the policies into Webflow pages instead and built them out manually. More work, but at least my privacy policy wasn't tracking people.
To be clear, not all of these tools interact with site visitors. Google Workspace handles my business email and file storage. Asana manages project work with clients. Stripe processes payments for active engagements. These are backend operations that only come into play once someone becomes a client. They don't touch browsers.
The tools that do interact with visitors required the most scrutiny: Webflow (hosting the site itself), HubSpot (forms and CRM), and Plausible (website analytics).
HubSpot was particularly tricky. It defaults to tracking and cookies, which makes sense for most marketing automation setups. But I didn't need that. I found a GDPR compliance toggle in settings, updated consent language, and made sure no tracking code was active for forms or landing pages. The challenge wasn't that it was technically difficult. It was understanding what I actually wanted to collect and why, then mapping that into the privacy policy accurately.
For analytics, I chose Plausible specifically because it's cookieless. It gives me essential insights like page views, traffic sources, and general geographic regions without tracking individual visitors. I get faster site speeds, more accurate visitor counts (since it bypasses ad blockers), and no consent banner is required.
After configuring all the tools, I used Claude to refine sections of the policies and make the language more clear. Then I did something that's been incredibly useful: I added both documents to Google Notebook LM. Now when I'm making decisions about new tools or features, I can ask it questions like "If I use HubSpot forms, will that violate my terms or privacy policy?" It's become a compliance check system. Worth noting: when using AI tools to analyze internal policies, you should verify that the platform's own data practices align with your privacy stance. I confirmed that Notebook LM doesn't use uploaded documents for model training.
The Trade-offs
Going cookieless means giving up some capabilities. I don't have advanced funnel tracking, visitor tagging, or the depth of customer journey analysis that something like Google Analytics provides. Plausible gives me the essentials, but not everything.
Here's what I've learned: if you truly want to eliminate privacy and tracking exposure for your business, you need to self-host everything. Relying on third-party tools costs privacy and security. But even self-hosting can't guarantee 100% security. The real question is what trade-offs you're willing to make.
My current setup is a calculated middle ground. I'm maximizing privacy within the constraints of modern SaaS convenience. Self-hosting everything would give me more control, but it would also require infrastructure maintenance, security updates, and technical overhead that doesn't make sense for a solo consulting practice. The key is being intentional about which third-party tools I use and configuring them to minimize data collection.
For my digital studio, the trade-off is worth it. I'm collecting only what visitors explicitly provide through forms: names, email addresses, company information. That's it. No behavioral tracking, no cross-site following, no data I don't have a specific purpose for.
What This Actually Means
When you visit my site, I don’t know who 'you' are. Through Plausible’s anonymous analytics, I only see that a visitor arrived, which pages were viewed, and a general geographic region (city, state, country). This is aggregate data, meaning your visit is just a number in a report, not a profile tied to your identity
If you fill out a contact form, I know what you tell me. Name, email, message, whatever you choose to share. That information goes into HubSpot for CRM and email communication.
If we work together and record meetings, I'll ask for explicit consent first.
That's it. No cookies following you around. No tracking pixels. No data sold to third parties. No mysterious "partners" who get access to your information.
Why This Matters
Building this privacy-first approach taught me something valuable about marketing operations. When you're forced to be intentional about data collection, you get better at understanding what actually matters. You can't fall back on "we might use this later" or "everyone else collects it."
If I decide in the future that I want to collect phone numbers to send SMS updates, I'll need to plan out exactly why I'm collecting that information and how I'll use it. That's more thoughtful than just adding a field because I can.
This approach also positions me to help clients who actually care about compliance, not just clients who check boxes to avoid fines. I can explain what data they're collecting, why, and what their obligations are. I can configure systems that respect privacy without sacrificing functionality.
Seven days of work to avoid a consent banner might seem excessive. But it wasn't really about the banner. It was about building systems that work the way they should, with intention and respect for the people using them.
You can read the full details in my Privacy Policy and Terms of Use. Unlike most legal pages, I actually want you to understand what's in there.