Web Analytics implementation checklist

This checklist provides a technical roadmap for deploying privacy-first web analytics. It focuses on ensuring data integrity, regulatory compliance, and infrastructure stability while avoiding common implementation pitfalls like ad-blocker interference and PII leakage.

Privacy and Regulatory Compliance

  • IP Anonymization Verification

    critical

    Confirm that IP addresses are hashed with a rotating salt or truncated before database insertion to ensure GDPR compliance.

  • Cookie-less Configuration Audit

    critical

    Verify the analytics script does not write to 'document.cookie' or 'localStorage', so that a cookie consent banner is not required.

  • DNT Header Respect

    recommended

    Check that the tracking script honors the browser's 'Do Not Track' (DNT) signal by disabling data collection when active.

  • PII Leakage Scan

    critical

    Inspect outgoing network requests to ensure that email addresses, names, or auth tokens are not included in URL parameters or event properties.

  • Data Processing Agreement (DPA)

    critical

    Ensure a signed DPA is in place with the analytics vendor if using a hosted service like Plausible or Fathom.
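
For the PII Leakage Scan item above, one way to automate the inspection of captured analytics requests. This is an added example, not code from any analytics vendor; the key names, value patterns, payload shape and `example.test` hosts are assumptions, and the sample requests are constructed.

```javascript
// Heuristics are assumptions for this example; extend them for your own data model.
const VALUE_PATTERNS = {
  email: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i,
  jwt: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/,
};
// Bare "name" is left out because many analytics payloads use it for the event name.
const SUSPECT_KEYS = /^(e?mail|first_?name|last_?name|full_?name|user_?name|phone|token|access_token|auth|password)$/i;

// Percent-encoded values (alice%40example.test) would slip past the email pattern.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Walk a parsed JSON body and yield [dottedPath, stringValue] for every leaf.
function* leaves(value, path) {
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) yield* leaves(v, `${path}.${k}`);
  } else {
    yield [path, String(value)];
  }
}

// Returns [{ where, reason }] for one captured request { url, body }.
function scanRequest(req) {
  const findings = [];
  const check = (where, key, raw) => {
    const value = safeDecode(raw);
    if (SUSPECT_KEYS.test(key)) findings.push({ where, reason: "suspect-key" });
    for (const [kind, re] of Object.entries(VALUE_PATTERNS)) {
      if (re.test(value)) findings.push({ where, reason: kind });
    }
  };
  for (const [k, v] of new URL(req.url).searchParams) check(`query.${k}`, k, v);
  if (req.body) {
    for (const [path, v] of leaves(JSON.parse(req.body), "body")) check(path, path.split(".").pop(), v);
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE_REQUESTS = [
  { url: "https://stats.example.test/api/event",
    body: JSON.stringify({ event: "page_view", url: "https://shop.example.test/pricing", props: { plan: "pro" } }) },
  { url: "https://stats.example.test/api/event?token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
    body: JSON.stringify({ event: "signup_submit", url: "https://shop.example.test/welcome?email=alice%40example.test",
      props: { first_name: "Alice" } }) },
];
for (const req of SAMPLE_REQUESTS) console.log(req.url.split("?")[0], scanRequest(req));
```

Feed it the analytics requests exported from the browser's network panel or a test proxy, and fail the build when any request returns findings.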

Script Implementation and Performance

  • Asynchronous Script Loading

    critical

    Use 'async' or 'defer' attributes on the script tag to prevent the analytics library from blocking the critical rendering path.

  • Custom Domain/Proxy Setup

    recommended

    Configure a reverse proxy (e.g., via Nginx or Vercel Rewrites) to serve the script from your own domain to minimize ad-blocker interference.

  • SPA Route Change Tracking

    critical

    For React/Next.js/Vue apps, verify that page views trigger on router events rather than just initial page load.

  • Bundle Size Audit

    recommended

    Measure the impact of the analytics library on the total JS bundle size; ensure it stays under 5KB for privacy-focused tools.

  • SSR Compatibility Check

    critical

    Ensure the tracking script is only executed in the browser context to prevent 'window is not defined' errors during server-side rendering.

Event Tracking and Data Integrity

  • Naming Convention Standardization

    recommended

    Enforce an 'object_action' naming convention (e.g., 'button_click') across all custom events to ensure report consistency.

  • Environment Separation

    critical

    Use different Site IDs or API keys for 'development', 'staging', and 'production' to prevent test data from polluting production metrics.

  • Internal Traffic Filtering

    recommended

    Exclude traffic that comes from internal IP addresses or from browsers with a specific local storage flag set, to prevent team activity from skewing data.

  • Bot and Crawler Exclusion

    critical

    Verify that the tool automatically filters out common search engine bots and headless browsers from the dashboard.

  • Outbound Link Tracking

    recommended

    Test that clicks on external links are correctly captured before the browser navigates away from the page.

Self-Hosted Infrastructure (If Applicable)

  • Database Retention Policies

    critical

    Configure automated data pruning or TTL (Time To Live) settings to prevent the database from exceeding disk capacity.

  • SSL/TLS Enforcement

    critical

    Ensure the analytics endpoint is served exclusively over HTTPS to protect data in transit.

  • Automated Backups

    critical

    Establish a daily backup schedule for the analytics database (PostgreSQL/ClickHouse) to an off-site S3-compatible bucket.

  • Resource Monitoring

    recommended

    Set up alerts for high CPU or memory usage on the analytics container to prevent tracking downtime during traffic spikes.

  • Health Check Endpoint

    recommended

    Implement and monitor a '/health' or '/ping' endpoint to verify the availability of the tracking server.

Reporting and Integration

  • Dashboard Access Control

    critical

    Verify that dashboard access is restricted to authorized team members via SSO or 2FA.

  • Conversion Goal Verification

    critical

    Manually trigger a conversion (e.g., signup or purchase) and verify it appears in the dashboard within the expected latency window.

  • API Export Functionality

    optional

    Test the API endpoint for data retrieval to ensure automated reports or internal BI tools can ingest the analytics data.

  • Cross-Domain Linker Configuration

    recommended

    If tracking across multiple subdomains, verify that the user session is preserved across transitions.

  • Alerting for Traffic Drops

    recommended

    Set up notifications for significant, unexpected drops in traffic which might indicate a broken tracking script.