Recorde: Cookie-Free Web Analytics Built for DUAA 2025

Overview

What started as frustration with broken analytics data became the UK's first web analytics platform built natively for the Data (Use and Access) Act 2025.

UK businesses had been losing 40 to 60% of their visitor data to consent popups for years. When DUAA 2025 changed the law and made cookie-free analytics legally viable in the UK for the first time, we built Recorde: a privacy-first analytics platform designed from day one around the new compliance model. No consent popups. No data blind spots. No compromise.

The Challenge

Cookie consent banners are a conversion problem disguised as a compliance requirement. Under the old consent model, between 40 and 60% of visitors decline tracking entirely, leaving businesses with an incomplete and skewed picture of their audience. For any site where conversion data matters, that gap is expensive.

The tools available were not built for this moment. Google Analytics still requires consent banners. Plausible and Fathom are solid privacy tools, but neither is built specifically for UK law, neither auto-generates the required privacy notices, and neither handles the opt-out mechanism that DUAA compliance requires. The market gap was obvious: UK businesses needed an analytics tool that made DUAA compliance the default, not an afterthought.

The technical challenge was equally clear. DUAA 2025 is not simply "no cookies." It requires a specific model: track by default, provide a clear privacy notice, and give users a simple, one-click opt-out. A tool that gets this wrong does not just underperform. It exposes its users to ICO enforcement.

The Approach

We started with the law, not the product. Before writing a line of application code, we worked through the ICO's official DUAA 2025 guidance, studied the four legal requirements for cookie-free analytics, and documented exactly what a compliant implementation looks like. That research became the foundation for every technical decision that followed.

The architecture decision came next. Analytics event ingestion is a high-throughput, low-latency problem: thousands of events, processed in real time, stored efficiently. We chose Go for the ingestion service because it delivers roughly 2.25 times the throughput and seven times lower memory usage compared to Node.js at that layer. Everything else, the dashboard, auth, site management, compliance tools, runs in TypeScript with Next.js, where developer velocity matters more than raw performance.

We built the compliance features first, not last. The opt-out mechanism, the auto-generated privacy notice, and the compliance verification dashboard are not bolt-ons. They are the foundation the product is built on. Everything else is analytics.

The Solution

Recorde gives UK businesses accurate, complete analytics data without the conversion friction of consent popups.

The tracking script is under 3KB gzipped: roughly 33 times smaller than Google Analytics. It collects no personally identifiable information. IP addresses are used only to resolve country, then discarded immediately. Session IDs rotate daily, making cross-day tracking impossible by design.

Core features:

• Real-time dashboard with sub-one-second load times
• Top pages, traffic sources, device breakdowns, country data, and UTM campaign tracking
• Custom event tracking via cdn script
• Auto-generated DUAA-compliant privacy notice, ready to drop into any site
• Built-in one-click opt-out mechanism, persistent across sessions
• Compliance verification dashboard confirming all four DUAA requirements are met
• UK-only data hosting: all data lives in London and never leaves British soil

The Results

Early adopters are seeing an average 14% lift in measured conversions after removing consent popups, consistent with industry data showing that consent friction depresses visible traffic by 40 to 60%.

The waitlist validation confirmed genuine demand. Within weeks of announcing, the product attracted signups from UK SaaS founders, agencies, and e-commerce operators, all citing the same pain: incomplete data, broken attribution, and frustration with tools that were not built for UK law.

The 20-week development timeline, proved that a focused scope and a clear compliance mandate can produce a production-ready product without a large team or a large budget.

Key Takeaways

Regulation creates opportunity: Most businesses treat compliance as a constraint. DUAA 2025 created a legal advantage for businesses willing to move first. Being the tool that makes that advantage accessible is a strong market position.

Accuracy builds trust: Early versions of the messaging overstated what DUAA allows. Correcting this, being upfront that a privacy notice and opt-out are still required, turned out to be a differentiator. Customers trust the product more because the positioning is honest.

Build for the law, not around it: Compliance features added after the fact are fragile. Building the opt-out mechanism, the privacy notice generator, and the compliance dashboard as core infrastructure means the product cannot accidentally break the legal model it is built on.

Constraints sharpen scope: A solo developer, a bootstrap budget, and a 20-hour week forced rigorous prioritisation. Every deferred feature is something that would have slowed the launch without improving the core value. The product that shipped is better for what was cut.