The Secret Life of the User ID: What It Is, Why It Matters, and When You Can’t Use It

We talk to a lot of organisations that think they’re tracking everything on their website. They’ve got Google Analytics, Meta Pixel, cookies, consent banners - the lot.

Then we have a nose and find that half their sign-ups have no source, their ads are getting “clicks” but no “sessions”, and their data looks like a Jackson Pollock painting (messy).

That’s when we ask, “Do you use a User ID?”

Cue the blank stares.

What is a User ID?

Think of the User ID as a quiet name tag for each visitor on your site. It's a unique, anonymous code that lets you see what that person does while they’re on your site (and when they come back).

It’s not their name, email, or phone number. It’s just a string of characters like a9f67x12 that says, “Hey, this is the same browser as before.”

That little ID is the backbone of proper analytics. It helps you connect the dots between different actions that would otherwise look like a bunch of disconnected visits.

What the User ID can do (with consent)

When a visitor accepts cookies, your analytics setup can create and store a User ID. From there, you can:

• Track their journey: See how they move through your site. Maybe they land on your blog, click on your “Sign Up” page, then visit again two days later to actually sign up.
• Attribute actions properly: Know that the Facebook ad they clicked last week did lead to a sign up today.
• Understand behaviour: How many pages do people visit before converting? Which journeys lead to drop-offs? Our clients love this.

In other words, it connects the story. Without it, you just get isolated blips of traffic with no context.

Real User Journey Example

Here’s what that looks like in real life:

Day 1: Someone clicks your Google Ad. They scroll, watch a video, but don’t sign up.
Day 3: Same person comes back via a Facebook retargeting ad. Reads your About page. Still doesn’t convert.
Day 5: They return directly, fill in your contact form, and book an appointment.

Without a User ID, that’s three random visits from “different” people.
With it, you see one person, three visits, one conversion.

That’s pretty powerful in my opinion.

When You Can’t Use It (and Why GDPR Cares)

Here’s the tricky part: GDPR doesn’t care that it’s “anonymous” to you. The law treats a User ID as personal data because it’s an “online identifier” that could potentially identify someone if combined with other data.

That means you can’t just use it however you like.

If a user rejects cookies, you can’t use that User ID for analytics or marketing. You can still create one for legitimate interests, but the purpose must be strictly functional. Things like:

• preventing fraud or spam submissions,
• deduplicating form entries,
• maintaining site security.

You cannot later say, “Oh, we’ll just link that same ID to their form submission data now that they’ve consented.”
Nah. GDPR’s purpose limitation rule means you can’t use data collected for one reason (security) for a completely different one (analytics).

If you want to track behaviour for marketing or analytics, you need clear consent at the point of tracking.

How You Apply It (Practically)

1. Set up your consent management: Use something like Termly or CookieYes to make sure the User ID only fires when a visitor says “yes” to cookies.
2. Generate the ID: Only when consent is given (or under legitimate interest for functional use).
3. Store data separately: Keep User ID tracking data (for analytics) separate from personal data like names or emails.
4. Don’t mix purposes: If a User ID was created for security, don’t use it for marketing later.

That’s your GDPR-safe zone.

When the User ID Doesn’t Work

Even with a perfect setup, there are blind spots.

• Different devices: If someone visits on their phone and then later on their laptop, those are two different IDs unless they log in or identify themselves somehow.
• Cookie deletion: If they clear cookies or use incognito mode, poof - new ID.
• Rejected cookies: No analytics tracking. You can’t follow that journey beyond the functional basics.

And that’s fine. It’s about doing it right, not doing it creepily.

Why It’s Worth It Anyway

When it works, a User ID gives you the clearest possible view of how people interact with your site.

It bridges the gap between “ad clicks” and “real-world actions.”
It helps you understand intent, not just numbers.
And it does it in a way that’s privacy-first and compliant.

The truth is, you don’t need to track everyone.
You just need to track honestly.

Because accurate, ethical data beats more data every single time.

TL;DR:

• The User ID connects user journeys across sessions.
• It’s personal data under GDPR, so you need consent for analytics use.
• You can still use it for legitimate interests like security or form deduplication, but never for marketing without consent.
• It breaks on new devices, cookie deletion, or cookie rejection.
• Done right, it’s the key to understanding your users without crossing the line.

If you don't have User ID's and want to have User ID's, give us a shout, we can help.