The Monoid Blog

Privacy, analytics, and the open web — written for developers.

The back/forward cache makes back-button navigations near-instant, but one unload listener disables it for the whole page. Tracking scripts are the usual culprit — and CrUX now measures the damage.

June 18, 20264 min read

GDPR Data Transfers Are the One Compliance Risk You Can Architect Away

The EU-US Data Privacy Framework survived its first court challenge but is now on appeal to the CJEU. Analytics that never transfers EU data to the US has nothing to lose either way.

June 17, 20265 min readLaw & Regulation

The EDPB's 2026 Enforcement Target Is Your Privacy Notice

The EDPB's 2026 coordinated action audits transparency under GDPR Articles 12–14. The shortest path through it is collecting so little that the notice writes itself.

June 14, 20265 min readEngineering & Performance

Your Analytics Script Is the Hole in Your Content-Security-Policy

A strict CSP closes XSS. A third-party analytics tag reopens it. Here is why host allowlists and missing SRI undermine your policy — and what a first-party tracker fixes.

June 11, 20265 min readEngineering & Performance

Privacy by Default at the HTTP Layer: Headers That Shrink Your Tracking Surface

Two response headers — Permissions-Policy and Referrer-Policy — decide how much your pages can leak to ad-tech and third parties. Set them once and the surveillance surface closes by default.

June 9, 20264 min readEngineering & Performance

INP Punishes Heavy Analytics: Why Your Tracker Is on the Main Thread

Interaction to Next Paint is the Core Web Vital most sites fail, and field data shows behavior-tracking scripts are a leading cause. The fix is sending less work to the main thread.

June 8, 20264 min readLaw & Regulation

The Digital Omnibus Wants to Exempt First-Party Analytics From Consent

The EU's November 2025 Digital Omnibus proposes a consent exemption for first-party, internal-use audience measurement. It describes the model cookie-free analytics already runs.

June 7, 20265 min readLaw & Regulation

When Is a Hash Personal Data? The CJEU's SRB Ruling and Analytics Identity

The CJEU's EDPS v SRB judgment made identifiability a relative, contextual test. Here is what that means for hash-based analytics — and why a daily-rotating salted hash survives both the court's reading and the EDPB's stricter one.

June 2, 20265 min readLaw & Regulation

Consent Mode v2 and the June 2026 Google Signals Sunset

On June 15, 2026, ad_storage becomes the sole control over advertising data in Google's stack. Here is what the Google Signals sunset changes for developers — and why the whole machinery is something cookie-free analytics never had to build.