How Do Websites Track User Activity?
Explore how websites track users with cookies, pixels, fingerprinting, and server logs—what’s collected, why it’s used, and how to stay compliant.
Simul Sarker
Founder & Product Designer of DataCops
Last Updated
June 3, 2026
Every article about website tracking starts in the same place. Cookies. Pixels. GA4. Session replays. Server-side. It catalogues the methods, explains how they work, and sends you off to install something.
None of them name what actually breaks it. And in 2026, a lot is broken.
I've been running conversion infrastructure since iOS 14.5 cracked open the attribution model in 2021. Tested 25+ tools across ecommerce, SaaS, and lead gen. What I keep finding is that the question "how do websites track user activity" has two very different answers depending on whether you want the textbook version or the operational truth. This article gives you both, then tells you which tools survive each layer of failure.
The Textbook Answer (And Why It's Already Incomplete)
Websites track user activity through six core mechanisms: cookies, tracking pixels, JavaScript analytics scripts, server-side event forwarding, session recording tools, and first-party identity resolution. Those are the building blocks. Every tracking tool you've heard of sits on top of at least one of them.
Cookies are small text files the browser stores locally. First-party cookies come from the domain you're visiting. Third-party cookies come from external domains and are effectively dead, killed by Safari, Firefox, and eventually Chrome's own privacy changes. When people say "the cookieless future," they mostly mean the death of third-party cookies, not first-party cookies, which still work.
Tracking pixels are 1x1 transparent images (or JavaScript snippets loaded by the ad platform) embedded in a page or email. When they load, they fire a network request back to the platform carrying data about the session. The Meta Pixel, Google's gtag, and LinkedIn Insight Tag all work this way. They're client-side: they run in the user's browser.
JavaScript analytics scripts are what GA4, Mixpanel, Amplitude, and Segment drop on your site. They sit in the browser, watch what users do, and send event data to collection endpoints. Also client-side.
Server-side tracking moves the data collection step to your own server. Instead of the browser firing directly at Meta or Google, your server receives the event and forwards it through an API: Meta's Conversions API, Google Enhanced Conversions, TikTok Events API, LinkedIn Insight CAPI. The browser is out of the loop for the transmission step.
Session recording tools like Hotjar, Microsoft Clarity, and FullStory capture mouse movement, scroll depth, clicks, and form interactions. They rebuild a video of what the user experienced.
First-party identity resolution is the newest layer. Instead of relying on cookies to recognize returning users, it builds a persistent identifier from first-party signals. No cookie expiry. No ITP degradation. This is where the real arms race is in 2026.
That's how tracking is supposed to work. Now here's where it actually fails.
The Five Places Your Data Breaks Before It Reaches You
The data layer is broken. Every dashboard inherits it. Five layers fail between a real human and your dashboard, and each one compounds the last.
Layer 1 is a geography mistake. Cookieless analytics were originally a response to EU privacy law. GDPR restricts what you can collect without consent. Cookieless by default is the legal ceiling for unconsented collection in the EU. But tools like Vercel Analytics, Cloudflare Web Analytics, Plausible, and Fathom apply it globally. US traffic, UK traffic, APAC traffic: none of it legally requires cookieless collection, and none of it requires consent banners. Apply cookieless analytics to all of it and every returning customer registers as a stranger. No funnel. No attribution for return paths. The methodology built for legal compliance in one jurisdiction quietly gutted your data in every other.
Layer 2 is a consent misconfiguration. "Reject All" in GDPR law means the user refused to let you use their data for identifiable tracking. It does not mean you collect nothing. Anonymous analytics, aggregate counts, pageviews with no user identifier attached: all of that is legal under GDPR even after rejection. OneTrust, Cookiebot, Usercentrics, and Iubenda dump identifiable and anonymous data into the same consent bucket. The user clicks Reject All, and the CMP kills everything. You lose roughly 70% of the intelligence you were legally allowed to keep.
Layer 3 is where your consent tool destroys itself. This is the one nobody talks about. OneTrust loads from cdn.cookielaw.org. Cookiebot loads from consent.cookiebot.com. Those are third-party CDNs. uBlock Origin and Brave block those CDNs by name. For 30 to 40% of privacy-conscious sessions, the consent banner never loads at all. No banner means no consent interaction, which means your tracking stack never fires for those users. You never see it fail in your dashboard because the failure happens before any data reaches you. You have a consent solution with a 30-40% structural failure rate baked into its architecture.
Layer 4 is where the analytics you're actually reading gets cut in half. Every analytics script is a third-party script that ad blockers recognize by name: analytics.js, gtag, the Mixpanel snippet. Current estimates put ad blocker adoption at 25-35% of real human users, higher in technical and B2B audiences. Of the traffic that does land in your analytics, 20 to 40% is bots, VPNs, proxies, and AI crawlers. The Fraudlogix 2026 report puts global invalid traffic at 20.64%. Instagram's audience network sits at 38% IVT. Server-side tracking is frequently sold as the solution here, and it helps with the first problem. It does not help with the second. Server-side still depends on the browser sending the event in the first place. If the user has an ad blocker that strips the first-party event before it leaves the browser, server-side gets nothing. And server-side does nothing to separate a bot from a human. It just forwards whatever arrives, cleanly.
Layer 5 is where corruption becomes self-reinforcing. The bot conversions that make it through your pixel and into Meta CAPI get processed by Meta's algorithm as signal. Meta's optimization loop finds more audiences that look like those converters. Project Andromeda, fully deployed October 2025, acts on contaminated conversion signals within hours, not weeks, which means your lookalike audiences are constantly being retrained on garbage. Your ROAS numbers look fine. Your Triple Whale dashboard looks fine. Funnel.io looks fine. Every attribution tool downstream inherits the corrupted signal and charts it beautifully.
One root cause underneath all five: third-party scripts mixing identifiable and anonymous data in a bucket you do not own.
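The ordering these five layers argue for (filter automated traffic first, keep anonymous counts after a rejection, release identifiable fields only on consent) can be expressed as a server-side gate. This is an added example, not code from any vendor named in this article; the function names, the anonymous field allow-list, and the blocklist (RFC 5737 documentation ranges standing in for datacenter networks) are assumptions, and the sample events are constructed.

```javascript
// Added example: bot filter first, then consent-aware routing.
// Names, field lists and sample data are hypothetical / constructed.

// RFC 5737 documentation ranges stand in for datacenter and proxy networks;
// a real deployment would consult an IP-intelligence feed instead.
const BLOCKED_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"];
const AUTOMATION_UA = /HeadlessChrome|PhantomJS|python-requests|curl\//i;

function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    return null; // not IPv4 (IPv6, empty, malformed)
  }
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Step 1: classify before anything is counted or forwarded.
function classify(event) {
  if (!event.userAgent || AUTOMATION_UA.test(event.userAgent)) {
    return { label: "bot", reason: "automation_user_agent" };
  }
  if (ipv4ToInt(event.ip) === null) {
    return { label: "unverified", reason: "unparseable_ip" }; // IPv4-only example
  }
  if (BLOCKED_CIDRS.some((cidr) => inCidr(event.ip, cidr))) {
    return { label: "bot", reason: "blocked_network" };
  }
  return { label: "human", reason: "passed" };
}

// Step 2: allow-list the anonymous record, so a new identifying field
// added upstream is excluded by default. Timestamp is coarsened to the hour.
function anonymize(event) {
  return { name: event.name, path: event.path, hour: event.ts.slice(0, 13) + ":00Z" };
}

// Step 3: route. Identifiable data leaves only for verified, consented events.
// "unknown" consent (banner never rendered) is handled like a rejection.
function routeEvent(event) {
  const verdict = classify(event);
  if (verdict.label === "bot") {
    return { analytics: null, adPlatforms: null, reason: verdict.reason };
  }
  const consented = verdict.label === "human" && event.consent === "granted";
  const reason = consented ? "consented"
    : verdict.label === "unverified" ? verdict.reason : "no_consent";
  return { analytics: anonymize(event), adPlatforms: consented ? { ...event } : null, reason };
}

function summarize(events) {
  const totals = { dropped: 0, anonymousOnly: 0, forwarded: 0 };
  for (const event of events) {
    const routed = routeEvent(event);
    if (!routed.analytics) totals.dropped += 1;
    else if (routed.adPlatforms) totals.forwarded += 1;
    else totals.anonymousOnly += 1;
  }
  return totals;
}

// Constructed sample events (documentation IPs and example.com addresses).
const BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15";
const SAMPLE_EVENTS = [
  { name: "purchase", path: "/checkout", ts: "2026-06-03T10:15:42Z", ip: "192.0.2.10", userAgent: BROWSER_UA, email: "a@example.com", consent: "granted" },
  { name: "pageview", path: "/pricing", ts: "2026-06-03T10:16:01Z", ip: "192.0.2.11", userAgent: BROWSER_UA, email: "b@example.com", consent: "rejected" },
  { name: "purchase", path: "/checkout", ts: "2026-06-03T10:16:30Z", ip: "203.0.113.7", userAgent: BROWSER_UA, email: "c@example.com", consent: "granted" },
  { name: "signup", path: "/register", ts: "2026-06-03T10:17:12Z", ip: "192.0.2.12", userAgent: "Mozilla/5.0 HeadlessChrome/125.0", email: "d@example.com", consent: "granted" },
  { name: "pageview", path: "/", ts: "2026-06-03T10:18:55Z", ip: "192.0.2.13", userAgent: BROWSER_UA, consent: "unknown" },
];

console.log(summarize(SAMPLE_EVENTS)); // { dropped: 2, anonymousOnly: 2, forwarded: 1 }
```

The "bot" purchase from 203.0.113.7 carried `consent: "granted"`, which is why classification has to run before the consent check rather than after it.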
The Tools: What Actually Works at Each Layer
This is where most comparison articles fall short. They evaluate tools on feature lists. You need to evaluate them on which layers they survive.
GA4 (Google Analytics 4)
GA4 is the default analytics stack for most of the web. It replaced Universal Analytics in July 2023, and the migration was disruptive enough that many teams still have gaps in their historical data. GA4's event-based model is genuinely more flexible than session-based Universal Analytics, and the BigQuery export for paid accounts gives you raw data access that serious analysts actually use.
What it does not fix: GA4 is a third-party JavaScript script. Ad blockers block it. GA4 does not filter bots before ingesting traffic, and Google's automatic bot filtering is manual-list-based, not IP-intelligence-based. The tracking is client-side by default. You can layer Google Tag Manager server-side on top of it, but that setup requires developer time, Cloud Run hosting, and ongoing maintenance. ChatGPT Ads Manager launched May 5, 2026, and 70.6% of LLM traffic from AI agents is misclassified as direct in GA4 right now. If you're running a B2B or SaaS product with any developer audience, your "direct" traffic number is increasingly meaningless.
Right for: Almost everyone as a baseline, with the explicit understanding that you're working from incomplete data. Value 6/10. Free for standard, $50K/year+ for 360.
Mixpanel
Mixpanel is the best pure product analytics tool in this list for understanding what users do inside an application. The event model is flexible, the funnel and retention analysis is best-in-class, and the cohort analysis is genuinely useful for product teams. It's built for behavioral questions: where do users drop off in onboarding, which features drive retention, what does the path to expansion revenue look like.
What it does not fix: Mixpanel is a third-party script. Same ad blocker problem as GA4. No bot filtering. Not designed for paid media attribution. If your goal is connecting ad spend to revenue, Mixpanel is the wrong tool and adding it next to GA4 does not solve the upstream data quality problems both are inheriting.
Right for: Product and growth teams focused on in-product behavior, not paid attribution. Value 7/10. Free up to 20M events, Growth from $28/month.
Amplitude
Amplitude sits in the same category as Mixpanel. Excellent product analytics, strong behavioral cohort and journey analysis, a good data governance model for enterprise. The Amplitude Data product with schema enforcement is genuinely useful for teams who have been burned by event taxonomy chaos. The same caveats apply: third-party script, no bot filtering, client-side collection with all the exposure that entails.
Right for: Enterprise product teams with structured event taxonomies and compliance requirements around data governance. Value 6/10. Starter free, Growth from $61/month.
Segment (Twilio)
Segment is a customer data platform, not an analytics tool. The value is routing: you instrument once and fan the data out to GA4, Mixpanel, Amplitude, Salesforce, HubSpot, and 400+ other destinations from a single source. For organizations managing multiple downstream tools, Segment reduces the instrumentation tax significantly.
What breaks: Segment's client-side library is, again, a known third-party script. Ad blockers hit it. Segment's server-side sources help, but they still depend on your frontend having collected something worth sending. And Segment will route whatever lands in your pipeline cleanly to every destination, which means bot events arrive in Salesforce and HubSpot just as cleanly as human events do. The routing is elegant. The data quality is inherited upstream.
Right for: Mid-market and enterprise engineering teams with multiple tool destinations who want to avoid re-instrumentation. Value 7/10. Free up to 1,000 MTUs, Team from $120/month.
Heap
Heap's autocapture model is genuinely useful for teams that have not agreed on an event taxonomy: it captures everything and lets you define events retroactively. The tradeoff is volume. Heap captures a lot of noise alongside the signal, and filtering meaningful behavior out of autocaptured events takes work. The data science team that can use Heap effectively is probably a mid-to-large product org.
What breaks: same third-party script exposure, no bot filtering, client-side by default. Heap's retroactive analysis is powerful but inherits whatever quality the captured session data had.
Right for: Mid-size product teams with unsettled event schemas who want retroactive event definition. Value 6/10. Free tier limited, Growth custom pricing.
Hotjar
Hotjar is the dominant session recording and heatmap tool. For qualitative understanding of where users struggle on a specific page, a Hotjar recording is faster to act on than a funnel report. The heatmap layer on landing pages and checkout flows is genuinely useful for CRO work.
What breaks: Hotjar captures what the browser renders, which means bot sessions and automated tool sessions show up in your recordings. If you are trying to understand human confusion on your checkout page, bot-generated sessions in your recordings add noise. Hotjar also fires from a third-party script, so ad blocker users never appear in recordings at all. The population you're watching is already filtered to the users who are most tolerant of tracking.
Right for: CRO teams running conversion audits on specific pages, not for aggregate analytics or attribution. Value 7/10. Free up to 35 daily sessions, Plus from $39/month.
Microsoft Clarity
Microsoft Clarity is Hotjar at $0. Session recordings, heatmaps, click tracking, scroll maps: all free, with no session cap. It integrates directly with GA4. For small teams that need behavioral insight without budget, Clarity is the obvious starting point.
What breaks: everything in the Hotjar breakdown applies here too. Third-party script, no bot filtering, ad blocker exposure. The free price also means Microsoft gets your user behavioral data as part of the deal, which is worth being explicit about if you have enterprise privacy requirements.
Right for: Any team that wants session recording and heatmaps and cannot or will not pay for them. Value 9/10 for the price. Free.
Triple Whale
Triple Whale is an attribution and analytics dashboard built specifically for DTC ecommerce, primarily Shopify. The pixel-based attribution, the blended ROAS visibility across Meta/Google/TikTok, and the creative analytics layer are genuinely useful for media buyers managing multi-channel spend. The Moby AI attribution modeling is attempting to solve for the signal loss that cookieless tracking creates.
What breaks: Triple Whale ingests whatever your pixel and CAPI pipelines send it. It does not filter bots. If your CAPI is forwarding bot conversions, Triple Whale is charting them. The attribution models are trying to fill gaps caused by data loss. They cannot fill gaps caused by data contamination. The $179/month annual price also assumes you are getting clean signal into the dashboard, which is the part most stores have not solved.
Right for: Shopify DTC stores spending $50K+ per month on paid media who need unified attribution visibility. Value 6/10. $179/month annual, scales with GMV.
Northbeam
Northbeam is the enterprise version of Triple Whale's use case. Multi-touch attribution, media mix modeling, incrementality testing. The price reflects the sophistication: $1,500/month entry and scaling to $5K-10K+ for larger accounts. It's a real analytics platform, not a dashboard skin over ad platform data.
What breaks: same structural issue. Northbeam builds its models from your first-party pixel data and ad platform imports. Bot-contaminated conversion data goes into the model. Northbeam's incrementality testing is more resistant to this because it measures lift rather than attribution. But the base attribution is working from the same broken source data as everything else.
Right for: 8-figure ecommerce brands with dedicated analytics teams who need incrementality testing and MMM. Value 5/10 for the price. $1,500+/month.
Elevar
Elevar is the deepest Shopify-native tracking tool. It pushes order-level conversion data from Shopify's back-end into Meta CAPI, Google Enhanced Conversions, and TikTok with millisecond accuracy. The Shopify integration is the best in its category. For a 7-figure Shopify store that needs every order hit exactly, Elevar is hard to beat on that specific problem.
What breaks: Elevar is Shopify-only. It escalates sharply from $200/month for 1,000 orders to $950/month for 50,000 orders. And Elevar does not filter bots. Order-level precision on every conversion event, including bot-generated ones.
Right for: Shopify-only stores doing 7-figure revenue who need order-level CAPI accuracy and can absorb the cost. Value 5/10 for multi-platform use. $200/month (1K orders).
Stape
Stape is server-side GTM hosting with a tool catalog. If you know GTM, you know containers, and you want to self-assemble a server-side setup without managing Google Cloud Run yourself, Stape is the right infrastructure layer. 80+ tag templates, clean UI, and significantly cheaper than running Cloud Run yourself.
What breaks: Stape is infrastructure, not a solution. You still need GTM expertise to build the container, configure the tags, and maintain the setup. There is no bot filtering at the IP level, so events that reach your container still include bot traffic. Bounteous research puts server-side GTM detection rates at 80% for sophisticated ad blockers, which is better than pure client-side, but the exposure is not eliminated.
Right for: In-house GTM engineers who want server-side infrastructure without cloud maintenance overhead. Value 8/10 for its defined scope. $17/month Pro plus Cloud Run costs.
Tracklution
Tracklution positions itself as a simple, EU-friendly CAPI solution with SOC 2 Type II and ISO 27001 certification. It has a CMP layer, supports Meta, Google, and TikTok CAPI, and the setup is designed for non-engineers. The compliance angle is real: the certifications matter to EU enterprise buyers who need vendor compliance documentation.
What breaks: Tracklution has no bot filter at the IP level. You get clean delivery of whatever events arrive, including bot-generated ones. The €31/month Starter price is reasonable, but CAPI without bot filtering is delivering corrupted training data to Meta and Google just as efficiently as a pixel would.
Right for: EU agencies and SMBs wanting compliant server-side tracking with minimal technical overhead. Value 7/10. €31/month Starter.
Meta 1-Click CAPI (Free, April 2026)
Meta launched free one-click CAPI integration directly inside Business Manager on April 15, 2026. Zero setup. Zero cost. For stores running Meta-only and not needing multi-platform forwarding, it is hard to argue with free.
What breaks: it is Meta-only. There is no Google, TikTok, or LinkedIn forwarding. There is no bot filtering: the 1-click CAPI sends whatever your pixel collects, which includes all the bot traffic your pixel touches. EMQ optimization is basic compared to enriched server-side setups. If your Audience Network IVT is at 67% and you are forwarding every conversion through 1-click CAPI, you are efficiently training Meta's algorithm on bot behavior at no charge.
Right for: Single-platform Meta advertisers with no multi-channel needs and clean traffic sources. Value 7/10 for simplicity. Free.
Google Tag Gateway (Free, January 2026)
Google launched Tag Gateway in January 2026 as a free server-side solution for Google's own tags: GA4, Google Ads, Floodlight. It runs on GCP, Cloudflare, or Akamai with one-click provisioning. For Google-only setups, this removed most of the cost argument for paying for sGTM hosting.
What breaks: Tag Gateway handles Google tags only. No Meta. No TikTok. No LinkedIn. No bot filtering. The setup simplicity is real, but it solves one platform of a multi-platform problem.
Right for: Google-only advertisers who want server-side GA4 + Google Ads without cloud hosting overhead. Value 8/10 for its scope. Free.
Littledata
Littledata is server-side tracking built specifically for subscription ecommerce: Shopify, ReCharge, and subscription models. It handles the complexity of subscription event forwarding, recurring revenue attribution, and LTV tracking in a way that general-purpose CAPI tools do not. If you run subscriptions on Shopify and Meta pixel attribution for LTV campaigns is broken, Littledata is a targeted solution.
What breaks: it is purpose-built for subscription models. Not the right tool for standard single-purchase ecommerce. No bot filtering. Pricing escalates with order volume.
Right for: Shopify subscription brands where LTV attribution accuracy justifies the price premium. Value 6/10 outside subscriptions. $89/month+.
TrackBee
TrackBee is a server-side CAPI tool targeting European ecommerce, with a clean UI and focus on Meta and Google event matching quality. EMQ optimization is part of the pitch, and the onboarding is designed for non-technical users. The €79/month price positions it in the mid-market.
What breaks: no bot filtering, which at 8.20% average Meta IVT means you're optimizing event match quality on a data set that includes a meaningful percentage of non-human sessions. EU-first positioning means less depth on LinkedIn or TikTok.
Right for: European SMB ecommerce stores prioritizing Meta EMQ on a reasonable budget. Value 6/10. €79/month+.
Hyros
Hyros is a premium ad attribution platform using server-side tracking and first-party data stitching to attribute revenue across ad channels. The pitch is accuracy in high-consideration sales: coaching, consulting, SaaS, high-ticket ecommerce where the attribution window is long and the customer journey is complex. The implementation is sales-led and the pricing reflects that.
What breaks: $1,000-5,000/month is a hard sell for anything below 7-figure ad spend. The first-party tracking is good, but Hyros still inherits whatever bot contamination reaches its collection layer. Not designed for standard ecommerce.
Right for: High-ticket digital product sellers and agencies with complex multi-touch attribution needs and budget to match. Value 5/10 outside its core use case. $1,000-5,000/month.
Cometly
Cometly is a Meta-focused attribution tool that has been building out server-side tracking features. The UI is cleaner than most enterprise attribution tools and the setup is faster. $199-499/month puts it below Northbeam and Hyros in price, and its positioning is mid-market ecommerce and DTC brands who need attribution clarity without the enterprise price.
What breaks: no bot filtering, primarily Meta-focused with limited LinkedIn/TikTok depth, and the attribution model still depends on upstream data quality from your pixel and CAPI pipeline.
Right for: Mid-market DTC brands wanting attribution visibility without enterprise cost. Value 6/10. $199-499/month.
DataCops
DataCops takes a different approach to all of the above. Instead of solving one layer of the problem, it addresses the root cause: five layers of failure compounding on each other, all stemming from third-party scripts in a bucket you do not control.
The architecture: one script tag plus one CNAME record pointing your subdomain (datacops.yourdomain.com) at DataCops infrastructure. Live in 5 to 30 minutes. No developer required.
The bot filter runs first, before any event fires. Not a rule-based filter, not a manual bot list. A live IP intelligence database covering 361,873,948,495 IPs: 146.4 billion datacenter and cloud IPs, 202 billion residential/mobile/carrier, 11.9 billion VPN endpoints, 620 million proxy and anonymizer addresses, 160,000+ fraud email domains. Puppeteer, Selenium, and Playwright are detected. Up to 98% of automated traffic filtered before a single conversion event reaches your CAPI. This is the piece server-side GTM, Stape, Elevar, Tracklution, TrackBee, and every other tool in this list skips: they all solve delivery, not contamination.
The CMP (consent management platform) loads from your own subdomain, not from a third-party CDN. It is not on uBlock Origin or Brave's filter lists. The banner loads on every session. Anonymous analytics flow unconditionally after rejection, because anonymous data is legal after rejection. Identifiable data waits for consent. This is what TCF 2.2 compliance actually requires, and it is what every CMP built on a third-party CDN fails to deliver for the 30-40% of sessions where the banner never loads.
The identity resolution is cookieless, consent-gated, and persistent. Non-EU users get it by default. EU users get it after consenting through the first-party CMP. No cookie expiry. No ITP degradation. No 7-day Safari window. Returning users are recognized as returning users, not strangers, which means funnel attribution and return path data are intact.
The conversion API layer forwards clean, bot-filtered events to Meta, Google, TikTok, and LinkedIn from one pipeline. Not one platform. Four. At $49/month on the Business plan.
PillarlabAI ran DataCops across 4,560 signups over four weeks. 730 were real. 84% were fraudulent, with 650 accounts traced back to one laptop. That is not an edge case. That is what your CAPI is currently sending to Meta without a bot filter in place.
For SEO and organic tracking, the first-party analytics sits on your subdomain. For consent, the first-party CMP is included in every plan. For fraud detection upstream of the funnel, SignUp Cops catches fraudulent registrations before they enter your pipeline.
Right for: Any business running paid media on more than one platform, operating in or serving EU users, concerned about bot-contaminated attribution, or paying for a separate CMP. Value 9/10. Free (2K sessions), Growth $7.99/month (5K sessions, no CAPI), Business $49/month (50K sessions, CAPI starts here), Organization $299/month (300K sessions).
When NOT to Use DataCops
Four scenarios where a competitor wins outright.
One: you are Shopify-only, doing 7-figure revenue, and you need millisecond order-level CAPI accuracy with Shopify's native data structures. Elevar was built for this exact problem and is better at it.
Two: you have an in-house GTM engineer who wants full container control and visibility into every tag configuration. Stape gives you the infrastructure layer with 80+ templates, and your engineer keeps complete control. DataCops' bundled approach trades flexibility for simplicity.
Three: you need SOC 2 Type II certification today, on a vendor audit form, immediately. DataCops' SOC 2 is in progress. Tracklution has it now. If enterprise vendor compliance documentation is blocking the deal, Tracklution wins on that criterion.
Four: you are running Google-only with no Meta, TikTok, or LinkedIn spend, your traffic is clean, and your consent obligations are limited to a simple EU banner. Google Tag Gateway is free and handles the Google stack competently. Paying $49/month for four-platform CAPI on a one-platform setup does not make sense.
Feature Comparison Table
| Tool | Setup | Requires GTM | Bot filter | First-party CMP | Meta CAPI | Google CAPI | TikTok | | CAPI entry price |
|---|---|---|---|---|---|---|---|---|---|
| DataCops | 5-30 min | No | Yes (361B IP DB) | Yes (TCF 2.2) | Yes | Yes | Yes | Yes | $49/mo |
| Elevar | Hours | No | No | No | Yes | Yes | Yes | No | $200/mo |
| Stape | Days | Yes | No | No | Yes | Yes | Yes | Yes | $17+Cloud Run |
| Tracklution | Hours | No | No | No | Yes | Yes | Yes | No | €31/mo |
| TrackBee | Hours | No | No | No | Yes | Yes | No | No | €79/mo |
| Meta 1-Click | Minutes | No | No | No | Yes | No | No | No | Free |
| Google Tag Gateway | Minutes | No | No | No | No | Yes | No | No | Free |
| Littledata | Hours | No | No | No | Yes | Yes | No | No | $89/mo |
| Triple Whale | Hours | No | No | No | Pixel+CAPI | Yes | Yes | No | $179/mo |
| Northbeam | Days | No | No | No | Yes | Yes | Yes | No | $1,500/mo |
Buyer Decision by Use Case
Ecommerce, Shopify-only, under $500K GMV/month. Start with Meta's free 1-click CAPI for zero-cost delivery. Add DataCops Business at $49/month if you are spending meaningfully on TikTok or Google, or if you want bot filtering and a consent layer. Do not pay Elevar's $200-950/month at this scale unless subscription complexity demands it.
Ecommerce, multi-platform, $500K+ GMV/month. You need multi-platform CAPI. You need a consent solution. You probably need bot filtering if you have any Audience Network spend, where IVT runs at 67%. DataCops bundles all three at $49/month. The per-platform alternative assembles as: Stape ($17+ Cloud Run), separate CMP ($11-10K/month for OneTrust), no bot filter. The TCO math does not hold up.
B2B SaaS, lead gen focus. Your concern is fraudulent signups poisoning your HubSpot pipeline and your LinkedIn CAPI sending bot-generated form submissions into lookalike audiences. DataCops fraud traffic validation and HubSpot AI lead scoring address this directly. This is the PillarlabAI scenario.
EU-primary business with serious GDPR exposure. The CMP being first-party is not a nice-to-have. It is the architecture that makes TCF 2.2 compliance actually function for the 30-40% of sessions where third-party CMPs fail silently. Layer this with anonymous analytics flowing post-rejection and you are compliant and collecting legally everywhere consent applies.
Enterprise, dedicated tagging engineers, 20+ destinations. Segment for routing, Stape for server-side GTM infrastructure, GA4 for measurement. Add bot filtering separately if you can find a way to integrate IP intelligence at the infrastructure layer. DataCops' Enterprise tier with a custom DPA and dedicated IP database is the option if you want the full architecture without assembling it.
The Question Nobody Asks About Server-Side
Server-side tracking is the right direction. It survives ad blockers better than client-side. It delivers cleaner event matching quality to platforms. But the framing in most server-side setups treats delivery as the problem to solve.
Delivery is not the problem. The water is the problem.
When the Adalytics March 2025 report found that IAS mislabeled known bot traffic as human 77% of the time, that was not a delivery infrastructure failure. It was a contamination failure. Every server-side setup forwards contaminated data efficiently. You solved the pipe. Nobody solved the water.
The question worth asking about your current conversion stack is not "is my CAPI set up correctly." It is: of the conversion events your CAPI sent to Meta last month, how many can you prove came from real humans?
If the answer is "I assume most of them," you are paying Meta to train its algorithm on a data set you have not validated. Project Andromeda acts on those signals within hours. The audience it builds reflects what you sent it.
What is your current CAPI actually sending?