Be GDPR compliant
Improve your data literacy

How to track and analyse AI Agents on your website.

As Gen AI adoption soars in Belgium, AI agents are changing how users find your site. Learn how to navigate the critical challenges this poses for your web analytics, GDPR, and ePrivacy compliance.
Peter Vertongen
Aug 11, 2025

Introduction:

Gen AI is rapidly gaining ground in Belgium, both in everyday life and in the workplace. According to Imec’s 2024 “Digimeter” report, 93% (+3) of Flemish people say they are familiar with AI, 71% (+14) claim they can also explain it, and 45% (+11) have used generative AI.


Today, the traditional path to your website is evolving. Instead of arriving via a Google search or social media ad, users are increasingly encountering your content through AI agents — tools that summarise, preview, or even browse your site on their behalf.


This shift poses some challenges for marketers and analysts:


  • How is this AI-driven traffic reflected in your analytics — and what exactly can you track?
  • How do you stay compliant with the ePrivacy Directive and GDPR when there’s no human to consent to cookies?

Tracking AI-Agents on your website.

As AI agents increasingly interact with your website — whether by summarising content, previewing pages, or even fetching them in real time — it's becoming more important to understand how this traffic shows up in your Digital Analytics and what it actually means.

Recognise What Can Be Tracked in GA4

AI tools that behave like browsers (e.g. rendering HTML, executing JavaScript) may trigger tracking scripts — even though no human is present. These sessions might show up in GA4 as:


  • Referral traffic — from sources like chat.openai.com, claude.ai, or perplexity.ai
  • Direct traffic — when there's no referrer or identifiable source
  • Unassigned — if GA4 can't classify the session at all


But these sessions are only captured if:


  • Your tracking scripts run before cookie consent is obtained (we’ll come back to this later)
  • Or you're using server-side or cookieless tracking setups that don’t rely on consent-based cookies (more on that later)

Use UTM Parameters

Some AI tools — like ChatGPT — have started appending UTM parameters to links they generate. These tags (e.g., utm_source=chatgpt) can help you identify where a user originated from when visiting your site.


However, there are a few important limitations:


  • UTM parameters don’t bypass consent laws.
    They allow you to see the source of the visit, which helps estimate how much traffic comes from AI tools — but they don’t allow you to track what those users do on your site unless consent is granted (we’ll return to this).
  • It only works if UTM parameters are actually used. Not all AI agents apply them consistently. ChatGPT adds UTM tags but AI Agents that fetch content passively or simulate browsing (e.g. summarisation bots) usually don’t trigger UTM-based tracking at all.


As a result, you may only see a partial picture of AI-originated traffic using this method.

Tracking AI-Agents and consent.

We looked at how AI agents might appear in your analytics — through referral data, UTM tags, or unusual behavioral patterns. But now comes the bigger question: Can you legally track this traffic if no user consent is given?


AI Agents Can’t Give Legal Consent.


Under the GDPR and ePrivacy Directive, tracking requires freely given, informed, and unambiguous consent from a human visitor before any non-essential cookies (like analytics) are set.


But when traffic comes from AI Agents:


  • There’s no human involved in the visit
  • There's no interface where consent can be requested
  • There’s no legal basis to trigger tracking scripts


In other words: Although an AI Agents tools can click "Accept" on your cookie banner, this doesn't count as a a formal and legal consent so your analytics should never fire.


Does this mean that AI Agents can’t be tracked in a compliant way? Even though GA4 can't track AI visits without consent, there are still GDPR-compliant ways to monitor and analyse how AI tools interact with your website.

Check Your Web Server Logs

Your server automatically records every visit — including from AI agents. With this data, you can:


  • Identify which AI Agents accessed your site
  • See how often they return
  • Know which pages they visited


You can even feed this into a custom dashboard to sit alongside GA4 reports, giving your marketing team a fuller picture — all without cookies or consent.

Use a CDN with Bot Insights

Services like Cloudflare offer built-in tools to:


  • Detect and label traffic from known AI agents
  • Monitor how bots interact with your site
  • Block or rate-limit AI crawlers if needed


This is ideal if you want to protect specific content or control how your site is used by third-party tools.

Use Server-Side Analytics Without Cookies

Analytics Tools like Matomo (in cookieless mode) or Plausible allow you to:


  • Track anonymous pageviews
  • Avoid placing any cookies
  • Stay within GDPR as long as data (like IP addresses) is properly anonymised


This won’t give you detailed behavior tracking — but it does give you reliable traffic insights of AI Agents without consent issues.


Together, these methods offer a more complete understanding of AI-driven visits, alongside the limited insights GA4 provides via UTM parameters.

Don’t fire cookies without consent.

While it may be technically easy to fire cookies when an AI agent visits your site — that doesn't make it legal. Under GDPR and the ePrivacy Directive, cookies for analytics or marketing may only be placed after valid, informed consent is given. And that consent must come from a human — not from a bot, a scraper, or an AI agent.


If you want to understand why proper cookie consent matters, check out the blog post (in Dutch) we at MultiMinds contributed to at Sirius Legal: https://siriuslegaladvocaten.be/blogs/geen-google-tag-manager-zonder-consent-een-bommetje-in-de-analytics-wereld/


It covers a recent ruling by a German court confirming that cookies — even through Google Tag Manager — cannot be placed without valid, human consent.

Trust over Tech.

There’s a saying that “the law always lags behind technology” — and it couldn’t be more true today. Legislation like the GDPR was designed to protect people’s personal data, but it was written before generative AI became part of our daily lives. That means regulation is playing catch-up, as we’re already seeing with the upcoming EU AI Act and related legal reforms.


As marketers, it’s tempting to push the boundaries when new tools open exciting doors. But our responsibility is clear:


Respect user privacy, act ethically, and stay within the legal lines — even when the tech moves faster than the law.


Because in the end, trust – not tech - is what keeps your brand future-proof.