Posts by Izac Cavalheiro
Privacy by Default at the HTTP Layer: Headers That Shrink Your Tracking Surface
Two response headers — Permissions-Policy and Referrer-Policy — decide how much your pages can leak to ad-tech and third parties. Set them once and the surveillance surface closes by default.
INP Punishes Heavy Analytics: Why Your Tracker Is on the Main Thread
Interaction to Next Paint is the Core Web Vital most sites fail, and field data shows behavior-tracking scripts are a leading cause. The fix is sending less work to the main thread.
The Digital Omnibus Wants to Exempt First-Party Analytics From Consent
The EU's November 2025 Digital Omnibus proposes a consent exemption for first-party, internal-use audience measurement. It describes the model cookie-free analytics already runs.
When Is a Hash Personal Data? The CJEU's SRB Ruling and Analytics Identity
The CJEU's EDPS v SRB judgment made identifiability a relative, contextual test. Here is what that means for hash-based analytics — and why a daily-rotating salted hash survives both the court's reading and the EDPB's stricter one.
Consent Mode v2 and the June 2026 Google Signals Sunset
On June 15, 2026, ad_storage becomes the sole control over advertising data in Google's stack. Here is what the Google Signals sunset changes for developers — and why the whole machinery is something cookie-free analytics never had to build.
Storage Limitation Is the 2026 Enforcement Frontier for Analytics
Regulators stopped asking whether you collected data lawfully and started asking when you deleted it. After the CNIL's €42M Free ruling and the EDPB's erasure sweep, analytics retention is the audit target.
Soft Navigations: Measuring SPA Performance the Browser Way
Chrome's soft navigation heuristics finally let Core Web Vitals attach to client-side route changes. Here is how the API works and how to measure it without surveillance.
Global Privacy Control Is Now a Binding Opt-Out Signal in Ten States
GPC is no longer advisory. After the Disney settlement and a three-state enforcement sweep, the Sec-GPC header is legally binding across ten US states — and cookie-free analytics has nothing to honor.
The Cookie Law Is No Longer About Cookies: What Article 5(3) Now Covers
EDPB Guidelines 2/2023 extended ePrivacy consent rules to pixels, URL tracking, and IP-only identification. Recent CNIL and Garante decisions confirm the technology-neutral reading. Here is what changes for developers.
Adding Privacy-First Analytics to an Astro Site
Astro's View Transitions break standard analytics scripts silently. Here is the correct pattern for tracking every route change without cookies or a consent banner.
Adding Privacy-First Analytics to a SvelteKit App
SvelteKit 2 intercepts client-side navigation differently from other frameworks. Here is the correct pattern for tracking route changes without cookies or a consent banner.
Privacy Sandbox Is Dead: What It Means for Your Analytics Stack
Google retired Topics, Attribution Reporting, and Protected Audience in October 2025. Here is what the shutdown means technically, and why first-party analytics was always the right call.
Inaccessible Consent Banners Now Create Two Legal Liabilities, Not One
The European Accessibility Act made WCAG 2.2 enforceable in June 2025. A banner a screen reader cannot navigate invalidates GDPR consent. Cookie-free analytics sidesteps both problems.
Google Reversed Its Fingerprinting Ban: What Developers Need to Know
In February 2025, Google lifted its own ban on device fingerprinting. Here is what changed, why regulators are alarmed, and what it means for your analytics stack.
Why Tracking-Heavy Services Cost You More Than You Think
Most apps collect far more than they need to function. Here is what that data actually does, who profits from it, and why the risk doesn't stay with the company collecting it.
What 'Privacy-First' Actually Means in Your Analytics Stack
The phrase is everywhere, but most tools using it still store identifiers, fingerprints, or hashed emails. Here is what a technically sound privacy-first data model looks like.
How a 2 KB Analytics Tracker Keeps Your Core Web Vitals Green
Traditional analytics scripts are heavy enough to move your Lighthouse score. Here is what a lightweight tracker does differently — and why it matters for real users.
Google Analytics Is Overkill for Most Sites: A Developer's Case
Google Analytics collects far more than most sites need. Here's why a lightweight, privacy-first alternative changes the developer experience — and the visitor experience.
Adding Privacy-First Analytics to a Next.js App
A step-by-step guide to integrating Monoid into Next.js without cookies, consent banners, or compliance headaches.
Why Cookie-Free Analytics Don't Need a Consent Banner
Most analytics tools require a cookie consent popup because they store personal data. Here is the technical reason privacy-first analytics skips that entirely.