Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Histats is a free hit counter and visitor analytics service launched in the early 2000s and operated from Romania. The product is widely used by personal websites, blogs and small forums for the live counter widget and a basic dashboard with country statistics, referrers and search keywords. The script sets third party cookies, exchanges identifiers with the Histats ad network when monetisation is enabled, and offers limited transparency on sub processors, which makes Histats a high risk tracker under the GDPR and the ePrivacy Directive.
Histats is a long running free hit counter and visitor analytics service operated from Romania. It is widely embedded on personal sites, blogs, forums and legacy CMS templates that rely on a public counter and a simple dashboard with country, referrer and keyword breakdowns. Many sites continue to load Histats long after the publisher has stopped using its admin console.
The Histats script captures page views, IP based geolocation, referrer, user agent, screen resolution, time of day and an internal visitor identifier stored in third party cookies (HSCK, HSALT). When the publisher activates monetisation, additional advertising signals are exchanged with partner networks. The public counter widget itself reveals aggregate traffic numbers to anyone who can see the site.
The Histats cookies fall under Article 5(3) ePrivacy. The persistent visitor identifier and the integration with advertising partners constitute personal data processing under Article 4(1) GDPR. Without a comprehensive sub processor list and a clear DPA, the standard fallback is consent under Article 6(1)(a) GDPR and tag blocking until consent is granted.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The Histats script must be tag blocked until explicit, granular opt in consent is given. The consent message should mention Histats, the basic analytics purpose and, when relevant, the Histats ad network. A clear refuse option must be available, and the choice must be revocable at any time. Older Histats integrations that load the script unconditionally are not compatible with the GDPR.
Histats is operated from Romania (EU). Production servers are reported to be in the EU, but the absence of a public sub processor list and the legacy operational practice of free counter services means a transfer impact assessment is required. Customers should request a written commitment that no personal data is transferred to non EEA partners and apply Standard Contractual Clauses if any partner outside the EEA is involved.
In most cases, the cleanest path is to remove Histats and replace it with a privacy first analytics tool (Plausible, Matomo, Fathom, Umami, Rybbit). If you keep Histats, request a DPA, document a transfer impact assessment, tag block the script until consent, list Histats in the privacy and cookie policies and disable the monetisation hooks unless they have a clear legal basis.
Websites using Histats must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Histats given the persistent third party identifiers, the lack of transparent sub processor information, the integration with the Histats ad network and the historical positioning as a free service funded by advertising signals.
Sample consent text
We use Histats to count visitors and to display a public hit counter. Histats sets cookies and may share data with the Histats ad network. We only load Histats after you click Accept. You can withdraw your consent at any time from the cookie settings.
Third-party domains contacted
histats.coms4.histats.comhits.histats.comsstatic1.histats.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| HSCK | persistent | 6 months | Histats third party cookie that identifies a unique browser across pages and sites that include the Histats counter or tracker. |
| HSALT | persistent | 13 months | Stores a salted alternative identifier used by Histats to deduplicate visits and to feed audience reports. |
| HSSRC | persistent | 6 months | Records the original referrer source so Histats can attribute the visit in dashboards. |
Histats collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Histats sets the third party cookies HSCK, HSALT and a session level cookie on histats.com. They persist for several months and identify a unique browser across pages that include the Histats counter or tracking script.
Yes. The cookies fall under Article 5(3) ePrivacy and the visitor profiling under Article 6(1)(a) GDPR. The Histats script must be tag blocked until explicit, granular opt in consent is collected.
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy). Legitimate interest is not admissible because the persistent identifier and the optional advertising integration build cross site profiles, even when the publisher only intends to use the basic counter.
Histats is operated from Romania, an EU member state. Production servers are reported to be in the EU, but the lack of a public sub processor list means a transfer impact assessment is recommended and SCC may be required if any partner outside the EEA is involved.
A DPIA is recommended for any meaningful European deployment, given the persistent third party identifiers, the optional ad network integration and the limited transparency on sub processors.
Tag block the Histats script until consent, request a DPA from the operator, document a transfer impact assessment, list Histats in the privacy and cookie policies, and disable any monetisation hooks unless you have a clear legal basis. In most cases the cleanest path is to migrate to a privacy first analytics tool.
Privacy first analytics tools that replace Histats neatly include Plausible (EU hosted, cookieless), Fathom (EU hosted), Umami (self hosted), Matomo (self hosted in cookieless mode), GoatCounter (open source), Rybbit and Pirsch (Germany). All can run without consent banners under the CNIL exemption when properly configured.
List Histats with the operator (Histats S.R.L., Romania), the purpose (visitor counter and audience analytics), the cookies (HSCK, HSALT) with retention, the legal basis (consent), the storage location (EU) and a note on the limited transparency about sub processors and any monetisation features you have enabled.