GDPR Analytics: What You Actually Need (and What You Don't)
Most sites are overcomplying. GDPR doesn't ban analytics — it regulates personal data. Here's what the law actually requires, explained without the legal fog.
The common misunderstanding
When GDPR came into force in 2018, a wave of cookie banners appeared across the web. Most site owners interpreted the regulation as: analytics = cookies = consent banner. This is wrong, but the mistake is understandable — most analytics tools at the time did set persistent cookies, and many still do.
GDPR doesn't ban analytics. It doesn't require consent for everything. It regulates the processing of personal data, and it provides several legal bases for doing so — consent is just one of them, and often not the right one for analytics.
What GDPR actually regulates
GDPR's core rule is that personal data must be processed under a valid legal basis. The six legal bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
For analytics, the question is whether what you're collecting is personal data in the first place — and if it is, which legal basis applies.
What counts as personal data in analytics
Under GDPR, personal data is any information that relates to an identified or identifiable natural person. This includes:
- IP addresses — considered personal data by the CJEU and most EU data protection authorities
- Persistent cookies — a cookie that tracks the same browser across sessions links data to an identifiable device
- User IDs — any identifier that can be linked back to a real person
- Device fingerprints — a combination of browser characteristics that probabilistically identifies a device
What does not count as personal data:
- Aggregate counts ("347 people visited this page today")
- Fully anonymised data where re-identification is not possible
- Data that cannot be linked to any specific individual, even indirectly
The legitimate interests basis
Legitimate interests (Article 6(1)(f)) allows you to process personal data without consent if you have a legitimate reason to do so, the processing is necessary for that reason, and the person's interests don't override yours.
Running a website and understanding how it performs is a legitimate interest. Processing aggregate analytics data — page views, referrers, general traffic patterns — to operate your site falls squarely within this. The European Data Protection Board and multiple national DPAs have confirmed this.
The catch: if you're storing IPs, using persistent identifiers, or building user profiles, you can't rely on legitimate interests — you need consent, because the processing goes beyond what's necessary for basic site operation.
The test: Could you answer your analytics questions without storing anything that identifies a specific person? If yes, you likely don't need consent — you need to design your analytics to not collect personal data in the first place.
What the ePrivacy Directive adds (the cookie law)
The ePrivacy Directive (implemented as PECR in the UK) is separate from GDPR and specifically covers cookies and similar technologies. Its rule: you need consent before setting cookies that are not strictly necessary for the service the user has requested.
This is why analytics cookies specifically require consent under ePrivacy — even if GDPR's legitimate interests basis might cover the underlying data processing. The two regulations interact: ePrivacy covers the act of setting the cookie; GDPR covers what you do with the data.
If you don't set cookies, ePrivacy doesn't apply to your analytics. No cookie, no ePrivacy obligation, no banner required for that purpose.
The practical approach: don't collect what you don't need
The cleanest way to do analytics without consent requirements is to not collect personal data at all. This means:
- No cookies — no ePrivacy obligation
- No IP storage — derive country from the IP, then discard it immediately
- No cross-session identifiers — each session is independent
- No fingerprinting — don't generate or store device fingerprints
What remains — page URLs, referrers, browser type, country, time on page — is aggregate data. It can tell you everything useful about how your site is performing without implicating any individual.
Under this model, you're not processing personal data. GDPR's lawful basis requirement doesn't apply (there's nothing personal to process). ePrivacy doesn't apply (there's no cookie). Your privacy policy still needs to mention analytics, but it's a disclosure, not a consent form.
Do I still need a privacy policy?
Yes. GDPR's transparency principle (Article 5(1)(a)) requires you to inform users about what data you process, even if consent isn't required. Your privacy policy should mention:
- That you use analytics and what tool
- What data is collected (page views, referrers, country, device type)
- That no personal data or cookies are used for analytics
- The legal basis if you have any personal data processing elsewhere on the site
This is disclosure, not consent collection. A short paragraph in your privacy policy is sufficient.
What about existing tools with IP anonymisation?
GA4 offers IP anonymisation, but it anonymises after collection — the IP is temporarily processed before being truncated. Most DPAs consider this insufficient to remove the GDPR personal data classification, because the IP exists in memory and in logs before anonymisation happens.
Privacy-first analytics tools avoid this problem by never persisting the IP at all: the country is derived at the edge, and the IP never touches the database.
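To make the "don't collect what you don't need" model and the edge-side country derivation concrete, here is an added example of a minimal ingest path written for this page; it is not code from the original article or from any analytics product. It assumes a caller that adapts its web framework's request into a plain dict, and it uses a constructed prefix-to-country table in place of a real GeoIP database. The IP exists only inside one function call, the persisted record has no field that could hold it, the server log line is built from the same coarse fields, and the response sets no cookie.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, fields
from urllib.parse import urlsplit

# Constructed prefix-to-country table for illustration only (assumption: a real
# deployment would use a GeoIP database). These are documentation/test prefixes,
# not real allocations.
COUNTRY_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("2001:db8::/32"), "FR"),
]


def country_from_ip(ip_text):
    """Return a country code for an IP, or None if unparseable or unknown.
    The address is used only inside this function and is never stored."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, code in COUNTRY_PREFIXES:
        if addr in net:
            return code
    return None


def device_type(user_agent):
    """Coarse device class only; the raw User-Agent string is not kept."""
    ua = (user_agent or "").lower()
    if any(tag in ua for tag in ("mobile", "android", "iphone", "ipad")):
        return "mobile"
    return "desktop"


def referrer_host(referrer):
    """Keep only the referring hostname. Paths and query strings are dropped
    because they can carry identifiers (tokens, email addresses, user ids)."""
    if not referrer:
        return "direct"
    return urlsplit(referrer).hostname or "direct"


@dataclass(frozen=True)
class PageView:
    # Every persisted field is a coarse, non-identifying category. There is
    # deliberately no IP, no cookie or session id, no user id, no fingerprint.
    path: str
    referrer_host: str
    device: str
    country: str


def record_pageview(request, store):
    """Ingest one hit. `request` is a plain dict with the keys path, referrer,
    user_agent and client_ip (assumption about the caller's adapter)."""
    # The client IP is passed straight into the lookup and never bound to a
    # name that outlives this call; nothing below writes it to `store` or a log.
    country = country_from_ip(request.get("client_ip", "")) or "unknown"
    view = PageView(
        path=request.get("path", "/"),
        referrer_host=referrer_host(request.get("referrer")),
        device=device_type(request.get("user_agent")),
        country=country,
    )
    store.append(view)
    # Empty response with no Set-Cookie header: nothing persists in the
    # browser, so no cookie is set and the ePrivacy cookie rule is not triggered.
    return {"status": 204, "headers": {"Cache-Control": "no-store"}}


def access_log_line(view):
    """What the server log records for a hit: the same coarse fields, no IP.
    Truncating the IP only after a normal access log was written would be too late."""
    return (f"view path={view.path} ref={view.referrer_host} "
            f"device={view.device} country={view.country}")


def stored_field_names():
    """For audits: the complete list of fields that ever get persisted."""
    return tuple(f.name for f in fields(PageView))


def aggregate(store):
    """Turn per-hit records into the aggregate counts that reports are built from."""
    return {
        "pages": Counter(v.path for v in store),
        "referrers": Counter(v.referrer_host for v in store),
        "devices": Counter(v.device for v in store),
        "countries": Counter(v.country for v in store),
    }


if __name__ == "__main__":
    hits = []
    # Constructed sample requests.
    record_pageview({"path": "/pricing", "referrer": "https://example.org/blog?utm_source=x",
                     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
                     "client_ip": "203.0.113.42"}, hits)
    record_pageview({"path": "/pricing", "referrer": "",
                     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
                     "client_ip": "198.51.100.7"}, hits)
    for v in hits:
        print(access_log_line(v))
    print(aggregate(hits))
```

The design choice worth noting is that `PageView` has no place to put an IP, a session id or a raw User-Agent, so a later "helpful" change cannot quietly start persisting them without changing the schema; `stored_field_names()` gives an auditor the full list in one call. The raw referrer is reduced to its hostname for the same reason: full referrer URLs routinely carry query-string identifiers.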
The bottom line
You don't need a consent banner for analytics if your analytics tool doesn't collect personal data. The banner is a consequence of the tool, not a requirement of the law. Choose a tool that doesn't set cookies and doesn't store IPs, and the consent requirement disappears.
That's not a loophole — it's compliance by design. You're not avoiding GDPR; you're building a system that GDPR's requirements simply don't apply to.