Analytics Tools and GDPR Consent

Analytics Tools and GDPR Consent

The EU's General Data Protection Regulation (GDPR) brought a new standard of user consent. It also brought a lot of browser pop-ups and, with it, some quite unclear rules about when consent is required.

Most people understand that the cookies used for targeted advertising require consent. But what about analytics? Is tracking how many users land on your website, how they navigate your pages, and how they interact with web forms really held to the same privacy standards?

In this article, we'll be exploring the clear rules and the legal grey areas when it comes to getting consent for your use of analytics, and looking at the requirements of several important analytics providers.


Below, we're going to look at the consent requirements of some popular third-party analytics providers. But first, let's take an overview of the privacy law that applies in this area.

Yes, you need EU users' consent before your website sets the cookies and trackers necessary for most web analytics.

To some extent, consent for analytics is a "grey area" in EU law. Data Protection Authorities in certain countries, such as France and the Netherlands, have allowed analytics without consent in some circumstances.

However, the most authoritative interpretation of the law comes from the Article 29 Working Party, an EU body that preceded the European Data Protection Board (EDPB). According to the Article 29 Working Party, analytics require consent.

The rules arise from a combination of the consent rules under the GDPR, and the technical rules under another EU law called the ePrivacy Directive.

Note: Although the UK has now left the EU, the ePrivacy Directive still applies in the UK, under a national law called the Privacy and Electronic Communications Regulations (PECR).

Here's the relevant extract, from Section 25 of the ePrivacy Directive:

EUR-Lex: ePrivacy Directive - Section 25: Users should have opportunity to refuse cookies

So, EU law states that "users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment." "Terminal equipment" means computers and mobile devices, which we'll be calling simply "devices."

Aren't Analytics Cookies an Exception to the Consent Rules?

The main reason cookies are so tightly regulated in the EU is due to targeted advertising. So aren't cookies an exception to the strict rules on consent?

There are two types of cookies that fall under an exception to the general rule that cookies require consent:

  • Cookies that are strictly necessary to "facilitate communication over a network"
  • Cookies that are strictly necessary to provide a service requested by the user

Such cookies include load-balancing cookies, user-input cookies (for example, to remember preferences), and cookies that allow logged-in users to share content on social media.

All other types of cookies, i.e. those that are not essential for communications or user-requested services, require consent in the EU. This includes cookies used for advertising, social media tracking, and, yes, analytics.

Some developers may feel that analytics are "necessary" for them to provide their services. However, analytics cookies don't meet the "strictly necessary" threshold provided for under the ePrivacy Directive.

This is confirmed by the UK's Data Protection Authority, the Information Commissioner's Office (ICO):

ICO Cookies Guidance: Myth 2: Analytics cookies are strictly necessary so we do not need consent

But is Using Analytics Really a Privacy Issue?

The EU sets the bar for privacy very high. What is considered a privacy issue in the EU may not be considered a privacy issue in other jurisdictions, such as the United States.

Analytics can also involve the collection of detailed information about a user's location, device, and online activity. These sorts of information are considered personal data under the GDPR.

Check out our free tools for website owners:

  • Cookie Consent - a free cookie consent solution to comply with GDPR + ePrivacy Directive.
  • CCPA Opt-Out - a free CCPA opt-out solution to allow visitors to opt-out from personalized ads and comply with GDPR.
  • I Agree Checkbox - a free solution to enforce your legal agreements.

Generate legal agreements for your website or app in minutes with TermsFeed: Privacy Policy, Terms & Conditions, Cookies Policy and more.

There are legitimate uses for the types of information collected by analytics. But they are primarily for the benefit of the website operator, and, therefore, require consent according to the rules described above.

Additionally, using analytics can involve the transfer of personal data to companies such as Google or Adobe. Because these are not the companies providing the service your user has requested, it is reasonable to request the user's consent for this.

Do These Rules Apply to Non-EU Companies?

Do These Rules Apply to Non-EU Companies?

Yes, the EU's cookie consent rules apply to non-EU companies with users in the EU.

Because of the interplay between the ePrivacy Directive and the GDPR, the GDPR's rules on "territorial scope" apply in respect of the ePrivacy Directive's rules about cookies (according to Opinion 5/2019 of the EPDB).

This means that the rules described in this article apply to any company (wherever it is based) that either:

  1. Offers goods and services in the EU, and/or
  2. Monitors the behavior of people in the EU

Under condition "A," you need to comply with the EU's cookie rules if you have customers or you target potential customers in the EU.

Under condition "B," you may fall under EU law even if you don't offer "goods or services" to people in the EU. According to Guidelines 3/2018 of the EDPB, using cookies and other trackers can qualify as "monitoring the behavior" of people in the EU.

Do I Still Need Consent If I Anonymize Analytics Data?

Some people believe that consent for analytics is only required if you use analytics for certain purposes, or if the user data you collect cannot be considered "personal data" under the GDPR.

However, you should still obtain users' consent if you are not collecting personal data from users.

The law affects cookies or similar technologies that "store information or to gain access to information stored in the terminal equipment of a subscriber or user."

"Information" in this context does not need to be personal data.

Analytics can be used in such a way as to present very minimal risk to a user's privacy. There are techniques that can help protect users' identities, such as erasing all but the first two or three octets of an IP address.

Under the GDPR's principle of "data minimization," you should apply these techniques wherever reasonably possible. But even if you collect seemingly anonymous data from users' devices, you still need consent for this.

This interpretation is confirmed by the Article 29 Working Party (at page 9 of the linked PDF):

Article 29 Working Party Opinion 2 2010 on Behavioural Advertising: Substantive Scope of Application of Article 5 section 3 - Information

Can I Use an Opt-Out?

As we've seen, the ePrivacy Directive requires you to obtain consent for analytics cookies. And the way in which you obtain consent is dictated by the GDPR.

Under the GDPR, consent must be:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Given via a clear, affirmative action
  6. Easy to withdraw

This definition derives from Article 4 of the GDPR:

EUR-Lex GDPR: Article 4 - Definition of Consent

Because consent must be given via a "clear, affirmative action," the concept of "opt-out consent" doesn't exist under the GDPR.

Consent is just one of the GDPR's "lawful bases" for processing personal data. Under certain circumstances, you can also process personal data if it is in your "legitimate interests" to do so. You should offer an opt-out in most cases where you are relying on your legitimate interests.

However, due to the ePrivacy Directive you can't rely on legitimate interests for using non-necessary cookies.

Therefore, you can't enable analytics first, and then invite your users to opt out. You can only analytics once your users have consented.

As mentioned, there is some disagreement about how to interpret the rules on analytics. One analytics provider, Matomo, claims it has an analytics solution that can operate on an "opt-out" basis. We'll look at this proposed solution below.

What if My Analytics Configuration Doesn't Use Cookies?

What if My Analytics Configuration Doesn't Use Cookies?

Certain analytics providers enable users to configure their analytics tools so as not to employ cookies. It is possible that such solutions may not require consent.

The ePrivacy Directive refers to cookies and "similar devices." This includes any technology that can "store information or to gain access to information stored in the terminal equipment of a subscriber or user."

Along with cookies, technologies such as pixels, beacons, and JavaScript can be used for the purposes of analytics. If these technologies are used to "store information or to gain access to information stored" in a user's device, then you must seek the user's consent.

Certain analytics solutions can provide basic audience measurement information without needing to "store information or to gain access to information stored" on a user's device. It is possible that these methods would fall outside of the ePrivacy Directive and not require consent.

Note that if you are using such a method to collect information that could be considered "personal data," the GDPR applies. So although you may not need to get consent, you will still need to comply with the GDPR's requirements, including:

Do I Need Consent for Mobile Analytics?

Mobile apps use analytics in much the same way as web analytics, except that they generally use mobile identifiers rather than cookies.

You still need to get consent for using analytics on mobile.

For more information about the privacy considerations involved in developing a mobile app, see our articles: Privacy Policy for Mobile Apps, Privacy Policy for Firebase.

Will the ePrivacy Regulation Change the Rules on Analytics?

The EU law on cookies is, frankly, pretty confusing. The fact that there is disagreement on interpretation between different EU countries arguably shows that it is not fit for purpose.

The ePrivacy Regulation is a major upcoming EU privacy law that was originally supposed to pass concurrently with the GDPR. After years of delays, it is likely to finally become law in 2021.

The ePrivacy Regulation is likely to create an exemption to the rules on consent for certain audience-measuring analytics.

The draft text has been amended several times, and the most recent version states that cookies used for audience-measuring can be set without consent, by either the website owner or a data processor employed on the website owner's behalf.

Under these rules, even certain third-party cookies could be exempt from the consent requirement, but only if the website operator enters into a Data Processing Agreement with the analytics provider.

These new rules would be welcomed by many website operators. However, the ePrivacy Regulation is not law yet, and it may change significantly by the time it eventually passes.

Analytics and Consent: Analytics Providers' Terms

We've explained the legal position when it comes to analytics and consent. Now we're going to look at some of the Terms and Conditions of some popular analytics providers.

Google Analytics

Google has a number of policies that you must accept before using its products. We've extracted the information relevant to obtaining consent when using Google Analytics.

Here's the relevant section from the Google Analytics Terms of Service:

Google Analytics Terms of Service: Privacy clause with Privacy Policy requirement and Cookies sections highlighted

This paragraph also appears in the Google Analytics for Firebase Terms of Service.

Here's the relevant section from Google's EU User Consent Policy:

Google EU User Consent Policy: Properties under your control clause

There are several instructions given in these excerpts:

  • You must obtain user consent for cookies or other local storage
  • You must keep a record of users' consent
  • You must post a Privacy Policy that discloses:

    • How you use cookies and other similar technologies
    • That you use Google Analytics
    • How Google Analytics uses cookies and other similar technologies
    • What third parties may collect, receive, or use your users' personal data
    • How users can withdraw consent for Google Analytics

Google also encourages you to direct users to its Google Analytics Opt-Out browser add-on.

Here's an excerpt from Medela's Privacy Policy, where the company explains its use of Google Analytics:

Medela Privacy and Cookie Policy: Use of Google Universal Analytics clause

Note that it is possible to disable cookies with Google Analytics. If you disable all cookies and similar technologies, it may be possible to configure Google Analytics in such a way as to negate the requirement for consent.

Adobe Analytics

The Adobe General Terms covers the use of Adobe Analytics and other Adobe Enterprise Cloud products.

Firstly, it's worth noting that Adobe requires Adobe Analytics customers to create a Privacy Policy that sets out how they will process user data:

Adobe General Terms: Customer Site definition

Your company is also required under the Adobe General Terms to comply with its own Privacy Policy and all other applicable laws and regulations:

Adobe General Terms: Customer Responsibility to comply with Privacy Policy clause

Also governing your use of Adobe Analytics is the Adobe Data Protection Terms, which states the following:

Adobe Data Protection Terms for Cloud Services: Privacy Obligations clause - Customer section

Adobe states that, as a user of Adobe Analytics, you must comply with all obligations under data protection law, in particular:

  • Notifying your users about your use of Adobe Analytics
  • Obtaining your users' consent for analytics
  • Disclosing how you collect personal data via Adobe Analytics

Here's how Brady discloses its use of Adobe Analytics in its Privacy Policy:

Brady Privacy Policy: Cookies clause - Adobe Analytics section

Matomo

Matomo (formerly Piwik) is a popular analytics tool that markets itself as an "ethical" and "privacy-protecting" alternative to Google Analytics.

Matomo includes a range of tools that allow website operators to anonymize the data they collect via the analytics tools. It also offers an analytics solution that, Matomo claims, does not require consent.

Matomo provides three reasons why its "cookieless tracking" does not require consent:

Matomo explanation of why no cookie consent banner is needed

It is not clear whether these three characteristics in and of themselves would excuse a website operator from obtaining consent.

However, there might be another reason that Matomo's "cookieless" solution negates the consent requirement.

If the tracking technology used by Matomo doesn't "store information or to gain access to information stored" in a user's device, this might mean that it doesn't require consent. It isn't clear from Matomo whether this is the case.

When using Matomo's cookieless solution, you are required to take several measures to help ensure GDPR compliance:

Matomo: How to Use Matomo Analytics Without Consent or Cookie Banner instructions

You must also let users opt-out of tracking altogether and explain your use of Matomo's tools in your Privacy Policy.

Here's how QHelp discloses its use of Matomo in its Privacy Policy:

QHelp Privacy Policy: Matomo clause

QHelp also provides an opt-out mechanism within its Privacy Policy:

QHelp Privacy Policy: Opt out of analytics checkbox

It's important to ensure that your users can withdraw consent as easily as they can grant it.

Summary

Consent for analytics under the ePrivacy Directive and the GDPR is a complicated area and there are still some disagreements on interpretation of the law.

A sensible interpretation of the law and the guidance presented by the Article 29 Working Party and the European Data Protection Board is as follows:

  • You should request consent before using any analytics involving cookies
  • You should not use an "opt-out" model of consent
  • You should request consent before using "cookieless" analytics if your analytics tools can store information on user's device or retrieve information from a user's device
  • If your analytics tools can be configured in such a way that they do not access your users' devices then you may not need to request consent, but you should still offer an opt-out
  • You much disclose your use of cookies, similar technologies, and analytics in your Privacy Policy
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.