
GDPR Compliant Analytics: Complete Framework 2026

28 min read
Rafael Jimenez
Founder of Sealmetrics

The European Union issued over €20 million in fines for analytics violations in 2023, yet most companies still don't understand what makes their analytics GDPR compliant. Many businesses either accept massive data loss from cookie consent requirements or operate in a gray area of regulatory uncertainty.

This comprehensive framework explains exactly what GDPR compliance requires for web analytics, which legal bases work, and how to implement compliant tracking without losing visitor data.

Key Takeaways:

  • GDPR offers two legal bases for analytics: consent (loses 60-87% data) and legitimate interest (captures 100%)
  • Most analytics tools fail GDPR because they store IP addresses or require cookies
  • Sealmetrics achieves full compliance through consentless tracking with zero IP storage
  • Country-specific regulations (TTDSG, CNIL) have additional requirements beyond baseline GDPR

What Makes Analytics GDPR Compliant?

GDPR compliance for web analytics rests on three fundamental pillars established by the General Data Protection Regulation.

The Three Pillars of Compliance

Legal Basis (Article 6): Every data processing activity requires a lawful basis. For analytics, this means either user consent or legitimate interest. The choice between these two options determines whether you need cookie banners and how much data you'll capture.

Data Minimization (Article 5): You can only collect data that's adequate, relevant, and limited to what's necessary. This principle prohibits collecting unnecessary identifiers, storing full IP addresses without justification, or retaining data longer than needed.

Privacy by Design (Article 25): Analytics must implement technical and organizational measures to protect user privacy from the design stage. This includes pseudonymization, encryption, and default privacy-protective configurations.

Most analytics tools fail on at least one of these pillars. Google Analytics fails on legal basis (requires consent due to cookies and US transfers). Plausible and Matomo store hashed IP addresses, creating questions under data minimization. Sealmetrics was built specifically to satisfy all three pillars simultaneously.


Legal Basis: Consent vs. Legitimate Interest

GDPR Article 6 defines six legal bases for processing personal data. For web analytics, two are relevant: consent and legitimate interest.

Consent (Article 6(1)(a)) - The Problem

Consent means users must actively opt in before any tracking occurs. This approach sounds simple but creates severe practical problems.

The Data Loss Problem: Studies across the EU show consistent patterns. In Germany, 87% of users reject cookie banners according to 2024 CNIL data. In France, rejection rates hover around 73%. Spain and Italy show similar patterns at 68-72%. When you require consent for analytics, you lose visibility into 60-87% of your website traffic.

Implementation Complexity: Consent requires explicit, informed, freely given agreement. Your cookie banner must clearly explain what data you collect, why you collect it, and allow granular control. Users must be able to withdraw consent as easily as they gave it. For analytics that span multiple sessions, you need to manage consent state across visits, handle consent withdrawal, and delete historical data on request.

Legal Requirements: Consent must be documented, time-stamped, and provable. You need systems to track who consented, when they consented, what they consented to, and whether consent is still valid. This creates significant technical and legal overhead.

Legitimate Interest (Article 6(1)(f)) - The Solution

Legitimate interest allows data processing when your business needs outweigh user privacy risks. For analytics, CNIL confirmed in 2020 that audience measurement qualifies as legitimate interest when implemented correctly.

The Balancing Test: GDPR requires you to balance your business interests against user rights. For analytics, the test looks like this:

Your Interest: Understanding how visitors use your website to improve user experience, optimize content, and make informed business decisions.

User Impact: Minimal when analytics uses cookieless tracking, stores no IP addresses, and implements data minimization.

Result: Legitimate interest basis applies. No consent required.

CNIL 2020 Guidance: The French data protection authority published specific guidance stating that analytics can operate without consent when they "strictly respect users' privacy." The guidance specifies requirements: no cross-site tracking, limited data retention, no IP storage, and transparency in privacy policies.

When Legitimate Interest Works: Legitimate interest applies to cookieless analytics like Sealmetrics that:

  • Collect only necessary data (pageviews, sessions, referrers)
  • Store no personally identifiable information
  • Don't use data for other purposes (advertising, profiling)
  • Retain data for reasonable periods (25 months for trend analysis)
  • Operate with technical safeguards (no cookies, no IPs)

Unlike consent-based approaches, legitimate interest captures 100% of visitor data while maintaining full GDPR compliance.


The GDPR Compliance Checklist

Implementing GDPR compliant analytics requires addressing technical, legal, and organizational requirements.

Technical Requirements

No Unnecessary Data Collection: Collect only what's needed for analytics. Sealmetrics tracks pageviews, sessions, referrers, device types, and basic engagement metrics. We don't collect names, emails, precise locations, or other unnecessary identifiers.

IP Address Handling: This is where most analytics tools fail GDPR. Google Analytics stores full IP addresses. Plausible and Matomo hash IP addresses, which GDPR still considers personal data because hashed values can be reversed or matched. Sealmetrics never stores IP addresses—not even hashed versions. Our session-based tracking generates anonymous identifiers that can't be traced back to individuals.

Data Retention Limits: Determine legitimate retention periods and enforce them. Sealmetrics defaults to 25 months of retention, documented as necessary for year-over-year trend analysis and seasonal pattern identification. Data older than 25 months is automatically purged.

Security Measures: Implement encryption in transit (HTTPS), encryption at rest, access controls, and regular security audits. Sealmetrics uses AES-256 encryption, role-based access control, and annual penetration testing.

Privacy Policy: Your privacy policy must explain what analytics you use, what legal basis applies, what data gets collected, and how long data is retained. When using legitimate interest, document your balancing test.

Legal Basis Documentation: Maintain internal documentation justifying your legal basis choice. For legitimate interest, document: (1) what business purpose the analytics serves, (2) why this data is necessary, (3) how you minimize privacy impact, and (4) what safeguards you implement.

Data Processing Agreement (DPA): GDPR Article 28 requires a DPA between you and your analytics provider. Sealmetrics provides a standard DPA covering all processor obligations including security, confidentiality, sub-processor management, and data deletion.

Data Protection Impact Assessment (DPIA): Required when processing presents high risk to user rights. Cookieless analytics typically don't require DPIA because they implement data minimization and have minimal privacy impact. However, document why you determined DPIA isn't needed.

Organizational Requirements

Internal Documentation: Maintain records of processing activities under GDPR Article 30. Document what analytics you use, why, what legal basis applies, what data gets processed, and where data is stored.

Staff Training: Ensure team members understand GDPR requirements, know how to handle data requests, and follow privacy procedures.

Incident Response Plan: Establish procedures for handling potential data breaches, including detection, assessment, notification to authorities within 72 hours if required, and user notification when appropriate.


Tools Comparison: GDPR Compliance

Understanding how different analytics tools handle GDPR compliance helps you choose the right solution for your needs.

| Feature                     | Google Analytics | Plausible           | Matomo              | Sealmetrics         |
|-----------------------------|------------------|---------------------|---------------------|---------------------|
| Legal Basis                 | Consent required | Legitimate interest | Legitimate interest | Legitimate interest |
| Cookie Usage                | Yes (multiple)   | No                  | Optional            | No                  |
| IP Storage                  | Yes (full)       | Yes (hashed)        | Yes (hashed)        | No - zero IPs       |
| Consent Banner Needed       | Yes              | No*                 | No*                 | No                  |
| Data Location               | US + EU          | EU only             | Self-hosted or EU   | EU only             |
| Data Loss from Rejections   | 60-87%           | 0%                  | 0%                  | 0%                  |
| US Data Transfers           | Yes              | No                  | No                  | No                  |
| Schrems II Compliant        | Questionable     | Yes                 | Yes                 | Yes                 |
| CNIL 2020 Compliant         | No               | With config         | With config         | Yes (default)       |
| TTDSG Compliant (Germany)   | No               | Yes                 | Yes                 | Yes                 |
| Setup Complexity            | High             | Low                 | Medium              | Very Low (2 min)    |
| DPA Included                | Yes              | Yes                 | Yes                 | Yes                 |

*May need consent depending on configuration and cookie usage

The table reveals a critical insight: tools that hash IP addresses (Plausible, Matomo) still process personal data under GDPR. Hashing is pseudonymization, not anonymization. Sealmetrics achieves true compliance by never storing IP addresses at all.


Why Most Analytics Tools Fail GDPR

Three common failures plague analytics tools attempting GDPR compliance.

Problem 1: IP Address Storage

GDPR defines personal data as any information relating to an identified or identifiable person. IP addresses clearly qualify as personal data according to multiple court rulings and regulatory guidance.

The Hashing Myth: Many analytics tools claim GDPR compliance by hashing IP addresses before storage. This creates a false sense of security. GDPR distinguishes between anonymization (irreversible, not personal data) and pseudonymization (reversible, still personal data). Hashed IPs are pseudonymized, not anonymized.

Why hashing doesn't solve the problem:

  • Hashed IP addresses can be recovered with rainbow tables or brute force, because the IPv4 address space is small enough to enumerate in full
  • Hashed values can be matched across systems
  • Same IP produces same hash, enabling tracking
  • GDPR Recital 26 explicitly states pseudonymization doesn't remove personal data status

Schrems II Implications: The Schrems II decision invalidated Privacy Shield, making US data transfers problematic. Many companies responded by hosting analytics in the EU, but if those tools store IP addresses (even hashed), they still process personal data requiring careful legal basis justification.

Sealmetrics solves this by never storing IP addresses. Our session tracking uses temporary identifiers that reset after each visit, making reverse-identification technically impossible.

Problem 2: Cookie Consent Requirements

The ePrivacy Directive Article 5(3)—often called the Cookie Law—requires consent before storing information on user devices. This operates alongside GDPR, creating a dual compliance requirement.

The Cookie Consent Trap: Analytics tools using cookies face an impossible choice. They can require consent and lose 60-87% of data, or operate without consent and violate ePrivacy Directive. Many companies choose the latter, hoping enforcement remains limited.

Technical Cookies Exemption: The ePrivacy Directive exempts "strictly necessary" cookies for functionality users explicitly request. Analytics cookies don't qualify for this exemption according to regulatory consensus. The upcoming ePrivacy Regulation will likely remove any remaining ambiguity.

Sealmetrics avoids this problem entirely through cookieless tracking. No cookies means no ePrivacy Directive concerns, no consent banners, and no data loss from rejections.

Problem 3: US Data Transfers

Google Analytics stores data in US servers, creating complex legal challenges post-Schrems II.

Why This Matters: Schrems II invalidated the Privacy Shield framework that allowed EU-US data transfers. The Court ruled that US surveillance laws (FISA 702, EO 12333) don't provide adequate protection for EU citizen data. While a new adequacy decision was adopted in July 2023, uncertainty remains about its long-term validity.

The Google Problem: Multiple European data protection authorities (Austria, France, Italy) have ruled that Google Analytics violates GDPR due to US data transfers. Even with Google's EU hosting options, the underlying data sharing with Google's US operations creates compliance risks.

Sealmetrics operates exclusively on EU infrastructure with no US parent company, eliminating data transfer concerns entirely.


How Sealmetrics Achieves Full GDPR Compliance

Sealmetrics was built from the ground up for GDPR compliance, not retrofitted like most analytics tools.

Legitimate Interest Legal Basis

Sealmetrics operates under GDPR Article 6(1)(f) legitimate interest, meaning no cookie consent banners are needed. This approach captures 100% of visitor data while maintaining full legal compliance.

The Technical Foundation: Our session-based tracking generates temporary identifiers that exist only for the duration of a visit. When a user leaves your site, the identifier expires. When they return, a new identifier is generated. This prevents cross-session tracking while still providing valuable analytics on how users navigate your site within individual visits.

CNIL Compliance: The French data protection authority's 2020 guidance on analytics explicitly allows this approach. CNIL confirms that audience measurement without consent is permissible when analytics strictly respect user privacy through technical safeguards like cookieless tracking and no IP storage.

No Fingerprinting: Unlike some cookieless analytics that use browser fingerprinting (tracking users via unique browser characteristics), Sealmetrics uses simple session identifiers. Fingerprinting is considered personal data processing under GDPR and requires consent. Our approach avoids this entirely.

Zero IP Storage

This is Sealmetrics' most significant differentiator. We don't store IP addresses—not full, not truncated, not hashed, not at all.

How It Works: When a pageview hits our servers, we process the request, extract necessary analytics data (page URL, referrer, timestamp), generate a session identifier, and immediately discard the IP address. The IP never touches our database, never gets logged, never exists beyond the milliseconds needed for request processing.

Contrast with Competitors:

  • Google Analytics: Stores full IP addresses by default (can be configured for anonymization but still processes full IPs)
  • Plausible: Hashes IP addresses before storage
  • Matomo: Offers IP anonymization but defaults to storing IP addresses
  • Sealmetrics: Zero IP storage, not even hashed

This technical choice means Sealmetrics processes less personal data than any competitor, strengthening the legitimate interest legal basis and eliminating many GDPR compliance concerns.

25-Month Data Retention

Data retention limits are crucial for GDPR compliance under the data minimization principle. Sealmetrics retains analytics data for 25 months, a period we've documented as necessary for meaningful trend analysis.

Why 25 Months: This retention period allows:

  • Year-over-year comparisons (12 months of current data + 12 months historical)
  • Seasonal pattern identification (requires full annual cycles)
  • Long-term trend analysis for strategic decisions
  • Buffer period for data exports and migrations

Automatic Purging: Data older than 25 months is automatically deleted from our systems. No manual intervention needed, no risk of keeping data too long.

Documented Justification: We maintain internal documentation explaining why 25-month retention serves our clients' legitimate interests in business intelligence and user experience optimization. This documentation supports the legitimate interest legal basis.

EU Infrastructure

Sealmetrics operates exclusively on European infrastructure, eliminating Schrems II concerns.

Data Location: All Sealmetrics servers are located in EU data centers (Germany and France). Customer data never leaves the European Union. Our company is EU-based with no US parent organization or data sharing agreements with US entities.

Processor Compliance: Our sub-processors (hosting providers, security services) are all GDPR-compliant EU companies. Our DPA with customers includes detailed sub-processor listings and notification procedures if processors change.

No Surveillance Exposure: Because we operate entirely within the EU legal framework, customer data isn't subject to US surveillance laws (FISA 702, EO 12333) that caused Schrems II complications for US-based analytics providers.


Country-Specific GDPR Considerations

While GDPR provides baseline requirements across the EU, individual countries have additional regulations affecting analytics.

Germany (TTDSG)

Germany's Telecommunications Telemedia Data Protection Act (TTDSG) is stricter than baseline GDPR regarding cookies and tracking.

Key Requirements:

  • Consent required for storing information on devices (including cookies)
  • Higher bar for "technically necessary" exemptions
  • Specific rules around telecommunications data
  • Fines up to €300,000 for violations

Sealmetrics Compliance: TTDSG changes nothing for Sealmetrics users because we don't use cookies or device storage. Our cookieless approach satisfies TTDSG requirements without configuration changes.

France (CNIL)

The French data protection authority (Commission Nationale de l'Informatique et des Libertés) published influential guidance on analytics in 2020.

CNIL 2020 Analytics Guidance: This document established that "audience measurement" can operate without consent under specific conditions:

  • Purpose limited to measuring audience
  • No cross-site tracking
  • No data sharing with third parties for other purposes
  • Limited retention periods
  • Transparent privacy disclosures

Exemption Categories: CNIL identifies two types of exempt audience measurement:

  1. First-party audience measurement (tracking on your own site)
  2. Delegated audience measurement (using analytics providers like Sealmetrics)

Sealmetrics Qualification: Sealmetrics explicitly qualifies for CNIL's delegated audience measurement exemption. We meet all specified requirements: purpose limitation, no cross-site tracking, documented retention limits, EU-only operation, and clear privacy disclosures.

Spain (AEPD)

Spain's data protection authority (Agencia Española de Protección de Datos) follows similar principles to CNIL with emphasis on data minimization.

Key Focus Areas:

  • Proportionality of data collection
  • Technical necessity justification
  • User transparency requirements
  • Cross-border data transfer restrictions

Implementation: Spanish companies using Sealmetrics should document legitimate interest justification in privacy policies, noting the data minimization approach (no IPs, no cookies, minimal data collection).


Implementation Guide

Moving to GDPR compliant analytics involves choosing your legal basis, implementing technical measures, updating legal documentation, and verifying compliance.

Step 1: Choose Your Legal Basis

The first decision determines everything else.

Decision Tree:

Do you need 100% visitor data?
├─ Yes → Use legitimate interest
│   └─ Choose Sealmetrics or similar cookieless tool
└─ No → Can you accept 60-87% data loss?
    ├─ Yes → Use consent
    │   ├─ Implement cookie banner
    │   └─ Configure analytics to respect consent
    └─ No → Use legitimate interest
        └─ Choose Sealmetrics or similar cookieless tool

Legitimate Interest Checklist:

  • Can you articulate a clear business purpose? (user experience improvement, business intelligence)
  • Is the data processing necessary for this purpose? (can't achieve purpose without analytics)
  • Have you minimized data collection? (no unnecessary identifiers)
  • Have you implemented technical safeguards? (no IPs, no cookies)
  • Does your interest outweigh user privacy concerns? (minimal impact vs. significant business value)

If you answer yes to all five questions, legitimate interest applies.

Step 2: Technical Setup

Implementation differs by platform but follows similar principles.

For Sealmetrics: add the Sealmetrics tracking script to your site. That's it. No cookie configuration, no IP anonymization settings, no consent management. The script loads asynchronously, doesn't block page rendering, and starts capturing analytics immediately.

For Other Platforms:

  • Remove or configure cookie-based tracking
  • Enable IP anonymization (though this doesn't fully solve GDPR issues)
  • Disable advertising features
  • Disable user ID tracking
  • Configure EU-only data storage

Step 3: Update Legal Documentation

Update three key documents to reflect your analytics approach.

Privacy Policy Updates:

Add or update your analytics section:

We use Sealmetrics for web analytics under GDPR Article 6(1)(f) 
legitimate interest. Sealmetrics collects anonymous usage data
(pages viewed, session duration, referral sources) without cookies
or IP address storage. Data is retained for 25 months for trend
analysis and stored exclusively on EU servers. No personal
information is collected. You can opt out via [opt-out link].

Legitimate Interest Documentation (Internal):

Maintain internal records documenting:

  • Purpose: Understanding website usage for user experience optimization
  • Necessity: Can't improve site without usage data
  • Balancing Test: Minimal privacy impact (no IPs, no cookies) vs. significant business value
  • Safeguards: Cookieless, IP-less, EU-only, limited retention
  • Alternative Considered: Consent-based analytics rejected due to data loss

Data Processing Agreement:

Execute Sealmetrics' standard DPA, which covers:

  • Processor obligations (security, confidentiality, instructions)
  • Sub-processor authorization and notification
  • Data subject rights assistance
  • Data breach notification procedures
  • Post-termination data deletion
  • Audit rights

Step 4: Verify Compliance

After implementation, verify everything works correctly.

Technical Verification:

  • Open browser developer tools → Application → Cookies
  • Confirm: No analytics cookies set
  • Check: Privacy policy updated
  • Test: Analytics dashboard receiving data
  • Verify: Opt-out mechanism functions
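As an added helper for the "No analytics cookies set" check (not part of the original article or the Sealmetrics product), the script below can be pasted into the browser console and run as auditClientStorage(document.cookie, Object.keys(localStorage)). The cookie-name patterns are the documented Google Analytics and Matomo names; KNOWN_ANALYTICS is an assumed starting list that you should extend for any other vendor your site previously used.

```javascript
// Added helper (not Sealmetrics' code): flags cookies and Web Storage
// keys set by the analytics tools discussed in the article.
// KNOWN_ANALYTICS is an assumed starting list: Google Analytics uses
// _ga, _gid, _gat and _ga_<container>; Matomo uses _pk_id, _pk_ses, _pk_ref.
const KNOWN_ANALYTICS = [
  { vendor: 'Google Analytics', exact: ['_ga', '_gid', '_gat'], prefixes: ['_ga_', '_gat_'] },
  { vendor: 'Matomo', exact: [], prefixes: ['_pk_id', '_pk_ses', '_pk_ref'] },
];

// Split a document.cookie string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0].trim());
}

// Vendor that a cookie or storage key belongs to, or null if unknown.
function matchVendor(name) {
  for (const entry of KNOWN_ANALYTICS) {
    if (entry.exact.includes(name)) return entry.vendor;
    if (entry.prefixes.some((prefix) => name.startsWith(prefix))) return entry.vendor;
  }
  return null;
}

// Audit cookie names and Web Storage keys. Returns every match with its
// location and vendor, plus a single pass/fail flag for the checklist.
function auditClientStorage(cookieString, storageKeys = []) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const vendor = matchVendor(name);
    if (vendor) findings.push({ where: 'cookie', name, vendor });
  }
  for (const key of storageKeys) {
    const vendor = matchVendor(key);
    if (vendor) findings.push({ where: 'storage', name: key, vendor });
  }
  return { findings, analyticsArtifactsFound: findings.length > 0 };
}

// In the browser console:
//   auditClientStorage(document.cookie, Object.keys(localStorage))
// Constructed sample below: a site that still carries Google Analytics cookies.
console.log(auditClientStorage(
  '_ga=GA1.2.1; _gid=GA1.2.2; csrftoken=abc; _ga_ABC123=GS1.1', ['theme']));
```

HttpOnly cookies are not visible to document.cookie, so still glance at the Application → Cookies panel for anything set server-side; run the function a second time with Object.keys(sessionStorage) to cover session storage.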

Legal Verification:

  • Privacy policy mentions analytics with correct legal basis
  • DPA executed with Sealmetrics
  • Internal legitimate interest documentation complete
  • Data retention periods configured (25 months)
  • Team trained on data handling procedures

Ongoing Compliance:

  • Review analytics configuration quarterly
  • Update documentation when practices change
  • Monitor regulatory guidance for updates
  • Conduct annual GDPR compliance audit

Common GDPR Compliance Mistakes

Avoiding these frequent errors saves legal headaches and potential fines.

Mistake 1: Defaulting to Consent

The Problem: Consent sounds legally safe but creates massive business problems. Studies show 60-87% of EU users reject cookie banners. Your analytics becomes incomplete, making data-driven decisions impossible.

Why It Happens: Companies fear legitimate interest is too uncertain or worry about regulatory challenges. They choose consent thinking it's the "safer" option.

The Fix: Use legitimate interest with properly implemented cookieless analytics. CNIL and other regulators have confirmed this approach works. Document your balancing test, minimize data collection, and implement technical safeguards.

Mistake 2: Using Google Analytics Without Configuration

The Problem: Default Google Analytics configuration violates GDPR in multiple ways: sets cookies without consent, stores IP addresses, transfers data to US servers, and enables advertising features.

Why It Happens: Companies install Google Analytics with default settings, assuming a major tech company must be GDPR compliant by default. This assumption is incorrect.

The Fix: Either configure Google Analytics extensively (IP anonymization, cookie consent integration, disable advertising, EU-only hosting) and accept 60-87% data loss from consent requirements, or switch to Sealmetrics for compliance without data loss.

Mistake 3: Thinking Hashed IPs Solve GDPR

The Problem: Many analytics tools claim GDPR compliance by hashing IP addresses before storage. This is pseudonymization, not anonymization. GDPR still considers pseudonymized data as personal data.

Why It Happens: Marketing materials from analytics vendors incorrectly conflate hashing with anonymization. Companies believe "we hash IPs" means "we don't process personal data."

The Fix: Use analytics that doesn't store IP addresses at all. Sealmetrics never stores IPs—not hashed, not truncated, not at all. This eliminates the personal data processing question entirely.

Mistake 4: No DPA with Analytics Provider

The Problem: GDPR Article 28 requires a Data Processing Agreement between controllers (you) and processors (your analytics provider). Operating without a DPA is a compliance violation regardless of how privacy-protective your analytics tool is.

Why It Happens: Small companies often overlook this administrative requirement, focusing only on technical compliance.

The Fix: Execute a DPA with your analytics provider. Sealmetrics provides a standard DPA to all customers covering all Article 28 requirements.

Mistake 5: Inadequate Privacy Policy Disclosures

The Problem: GDPR Article 13 requires transparent information about data processing. Many companies mention "we use analytics" without explaining what data is collected, what legal basis applies, or how long data is retained.

Why It Happens: Companies copy privacy policy templates without customizing them for their specific analytics implementation.

The Fix: Clearly disclose in your privacy policy: what analytics you use, what legal basis applies (legitimate interest), what specific data gets collected, where data is stored, how long data is retained, and how users can opt out. See Step 3 above for specific language.


Expert Perspectives on GDPR Analytics

Regulatory guidance and legal opinions provide authoritative views on compliant analytics implementation.

CNIL (French Data Protection Authority)

In their groundbreaking 2020 guidance on audience measurement, CNIL stated:

"Audience measurement can be performed without consent when it strictly respects users' privacy and is limited to producing anonymous statistical data."

CNIL's guidance establishes specific requirements:

  • Purpose limitation to audience measurement only
  • No cross-site tracking or user profiling
  • Limited data retention periods (maximum 25 months mentioned)
  • No IP address storage beyond immediate processing needs
  • Transparent privacy policy disclosures

This guidance forms the foundation for legitimate interest-based analytics across the EU, as other data protection authorities have referenced CNIL's framework in their own guidance.

GDPR Article 5(1)(c) - Data Minimization

The regulation itself provides clear direction:

"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

For analytics, this means:

  • Collect only essential metrics (pageviews, sessions, referrers)
  • Don't collect unnecessary identifiers (names, emails, precise locations)
  • Don't store IP addresses if your technical approach doesn't require them
  • Don't retain data longer than necessary for your documented purposes

Sealmetrics implements data minimization as a core design principle. We collect the minimum data necessary for meaningful analytics: what pages users visit, how they navigate, where they came from, and basic device information. We don't collect anything else.

The Sealmetrics Approach

Unlike cookie-based analytics tools that retrofit GDPR compliance onto existing architectures, Sealmetrics was designed from inception for compliance.

No Compromise Required: Traditional analytics forces a choice between compliance and data completeness. Cookie consent means GDPR compliance but 60-87% data loss. Sealmetrics captures 100% of visitor data while maintaining full compliance through:

  1. Cookieless Architecture: No cookies means no ePrivacy Directive concerns, no consent requirements, no data loss from rejections.

  2. Zero IP Storage: Not hashing, not truncating—zero storage. IP addresses never touch our database, eliminating the largest GDPR compliance question.

  3. Session-Based Tracking: Temporary identifiers that reset after each visit provide analytics value without enabling cross-session tracking or user identification.

  4. EU-Exclusive Operation: Servers, company, and data all in the EU. No US parent, no Schrems II concerns, no adequacy decision dependencies.

  5. Purpose Limitation: Sealmetrics processes data only for audience measurement. No advertising integrations, no data selling, no repurposing for other commercial activities.

  6. Documented Retention: 25-month retention justified and documented as necessary for trend analysis, with automatic purging of older data.

This technical foundation supports legitimate interest as the legal basis, confirmed by CNIL guidance and accepted by DPOs across the EU.


Frequently Asked Questions

Is Google Analytics GDPR compliant?

Google Analytics is not GDPR compliant in its default configuration. Multiple European data protection authorities (Austria, France, Italy) have ruled that standard Google Analytics implementations violate GDPR due to three main issues:

First, Google Analytics uses cookies, triggering ePrivacy Directive consent requirements. This means you need cookie banners and will lose 60-87% of data from rejections.

Second, Google Analytics stores IP addresses. Even with the IP anonymization feature enabled, full IPs are processed before anonymization occurs, constituting personal data processing.

Third, Google Analytics transfers data to US Google servers, creating Schrems II compliance challenges. While Google offers a consent mode and EU hosting options, the fundamental architecture involves data sharing with a US parent company.

You can make Google Analytics more GDPR compliant through extensive configuration, but you'll still need consent banners and accept massive data loss. Sealmetrics provides compliance without these compromises.

Can I use analytics without cookie banners?

Yes, with properly implemented cookieless analytics like Sealmetrics. Cookie banners are required by the ePrivacy Directive when websites store information on user devices (cookies). If your analytics doesn't use cookies, no banner is needed.

However, the analytics must still comply with GDPR data processing requirements. Sealmetrics satisfies both regulations: no cookies (ePrivacy Directive) and legitimate interest basis with data minimization (GDPR).

This approach captures 100% of visitor data without consent banners, providing complete analytics while maintaining full legal compliance.

What is the difference between consent and legitimate interest for analytics?

Consent (Article 6(1)(a)) requires users to actively opt in before data processing begins. For analytics, this means cookie banners, explicit checkboxes, and accepting that 60-87% of users will decline.

Legitimate interest (Article 6(1)(f)) allows processing when your business needs outweigh privacy risks. For analytics, you can use legitimate interest when:

  • Purpose is audience measurement (not advertising or profiling)
  • Data collection is minimized (no unnecessary identifiers)
  • Technical safeguards are implemented (no cookies, no IPs)
  • Users can still object (opt-out mechanism)

CNIL confirmed in 2020 that cookieless audience measurement qualifies for legitimate interest. This legal basis captures 100% of visitor data while complying with GDPR.

Does hashing IP addresses make them anonymous under GDPR?

No. Hashing IP addresses is pseudonymization, not anonymization. GDPR treats pseudonymized data as personal data requiring the same protections as unprocessed personal data.

GDPR Recital 26 explicitly states: "Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person."

Hashed IPs remain personal data because:

  • The IPv4 address space is small, so the address behind an unkeyed hash can be recovered by precomputation (rainbow tables)
  • The same IP always produces the same hash, so the value still singles out and tracks a visitor
  • Identical hashes can be matched across systems and datasets
  • The technical possibility of re-identification therefore remains

Sealmetrics solves this by never storing IP addresses—not hashed, not truncated, zero storage. This eliminates the personal data question entirely.
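To make the pseudonymisation point concrete, here is an added illustration (not Sealmetrics' code, and not from the original post) that checks the four claims above: an unkeyed hash of an address is recovered by simply enumerating a network block, two systems hashing the same address produce a joinable value, a keyed hash (HMAC with a per-system secret) removes cross-system linkability but is still a pseudonym, and a stored record that never contains the address sidesteps the question. The sample address and block are constructed from the RFC 5737 documentation range.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample input (RFC 5737 documentation range, not a real visitor).
SAMPLE_IP = "203.0.113.42"
SAMPLE_BLOCK = "203.0.113.0/24"


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address: what 'we store hashed IPs' usually means."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. Without the key the value cannot be rebuilt
    by enumeration, and two systems holding different keys cannot be joined.
    It is still a pseudonym of the visitor, i.e. still personal data under GDPR."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_plain_hash(target: str, block: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by enumerating a network block.
    Only a /24 is walked here; the whole IPv4 space is 2**32 values, which is small
    enough for a complete precomputed table, hence 'rainbow table' in the text."""
    for addr in ipaddress.ip_network(block):
        if plain_hash(str(addr)) == target:
            return str(addr)
    return None


def linkable_across_systems(ip: str, key_a: Optional[bytes], key_b: Optional[bytes]) -> bool:
    """Do two independent systems store the same value for one visitor?
    A key of None means that system uses an unkeyed hash."""
    value_a = plain_hash(ip) if key_a is None else keyed_hash(ip, key_a)
    value_b = plain_hash(ip) if key_b is None else keyed_hash(ip, key_b)
    return value_a == value_b


def pageview_record(path: str, referrer: str, client_ip: str) -> dict:
    """Zero-IP-storage alternative: the request IP is available while the request
    is handled but is deliberately never written into the stored record."""
    return {"path": path, "referrer": referrer}


if __name__ == "__main__":
    stored = plain_hash(SAMPLE_IP)
    print("unkeyed hash  :", stored)
    print("recovered IP  :", recover_from_plain_hash(stored, SAMPLE_BLOCK))
    print("linkable, unkeyed vs unkeyed      :", linkable_across_systems(SAMPLE_IP, None, None))
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    print("linkable, keyed with different keys:", linkable_across_systems(SAMPLE_IP, key_a, key_b))
    print("stored record :", pageview_record("/pricing", "https://example.org/", SAMPLE_IP))
```

Run stand-alone, the script recovers `203.0.113.42` from its SHA-256 after walking 256 candidates, reports that two unkeyed systems are linkable and two independently keyed ones are not, and shows a stored record with no address field at all. The keyed variant is a real mitigation against joining datasets, but as the text says it remains pseudonymisation; only the last function removes the personal-data question.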

How long can I store analytics data under GDPR?

GDPR doesn't specify exact retention periods but requires you to keep data only as long as necessary for documented purposes. For analytics, retention depends on your business justification.

CNIL's 2020 guidance mentions 25 months as an acceptable retention period for audience measurement, justified by the need for year-over-year comparisons and seasonal pattern identification.

Sealmetrics implements 25-month retention with documented justification:

  • 12 months of current data for analysis
  • 12 months of historical data for year-over-year comparison
  • 1 month buffer for data exports and migrations
  • Automatic deletion after 25 months

Your privacy policy should specify retention periods, and you should maintain internal documentation justifying why these periods are necessary for your legitimate interests.

Do I need a Data Processing Agreement (DPA) with my analytics provider?

Yes. GDPR Article 28 requires a written contract between data controllers (you) and data processors (your analytics provider) establishing:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data processed
  • Categories of data subjects
  • Obligations and rights of the controller

The DPA must include specific processor obligations around security, confidentiality, sub-processor management, data subject rights assistance, data breach notification, and post-termination data handling.

Sealmetrics provides a standard DPA to all customers covering all Article 28 requirements. Operating without a DPA violates GDPR regardless of how privacy-protective your analytics tool is.

What is a Data Protection Impact Assessment (DPIA) and do I need one?

A DPIA is a systematic analysis required under GDPR Article 35 when processing is "likely to result in high risk to the rights and freedoms of natural persons." DPIAs are mandatory for:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special category data
  • Systematic monitoring of publicly accessible areas at large scale

Most cookieless analytics don't require a DPIA because they implement data minimization, don't create detailed user profiles, and have minimal privacy impact. However, you should document your reasoning for not conducting a DPIA.

If your DPO or legal counsel determines a DPIA is needed, the assessment should document: description of processing operations, necessity and proportionality assessment, risk analysis, and mitigation measures.

Sealmetrics' technical approach (no IPs, no cookies, minimal data, EU-only) creates low privacy impact and typically does not require a DPIA. Many customers document this determination as part of their compliance records.

Can I use Sealmetrics for TTDSG compliance in Germany?

Yes, Sealmetrics complies with Germany's TTDSG (Telecommunications-Telemedia Data Protection Act) without requiring configuration changes.

TTDSG is stricter than baseline GDPR, particularly regarding device storage and tracking. The law requires consent for storing information on devices (including cookies) with limited exemptions for technically necessary functionality.

Sealmetrics complies because:

  • No cookies or device storage (eliminates consent requirement)
  • No fingerprinting or tracking technologies (avoids TTDSG tracking restrictions)
  • Data minimization by design (satisfies TTDSG privacy principles)
  • EU-exclusive operation (no German-US data transfer concerns)

German companies using Sealmetrics operate under legitimate interest without needing cookie banners, capturing 100% of visitor data in full TTDSG compliance.

What if my Data Protection Officer (DPO) rejects cookieless analytics?

DPOs sometimes reject cookieless analytics due to unfamiliarity with the legal framework or concerns about the legitimate interest basis. Address this by providing:

CNIL 2020 Guidance: Share the official documentation from the French data protection authority (CNIL) confirming that cookieless audience measurement can operate under legitimate interest. This provides regulatory authority for the approach.

Technical Documentation: Explain Sealmetrics' technical implementation: no cookies, zero IP storage, session-based tracking, EU-only servers. This demonstrates data minimization and privacy by design.

Balancing Test Documentation: Present the legitimate interest analysis: your business need for analytics (user experience, business intelligence) outweighs minimal privacy impact (no identification, no tracking, no profiling).

Comparison with Alternatives: Show that consent-based analytics loses 60-87% of data, making data-driven decisions impossible. Sealmetrics provides compliance without business compromise.

Most DPOs approve once they understand the legal framework and technical implementation. If concerns remain, consider requesting a second opinion from external GDPR counsel or consulting other DPOs in your industry who have approved similar approaches.

How do I document legitimate interest for analytics?

GDPR doesn't prescribe specific documentation formats, but best practices include maintaining internal records covering:

Purpose Statement: "We process website analytics data for the purpose of understanding how visitors use our website, enabling user experience improvements and informed business decisions."

Necessity Justification: "Analytics data is necessary because we cannot improve our website, optimize content, or make data-driven business decisions without understanding how users interact with our site."

Balancing Test:

  • Our Interest: Business intelligence and user experience optimization
  • User Impact: Minimal—no cookies, no IP storage, no identification
  • Data Minimization: Only pageviews, sessions, referrers collected
  • Safeguards: Cookieless tracking, zero IP storage, EU servers, 25-month retention
  • Conclusion: Our legitimate interest outweighs minimal privacy impact

Alternative Considered: "We considered consent-based analytics but rejected it because 60-87% data loss from cookie rejections would prevent achieving our business intelligence purposes."

Opt-Out Mechanism: "Users can opt out via [provide opt-out method] while we continue processing under legitimate interest."

Sealmetrics provides documentation templates to help customers formalize these analyses for internal compliance records and DPO review.


Conclusion

GDPR compliance for web analytics doesn't require choosing between legal safety and data completeness. The consent-or-data-loss dilemma is a false choice created by outdated cookie-based analytics architectures.

The path to full compliance while capturing 100% of visitor data:

  1. Choose legitimate interest (Article 6(1)(f)) instead of consent for your legal basis
  2. Implement truly cookieless analytics that doesn't use cookies or device storage
  3. Ensure zero IP storage—not hashed or truncated, but zero storage
  4. Document your approach with balancing test justification
  5. Update your privacy policy with clear, specific disclosures
  6. Execute a DPA with your analytics provider

Sealmetrics provides the only analytics platform that satisfies all these requirements by default:

  • No consent required: Operates under legitimate interest with CNIL confirmation
  • No cookies: Eliminates ePrivacy Directive concerns and data loss from rejections
  • Zero IP storage: Not even hashed—complete elimination of primary personal data concern
  • 100% data capture: Track every visitor without cookie banner interference
  • EU-exclusive: No Schrems II complications or adequacy decision dependencies
  • 25-month retention: Documented as necessary for trend analysis with automatic purging

Stop compromising between compliance and complete analytics data.

Start your 14-day free trial: Sealmetrics.com


Additional Resources