GDPR and Web Tracking: A Plain-English Guide
Alexander Vermeer
If you run a website and collect any kind of visitor data, GDPR web tracking rules affect you. But reading the actual regulation feels like wading through legal quicksand. This guide breaks down what GDPR means for web tracking in plain English — no law degree required.
What GDPR Web Tracking Rules Mean for Analytics
The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, store, and use personal data. It has applied since 25 May 2018, and it covers any website that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where your company is based (Article 3).
For anyone running web analytics, the key takeaway is this: you can’t just track everything by default anymore. You need a legal basis for collecting personal data, and in most cases that means getting consent before firing tracking scripts.
The GDPR text (Article 6) sets out six legal bases for processing personal data. For web tracking, the two most often invoked are consent and legitimate interest. Note the limit on legitimate interest: storing or reading a non-essential cookie on a visitor's device is governed by the ePrivacy rules (PECR in the UK), which require consent for that step, so legitimate interest cannot be used to avoid a consent prompt for analytics or advertising cookies.
What Counts as Personal Data in Tracking
This is where many site owners get tripped up. Under GDPR, personal data is any information that can identify a person — directly or indirectly. In web tracking, that includes:
- IP addresses (yes, even dynamic ones)
- Cookie identifiers and device fingerprints
- Email addresses collected through forms
- Location data derived from IP or GPS
- User IDs tied to login sessions
If your analytics tool stores or otherwise processes any of the above, you're processing personal data under GDPR. A standard Google Analytics setup, for example, receives visitors' IP addresses and sets identifying cookies, and both qualify. Recognising this is the starting point for GDPR web tracking compliance.
When Do You Need Consent?
The short answer: whenever you set or read non-essential cookies (or similar identifiers stored on the device), or otherwise collect personal data for analytics, advertising, or profiling purposes. Strictly speaking, the cookie rule comes from the ePrivacy Directive (PECR in the UK) rather than from GDPR itself, but the standard of consent it demands is the GDPR one. The UK ICO's cookie guidance makes this explicit: non-essential cookies require informed, freely given consent.
That means those old-school “by continuing to browse, you accept cookies” banners don’t cut it. Valid consent under GDPR requires:
- A clear affirmative action (opt-in, not opt-out)
- Specific information about what you’re collecting and why
- The ability to withdraw consent at any time, as easily as it was given (Article 7(3))
- No pre-ticked boxes or bundled consent
What You Can Track Without Consent
Not all GDPR web tracking requires a consent banner. Some data collection falls under strictly necessary purposes or uses methods that avoid personal data altogether.
Here’s what generally doesn’t require consent:
- Aggregated, anonymous analytics — page view counts without tying them to individuals
- Strictly necessary cookies — session cookies for login, shopping carts, or security
- Cookieless tracking methods: some privacy-first analytics tools operate without cookies at all. Cookieless is not automatically consent-free, though. If the tool substitutes a device fingerprint or a hashed IP address for the cookie, it is still processing personal data (see the list above), and the question becomes which legal basis covers that processing.
If you’re curious about what’s possible without cookies, check out our guide on cookieless event tracking. It covers what you can and can’t measure when you ditch cookies entirely.
Some privacy-focused analytics tools (like Plausible or Fathom) are designed to work without cookies and without collecting personal data. These tools can often be used without a consent banner, though it’s always worth confirming with your legal team.
Practical Steps for GDPR Web Tracking Compliance
Staying on the right side of GDPR doesn’t have to be overwhelming. Here’s a straightforward checklist:
- Audit your tracking scripts. List every tool that sets cookies or collects data. Google Analytics, Meta Pixel, heatmaps — write them all down.
- Implement a proper consent management platform (CMP). Tools like Cookiebot or Complianz let visitors choose which cookies to accept before any scripts fire.
- Only load tracking scripts after consent. This is the technical part. Treat "nothing stored" as "no consent", fire a tag only once its category has been granted, and make sure your tag manager actually honours the consent signal rather than merely hiding the banner. A withdrawal must stop the tags and expire the cookies they set.
- Update your privacy policy. Explain what data you collect, why, and how long you keep it.
- Understand your data flows. Know where data goes, especially if you're transferring it outside the EU/EEA, since such transfers need a valid transfer mechanism. Understanding the difference between first-party and third-party data helps here.
- Keep records. GDPR requires you to document your processing activities and be able to demonstrate compliance.
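To make the consent-gating step concrete, here is a minimal default-deny consent gate in plain JavaScript. It is an added example, not code from the article or from any CMP vendor. The vendor URLs, vendor cookie names, the layout of the first-party `consent` cookie, the 180-day re-prompt period and the category names are all assumptions chosen for illustration.

```javascript
// Added example (not from the article): a minimal, default-deny consent gate
// for tracking scripts. Vendor URLs, cookie names and the "consent" cookie
// layout below are placeholders chosen for this example.

const CONSENT_COOKIE = "consent";
const CONSENT_MAX_AGE_DAYS = 180; // assumption: ask the visitor again after six months

// Which scripts belong to which consent category. Strictly necessary code
// (login session, shopping cart) is not listed here; it never goes through the gate.
const TAGS = [
  { id: "analytics", category: "analytics",
    src: "https://analytics.example/tag.js", cookies: ["_an_id", "_an_sess"] },
  { id: "adpixel", category: "marketing",
    src: "https://pixel.example/px.js", cookies: ["_px_uid"], cookieDomain: ".example.com" },
];

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 1) continue;                       // skip empty names and bare fragments
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// Read the stored consent decision. Missing, malformed or stale records all
// collapse to "no consent": under GDPR, silence and inaction are not consent.
function readConsent(cookieString, now = Date.now()) {
  const denied = { analytics: false, marketing: false, ts: null };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return denied;
  let rec;
  try { rec = JSON.parse(raw); } catch { return denied; }
  if (!rec || rec.v !== 1 || typeof rec.ts !== "number") return denied;
  if (now - rec.ts > CONSENT_MAX_AGE_DAYS * 86400000) return denied;
  // Only an explicit boolean true counts; no pre-ticked or implied defaults.
  return { analytics: rec.analytics === true, marketing: rec.marketing === true, ts: rec.ts };
}

// Serialise the visitor's affirmative choice as a first-party cookie string.
function writeConsent(choices, now = Date.now()) {
  const rec = { v: 1, ts: now,
    analytics: choices.analytics === true, marketing: choices.marketing === true };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}` +
    `; Max-Age=${CONSENT_MAX_AGE_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Pure decision: which tags may load for a given consent record.
function tagsToLoad(consent) {
  return TAGS.filter((t) => consent[t.category] === true);
}

// Cookie strings that expire a vendor's first-party cookies. Path and Domain
// must match the original cookie, or the browser ignores the deletion.
function expireCookies(tag) {
  const domain = tag.cookieDomain ? `; Domain=${tag.cookieDomain}` : "";
  return tag.cookies.map((name) => `${name}=; Max-Age=0; Path=/${domain}`);
}

// Browser glue: insert only the scripts the stored consent allows, once each.
function applyConsent(doc = globalThis.document) {
  if (!doc) return [];
  const loaded = [];
  for (const tag of tagsToLoad(readConsent(doc.cookie))) {
    if (doc.querySelector(`script[data-tag="${tag.id}"]`)) continue;
    const s = doc.createElement("script");
    s.src = tag.src; s.async = true; s.dataset.tag = tag.id;
    doc.head.appendChild(s);
    loaded.push(tag.id);
  }
  return loaded;
}

// Withdrawal: record the refusal and expire the vendor cookies we can reach.
// Cookies a vendor set on its own domain are out of our reach, and scripts
// already executing keep running until the page reloads, so reload after this.
function withdrawConsent(doc = globalThis.document) {
  if (!doc) return;
  doc.cookie = writeConsent({});
  for (const tag of TAGS) for (const c of expireCookies(tag)) doc.cookie = c;
}

// Usage in a page: call applyConsent() on load; when the visitor accepts in
// the banner, run `document.cookie = writeConsent(choices); applyConsent();`.
```

The point to take from this is structural: every non-essential tag sits behind `readConsent`, which answers "no" unless a fresh, well-formed, explicitly true record exists, so a cleared cookie, a tampered value or an expired choice all fall back to not tracking. With a tag manager you would feed the same decision into its consent or trigger configuration instead of calling `appendChild` yourself, but the tags must still be unable to fire before that decision is true.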
Wrapping Up
GDPR web tracking isn’t about stopping you from collecting visitor data. It’s about doing it transparently and giving people control over their information. The good news is that compliance and good analytics aren’t mutually exclusive. With the right setup — proper consent flows, privacy-respecting tools, and clear communication — you can collect the data you need while keeping your visitors’ trust.
Start with an audit of what you’re currently tracking, and work through the checklist above. It’s easier than you think.
Alexander Vermeer
Web analytics specialist with over 8 years of experience implementing tracking solutions for businesses of all sizes. Passionate about helping companies make sense of their data without drowning in complexity. When not debugging GTM containers, you'll find me advocating for privacy-respecting analytics approaches.