Lawful basis for analytics processing
The GDPR requires a lawful basis for processing personal data. For analytics the realistic candidates are consent and legitimate interests, each with conditions: consent must be valid and is often required where ePrivacy applies to cookies, while legitimate interests demands a balancing test and grants the visitor a right to object. Picking and documenting the basis is the operator's job. This is educational, not legal advice.
What this means
GDPR Article 6 lists the lawful bases for processing personal data. For web analytics, two are commonly discussed: consent (Article 6(1)(a)) and legitimate interests (Article 6(1)(f)). The basis must be identified before processing, documented, and communicated in your privacy notice.
Consent vs legitimate interests
Consent must meet the GDPR's validity requirements (freely given, specific, informed, unambiguous, and withdrawable at any time) and, where ePrivacy applies, is typically required just to store or access non-essential cookies on the visitor's device; cookie-based analytics therefore often lands on consent regardless of which GDPR basis you might otherwise prefer. Legitimate interests can support some processing but requires a documented balancing test weighing your interest against the visitor's rights and reasonable expectations, and the visitor can object. Neither is automatically 'the analytics basis'; it depends on the data, the technique, and the jurisdiction.
- Consent: valid, specific, often required for cookies
- Legitimate interests: needs a balancing test; right to object
- Identify and document the basis before processing
How it appears in analytics and logs
If you process personal data for analytics without an identified lawful basis, the processing is unlawful. The basis you pick also changes which rights the visitor can exercise: consent can be withdrawn at any time, and withdrawal must be as easy as giving it, while legitimate interests carries a right to object, after which the processing must stop unless you can demonstrate compelling grounds that override the visitor's interests.
Diagnostic use case
Identify which lawful basis your analytics relies on and document it, recognising consent and legitimate interests carry different conditions and rights.
What WebmasterID can help detect
By minimising and anonymising, WebmasterID reduces how much processing is of personal data, shrinking the situations where a lawful basis must be established.
Common mistakes
- Processing personal data with no identified basis.
- Assuming legitimate interests always covers cookie analytics.
- Not documenting the balancing test for legitimate interests.
Privacy and accuracy notes
Choosing a basis is a legal judgement; consult counsel. Minimised, genuinely anonymous measurement can avoid processing personal data at all, sidestepping the question. Note that this only holds if the data is truly anonymous: pseudonymised data, such as hashed or truncated identifiers that can still be linked back to a person, remains personal data under the GDPR (Recital 26) and still needs a lawful basis.
Related pages
- GDPR and web analytics: the practical picture
The GDPR governs processing of personal data of people in the EU. For analytics that means: identifiers and IP addresses can be personal data, consent is often required for cookie-based tracking, and minimisation matters. Cookieless, first-party, anonymised measurement reduces the surface — but this is a factual overview, not legal advice.
- The ePrivacy Directive and cookie consent
The ePrivacy Directive (2002/58/EC, amended 2009) regulates confidentiality of communications and, critically for analytics, the storing or accessing of information on a user's device. That clause is why setting non-essential cookies in the EU generally requires prior consent, sitting alongside the GDPR rather than being replaced by it. This is an educational overview, not legal advice.
- Consent banners and analytics
A consent banner (or CMP) is the interface that asks visitors to accept or refuse non-essential storage and processing. For consent to be valid under EU rules it must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes and 'accept-only' dark patterns. Reducing what needs consent in the first place is the cleaner path. This is educational, not legal advice.
- Privacy-first analytics
Minimised measurement reduces what needs a basis.
Sources and verification notes
- EUR-Lex — GDPR Article 6 (lawfulness of processing). Primary text on lawful bases. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.