Most GDPR discussions for analytics boil down to one question: “Do I need a cookie banner?” But that question conflates two separate legal frameworks that operate independently of each other. Understanding the difference isn’t just an academic exercise — it’s the key to knowing when you can legally skip the banner entirely.
Let’s untangle legitimate interest as a lawful basis, explain why the cookie rule runs on a completely different track, and walk through exactly when each framework applies to your analytics setup.
Legal note: This article is educational, not legal advice. Privacy law is fact-specific. If you’re making compliance decisions with real consequences, talk to a lawyer who knows EU data protection law.
Two Laws, Two Questions — Why You Can’t Answer One With the Other
When you run analytics on a European website, you’re actually dealing with two overlapping legal regimes. Most people think of them as one thing. They’re not.
GDPR (Regulation 2016/679) governs the processing of personal data. It asks: do you have a lawful basis to process information that relates to an identifiable person?
The ePrivacy Directive (2002/58/EC, as amended) governs access to and storage of information on a user’s device. It asks a narrower question: are you storing or reading information on someone’s terminal equipment?
These are sequential, not interchangeable. You need to pass both tests independently. A lawful basis under GDPR does not excuse you from the ePrivacy cookie rule. And satisfying the cookie rule doesn’t mean you’ve sorted your GDPR lawful basis.
This is the root cause of so much confusion in compliance discussions. Let’s take each in turn.
What Is Legitimate Interest — and How Does It Work Under GDPR?
Legitimate interest is one of six lawful bases listed in Article 6(1)(f) of GDPR. It allows you to process personal data without consent, provided three conditions are met — what the EDPB calls the “three-part test”:
- Purpose test: Is there a legitimate interest being pursued by the controller or a third party?
- Necessity test: Is the processing necessary to achieve that purpose? Could you achieve the same result with less privacy impact?
- Balancing test: Are those interests overridden by the interests, fundamental rights and freedoms of the data subject? (This is the Article 6(1)(f) wording: the controller's interest loses whenever the visitor's rights outweigh it.)
In theory, website analytics can qualify. Measuring traffic, understanding which content performs, detecting technical errors — these are real business interests. However, the balancing test is where analytics under legitimate interest gets complicated.
The European Data Protection Board (EDPB) and national DPAs have consistently taken the view that behavioural advertising, cross-site tracking, and building detailed individual profiles cannot rely on legitimate interest. The balance tips against the controller. But aggregate, purpose-limited analytics for internal performance measurement is a closer call — and some DPAs have accepted it in specific contexts.
The keyword in “legitimate interest analytics” is not the word “analytics.” It’s the word “legitimate.” The purpose, the data minimization, and the genuine balancing against visitor rights all have to hold up.

The ePrivacy Cookie Rule: Why Consent Is a Separate Requirement
Here’s the part that trips people up. Even if you’ve established legitimate interest as your GDPR lawful basis, you may still need a cookie consent banner. Not because of GDPR — but because of ePrivacy.
Article 5(3) of the ePrivacy Directive requires prior informed consent before storing or accessing information on a user’s terminal equipment (their browser, phone, or device). This applies to cookies, localStorage, fingerprinting techniques that read device characteristics, and any other access to device storage.
Importantly, the Directive only has one narrow exception: cookies that are “strictly necessary” for a service explicitly requested by the user. Analytics cookies do not fall under that exception. A cookie that tracks pageviews for your benefit, not the user’s, is not strictly necessary for the user.
So the logic chain looks like this:
- You place an analytics cookie → ePrivacy Article 5(3) triggers → you need consent, regardless of your GDPR basis.
- Legitimate interest under GDPR does not substitute for this consent requirement.
- This is why a website can have a valid legitimate interest basis for some processing and still need a cookie banner.
In the UK, the ICO’s guidance on PECR (which implements ePrivacy in UK law) makes this explicit: legitimate interests does not provide a valid basis for setting analytics cookies. You need consent.
This matters enormously for legitimate interest analytics in practice. The basis might be defensible for your server-side data processing, but if the data collection itself involves a cookie or device storage access, you still need the banner.
Consent vs Legitimate Interest: A Side-by-Side Comparison
Here’s how the two bases play out in a typical analytics context:
| Dimension | Consent (Art. 6(1)(a)) | Legitimate Interest (Art. 6(1)(f)) |
|---|---|---|
| What triggers it | Any personal data processing where no other basis applies | Processing necessary for a genuine interest, where balance favours controller |
| Who decides | The data subject — freely, before processing starts | The controller — but subject to DPA scrutiny |
| For cookie placement | Required by ePrivacy, not just GDPR | Does NOT exempt you from ePrivacy consent requirement |
| Can be withdrawn | Yes — at any time, must be as easy as giving it | Yes — “right to object” under Art. 21; controller can override if compelling grounds exist |
| LIA (Legitimate Interest Assessment) required | No | Yes — must be documented |
| Works for behavioural advertising | Yes (if freely given, specific, informed) | No — ECJ/EDPB guidance rules it out |
| Works for aggregate analytics | Yes | Potentially — depends on scope, purpose limitation, and data minimisation |
| Typical DPA stance | Preferred for anything high-risk or profiling | Acceptable for low-risk internal measurement in some jurisdictions; contested elsewhere |
The bottom line: neither basis is universally “better.” Consent gives you clearer legal footing but requires an opt-in mechanism. Legitimate interest requires a documented assessment and is more fragile — a DPA can override it if your balancing test doesn’t hold up.

When Cookieless Tools Change the Equation Entirely
This is where the conversation gets practically useful. If the ePrivacy rule is what forces the consent banner — and ePrivacy only triggers when you access device storage — then tools that never touch device storage can sidestep the requirement at the source.
Privacy-first, cookieless analytics tools — Plausible, Fathom, GoatCounter, Simple Analytics — generate their visitor identifier server-side. They do not place cookies. They do not write to localStorage. They derive an anonymized daily hash from the IP address, user agent, and a rotating salt, and they discard the raw data immediately. The hash cannot be reversed. It resets every 24 hours, preventing long-term tracking.
Because these tools don’t access device storage, Article 5(3) ePrivacy does not fire. No trigger, no requirement, no banner.
That still leaves the GDPR question: is the processing of that daily hash “personal data”? Arguably, if the hash cannot be reversed and the underlying IP is never stored, you’re dealing with truly anonymous data — and GDPR doesn’t apply to anonymous data at all. Most privacy-first tools take this position, and it’s a defensible one when done properly.
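To make the daily-hash mechanism concrete, here is an added illustration in Python. It is not code from Plausible, Fathom, GoatCounter or Simple Analytics; the field order, the 32-byte salt and the truncated hex identifier are assumptions, and the hits are constructed. The point it shows is the one that matters for the "truly anonymous" argument: the identifier is only unlinkable because the salt is random, never persisted, and thrown away when the day changes. Whoever holds a day's salt could enumerate the IPv4 space and common user agents to re-derive identifiers, so the handling of the salt, not the hash function, is the actual control.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Added illustration of a daily-salted visitor hash. Not the code of any named
# analytics tool; message layout and salt size are assumptions.


class DailySaltStore:
    """Holds exactly one random salt, replaced (and forgotten) when the day changes."""

    def __init__(self, today: date):
        self.day = today
        self.salt = secrets.token_bytes(32)  # kept in memory only, never on disk

    def salt_for(self, day: date) -> bytes:
        if day != self.day:
            # Rotation: the previous salt is gone for good, so identifiers from
            # earlier days can no longer be recomputed or linked to today's.
            self.day = day
            self.salt = secrets.token_bytes(32)
        return self.salt


def visitor_hash(store: DailySaltStore, day: date, site: str, ip: str, user_agent: str) -> str:
    """Per-day visitor identifier: HMAC over site|ip|ua keyed with the day's salt."""
    salt = store.salt_for(day)
    message = f"{site}|{ip}|{user_agent}".encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()[:16]


def record_hit(store: DailySaltStore, day: date, site: str, ip: str, user_agent: str, path: str) -> dict:
    """The record that is actually retained: day, site, path and the hash.
    The raw IP and user agent are used once and not stored."""
    return {
        "day": day.isoformat(),
        "site": site,
        "path": path,
        "visitor": visitor_hash(store, day, site, ip, user_agent),
    }


def unique_visitors(records) -> int:
    """Unique (day, visitor) pairs: the same person on two days counts twice,
    which is exactly the 'no long-term tracking' property."""
    return len({(r["day"], r["visitor"]) for r in records})


# Constructed sample traffic: two visitors on day one, one returning on day two.
SITE = "example.org"
UA = "Mozilla/5.0 (constructed user agent)"
DAY1 = date(2024, 1, 1)
DAY2 = DAY1 + timedelta(days=1)


def demo():
    store = DailySaltStore(DAY1)
    return [
        record_hit(store, DAY1, SITE, "203.0.113.7", UA, "/"),
        record_hit(store, DAY1, SITE, "203.0.113.7", UA, "/pricing"),  # same visitor, same day
        record_hit(store, DAY1, SITE, "198.51.100.9", UA, "/"),        # a second visitor
        record_hit(store, DAY2, SITE, "203.0.113.7", UA, "/"),         # first visitor, next day
    ]


if __name__ == "__main__":
    hits = demo()
    for h in hits:
        print(h)
    print("unique visitors across both days:", unique_visitors(hits))
```

Running the block prints four retained records containing no IP or user agent, and reports three unique visitors: the first visitor's two same-day hits collapse into one identifier, while the next-day hit gets a fresh, unrelated one.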
In my experience testing these tools on production sites, GoatCounter is one of the cleanest examples: it stores no cookies, no persistent identifiers, no IP addresses. For a small content site, you get your visitor counts and top pages with zero legal exposure on the tracking side. The script is around 3.5KB. Simple Analytics, similarly, hashes IPs and stores no cookies or PII — they’re based in the Netherlands and specifically built for GDPR/ePrivacy compliance from the ground up.
For a deeper look at how tools handle privacy at the feature level, the tool-by-tool GDPR compliance comparison covers the specifics of what each platform collects and how.
The Legitimate Interest Analytics Checklist: Can Your Setup Qualify?
If you’re considering legitimate interest as your GDPR basis for analytics processing, work through these questions before you document anything:
1. Does the analytics actually use cookies or device storage? If yes, LI doesn’t help you with ePrivacy. You need consent for the cookie layer regardless.
2. Is the purpose specific and documented? “We want to improve our website” is too vague. “We measure which support articles reduce support ticket volume” is specific.
3. Have you done a genuine data minimisation review? If you can achieve the same purpose with aggregate-only, cookieless data, using individual-level tracking fails the necessity test.
4. Can visitors reasonably expect this processing? EDPB guidance flags “reasonable expectation” as a key balancing factor. Visitors to a small business site have lower expectations of behavioural tracking than visitors to a major ecommerce platform.
5. Have you prepared a Legitimate Interest Assessment (LIA)? This document is not optional — it’s what you show regulators if challenged.
6. Is the right to object prominently communicated? Under Art. 21, data subjects can object to legitimate interest processing. Your privacy notice must explain how.
7. Is data retained for longer than necessary? Legitimate interest does not override the storage limitation principle. Analytics data should have a defined retention period.
8. Would switching to a cookieless tool make the LIA stronger? Often yes — and it may make the question moot entirely.
If you can’t answer questions 1 through 4 confidently, the basis is probably not defensible. Start with a cookieless tool and build from there.
What EDPB Guidance Actually Says About Analytics
The EDPB has not issued a dedicated opinion specifically on web analytics and legitimate interest. However, several documents shape the landscape.
The EDPB’s Guidelines 06/2014 on legitimate interests (updated through the Board) establish that the balancing test is genuine, not formulaic. They note that the severity of the impact on data subjects, the nature of the data, and the controller’s ability to adopt less privacy-intrusive means all weigh in.
France’s CNIL, Germany’s DSK, and the Dutch AP have each issued guidance or decisions touching on analytics. The consensus across jurisdictions: analytics cookies require consent under ePrivacy; cookieless aggregate analytics occupies a greyer zone that may or may not require a lawful basis depending on whether the processed data remains truly anonymous.
The practical implication: if you’re using a tool that genuinely processes only anonymous aggregates, you’re largely outside the scope of GDPR discussion. If you’re using any form of individual-level tracking — even pseudonymised — you’re in GDPR territory and you need a documented basis.
For attribution tracking specifically, the picture gets more complex. Cookieless attribution models use probabilistic and cohort-based approaches that avoid individual-level identifiers — a useful middle ground when you need conversion data without PII.
Practical Scenarios: Which Basis Applies?
Here’s how this plays out in common situations:
Scenario 1 — You use a tool that places cookies (any analytics with a persistent visitor ID). You need ePrivacy consent for the cookie. You also need a GDPR basis for processing. Most sites use consent for both, combined in a single banner. Attempting to use legitimate interest for the GDPR layer while ignoring ePrivacy is a compliance gap.
Scenario 2 — You use a cookieless tool that processes daily-salted hashes (Plausible, Fathom, GoatCounter). No ePrivacy trigger. If the tool genuinely processes no personal data (no IPs stored, hash not reversible), GDPR may not apply at all. In most practical deployments, no banner is required. This is the cleanest outcome.
Scenario 3 — You use server-side log analysis (GoAccess, raw nginx logs). No cookies, no device-side access. But raw logs typically contain IP addresses, which are personal data under GDPR. You need a lawful basis for storing logs — legitimate interest for security and operational purposes is commonly used. IP anonymization (stripping the last octet or more) reduces exposure. GoAccess itself is fine; it’s the raw logs underneath that need managing.
Scenario 4 — You use self-hosted Matomo with anonymization enabled. Matomo in “cookie-less mode” with IP anonymization and no fingerprinting approaches the same clean zone as Scenario 2. However, if you enable any optional features that re-introduce cookies or longer retention, each feature needs its own compliance check.
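For Scenario 3, here is an added Python example (not part of nginx, GoAccess or any tool named on this page) that masks client addresses in nginx "combined" access-log lines and applies a retention cutoff. The prefix lengths (/24 for IPv4, /48 for IPv6) and the three log lines are constructed assumptions. Two caveats a practitioner would want: masking after the fact only helps if the unmasked file is not also retained, so in production this step belongs at log-write time (nginx can do it with a `map` on `$remote_addr`) or in a pipeline that deletes the raw file; and the user-agent and referer fields survive this pass untouched, so they still need their own review.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Added example for Scenario 3: IP masking and retention on nginx combined-format
# log lines. Not code from nginx or GoAccess; prefixes and sample lines are constructed.

V4_PREFIX = 24   # keep three octets, zero the last ("stripping the last octet")
V6_PREFIX = 48   # keep the routing prefix, zero the subnet/interface part


def anonymize_ip(ip: str, v4_prefix: int = V4_PREFIX, v6_prefix: int = V6_PREFIX) -> str:
    """Truncate an address to its network prefix. Raises ValueError for non-IPs."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


# Combined format starts with $remote_addr followed by a space.
LEADING_ADDR = re.compile(r"^(\S+)( .*)$", re.S)
TIMESTAMP = re.compile(r"\[([^\]]+)\]")


def anonymize_log_line(line: str) -> str:
    """Replace the leading client address; leave lines we cannot parse unchanged."""
    m = LEADING_ADDR.match(line)
    if not m:
        return line
    try:
        masked = anonymize_ip(m.group(1))
    except ValueError:        # '-' or a hostname rather than an address
        return line
    return masked + m.group(2)


def within_retention(line: str, now: datetime, days: int) -> bool:
    """True if the line's timestamp is within the retention window.
    Unparseable timestamps are treated as expired rather than kept forever."""
    m = TIMESTAMP.search(line)
    if not m:
        return False
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return now - ts <= timedelta(days=days)


def process_log(lines, now: datetime, retention_days: int):
    """Drop expired lines, mask the rest. This is what GoAccess would be fed."""
    return [anonymize_log_line(l) for l in lines if within_retention(l, now, retention_days)]


# Constructed sample lines in nginx combined format (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Jan/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)"',
    '2001:db8:abcd:1234::5 - - [10/Jan/2024:10:01:03 +0000] "GET /pricing HTTP/1.1" 200 2048 "https://example.org/" "Mozilla/5.0 (constructed)"',
    '198.51.100.9 - - [01/Dec/2023:08:00:00 +0000] "GET /missing HTTP/1.1" 404 153 "-" "curl/8.0"',
]

NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)


if __name__ == "__main__":
    for line in process_log(SAMPLE_LOG, NOW, retention_days=30):
        print(line)
```

With the constructed input and a 30-day window, the December line is dropped and the two January lines come out as `203.0.113.0` and `2001:db8:abcd::`, with everything after the address preserved so GoAccess still parses them.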
Bottom Line
Legitimate interest analytics is not a trick to avoid cookie banners. The two questions — “do I have a GDPR lawful basis?” and “do I need ePrivacy consent for cookies?” — are separate and must be answered separately.
For most small to mid-sized websites, the practical conclusion is this: use a cookieless, no-PII analytics tool, and you sidestep both questions simultaneously. The GDPR basis question largely disappears when you’re not processing personal data. The ePrivacy question disappears when you’re not touching device storage.
If you do process identifiable data and want to rely on legitimate interest analytics, you need a documented LIA, a specific purpose, genuine data minimisation, and a clear right-to-object mechanism. Consent remains the safer and cleaner basis for anything that involves cookies or individual-level tracking.
The tools have gotten good enough that most site owners don’t have to wrestle with this tradeoff at all. Choose the right tool, and the legal complexity collapses by itself.
