This is not legal advice

This article explains general legal concepts as they apply to web analytics. It is not a substitute for professional legal advice. If you operate a site in a regulated industry or have specific compliance requirements, consult a qualified privacy lawyer.

Most site owners believe they need a cookie consent banner because “GDPR requires it for analytics.” This is an oversimplification that has led to a proliferation of consent banners across the web — many of them unnecessary.

The legal framework is actually composed of two separate instruments:

  • GDPR (General Data Protection Regulation) — governs the processing of personal data in the EU. It sets out legal bases for processing: consent, legitimate interest, contractual necessity, legal obligation, vital interests, and public task.
  • ePrivacy Directive (Directive 2002/58/EC, as amended) — specifically regulates electronic communications privacy. Article 5(3) is the “Cookie Law” that requires consent for storing or accessing information on a user’s terminal device.

The consent requirement for web analytics comes primarily from the ePrivacy Directive, not from GDPR directly. And Article 5(3) is technology-neutral: it covers cookies and any "similar technology" that stores or reads information on the user's device, but it does not reach analytics that only process what the server receives as part of the request itself.

What Article 5(3) of the ePrivacy Directive actually says

Article 5(3) requires prior informed consent before “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user.”

This covers:

  • HTTP cookies (writing and reading)
  • localStorage and sessionStorage (writing a value is "storing", reading it back on a later visit is "gaining access")
  • Browser fingerprinting techniques that read device or browser properties
  • Flash Local Shared Objects
  • Any other technique that stores information on, or reads information from, the user's device

It does not cover:

  • Server-side logging of HTTP request metadata (IP address, User-Agent, referrer) that is inherent to how HTTP works
  • Analytics derived purely from server logs without accessing browser-stored data

Where FPAI fits in this framework

FPAI’s tracking approach has two components. Let’s examine each separately:

Component 1: Server-side IP hashing

When a request reaches your server, the client IP address arrives with the connection itself: it is not something FPAI "accesses from the browser". The server receives it as part of normal network communication (behind a reverse proxy or CDN, make sure you read the address the proxy sets rather than a client-supplied forwarded header). FPAI immediately hashes the address server-side and stores only the hash.

This is broadly analogous to server-side web log analysis, which has generally been treated as outside the consent requirement: you are not reading data from the browser, you are processing data the browser necessarily transmitted to open the connection. Two caveats apply. First, the EDPB's 2023 guidelines on the technical scope of Article 5(3) read "gaining access" broadly, so this boundary is not settled. Second, hashing is not anonymisation: an unkeyed hash of an IPv4 address can be reversed by hashing all 2^32 possible addresses and comparing, so the hash should be keyed with a secret that is rotated (for example daily) and kept out of the analytics table. GDPR treats such keyed hashes as pseudonymised rather than anonymised data, which is why the obligations later in this article still apply.
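As an added example (this is not FPAI's code; the page does not publish how FPAI derives its hash, so the daily salt rotation, the IPv6 /64 truncation and the sample addresses below are this example's own assumptions), the Python below shows why an unkeyed hash of an IP address is a weak pseudonym and how a keyed, daily-rotated hash behaves instead:

```python
"""Keyed, rotating IP hashing versus a plain hash.

Added example, not FPAI's code: the page does not say how FPAI derives its
hash, so the daily salt rotation, the IPv6 /64 truncation and the sample
addresses are this example's own choices.
"""
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date
from typing import Dict, Optional


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address: what 'just hash the IP' usually means."""
    return hashlib.sha256(ip.encode()).hexdigest()


def reverse_plain_hash(digest: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by enumerating candidates.

    A /24 keeps this demo instant; the whole IPv4 space is only 2**32
    addresses, which commodity hardware enumerates in minutes and a GPU in
    seconds, so an unkeyed hash is a pseudonym, not an anonymisation.
    """
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None


def canonical_address(ip: str) -> str:
    """Normalise the address before hashing.

    IPv4-mapped IPv6 addresses are unwrapped to the IPv4 they carry. Native
    IPv6 is truncated to its /64 prefix, because privacy extensions rotate
    the interface identifier and would otherwise split one visitor into
    many tokens. IPv4 is hashed whole.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    if addr.version == 6:
        addr = ipaddress.ip_network(f"{addr}/64", strict=False).network_address
    return str(addr)


def visitor_token(ip: str, day_salt: bytes) -> str:
    """HMAC-SHA256 of the canonical address under a secret, per-day salt.

    Without the salt there is nothing to enumerate against, and because the
    salt changes daily the same visitor gets an unrelated token tomorrow.
    """
    return hmac.new(day_salt, canonical_address(ip).encode(), hashlib.sha256).hexdigest()


def current_salt(salt_store: Dict[str, bytes], today: str) -> bytes:
    """Return the salt for `today` (an ISO date string), creating it on first
    use and discarding every older day's salt.

    The store stands in for a secret held in memory or a config file, never
    in the analytics table itself. Once a day's salt is gone, that day's
    tokens can no longer be linked back to an address, even by the operator.
    """
    if today not in salt_store:
        salt_store[today] = secrets.token_bytes(32)
    for day in [d for d in salt_store if d != today]:
        del salt_store[day]
    return salt_store[today]


if __name__ == "__main__":
    ip = "203.0.113.77"  # constructed sample from the TEST-NET-3 documentation range
    recovered = reverse_plain_hash(plain_hash(ip), "203.0.113.0/24")
    print(f"unkeyed hash of {ip} recovered by enumeration as {recovered}")
    store: Dict[str, bytes] = {}
    salt = current_salt(store, date.today().isoformat())
    print("keyed token for today:", visitor_token(ip, salt))
```

Run it directly to watch the unkeyed hash being recovered from a documentation-range address. The salt store also illustrates the data subject request trade-off discussed later in this article: while a day's salt is still held, a token can be recomputed from an address the requester supplies and matched; once it has been discarded, nobody can.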

Component 2: localStorage for session continuity

This is where legal analysis becomes more nuanced. FPAI writes a random visitor ID to localStorage and reads it on subsequent page loads to link pageviews into a session.

Technically, localStorage access falls within the literal scope of Article 5(3). However, several factors affect the practical risk level:

  • First-party only: the value is scoped to your own origin and is never shared with third parties. It is not used for cross-site tracking or advertising profiling.
  • No onward transmission: the visitor ID is sent only to your own server and stored in your own WordPress database; it is never transmitted to a third party.
  • Strictly analytics purpose: the data is used only to understand how your own site is used, not to build advertising profiles or to track individuals across sites.
  • Legitimate interest argument: some practitioners argue that basic first-party analytics can rest on legitimate interest rather than consent. Note the limits of that argument. Article 5(3) has no legitimate-interest basis; its only exemptions cover storage or access needed to transmit a communication, and storage or access "strictly necessary" to provide a service the user explicitly requested. Legitimate interest governs the GDPR processing of the data once collected, while the act of reading localStorage has to fit one of those exemptions or a national audience-measurement exemption such as the one the French CNIL has defined (first-party use only, no cross-site tracking, limited retention). Regulators remain divided on whether first-party analytics qualifies.

The practical position

FPAI's cookie-free approach is meaningfully lower risk than cookie-based analytics because it sets no cookies and shares no data with third parties. Article 5(3) is technology-neutral, though, so localStorage is not a loophole: the reduction in risk comes from the first-party, non-tracking use, not from the storage mechanism. Many practitioners consider first-party, non-cookie analytics without cross-site tracking to fall outside the primary target of the consent requirement, but you should still disclose it in your privacy policy.

What the regulators have actually enforced

The enforcement actions we have seen from European data protection authorities have targeted:

  • Google Analytics specifically, for transferring EU visitor data to US servers
  • Sites using advertising cookies (Meta Pixel, Google Ads tags) without proper consent
  • Sites with consent banners that didn’t actually honor “reject all” choices
  • Cross-site tracking and behavioral advertising profiling

We are not aware of enforcement actions targeting first-party, cookie-free, server-side analytics that don’t transfer data to third parties. This is consistent with the regulatory intent: protecting users from hidden third-party data collection, not from site owners analyzing their own server logs.

What GA4 gets wrong, and why several EU regulators found it non-compliant

Between 2022 and 2023 the Austrian DSB, the French CNIL, the Italian Garante and the Danish Datatilsynet each found specific deployments of Google Analytics non-compliant with GDPR. The problem they identified: Google Analytics transfers European visitor data to Google's US servers, and the standard contractual clauses relied on for that transfer were found insufficient without effective supplementary measures. Those decisions predate the EU-US Data Privacy Framework adequacy decision of July 2023, which changed the transfer analysis for participating US companies, so check the current position rather than relying on the 2022 rulings alone.

This is a data transfer problem, not a consent problem as such. GA4 could be fully consent-based and still violate GDPR if the transfer mechanism is invalid. FPAI avoids the question entirely: your analytics data never leaves your server, so there is no cross-border transfer to assess.

The legitimate interest argument for analytics

GDPR provides several legal bases for processing personal data. Consent is one, but not the only one. Legitimate interest (Article 6(1)(f)) allows processing when:

  1. You have a legitimate interest in processing the data
  2. The processing is necessary for that interest
  3. The interest is not overridden by the individual’s rights and freedoms

Understanding how visitors use your site is a legitimate business interest. Basic analytics (pages visited, traffic sources, session duration) is necessary for that interest. And privacy-preserving analytics (hashed IPs, no cookies, no third-party sharing) is less likely to be outweighed by the visitor's rights and interests than cookie-based tracking. Record this reasoning in a short legitimate interests assessment; it is the first thing a regulator will ask for.

Some practitioners argue that cookie-free, first-party analytics can be justified under legitimate interest without consent. Not all regulators accept this position, and it answers only the GDPR question, not whether Article 5(3) requires consent for the localStorage read. Even so, it is more defensible for FPAI's approach than for traditional cookie-based analytics.

What you still need to do

Even with cookie-free analytics, you have obligations:

1. Update your privacy policy

Disclose that you collect analytics data, what is collected, where it is stored, and for how long. Even if you don’t need consent, transparency is required. See the cookie-free analytics article for sample privacy policy language.

2. Set data retention limits

FPAI Free retains data for 90 days by default. FPAI Pro retains indefinitely — but you should decide what retention period is appropriate and document it in your privacy policy. Keeping analytics data longer than necessary is harder to justify under the data minimization principle.

3. Honor data subject requests

Under GDPR, visitors can request access to or deletion of their personal data. Since FPAI stores hashed IPs rather than names or emails, you cannot search by the requester's identity. If the hash is keyed and you still hold the key, you can recompute the hash from an IP address the requester supplies and delete the matching rows; once a key has been rotated and discarded, the rows it produced can no longer be linked to anyone, and you can say so in your response. Either way, have a documented process for handling such requests and explain it in your privacy policy.

4. Check local rules

Some EU member states have implemented stricter national rules under the ePrivacy Directive. Germany's TTDSG (renamed TDDDG in 2024), whose section 25 implements Article 5(3), and France's CNIL guidelines, for example, take specific positions on analytics. If you primarily serve users in particular countries, check the guidance from that country's regulator.

The bottom line

Running analytics without a consent banner is legally viable when you:

  • Don’t use cookies for analytics
  • Don’t transfer data to third-party servers
  • Use privacy-preserving techniques (hashed IPs, no fingerprinting)
  • Disclose your analytics approach in your privacy policy
  • Have a defensible legal basis (legitimate interest for the GDPR processing and, where a national regulator such as the CNIL provides one, the audience-measurement exemption for the device access)

FPAI’s design checks all of these boxes. That’s why sites using FPAI can legitimately remove their analytics cookie consent banner — not because they’re ignoring the law, but because FPAI’s approach falls outside the primary scope of the consent requirement.


FPAI is a free WordPress plugin designed for privacy-first analytics from the ground up. Download free →