GDPR + cookies — when your tracking has no legal basis
Published 8 April 2026
TL;DR
- Cookies + tracking scripts fall under TWO regulatory regimes simultaneously: the ePrivacy Directive (the technical act of storing or reading data on the visitor's device) and GDPR (the personal data processing that tracking involves).
- ePrivacy requires consent before cookies are set; GDPR requires a legal basis to process personal data (which IP addresses and user behaviour count as).
- Most common GDPR mistake: tracking is set up under "legitimate interest" instead of consent. For analytics cookies this almost never works — supervisory authorities have repeatedly rejected that reasoning.
- The practical mistake: scripts load before the banner is shown, or load anyway when the user said no.
Two laws, one site
When a user visits your site and you collect data about them you need to keep both regimes in mind:
The ePrivacy Directive (national implementations vary) governs whether you can set cookies and similar technologies on the visitor's device. The only ground for non-essential cookies is consent.
GDPR governs what you can do with the personal data you collect via tracking — IP address, behavioural data, cookie identifiers. There are six legal bases here (Art. 6.1):
| Letter | Legal basis | Useful for tracking? |
|---|---|---|
| a | Consent | Yes — the workable basis |
| b | Contract | No (tracking isn't necessary to deliver the service) |
| c | Legal obligation | Rarely |
| d | Vital interests | No |
| e | Public interest | Public sector only, in specific cases |
| f | Legitimate interest | Theoretically — not in practice (see below) |
In practice: for analytics cookies, marketing, retargeting and A/B testing only consent (Art. 6.1.a) works. Legitimate interest has been tested repeatedly by EDPB and national authorities and found insufficient for consumer-facing tracking nearly every time.
The common grey-zone trap: "legitimate interest"
Sales consultants often try to sell you on tracking not requiring consent if it's "just about improving the site". Sounds reasonable — and doesn't hold up.
The legitimate-interest basis requires a balancing test between your need and the individual's privacy. Three criteria must be met:
- Legitimate purpose (your site improvement qualifies)
- Necessity (can you achieve the purpose another way?)
- Balance (does your interest outweigh the individual's?)
Supervisory authorities have consistently landed on criterion 3 not being met for consumer-facing tracking — the individual has a strong privacy interest, and your "improvement need" can be addressed through aggregated statistics without personal identifiers (e.g. server-side analytics without cookies). Because alternatives exist, the tracking isn't "necessary" in the legal sense.
Conclusion: don't rely on legitimate interest for Google Analytics, Meta Pixel, or similar. Consent is the path.
What consent actually requires
GDPR Art. 7 + EDPB guidelines (updated 2020) set the bar:
- Freely given — not a condition for receiving the service
- Specific — not one click that covers everything
- Informed — the user knows what they're consenting to
- Unambiguous — active action, not silence or defaults
- Withdrawable — as easy to say no as to say yes
- Documented — you must be able to prove consent was given
Banner designs that FAIL these requirements (common errors):
- "Accept all" is prominent but "Reject all" is hidden → not freely given on equal terms
- A single checkbox for analytics + marketing + functional → not specific
- "By continuing to use the site you accept…" → not unambiguous
- Pre-ticked checkboxes → not active action
- No "change settings" button in footer → not withdrawable
The technical mistake most make
Even if your banner is perfectly designed, compliance often fails at implementation: tracking scripts load and cookies are set regardless of what the user clicked.
Common underlying causes:
- GTM with "All Pages" trigger without consent gating
- Hardcoded GA snippet in <head> alongside the consent manager
- Third-party iframes (YouTube, Spotify, maps) that pull in tracking cookies from their own domain
- Server-side rendering returning tracking script in HTML before the client's consent state is known
Test that takes 2 minutes:
- Open the site in an incognito window (clear state)
- Open DevTools → Network tab
- Reload the page
- Before clicking anything in the banner, search Network for: google-analytics, googletagmanager, facebook, clarity, hotjar, linkedin
- Any hits = tracking loads without consent = compliance problem
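As an added example (not the post's code, nor any consent vendor's), here is a minimal consent gate in plain JavaScript that implements the behaviour the causes above violate and that the 2-minute test checks for: tags are registered with the category they need, nothing is injected until the visitor decides, and a missing or ambiguous answer counts as refusal. The `inject` callback, the category names and the tag names are assumptions; in a browser `inject` would append a `<script>` element.

```javascript
// Added example: a consent gate for third-party tags. Default state is "denied",
// so a page load before any click injects nothing, which is exactly what the
// Network-tab test above expects to see.
const CATEGORIES = ["analytics", "marketing"];

function createConsentGate(inject) {
  // inject(src) is supplied by the caller (assumed); in a browser it would
  // append a <script src=...> element. Passed in so the gate runs without a DOM.
  const consent = { analytics: false, marketing: false }; // deny by default
  let decided = false;      // has the visitor clicked anything yet?
  const pending = [];       // tags queued until a decision exists
  const loaded = [];        // names of tags actually injected (audit trail)

  function load(tag) {
    inject(tag.src);
    loaded.push(tag.name);
  }

  function register(name, category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, src };
    if (!decided) pending.push(tag);           // no decision yet: hold
    else if (consent[category]) load(tag);     // already consented: load now
    // decided and denied: drop silently, never load
  }

  function decide(choice) {
    // choice comes from the banner, e.g. { analytics: true, marketing: false }.
    // Only an explicit true counts; a missing key is a refusal, never a default.
    decided = true;
    for (const c of CATEGORIES) consent[c] = choice[c] === true;
    while (pending.length) {
      const tag = pending.shift();
      if (consent[tag.category]) load(tag);
    }
    return { ...consent };
  }

  function withdraw() {
    // Withdrawal must be as easy as consent. Already-injected scripts cannot be
    // unloaded, so the caller gets the list of tags whose cookies now need clearing.
    decided = true;
    for (const c of CATEGORIES) consent[c] = false;
    pending.length = 0;
    return loaded.slice();
  }
  return { register, decide, withdraw, loaded: () => loaded.slice() };
}
```

This covers the first two causes (GTM trigger, hardcoded snippet); third-party iframes need the same gating applied to the iframe `src`, and a server-rendered page must omit the snippet until a stored consent choice is present in the request.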
What to do about it
If you find tracking before consent:
Three paths to fix, easiest to most thorough:
Activate consent-mode in your tool. Google Tag Manager, Cookiebot, OneTrust, CookieScript etc. all have some variant of consent-mode. It blocks tag loading until the user clicks yes. Takes 1–2 hours to configure correctly.
Reshape your data collection. Switch from GA4/Meta to EU-based cookieless analytics (Plausible, Fathom, Simple Analytics) that doesn't require consent at all. More expensive per month but skips the entire compliance circus. Suitable for sites where analytics is used internally only — not for marketing attribution against paid ads.
Server-side tracking. Route all data via your own server (server-side GTM or similar) so you control what's sent and when. More technical work but maximum control.
Who should do the work:
This is classic collaboration between comms/marketing (who own why the tracking exists) and development (who own how it's implemented). Web agencies can do the heavy lifting but need clear input from you on what you actually want to measure — many agencies haven't realised their default GA installations are non-compliant.
What you should do now
- Run the 2-minute test above. If everything's clean — good. If tracking shows up before consent — proceed.
- Inventory your third-party scripts. List every third-party tag, name who owns it and what it does. Many sites have scripts no one remembers placing.
- Decide a strategy. Consent-mode is the pragmatic path for most SMBs. Cookieless analytics for those who don't lean heavily on paid attribution.
- Document consent logs. GDPR requires you to be able to prove consent was given — your consent vendor should log date, time, what choice the user made, which version of the banner. Verify that logging actually happens.
We've built CompliantHQ to automate step 1 + parts of step 2 — we list every third-party script that loads before consent, and monitor continuously so new tracking tags don't sneak in via GTM updates or marketing integrations. You can run the first scan without registering payment details.