There’s a common misconception that if an analytics service is not using cookies, then no cookie banner is needed. This is not true: if you are tracking visitors in Europe you must ask for their permission — whether you use cookies or not.
GDPR for analytics that identifies people
Most analytics services use an identifying cookie to track individual visitors. According to GDPR, you need to ask permission from your visitors to use such a service. This means that if you are using Google Analytics, Mixpanel, Heap, Hotjar, or any other traditional analytics service you must add a GDPR banner on your website. There are many kinds of banners in the wild. Here’s one from Cookiebot:
ePrivacy for anonymous analytics
Anonymous analytics doesn’t collect any personal information so it is compatible with CCPA, GDPR, PERCe. This means that you don’t need to display any banners for visitors outside Europe.
However, all European countries are applying the ePrivacy directive, which states that accessing device information for analytical purposes requires consent. This is stated in Article 5.3:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent
This directive is applied in European laws as follows:
Countries that require consent
Some European countries require consent, that is a “yes” or “no” answer to whether the visitor can be tracked. Here’s how it looks in Volument with default settings:
The following countries have adopted this practice in their laws:
Albania: Article 123(6) of Law No. 9918 (as amended) of 19 May 2008 on Electronic Communications in the Republic of Albania
Austria: Section 20 of Law 20/2014, of 16 October, regulating electronic contracting and operators who carry out their economic activity in a digital space
Belgium: Article 129 of Law of 13 June 2005 on Electronic Communications
Croatia: Article 100(4) of the Electronic Communications Act implementing the Directive on Privacy and Electronic Communications
Cyprus: Article 99 of the Electronic Communications and Postal Services Regulations Act 2004 (Law 112 (I)/2004) (as amended)
Denmark: Executive Order No. 1148 of 9 December 2011 on Information and Consent Required in Case of Storing or Accessing Information in End-User Terminal Equipment
France: Article 82 of the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended)
Gibraltar: Regulations 5(1) and (2) of Communications (Personal Data and Privacy) Regulations 2006
Greece: Article 4(5) of the Law 3471/2006 on the Protection of Personal Data and Privacy in the Electronic Telecommunications Sector and Amendment of Law 2472/1997
Ireland: Article 5(3), (4), and (5) of the S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011
Italy: Article 122 of the Personal Data Protection Code, Legislative Decree No. 196/2003
Latvia: Section 7.1 of the Law on Information Society Services of 4 November 2004
Lithuania: Article 61 of the Law on Electronic Communications of 15 April 2004, No. IX-2135
Monaco: Article 14-2 of Act No. 1.165 on the Protection of Personal Data (23 December 1993)
Montenegro: Article 172 of the Law on Electronic Communications 40/2013
Norway: Section 2-7b of the Electronic Communications Act
Portugal: Articles 5, 14, and 15 of Law No. 46/2012 of 29 August 2012
Republic of Macedonia: Article 168(5) of the Law on Electronic Communications 2018
Slovakia: Section 55 of the Act No. 351/2011 Coll. on Electronic Communications
Turkey: Article 10 of the Law on Protection of Personal Data No. 6698
UK: Section 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Countries that are good with just a notice
Some European countries have adopted a milder version of the directive where a simple notification is enough. This notification looks like this in Volument with the default settings:
The following countries have adopted this practice in their laws:
Andorra: Section 20(2), Law 20/2014 of the Electronic Communications Law
Bulgaria: Section 4a(2) of the Electronic Commerce Act
the Czech Republic: Article 89(3) of the Electronic Communications Act
Estonia: Electronic Communications Act 102, Moments 1 and 3
Finland: Laki sähköisen viestinnän palveluista ja Traficom
Germany: Telemedia Act of 2007. Moment 15 §3
Guernsey: Implementation of Privacy Directive,(Guernsey) Ordinance, 2004. Section 4, moments 1 and 2
Hungary: Article 155(4) of Act C of 2003 on Electronic Communications
Kosovo: Law No. 04/L-109 on Electronic Communications
Liechtenstein: Law of 17 March 2006 on Electronic Communications Act and Data Protection Act (DSG) of 4 October 2018
Luxembourg: Act of 30 May 2005 and Articles 88-2 and 88-4 of the Code of Criminal Procedure, Moments 4 and 2
Malta: Processing of Personal Data Regulations of 2003.
Netherlands: Article 11.7a, Telecommunications Act, 1998
Poland: Article 173, 174, 209, and 210 of the Telecommunications Act 2004
Romania: Article 4(5) of Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector
San Marino: Article 111 of Law No. 171 of 21 December 2018, Protection of Natural Persons concerning the Processing of Personal Data
Serbia: Article 126 of the Law on Electronic Communications 2014 (Official Gazette of the Republic of Serbia, No. 62/2014)
Slovenia: Article 157 of the Electronic Communications Act 2012
Spain: Article 22(2) of Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce
Sweden: Section 18 of Chapter 6 of the Electronic Communications Act (2003*:389)
Switzerland: Articles 45c and 53 of the Telecommunications Act 1997