Privacy & Consent

GDPR, ePrivacy, and CCPA — the legal landscape for analytics data collection

The Legal Landscape

Every analytics technique — server logs, client-side scripts, fingerprinting, session replay — collects data about real people. Privacy law exists precisely because analytics capabilities outpaced user expectations. If you build an analytics system (as you do in this course), you need to understand the legal landscape.

GDPR — The Global Standard

The General Data Protection Regulation (EU, 2018) applies to anyone processing data of EU residents, regardless of where the company is located. Six core principles are directly relevant to analytics:

  1. Lawfulness — You need a legal basis for processing: consent or legitimate interest.
  2. Purpose limitation — Collect for a stated purpose; don't repurpose data later.
  3. Data minimization — Collect only what is necessary for that purpose.
  4. Accuracy — Keep data correct and up to date.
  5. Storage limitation — Don't keep data longer than needed.
  6. Integrity & confidentiality — Protect the data you hold.

Key individual rights include: the right to access (see what data you hold), the right to erasure ("right to be forgotten"), and the right to data portability. Enforcement is serious: fines up to 4% of global annual revenue or €20M, whichever is greater.

ePrivacy Directive & Cookie Consent

The ePrivacy Directive is separate from GDPR and specifically governs electronic communications, including cookies. It is the origin of cookie banners and consent pop-ups. The core rule: you must obtain informed consent before setting non-essential cookies. Analytics cookies are non-essential. Only "strictly necessary" cookies (session management, security tokens) are exempt.

Beyond Europe

Privacy regulation is expanding globally, not contracting:

  • CCPA/CPRA (California) — An opt-out model rather than opt-in. Users can say "Do Not Sell My Personal Information." Legally recognizes Global Privacy Control.
  • US state laws — Virginia (VCDPA), Colorado, Connecticut, and others have enacted similar frameworks, creating a patchwork of requirements.
  • LGPD (Brazil) and PIPL (China) — Similar comprehensive frameworks. The trend is clear: every major market is adopting data protection regulation.

Consent Mechanisms

  • Cookie banners / CMPs — Consent Management Platforms present choices before analytics loads. Legally required in the EU for non-essential cookies.
  • Do Not Track (DNT) — A W3C header that browsers sent; sites almost universally ignored it. Effectively dead as a standard.
  • Global Privacy Control (GPC) — The successor to DNT. A browser signal legally recognized under CCPA — sites must honor it in California.
  • Privacy-preserving analytics — Tools like Plausible, Fathom, and Umami are designed to avoid needing consent entirely by not using cookies or collecting PII. They demonstrate that useful analytics doesn't require tracking individual users.

What This Means for Your Analytics

What You're Doing                    | Consent Required?     | Why
-------------------------------------+-----------------------+--------------------------------------------------------------
Server access logs (IP, path, UA)    | Usually not           | Standard operational logging qualifies as legitimate interest
First-party analytics cookies        | Yes (ePrivacy)        | Non-essential cookie — requires informed consent
Fingerprinting                       | Yes (GDPR)            | Creates personal data through processing
Session replay                       | Yes (GDPR)            | Records user behavior and may capture PII
Third-party analytics (e.g. GA)      | Yes (GDPR + ePrivacy) | Data leaves your control; third-party cookies
Aggregate, cookie-free metrics only  | Often not             | No personal data processed — no individual tracking
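As an added example (not part of the course material), here is a request-time consent gate in JavaScript that encodes the table above and honors the GPC and DNT signals from the Consent Mechanisms list before any consent-requiring collection runs. The mode names, the `analytics_consent` cookie and the `mayCollect`/`allowedModes` functions are hypothetical; `Sec-GPC: 1` and `DNT: 1` are the real request headers those browser signals use.

```javascript
// Consent gate for a first-party analytics pipeline (added example; names are hypothetical).
// One entry per row of the table: does this collection mode need consent, and on what basis?
const MODES = {
  sessionCookie:       { consent: false, basis: 'strictly necessary (ePrivacy exemption)' },
  serverLog:           { consent: false, basis: 'legitimate interest' },
  aggregateMetrics:    { consent: false, basis: 'no personal data processed' },
  firstPartyCookie:    { consent: true,  basis: 'ePrivacy' },
  fingerprinting:      { consent: true,  basis: 'GDPR' },
  sessionReplay:       { consent: true,  basis: 'GDPR' },
  thirdPartyAnalytics: { consent: true,  basis: 'GDPR + ePrivacy' },
};

// Lower-case header names so lookups do not depend on how the client spelt them.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide whether one collection mode may run for this request.
// Opt-out signals win over a stored consent cookie: GPC because CCPA requires sites
// to honor it, DNT as a conservative default (the page notes it has no legal force).
function mayCollect(mode, rawHeaders) {
  const spec = MODES[mode];
  if (!spec) throw new Error(`unknown collection mode: ${mode}`);
  if (!spec.consent) return { allowed: true, reason: spec.basis };
  const h = normalizeHeaders(rawHeaders);
  if (h['sec-gpc'] === '1') return { allowed: false, reason: 'GPC opt-out signal' };
  if (h['dnt'] === '1') return { allowed: false, reason: 'DNT signal' };
  // Hypothetical consent cookie written by the CMP: analytics_consent=granted|denied
  const consent = parseCookies(h['cookie']).analytics_consent;
  if (consent === 'granted') return { allowed: true, reason: `consent on record (${spec.basis})` };
  return { allowed: false, reason: `no consent recorded; required under ${spec.basis}` };
}

// Everything the pipeline may do for this request. Before the CMP has an answer,
// this is only the consent-free rows of the table.
function allowedModes(rawHeaders) {
  return Object.keys(MODES).filter((m) => mayCollect(m, rawHeaders).allowed);
}
```

Call `allowedModes(req.headers)` once per request and hand the result to the collectors; anything not in the list stays off until the CMP records consent.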