Legitimate Interest (Analytics)
GDPR Article 6(1)(f) lawful basis: a controller may process personal data when it has a legitimate purpose, the processing is necessary for that purpose, and the data subject’s rights and freedoms do not override the interest. Sometimes invoked as a basis for analytics — but with important caveats.
The three-part test
To rely on Art. 6(1)(f), the controller must document a three-part test: a legitimate purpose (understanding website use), necessity (the processing achieves the purpose), and balancing (the data subject’s rights do not override). The EDPB has accepted this reasoning for basic analytics provided the controller does not build per-user profiles, does not enable cross-site tracking, and stores no personal data beyond what is strictly needed for aggregate measurement.
Why GDPR is not enough
The common mistake: assuming an Art. 6(1)(f) DPIA replaces the cookie banner. It does not. ePrivacy Article 5(3) applies independently of GDPR’s lawful basis. Storing a cookie or reading localStorage requires consent regardless of how the data is processed afterward. Legitimate interest unlocks GDPR; ePrivacy still requires the banner.
When it does work
Art. 6(1)(f) becomes the right basis when paired with an architecture that does not trigger ePrivacy: no cookie, no localStorage, no device storage. Server-side aggregate measurement falls in this category — GDPR scope may or may not engage (if no personal data is processed, it does not), and ePrivacy explicitly does not. This is the legal foundation of consentless analytics: the analytics is lawful by architecture, not by paperwork.
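What "lawful by architecture" looks like in code, as an added illustration that is not part of the original page: a server-side counter that keeps only (day, path) view totals, sets no cookie, and drops IP and user agent after counting. The request shape (a dict with path, ip, user_agent and ts) and the sample requests are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone


class AggregateAnalytics:
    """Server-side aggregate measurement: the only state kept is a
    (day, path) -> view count table. No cookie is set, nothing is read
    from device storage, and per-request details are discarded."""

    def __init__(self):
        self.views = Counter()

    def record(self, request):
        # request is a dict: {"path", "ip", "user_agent", "ts"} (assumed shape).
        day = datetime.fromtimestamp(request["ts"], tz=timezone.utc).date().isoformat()
        self.views[(day, request["path"])] += 1
        # Deliberately nothing else is retained: no IP, no UA, no per-user id,
        # so the stored data cannot identify a visitor or link their visits.

    def respond(self, request):
        """Count the hit and answer without any Set-Cookie header."""
        self.record(request)
        return {"status": 200, "headers": {"Content-Type": "text/html"}}

    def report(self, day):
        """Aggregate page views for one UTC day: {path: count}."""
        return {path: n for (d, path), n in self.views.items() if d == day}

    def retains_identifiers(self):
        """True if any raw identifier leaked into the stored state."""
        return any(isinstance(k, str) and ("." in k or "/" not in k)
                   for key in self.views for k in key[1:])


def stores_no_device_state(response):
    """ePrivacy check: the response must not write to the client's device."""
    return "set-cookie" not in {k.lower() for k in response["headers"]}


# Constructed sample traffic: two visitors, two UTC days.
SAMPLE_REQUESTS = [
    {"path": "/", "ip": "203.0.113.5", "user_agent": "ua-a", "ts": 1700000000},
    {"path": "/pricing", "ip": "203.0.113.5", "user_agent": "ua-a", "ts": 1700000100},
    {"path": "/", "ip": "198.51.100.7", "user_agent": "ua-b", "ts": 1700000200},
    {"path": "/", "ip": "198.51.100.7", "user_agent": "ua-b", "ts": 1700007200},
]


def run_sample():
    analytics = AggregateAnalytics()
    responses = [analytics.respond(r) for r in SAMPLE_REQUESTS]
    return analytics, responses
```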
Authority guidance
The CNIL, German DSK, AEPD, Italian Garante and UK ICO have all published guidance accepting legitimate interest for analytics — provided the architecture meets the exemption criteria (no per-user identification, no cross-site tracking, aggregate reporting, EU-only processing). The convergence makes legitimate interest the cleaner-than-consent path for analytics that is built correctly.
Related concepts
- GDPR Analytics Compliance: Meeting GDPR requirements for web analytics: lawful basis for processing, data minimization, purpose limitation, and — if using cookies — valid consent collection before tracking.
- Consent Management Platform (CMP): Software that displays cookie consent banners and manages user preferences. Required under GDPR for websites using cookies or collecting personal data. Typical EU rejection rates: 35%.
- Cookieless Analytics: Web analytics that captures visitor data without using browser cookies, enabling 100% traffic measurement regardless of consent status or browser restrictions.
- ePrivacy Directive: EU Directive 2002/58/EC governing privacy in electronic communications, including the rule (Art. 5(3)) that consent is required before storing or accessing information on a user's terminal device. The legal basis for cookie consent banners.
Learn more: GDPR Analytics Without Consent
