ePrivacy Directive, National Implementations and Website Analytics
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”), focuses on the privacy of electronic communications. The Directive covers confidentiality, traffic data, location data, unsolicited communications, the storing of or access to data in terminal devices, and the security of services.
Scope Beyond Personal Data
Unlike the GDPR, which focuses on personal data, the ePrivacy Directive covers “gaining access to or storing information on users’ terminal devices.” ePrivacy law applies even to anonymous data sets: even if you don’t collect personal data using analytics, you may need to request consent under the ePrivacy implementing laws.
More Than Cookies
In November 2023, the European Data Protection Board (EDPB) released draft Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive for public consultation. The draft Guidelines state that Art. 5(3) applies to:
- various forms of terminal equipment (i.e., any equipment directly or indirectly connected to network, whether owned or rented, used by an individual or multiple users, e.g., a connected car, smartphone, laptop, connected TV, IoT device, etc.);
- various modes and means of storing information or gaining access to information;
- a broad range of technologies (e.g., storage of viruses on terminal equipment, fingerprinting, tracking of resource identifiers, URL and pixel tracking, local processing, tracking based on IP only (in most cases), intermittent and mediated IoT reporting, unique identifiers).
A final guideline has not yet been issued.
Consent Requirement
Article 5(3) of the directive is crucial for website owners as it requires that visitors must provide consent before any information is stored or accessed in the visitors’ terminal equipment, subject to two exceptions (see section below). Unless these exemptions apply, website owners must obtain consent before placing cookies or using similar tools to track visitor data. This includes:
- Displaying a cookie banner to inform users about the use of cookies.
- Detailing the purposes of the cookies.
- Obtaining and recording user consent.
- Providing mechanisms for users to withdraw consent at any time.
When Consent Is Not Required
Across the EU, consent is not required for storing or accessing information where it is strictly necessary for providing an online service explicitly requested by the user or solely required for transmission of a communication. These are often referred to as “essential” and include cookies or tools used for the following purposes:
- recording users’ cookie preferences;
- personalising the user interface (language or UI settings) but only when the personalisation is an expected element of the service (does not apply to advertising);
- remembering shopping cart contents;
- allowing load balancing;
- user authentication;
- session security.
Differences in interpretation and what it means for website analytics users
Unlike the GDPR, the ePrivacy Directive must be implemented through national laws in each EU member state, leading to varying interpretations and enforced rules around cookie consent. This variability especially affects what is considered “strictly necessary” or “essential” cookies. This is particularly evident in the case of privacy-friendly analytics tools.
Supervisory authorities in some EU member states (e.g., France, Spain, Italy) decided that privacy-focused website analytics can be “essential,” exempting them from the consent requirement if configured in a specific way. However, a full set of analytics will not be available under this exemption.
The EDPB Draft Guidelines provide more detail on when Art. 5(3) applies, though they have not resolved the question of whether website analytics can be exempt from the consent requirement. Some of the public feedback on the Draft suggested that the EDPB address this omission in the final version of the Guidelines.
In the absence of an ePrivacy regulation offering a unified EU approach, website publishers must navigate the different national approaches to analytics compliance. The decision on compliance will depend on:
- the website’s geographic reach;
- the full set of cookie and tracking tools used on their website (not only analytics);
- the preferred functionalities of the analytic tools; and
- whether the consent management platform or tool used by the website owner can be configured to collect consents from some locations, while presenting consent-exempt analytics in the other.
For example:
- For websites targeting visitors from France, Spain, Italy, or the Netherlands, the website owner may choose to configure the analytics tool using the consent-exempt configuration option permitted by the relevant national supervisory authorities, including the Opt-Out feature. However, if the website owner intends to track data beyond what is considered consent-exempt (e.g., Heatmaps, User IDs, Session Recordings, advertising conversion exports or eCommerce data), a consent banner must be implemented before enabling these plugins.
- In countries where supervisory authorities have explicitly stated that website analytics always require consent, requesting user consent remains the safest and most compliant approach.
- For websites directed at visitors from jurisdictions that do not have specific cookie laws and do not require cookie banners, Matomo analytics can be used without cookie consent. However, compliance with privacy laws is still required when collecting personal data, and anonymised analytics may be preferable in such cases.
- Website owners may opt for anonymised, aggregated analytics with privacy-preserving configurations (see “How do I use Matomo Analytics without consent or cookie banner?”). However, these configurations may reduce the accuracy of the analytics and may not be suitable for those looking to use the full range of analytics features.
- Websites with a global audience can either implement a consent banner globally or use a consent management platform that allows geotargeting, such as showing a consent banner in the EU or selected jurisdictions while omitting it elsewhere.
- When website analytics or tracking are used for advertising or marketing purposes, consent is always required in EU countries.
Variability Across European Countries
Strict Interpretation
Countries where the relevant supervisory authorities have expressly stated that consent is required for all forms of website analytics falling within the technical scope of the ePrivacy Directive, regardless of their privacy impact, include Austria [1], Cyprus [2], Germany (some Land supervisory authorities [3]), Finland [4], Ireland [5], Latvia [6], Lithuania [7], and the UK [8].
Some of these supervisory authorities suggest that enforcement against first-party, aggregated, privacy-preserving website analytics may not be an enforcement priority (Ireland, UK).
a) Germany
The ePrivacy Directive implementing laws, TDDDG (and earlier TTDSG), require consent for website analytics. For compliance with the German laws, we recommend asking for consent before collecting analytics data using Matomo.
Note that some German supervisory authorities, e.g. the Baden-Württemberg SA [9], have stated that it is possible to carry out “reach analysis” (audience measurement) that falls outside the TDDDG (formerly TTDSG) and can be done without consent. Such audience measurement must:
- use local log file analysis only;
- not access the terminal device;
- involve no external third-party services (no third party may analyse user behaviour and no personal data may be passed on to third parties);
- use a data-saving configuration;
- involve no merging of usage data across provider or device boundaries;
- involve no use of the information to recognise the user for any other purpose; and
- have as its purpose the creation of aggregated statistics that cannot be related to individuals.
Matomo Log Analytics uses only log files. Analytics based on log files will produce only a limited analytics set.
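As an added illustration of the log-file-only, data-saving, aggregated reach analysis described above (this is example code, not Matomo's Log Analytics or any authority's reference implementation), the script below parses constructed web-server log lines locally, truncates each client address before any other use, and keeps only per-page, per-day counts. The /48 prefix for IPv6 and the distinct-network figure are assumptions of this example, not requirements stated by any supervisory authority.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed sample lines in the Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [05/Mar/2024:10:15:02 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"
203.0.113.45 - - [05/Mar/2024:10:16:40 +0000] "GET /docs HTTP/1.1" 200 8100 "https://example.org/pricing" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2024:11:02:11 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:abcd:12::7 - - [06/Mar/2024:09:00:00 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://search.example/q?x=1" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "[^"]*"$'
)


def mask_ip(raw: str) -> str:
    """Truncate the client address before it is used for anything else.
    IPv4: the fourth octet is dropped (the minimum quoted for Italy on this page).
    IPv6: a /48 prefix is kept (an assumption; the page states no IPv6 rule)."""
    addr = ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{prefix}", strict=False).network_address)


def parse_line(line: str):
    """Return the minimal record needed for aggregation, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    ref = m["referrer"]
    # Only the referrer host is kept, never the full URL (it may carry query strings).
    ref_host = urlparse(ref).netloc if ref != "-" else "(direct)"
    return {"day": day, "path": m["path"], "referrer": ref_host, "net": mask_ip(m["ip"])}


def aggregate(log_text: str) -> dict:
    """Per-page, per-day statistics only: pageviews, distinct masked networks, referrer hosts.
    Nothing about an individual request survives; the distinct-network figure is a coarse
    visitor proxy (an assumption of this example, not an authority requirement)."""
    pages = defaultdict(lambda: {"pageviews": 0, "nets": set(), "referrers": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skipped, not stored
        bucket = pages[(rec["day"], rec["path"])]
        bucket["pageviews"] += 1
        bucket["nets"].add(rec["net"])
        bucket["referrers"][rec["referrer"]] += 1
    # Reduce the set of masked networks to its size so no address-derived value is emitted.
    return {key: {"pageviews": b["pageviews"], "networks": len(b["nets"]),
                  "referrers": dict(b["referrers"])} for key, b in pages.items()}


if __name__ == "__main__":
    for (day, path), stats in sorted(aggregate(SAMPLE_LOG).items()):
        print(day, path, stats)
```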
b) United Kingdom
In the UK, the ePrivacy Directive is implemented through the Privacy and Electronic Communications Regulations (PECR). The ICO’s comprehensive guide on cookies and similar technologies expressly requires consent for analytics cookies [10]:
- Analytics cookies do not fall under the “strictly necessary” category.
- Consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices.
- The ICO cannot rule out the possibility of formal action in any area, although this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and a low risk of harm to individuals. However, where first-party analytics cookies provided by a third party are used, this is not necessarily going to be the case.
- Consent is expressly required for marketing cookies, social media plugins, social media tracking, online advertising and cross-device tracking.
For compliance with the UK laws, obtaining consent is recommended.
c) Ireland
The Irish Data Protection Commission expressly requires consent for analytics cookies [11]. However, in its Guidance, the DPC acknowledges that first-party analytics cookies are not likely to create a privacy risk when they:
- are strictly limited to first-party aggregated statistical purposes;
- are used by websites that already provide clear information about such cookies in their privacy policy;
- provide adequate privacy safeguards; and
- include a user-friendly mechanism to opt out of any data collection for analytics.
The guideline further states that it is unlikely that first-party analytics cookies would be considered a priority for enforcement action by the Data Protection Commission.
For compliance with the Irish laws, obtaining consent is recommended.
Lack of Specific Guidance
Countries where the relevant supervisory authorities have not provided any specific guidelines on analytics include Bulgaria, Croatia, Estonia, Malta, Norway, Poland, Portugal, Romania, and Sweden. For these countries, website owners may prefer to adopt a conservative approach and ask for consent to website analytics. An alternative approach, based on the website owner’s assessment of the risks, may be to configure Matomo in a similar way to that described in the Exemptions section below.
Exemptions for Privacy-preserving Aggregated Analytics
Countries where the relevant supervisory authorities have exempted certain categories of privacy-focused analytics from consent, provided they meet certain criteria, include France, Italy, the Netherlands, Spain, and Switzerland.
a) France
The French supervisory authority, CNIL, recognises that some audience measurement trackers are strictly necessary and exempt from consent:
- audience measurement, page by page;
- a list of pages from which a link has been followed to request the current page (sometimes referred to as a “referrer”), whether internal or external to the site, by page and aggregated on a daily basis;
- the type of terminal, browser and screen size of visitors, per page and aggregated on a daily basis;
- page load time statistics, per page and aggregated on an hourly basis;
- statistics of time spent on each page, bounce rate, scroll depth, per page and aggregated on a daily basis;
- statistics on user actions (click, selection), by page and aggregated on a daily basis;
- statistics on the geographical area of origin of the requests, by page and aggregated on a daily basis.
These trackers are exempt from consent, subject to the following conditions.
To be exempt the trackers must:
- have a purpose strictly limited to the sole measurement of the audience of the site or application (performance measurement, detection of navigation problems, optimisation of technical performance or its ergonomics, estimation of the power of the servers required, analysis of the content consulted);
- be used exclusively on behalf of the publisher;
- be used to produce anonymous statistical data only.
To be exempt the trackers must not:
- allow the global tracking of the person using different applications or browsing different websites;
- be used for cross-checking of the data with other processing;
- be transmitted to third parties.
Furthermore, any solution using the same identifier across several sites (via, for example, cookies placed on a third-party domain loaded by several sites) to cross-reference, duplicate or measure a unified coverage rate (“reach”) of content is excluded.
In addition:
- Users must be informed of the use of the exempt trackers (e.g., in the website privacy policy);
- The lifespan of the trackers must be limited (max 13 months);
- Information collected by the trackers is stored for no longer than 25 months;
- The lifespan and retention periods are regularly reviewed to make sure they are limited to what is strictly necessary;
- Data is collected, processed and stored independently for each publisher and the trackers are completely independent of each other and any other tracker.
CNIL expressly states that the following trackers are not exempt:
- trackers used to display personalised or non-personalised advertising;
- trackers with social network sharing functionality;
- using the same tracker for multiple purposes, some of which do not fall within these exemptions. For example, in the case of a service offered through a platform that requires user authentication (a “logged-in environment”), the service provider can use a cookie to authenticate users without seeking their consent, because this cookie is strictly necessary for providing the online communication service. However, the same cookie cannot be used for advertising purposes unless users have previously given their specific consent to this purpose.
Refer to the Matomo documentation to learn more about how to configure Matomo to rely on the CNIL exemption for audience measurement tools.
Both Matomo On-Premise and Matomo Cloud can be configured to comply with the CNIL consent exemption. Matomo On-Premise is a self-hosted solution. Matomo Cloud is a hosted solution, but each Customer’s data is collected, processed and stored independently for each Customer, the trackers are completely independent of each other and of any other tracker, and the data is not used for any purpose other than processing data for the Customer.
Important note:
The CNIL exemption requirements are cumulative, meaning that if you don’t comply with all the requirements (because you add other cookies, or track the individual or share the data with third parties), you can no longer rely on the exemption.
If you are using other non-exempt Matomo tracking tools (e.g., User ID, Heatmaps, Session Recordings, eCommerce, Advertising Conversions, etc.) or non-exempt features of other tools, you will need to ask your visitors for prior consent. This means that you will need to implement a cookie banner/consent manager to record your visitors’ consent before you can start tracking their activity using Matomo.
b) Italy
The Italian supervisory authority, Garante per la protezione dei dati personali, considers that some types of analytics can be permitted without consent [13 It, 13 Eng].
Such analytics must:
- prevent direct identification or singling out of a data subject (no direct, unique identifiers);
- only be used to produce aggregated statistics concerning a single site or a single mobile app;
- not allow tracking of an individual’s navigation across different applications or websites;
- mask out at least the fourth component of each IP address;
- not be matched by the third parties providing the analytics services with any other information (such as customer records or statistics concerning visits to other websites), and must not be forwarded by those third parties to other third parties. However, statistical analyses concerning several domains, websites or apps that can be traced back to the same publisher or group of undertakings are allowed.
Where a controller produces, through its own resources, statistics on data relating to several domains, websites or apps that can be traced back to that controller, non-encrypted data may also be used, provided purpose limitation constraints are complied with.
Tools used to profile, or to trace specific actions or recurring behavioural patterns back to an identified or identifiable person, or to send advertising messages, are not exempt.
Website owners wishing to comply with the Italian exemption requirements could consider configuring Matomo in line with the CNIL configuration recommendations set out above.
c) The Netherlands [14]
Analytical cookies that help to improve a website may be placed without permission, as long as they have little impact on the privacy of the visitors. The website owner must inform visitors that such cookies are used. For privacy-sensitive analytical cookies, consent is required. Specifically, cookies that make it possible to track a visitor’s internet behaviour over time or between websites, or to create visitor profiles, always require prior consent. Tracking cookies used for marketing or advertising purposes also always require consent.
Website owners wishing to comply with these exemption requirements could consider configuring Matomo in line with the CNIL configuration recommendations set out above.
d) Spain
In January 2024, the Spanish Data Protection Agency (AEPD) released guidance on the use of cookies for audience measurement. The AEPD considers that, for the proper administration of a website, only the following measurements are strictly necessary (and consent-exempt):
- audience measurement, page by page;
- the list of pages from which a link has been followed to request the current page (sometimes called “referrer”), whether internal or external to the site, per page and aggregated daily;
- determination of the type of device, browser, and screen size of visitors, per page and aggregated daily;
- page load time statistics, per page and aggregated hourly;
- statistics on the time spent on each page, bounce rate, scroll depth, per page and aggregated daily;
- statistics on user actions (clicks, selections), per page and aggregated daily;
- statistics on the geographical area of origin of requests, per page, and aggregated daily.
In addition:
- the lifespan of trackers must be limited to 13 months and retention to 25 months, and both must be subject to periodic review;
- visitors must be informed about the use of cookies that are considered exempt, e.g., via the privacy policy;
- if any non-exempt cookies remain, consent is required;
- if data is collected by a provider of audience measurement service, the data must be collected, processed and stored independently for each publisher and the trackers must be used independent of each other; and
- other conditions also apply (concerning strictly necessary processing, entering into a processing agreement, data transfers and internal or external configuration compliance assessment).
Website owners wishing to comply with the Spanish exemption requirements could consider configuring Matomo in line with the CNIL configuration recommendations set out above. In contrast with CNIL, the AEPD does not require that the dataset be anonymised; however, data processing must be limited to what is strictly necessary for the purpose of audience measurement.
e) Switzerland [15]
Switzerland is not an EU member state and is not required to follow the ePrivacy Directive. The use of cookies must be in line with the Federal Act on Data Protection (FADP).
Swiss law does not explicitly require prior consent for cookies that do not involve processing sensitive data. However, website operators must inform users about the use of cookies and the processing of personal data associated with them. This information should be clear, comprehensive, and easily accessible. In other words, web analytics can be used without consent, but data processing must comply with data protection law if personal data is processed.
For advertising cookies and social media cookies, we recommend obtaining consent.