Understanding when consent is required under GDPR is essential for anyone collecting user data online. If you rely on analytics, A/B testing, or behavioural tracking, knowing when consent is legally necessary could save your business from compliance risks — and help maintain trust. In this article, we break down GDPR consent requirements in plain language, with a special focus on how they impact web analytics and tracking.
What Is GDPR Consent?
GDPR consent is a clear, affirmative action that users must take to allow processing of their personal data. It must be:
- Freely given
- Specific
- Informed
- Unambiguous
This means pre-ticked boxes, vague language, or burying consent in your terms won't cut it. Read more in our guide to GDPR-compliant analytics.
When Is Consent Required Under GDPR?
You must request explicit user consent under GDPR in the following situations:
1. Using Cookies or Similar Tracking Technologies
If your website uses:
- Marketing or retargeting cookies
- Third-party analytics scripts that use cookies
- Tools that fingerprint or uniquely identify users
👉 Consent is required before any data is collected.
Example: Google Analytics sets cookies to identify users — so it requires consent under GDPR.
✅ Solution: Consider a cookie-free analytics tool like Userbird to bypass this need entirely.
2. Tracking Users Across Websites or Devices
If you’re:
- Tracking logged-in users across domains
- Building user profiles
- Conducting cross-device tracking
👉 You need explicit consent, because this constitutes profiling under GDPR.
3. Processing Special Category Data
This includes data that reveals:
- Racial or ethnic origin
- Health conditions
- Religious beliefs
- Sexual orientation
👉 Even if it’s user-submitted (e.g. via forms), you must get explicit consent before storing or processing it.
4. Email Marketing & Newsletter Sign-Ups
Even if you already have a business relationship, GDPR requires:
- Unbundled consent (separate from T&Cs)
- Clear opt-in mechanisms (not opt-out)
Example: Pre-ticked boxes or passive consent don’t count.
5. Session Replay and Heatmaps (Sometimes)
If session replays collect keystrokes, mouse movement, or on-screen inputs and tie them to a user ID, consent may be required.
✅ Privacy-first session replay (like Userbird's) avoids this by:
- Not recording sensitive fields
- Using anonymised, cookie-free technology
Learn how Userbird does it.
When Consent Is Not Required
Consent is only one of the GDPR's six lawful bases for processing. The bases below don’t require consent if you meet their criteria:
✅ Legitimate Interest
You may collect some data without consent if:
- It's necessary for your service
- It doesn’t override users' rights
- You’ve conducted a Legitimate Interest Assessment (LIA)
However, this does not apply to cookies. Under the ePrivacy Directive, cookies always require consent unless strictly necessary.
✅ Performance of a Contract
If you're providing a service (like a shopping cart) and the data is essential to fulfil the contract, consent is not required.
Example: Tracking product clicks within a logged-in user dashboard may fall under this basis — if analytics are part of the user agreement.
GDPR Consent Checklist for Marketers
| ✅ Task | 📌 Description |
|---|---|
| Cookie Consent Banner | Required for any cookies except essential ones |
| Consent Logging | Record timestamp and consent preference |
| Unbundled Consent | Avoid hiding consent in other agreements |
| Easy Withdrawal | Allow users to change their preferences anytime |
| Geo-Targeting | Show consent banners only where legally required (e.g., EU/EEA) |
Choosing Tools That Don’t Require Consent
Not all analytics platforms need consent. Userbird offers:
- 🍪 Cookie-free tracking
- 🌍 GDPR and ePrivacy-compliant architecture
- 🎯 Real-time insights and automatic event tracking
- 🔥 Heatmaps and session recordings with anonymisation
- ⚡ Fast-loading scripts under 3KB (see script size)
This means you can skip the consent banners while still tracking what matters. Compare with tools like Plausible, Fathom, and Simple Analytics.
Final Thoughts: Make Consent a Strength
Understanding when consent is required under GDPR is about more than compliance.
Choose tools and practices that make privacy the default. With solutions like Userbird, you can gain rich insights without invasive tracking.
👣 Next Steps
- 🔍 Explore Userbird’s features
- 💰 Check out Userbird’s pricing
- 📘 Read more on GDPR-compliant analytics
- 🛠 Visit our docs for setup help
Looking for privacy-focused, powerful analytics?
Try Userbird today and unlock actionable insights — without compromising data privacy.
