GDPR-Compliant WordPress Analytics: What You Can (and Can’t) Collect


If you run a WordPress site and collect any data about your visitors, GDPR applies to you — regardless of whether your site is based in the EU or whether your visitors are. For most site owners, the relevant regulations are three overlapping frameworks: GDPR (EU), CCPA (California), and PECR (UK). Understanding what each one requires is the foundation of running analytics that is both useful and legally sound.

This guide covers what you can and cannot collect, what requires consent and what doesn’t, and how to make practical decisions for your WordPress analytics setup.


The Three Regulations You Need to Know

GDPR (General Data Protection Regulation)

GDPR is the EU’s framework for data protection, in force since May 2018. It applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. If you have any EU visitors, GDPR applies.

Key principles relevant to analytics:

  • Data minimisation: Collect only what you actually need
  • Purpose limitation: Use data only for the stated purpose
  • Storage limitation: Don’t keep data longer than necessary
  • Lawful basis: You must have a legal reason to process data — consent, legitimate interests, or contract, most commonly

CCPA (California Consumer Privacy Act)

CCPA applies to for-profit businesses that collect personal information about California residents and meet certain thresholds (annual revenue over $25M, data on 100,000+ consumers, or 50%+ revenue from selling personal data). For most small WordPress sites, CCPA thresholds are not met — but it’s worth understanding.

Under CCPA, “personal information” is broadly defined and includes IP addresses, device identifiers, and browsing history. The key obligation is the right for California residents to opt out of the sale of their personal information.

PECR (Privacy and Electronic Communications Regulations)

PECR is the UK’s regulation (a UK-specific version of the EU’s ePrivacy Directive) that specifically governs the use of cookies and similar technologies. PECR is what makes a cookie banner necessary for tracking cookies — not GDPR directly. Under PECR, you need consent to store or access information on a user’s device, which is what analytics cookies do.


What Personal Data Is (In the Context of Analytics)

Before deciding what you can collect, you need to know what counts as personal data. Under GDPR, personal data is any information that can identify a natural person — directly or indirectly.

In an analytics context:

| Data point | Personal data? | Notes |
|---|---|---|
| Full IP address | Yes | Can identify an individual or household |
| Truncated IP (last octet removed) | Borderline / No | Significantly harder to identify an individual |
| Hashed/anonymised IP | No | Cannot be reversed to identify someone |
| Full URL with query parameters | Sometimes | URLs can contain names, email addresses, or session tokens |
| URL without query parameters | Generally no | The page path alone is not personal |
| Device type (desktop/mobile) | No | Too broad to identify an individual |
| Browser and OS | Borderline | Used in fingerprinting; alone not usually personal |
| Referrer URL | Sometimes | Referring URL may contain personal data in parameters |
| Page title | Generally no | Unless the title contains a person’s name |
| Session ID linked to a user | Yes | If linked to an identifiable account |

What You Can Collect Without Consent

Under GDPR, you can process data without consent if you have a different lawful basis. For analytics, the most commonly relied-upon basis is legitimate interests under Article 6(1)(f) — provided you conduct a legitimate interests assessment (LIA) and can demonstrate that your interests are not overridden by the rights and interests of the data subject.

The Information Commissioner’s Office (ICO) and other EU data protection authorities have indicated that anonymised analytics data can typically be processed under legitimate interests, without consent, if:

  1. No cookies or persistent identifiers are set on the visitor’s device
  2. IP addresses are anonymised before storage (truncated or hashed, not stored in full)
  3. Data is processed locally — not shared with or sent to third parties
  4. Only aggregate or pseudonymous data is used — no individual user profiling
  5. Data retention is limited — not kept beyond what is necessary for the stated purpose

When all five conditions are met, the processing is genuinely low-risk to privacy and can proceed under legitimate interests, without a consent banner.

What this means in practice: Tracking page URLs, anonymised IPs, device types, referrers, and timestamps — when stored locally on your own server — is generally permissible without consent under GDPR.


What Requires Consent

The following analytics activities require explicit, informed consent under GDPR and PECR:

Setting cookies for analytics purposes

Under PECR (UK) and the ePrivacy Directive (EU), storing a cookie on a visitor’s device requires consent — unless the cookie is strictly necessary for a service the visitor has explicitly requested. Analytics cookies are not strictly necessary, so they require consent.

This applies to:

  • Google Analytics (GA4) tracking cookies
  • Matomo cookies (in default configuration)
  • Facebook Pixel
  • Any tool that sets a first or third-party cookie to track visitors

Sending data to third-party servers

If visitor data (including IP addresses) is transmitted to a third-party server — Google’s, Matomo Cloud’s, or any other vendor’s — this constitutes a data transfer that requires a lawful basis and, in most cases, explicit consent or a valid data processing agreement.

Cross-session user profiling

Building a profile of an individual user’s behaviour across multiple visits — even using anonymised identifiers — requires consent. This is the “tracking” that GDPR targets most directly.

Linking analytics data to identifiable user accounts

If you correlate analytics data with logged-in WordPress user accounts (names, emails, purchase history), the resulting combined dataset is personal data and requires consent for the analytics processing.


The Data Active Analytics Collects — and Why It’s Different

Active Analytics was designed specifically to operate within the legitimate-interests basis without requiring consent. Here is what it collects and the legal rationale for each:

| Data collected | How it’s handled | Legal basis |
|---|---|---|
| IP address | Anonymised before storage — not stored in full | Legitimate interests (anonymised, no personal data) |
| Page URL | Stored without query parameters | Legitimate interests (no personal data) |
| Post ID | Internal WordPress identifier only | Legitimate interests (no personal data) |
| Device type | Binary: desktop or mobile only | Legitimate interests (cannot identify individual) |
| Referrer | Last referring URL only | Legitimate interests (aggregate traffic source data) |
| Timestamp | Unix timestamp of visit | Legitimate interests (required for time-series data) |

What Active Analytics does not collect:

  • Full IP addresses
  • User agent strings (browser fingerprinting data)
  • Session recordings or heatmap data
  • Any data from logged-in users (unless explicitly enabled)
  • Any cross-session user identifier

All data is stored in your WordPress database on your own server. Nothing is shared with, sent to, or processed by any third party.
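To make the five conditions above and the per-field handling in this table concrete, here is an added example (not the plugin’s code, and not taken from the original post) of a minimised hit record: the IP is truncated to its network prefix and then keyed-hashed with a server-side secret, query strings are stripped from the page URL and referrer, the user agent is reduced to desktop/mobile and discarded, and a retention purge enforces storage limitation. The secret, the sample addresses and URLs, and the 730-day default are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed server-side secret. In practice generate it randomly and rotate it
# (e.g. daily) so that hashed values cannot be joined across rotation periods.
SALT = b"constructed-example-secret-rotate-me"


def truncate_ip(ip: str) -> str:
    """Drop the host part: last octet of IPv4, everything after /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def hash_ip(ip: str, salt: bytes = SALT) -> str:
    """Keyed hash of the truncated address. A plain, unkeyed hash of an IPv4
    address is brute-forceable (only 2^32 inputs), so the key is what makes
    the stored value non-reversible for anyone without it."""
    return hmac.new(salt, truncate_ip(ip).encode(), hashlib.sha256).hexdigest()[:16]


def strip_query(url: str) -> str:
    """Keep scheme, host and path only; query strings and fragments may carry
    names, e-mail addresses or session tokens."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def device_type(user_agent: str) -> str:
    """Crude binary classification; the raw UA string is never stored."""
    return "mobile" if "mobi" in user_agent.lower() else "desktop"


def minimise_hit(ip: str, url: str, referrer: str, user_agent: str, ts: int) -> dict:
    """Build the only record that is written to the database."""
    return {
        "ip_hash": hash_ip(ip),
        "url": strip_query(url),
        "referrer": strip_query(referrer) if referrer else "",
        "device": device_type(user_agent),
        "ts": int(ts),
    }


def purge_expired(records: list, now: int, retention_days: int = 730) -> list:
    """Storage limitation: drop records older than the retention period."""
    cutoff = now - retention_days * 86400
    return [r for r in records if r["ts"] >= cutoff]
```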


Practical Steps for Compliance

1. Audit your current analytics stack

List every analytics or tracking tool currently active on your site. For each one, identify: what data it collects, where it sends data, whether it sets cookies, and what lawful basis you’re relying on.

2. Remove or replace tools that require consent (if you want to avoid a banner)

If you want to run analytics without a consent banner, you need to remove any tool that sets cookies or sends data to third parties. Replace them with a cookieless, first-party alternative.

3. Update your privacy policy

Even when consent is not required, you must inform visitors about the data you collect under GDPR’s transparency requirement (Articles 13 and 14). Add a section to your privacy policy covering:

  • What data is collected
  • The lawful basis for processing
  • How long data is retained
  • Your contact details for data subject requests

Active Analytics includes a ready-to-use sample privacy policy section in its documentation.

4. Set a data retention period

GDPR’s storage limitation principle requires you to delete data when it is no longer needed. Active Analytics includes configurable automatic data deletion. The default is 2 years — a reasonable period that aligns with common DPA guidance. Set this in Settings → Active Analytics → Data Retention.

5. Conduct a Legitimate Interests Assessment (LIA)

If you are relying on legitimate interests as your lawful basis, you should document an LIA — a three-part test that assesses: (a) your legitimate interest, (b) the necessity of the processing, and (c) a balancing test against the rights of data subjects. For anonymised analytics of the type Active Analytics performs, this test is typically straightforward to pass. Keep the LIA on file in case of a regulator query.


Common Questions

Do I need a cookie banner if I use Active Analytics?
For most sites using Active Analytics as their only analytics tool, no. The plugin does not set cookies and processes only anonymised data locally. Standard analytics processing of this type does not require consent under GDPR. See our full guide: How to Track WordPress Visitors Without a Cookie Banner →

What if I also run Google Ads or Facebook Pixel?
Those tools set tracking cookies and send data to third-party servers. They require consent, and if you run them alongside Active Analytics, you still need a consent banner — for those tools. Active Analytics itself does not require one.

Does GDPR apply to my site if I’m not in the EU?
If your site has EU visitors (which most public websites do), GDPR applies to how you process their data. Location of the organisation is not the determining factor.

Can I track logged-in WordPress users?
Active Analytics has an option to track logged-in users (disabled by default). Enabling this means you may be processing personal data, because logged-in users are identifiable. This would require a consent basis. Leave it off unless you have a specific need and appropriate legal basis.

How long should I keep analytics data?
There is no single answer in GDPR — only the principle of keeping data “no longer than necessary.” For web analytics, 12–24 months is the range most Data Protection Authorities have indicated is reasonable. Active Analytics defaults to 2 years.


Summary

| Scenario | Consent required? |
|---|---|
| Cookieless analytics, anonymised IP, stored locally | Generally no — legitimate interests applies |
| Analytics cookies set on visitor’s browser | Yes — PECR requires consent |
| Data sent to third-party analytics server | Yes — requires lawful basis, usually consent |
| Cross-session user profiling | Yes — consent required |
| Logged-in user tracking | Yes — personal data, consent required |

Running GDPR-compliant analytics on WordPress is straightforward if you use the right tool and understand what the law actually requires. The key distinction is between collecting anonymised, first-party traffic data (generally permissible) and tracking individual users with cookies or external services (requires consent).


Run compliant analytics from day one: Active Analytics for WordPress — €29/year →
