GDPR-compliant tracking refers to collecting and analysing user data on websites in compliance with the General Data Protection Regulation (GDPR) and the German TDDDG – in particular through valid consent, data minimisation or the use of cookieless analytics that do not require consent.
If you want to know how visitors use your shop, you cannot measure it any way you like: personal data may generally only be collected with consent or via particularly data-minimising methods. Put simply: either visitors actively agree to tracking – or the analytics must be built to work without personal data.
Why do I need to know this?
Web analytics, conversion measurement and marketing pixels generally process personal data – which brings the GDPR into play. In addition, Section 25 of the German TDDDG requires consent before information is stored on or read from the user's device (such as cookies or local storage), unless this is strictly technically necessary. Violations can result in fines; in severe cases the GDPR provides for up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. On top of that, competitors and consumer associations can issue cease-and-desist letters.
Practical relevance for shop and website operators
In practice, two approaches have become established. First: a consent banner that obtains genuine, voluntary consent before tracking scripts load. The downside: some visitors decline, leaving gaps in the data. Second: cookieless analytics that do not require consent, with no device access and no personal profiles – for example self-hosted analytics solutions configured without cookies, or aggregated server log analysis. Our article on running a shop without a cookie banner shows how this can work; it is also worth looking at server-side tracking and a first-party data strategy.
Which option fits depends on the business model: those running detailed marketing retargeting will generally not get around consent. Those who mainly want to understand reach, content performance and conversion funnels are often better served by data-minimising methods – and spare their visitors the banner.
Typical mistakes
- Tracking scripts load before consent is given – the banner is then mere decoration
- Manipulative banner design (dark patterns) that hides or complicates the "decline" option – such consent is generally invalid
- Data transfers to third-country providers without a sound legal basis and without reviewing the transfer mechanisms
- The privacy policy does not list all tools in use, their purposes and retention periods
- "Legitimate interest" is used as a blanket legal basis for marketing tracking, even though Section 25 TDDDG requires consent for device access
What to look out for
Start by establishing which tools actually run and what data they send where – over the years, scripts often accumulate that nobody uses anymore. Conclude data processing agreements with all processors, document legal bases in your record of processing activities, and verify the banner logic technically: does anything really load before consent? We support the selection and integration of privacy-friendly analytics setups as part of our consulting services; we look at the measurable effects on visibility and conversion together with search engine optimisation.
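The technical check described above (does anything load before consent?) has two halves: the page's own tracking loaders must be gated on consent rather than merely hidden by the banner, and the network traffic of a real page load should be audited for tracker calls that fire earlier than the recorded consent. The following is an added example written for this article, not code from the article or from any consent tool it mentions. The tracker host list, the `{url, ts}` request-log format (as you might export it from a browser's network panel) and the sample log are constructed assumptions for illustration.

```javascript
// Added example: consent-gated loading of tracking scripts plus an audit of a
// captured request log. TRACKER_HOSTS and the log format are assumptions.

const TRACKER_HOSTS = new Set([
  "www.google-analytics.com",
  "www.googletagmanager.com",
  "connect.facebook.net",
]);

// Typical mistake: loaders run unconditionally; the banner only hides a div.
function loadTrackersUnconditionally(loaders) {
  return loaders.map(({ name, load }) => { load(); return name; });
}

// Corrected pattern: loaders are queued and only executed once consent exists.
class ConsentGate {
  constructor() {
    this.consented = false;
    this.queue = [];
    this.loaded = [];
  }
  // Register a tracker loader; runs now if consent exists, otherwise waits.
  register(name, load) {
    if (this.consented) {
      load();
      this.loaded.push(name);
    } else {
      this.queue.push({ name, load });
    }
  }
  // Called by the banner's "accept" handler; flushes the queue exactly once.
  grant() {
    this.consented = true;
    for (const { name, load } of this.queue.splice(0)) {
      load();
      this.loaded.push(name);
    }
  }
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

// Audit: requests is [{url, ts}]; consentTs is the time consent was recorded,
// or null if it was never given. Returns tracker requests that fired before
// consent, i.e. the evidence that the banner is "mere decoration".
function trackerRequestsBeforeConsent(requests, consentTs) {
  return requests.filter(
    (r) => TRACKER_HOSTS.has(hostOf(r.url)) && (consentTs === null || r.ts < consentTs)
  );
}

// Constructed sample log: a GA beacon fires at t=100 although consent is only
// recorded at t=5000; the Facebook pixel loads after consent and is fine.
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/", ts: 0 },
  { url: "https://www.google-analytics.com/collect?v=1&tid=UA-1", ts: 100 },
  { url: "https://shop.example/assets/app.js", ts: 150 },
  { url: "https://connect.facebook.net/en_US/fbevents.js", ts: 6000 },
];

function demo() {
  const gate = new ConsentGate();
  const calls = [];
  gate.register("ga", () => calls.push("ga"));
  gate.register("fb", () => calls.push("fb"));
  const beforeGrant = calls.length; // 0: nothing ran yet
  gate.grant();
  const afterGrant = calls.length;  // 2: both loaders ran on consent
  const offenders = trackerRequestsBeforeConsent(SAMPLE_REQUESTS, 5000);
  return { beforeGrant, afterGrant, offenders: offenders.map((r) => hostOf(r.url)) };
}
```

In a real setup the `load` callbacks would inject the vendor `<script>` tags, and `grant()` would be wired to the banner's accept button; the audit function is meant to be run over an exported request log from a fresh browser profile, with the consent timestamp taken from the banner's own storage entry. Keep the host list under review: scripts that were added years ago and forgotten are exactly what the audit is meant to surface.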
The less personal data an analytics setup collects, the lower the consent and documentation effort tends to be. Cookieless web analytics can be a pragmatic alternative to the consent banner for many shops – though it does not replace a legal review of the specific setup.