Advertising tracking needs consent. Always, everywhere, no exceptions. But what about your own internal analytics—data you collect for yourself, store on your own servers, and never share with advertisers? The answer depends entirely on where your visitors are located, how you collect the data, and where you store it.
The EU Digital Omnibus (published November 2025) proposes that cookies used for “aggregated audience measurement for controller’s own use” will no longer trigger consent pop-ups. France, Spain, and Italy already allow this exemption under specific conditions. The UK allows no exemption at all.
If you’re treating all analytics the same as advertising tracking, you may be killing your data unnecessarily.
The Critical Distinction Nobody Explains
Most cookie consent guides treat everything the same: analytics, advertising, remarketing—all lumped together as “non-essential cookies requiring consent.” This is technically correct under the strictest interpretation. It’s also massively oversimplified.
There’s a fundamental difference between:
- Advertising tracking: Data shared with Google, Meta, TikTok for ad targeting. Always requires consent because third parties use your visitor data for their commercial purposes.
- Internal first-party analytics: Data you collect yourself, store on your own servers, use only for improving your own website. MAY be exempt in jurisdictions that recognize the distinction.
The key questions are: Who controls the data? Where does it go? What’s it used for?
When you send data to Google Analytics, it enters Google’s advertising ecosystem—even if you’re not running ads. Google uses that data for benchmarking, audience insights, and improving their ad products. That’s not “your own” analytics. That’s participating in an advertising data network.
You may be interested in: Google Consent Mode V2 Is Killing Your Analytics
Country-by-Country Reality in 2026
The ePrivacy Directive leaves implementation to individual EU member states. The result is a patchwork of different rules for analytics consent.
France (CNIL) — Exemption Available
France’s CNIL explicitly allows analytics without consent IF you meet all of these conditions:
- First-party cookies only (set by your domain)
- No cross-site tracking
- No user profiling over time
- No data sharing with third parties
- Aggregated statistical output only
- Cookie lifespan limited to 13 months
- Data retention limited to 25 months
- IP addresses anonymized
Standard Google Analytics does NOT qualify. Even with IP anonymization enabled, data goes to Google’s servers and enters their ecosystem. CNIL-compliant analytics must stay entirely under your control.
Spain (AEPD) and Italy (Garante) — Similar Exemptions
Spain’s AEPD and Italy’s Garante allow analytics exemptions under similar conditions to France. The core principle is the same: truly first-party, aggregated, internal-use-only measurement can operate without consent.
UK (ICO) — No Exemption
The UK ICO is unambiguous: “Analytics cookies do not fall under the strictly necessary exemption and always require consent.” No exceptions. No technical workarounds. If you have UK visitors and use any analytics cookies, you need consent.
This matters for WordPress owners with international audiences. You might qualify for exemption with French visitors but need consent for UK visitors—on the same website, for the same analytics.
Germany (DSK) — No Exemption
Germany’s data protection authorities (DSK) do not consider website analytics using third-party tools as a legitimate interest. Consent is required. Some German authorities suggest that purely aggregated “reach analysis” without third-party services might be possible, but the safe path is consent.
The EU Digital Omnibus Changes Everything
Published November 19, 2025, the EU Digital Omnibus proposes to unify these fragmented rules. The Commission explicitly states: “Cookies used only for non-risk purposes like counting website visits will no longer trigger consent pop-ups.”
The proposed exemption whitelist includes:
- Communication transmission
- Providing a service requested by the user
- Aggregated audience measurement for controller’s own use
- Security
That third item is the analytics exemption. If adopted, first-party analytics for your own business intelligence would not require consent across the entire EU—not just France, Spain, and Italy.
The Digital Omnibus still needs European Parliament and Council approval. It’s not law yet. But the direction is clear: the EU recognizes that treating internal analytics the same as advertising tracking was always overkill.
You may be interested in: The Cookie Redemption: First-Party Data Is the Ethical High Ground
What This Means for WordPress Store Owners
Here’s the practical reality for 2026:
If Your Audience is Primarily EU
You have two paths:
Path 1: Full consent for everything. Install a CMP, implement Consent Mode v2, accept that 40-70% of EU visitors will reject cookies and you’ll lose their data. This is the safe, conservative approach.
Path 2: Separate advertising from internal analytics. Use consent for advertising tracking (GA4 → Google Ads, Meta Pixel → Facebook Ads). Use first-party server-side analytics that qualify for exemption in FR/ES/IT—and potentially EU-wide once Digital Omnibus passes.
If Your Audience is Primarily Non-EU
Stop following the herd off a cliff. EU consent requirements apply to EU visitors. If 80% of your traffic is from the US, Asia, or other regions without EU-style consent requirements, you’re destroying your analytics for the majority of visitors who don’t need consent banners.
Know your actual audience geography. Google Analytics shows you where visitors come from. If EU traffic is 5% of your total, implementing aggressive consent requirements that kill data for the other 95% is self-inflicted damage.
Geo-targeted consent is the solution: Show consent requirements to EU visitors, collect full analytics from everyone else.
The Architecture That Qualifies for Exemption
To qualify for analytics consent exemption in jurisdictions that allow it, your analytics must meet specific technical requirements:
- First-party collection: Data collected by YOUR domain, YOUR servers
- No third-party sharing: Data never leaves your infrastructure for advertising purposes
- Aggregated output: You analyze patterns and trends, not individual user journeys
- No cross-site tracking: You’re not linking visitors across different domains
- IP anonymization: Full IP addresses are not stored or processed
- Limited retention: Data automatically purged within retention limits
Standard Google Analytics fails multiple criteria. Data goes to Google. It’s used for benchmarking. It feeds Google’s advertising intelligence. Even if you never run a Google Ad, your GA4 data participates in an advertising ecosystem.
Server-side tracking to your own data warehouse—BigQuery, your own database, any infrastructure you control—can meet exemption criteria. The data stays first-party because it never leaves your control.
Transmute Engine™ with a BigQuery destination keeps analytics data entirely first-party. Events fire from your WordPress server to your BigQuery instance. No advertising platform ever sees the raw data. This architecture aligns with CNIL exemption criteria and the proposed Digital Omnibus whitelist.
Key Takeaways
- Advertising tracking always requires consent—data shared with Google, Meta, TikTok for ad targeting has no exemption anywhere
- Internal first-party analytics may be exempt in France, Spain, and Italy if meeting strict technical criteria (first-party, no sharing, aggregated, limited retention)
- The UK allows no analytics exemption—consent required for any analytics cookies regardless of architecture
- EU Digital Omnibus proposes EU-wide exemption for “aggregated audience measurement for controller’s own use”—direction is clear even if not yet law
- Know your audience geography—if most visitors are non-EU, aggressive consent requirements may be unnecessary self-harm
- Server-side to your own BigQuery is the architecture that qualifies for exemption where available
No. Current GDPR enforcement is clear: legitimate interest cannot justify non-essential cookies including analytics. The ePrivacy Directive requires consent for storing information on user devices, and legitimate interest doesn’t override this. Only strictly necessary cookies are exempt—and regulators don’t consider analytics strictly necessary.
Advertising tracking always requires consent because data is shared with third parties for targeting. Internal first-party analytics MAY be exempt in some jurisdictions (France, Spain, Italy) if data stays on your servers, isn’t shared, doesn’t profile individuals, and meets technical requirements like IP anonymization and cookie lifespan limits.
The consent requirement depends on data destination, not collection method. Server-side tracking that sends data to Google Analytics for advertising purposes needs consent. Server-side tracking that stores data in your own BigQuery for internal analysis may qualify for exemption in jurisdictions that allow it.
EU consent rules apply to EU visitors regardless of where your business is located. But if your audience is primarily US, Asia, or other non-EU regions, you may be over-applying consent restrictions. Know your actual audience geography before implementing EU-specific requirements that damage analytics for visitors who don’t require them.
The bottom line: Stop treating all tracking the same. Understand where your visitors are, separate advertising from internal analytics, and use architecture that keeps first-party data first-party. The regulatory direction is clear—internal analytics exemptions are coming EU-wide. Position yourself now with first-party server-side tracking that qualifies.
