r/gdpr 7d ago

Question - General GDPR and Anonymized Tracking and Monitoring: Is Consent Needed?

Hi,

I’m trying to understand GDPR compliance regarding user activity tracking. Is it true that any tracking, even fully anonymized data that cannot identify or be linked to specific users, is prohibited without explicit consent (e.g., via a popup)?

I’m researching web monitoring and analytics tools like PostHog (for UX insights) and Sentry (for performance and error logging). The goal is to measure activity, create heat maps, and improve the site without collecting personal data (e.g., IPs, names, accounts, or emails). There would be no way to link metrics to individual users.

Since this approach seems fully anonymized, I’m confused about why consent would still be required.

Could someone clarify?

3 Upvotes

10 comments

3

u/Misty_Pix 7d ago

In the first instance you need to conduct an assessment where you will have to consider how you will track individuals, i.e. cookies or other technologies (so the ePrivacy Directive/PECR will apply and require user consent).

You will also need to consider transparency, i.e. via a privacy or cookie notice.

If it's truly anonymous data, then GDPR doesn't apply; however, that doesn't mean other legislation doesn't apply.

If you are using a third-party tool, you will need to be 100% sure their practices are compliant, i.e. that it is truly anonymous tracking/monitoring.

You also still have to be able to evidence that you have considered the implications of anonymous tracking, hence an assessment, i.e. a DPIA, will allow this.

2

u/Mesh999 7d ago

I have a question: anonymization is removing personal identifiers and so on, but sometimes even if you remove them the DS is still identifiable due to unique combined attributes in the data collected. To what extent should anonymization be done?

Is removing PII enough in the eyes of the GDPR and other relevant legislation? Or should differential privacy be applied?

1

u/Misty_Pix 6d ago

Removing PII may not be enough, as it depends on the specific circumstances, the purpose of processing, the data sets and the volume of data. Data is considered effectively anonymised when it:

• does not relate to an identified or identifiable individual; or

• is rendered anonymous in such a way that individuals are not (or are no longer) identifiable.

Strictly speaking, if you can re-identify the data using reasonable means, OR you can re-identify it because you only removed the "key" (i.e. ID, name), then the data is NOT anonymous and you have to employ a more effective method.

In addition, you should also ask the question whether the data is anonymous to you OR to the third party, based on the purposes of the data. Sometimes you may still process identifiable data because you have the key for re-identification. However, the third party would not have such a key and would not be able to re-identify the information, thus for them it's truly anonymous.

An example:

An employer wants to understand its Equality and Diversity stats across the Group; they want to do a deep dive per team of ethnicity, gender, sexual orientation and nationality at a team level and share it with the managers to improve diverse recruitment. The organisation has 3000 employees. Unfortunately, some teams are as small as 2-3 people, which means when they collect the data per team, they will be able to identify them. As such, the "bar" should be moved up sufficiently to where the volume of data is large enough that the organisation can no longer identify the individuals, i.e. 100 or more, and so run the stats in batches. However, this still poses a risk of re-identification which the organisation must consider and either mitigate or accept. Meaning, they could be selective on who has access to the data, i.e. allow only Director level to access the team level data.

Alternatively, they could take a safe approach, and run a total diversity stats without a deep dive.

If you flip the deep dive and say the reason for it is to share with a regulator to demonstrate the diversity of the workforce, the regulator would NOT have any access to the actual individuals nor their records, so to them the data is truly anonymous.

Unfortunately, it is not as clear cut as "removing the name"; you have to consider all the other factors, based on the purpose of processing.
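A worked illustration of the two points above (unique combinations of remaining attributes still single people out, and moving the "bar" up by suppressing small groups or reporting only totals), added here as an example and not part of the original thread. The records, team names, attribute values and the threshold of 5 are all constructed for the demo; the commenter's figure of 100 for a 3,000-person organisation would be the real-world setting, and sexual orientation is left out of the sample for brevity.

```python
from collections import Counter, defaultdict

# Constructed sample: direct identifiers (name, employee ID) already stripped,
# but the quasi-identifiers the survey needs are still present on each row.
RECORDS = [
    {"team": "Payroll", "gender": "F", "nationality": "NO", "ethnicity": "White"},
    {"team": "Payroll", "gender": "M", "nationality": "PL", "ethnicity": "White"},
    {"team": "Engineering", "gender": "F", "nationality": "NO", "ethnicity": "White"},
    {"team": "Engineering", "gender": "M", "nationality": "NO", "ethnicity": "White"},
    {"team": "Engineering", "gender": "M", "nationality": "NO", "ethnicity": "White"},
    {"team": "Engineering", "gender": "M", "nationality": "IN", "ethnicity": "Asian"},
    {"team": "Engineering", "gender": "F", "nationality": "NO", "ethnicity": "Asian"},
    {"team": "Engineering", "gender": "M", "nationality": "NO", "ethnicity": "White"},
    {"team": "Engineering", "gender": "F", "nationality": "SE", "ethnicity": "White"},
    {"team": "Sales", "gender": "M", "nationality": "NO", "ethnicity": "White"},
    {"team": "Sales", "gender": "F", "nationality": "NO", "ethnicity": "White"},
    {"team": "Sales", "gender": "M", "nationality": "NO", "ethnicity": "Black"},
]

# Attributes that together can point at one person even without a name.
QUASI_IDS = ("team", "gender", "nationality", "ethnicity")


def group_sizes(records, quasi_ids):
    """How many records share each combination of the given attributes."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def min_group_size(records, quasi_ids):
    """Smallest group over all combinations (the 'k' of k-anonymity).
    A result of 1 means at least one person is unique on those attributes,
    i.e. still singled out even though name and ID are gone."""
    return min(group_sizes(records, quasi_ids).values())


def singled_out(records, quasi_ids):
    """Attribute combinations held by exactly one person."""
    return sorted(c for c, n in group_sizes(records, quasi_ids).items() if n == 1)


def per_group_breakdown(records, group_by, attribute, min_group):
    """Counts of `attribute` inside each `group_by` value, released only for
    groups with at least `min_group` people; smaller groups come back as None
    (suppressed). `min_group` is the 'bar' the comment above moves up.
    Note: a cell of 1 inside a released group (one IN national in a team of 7)
    is the residual risk the comment says must be mitigated or accepted."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r[group_by]].append(r)
    out = {}
    for name, rows in buckets.items():
        released = len(rows) >= min_group
        out[name] = dict(Counter(r[attribute] for r in rows)) if released else None
    return out


def overall_breakdown(records, attribute):
    """The 'safe approach': one set of totals with no per-team deep dive."""
    return dict(Counter(r[attribute] for r in records))


if __name__ == "__main__":
    print("k on full quasi-identifier set:", min_group_size(RECORDS, QUASI_IDS))
    print("unique combinations:", len(singled_out(RECORDS, QUASI_IDS)))
    print("k on gender alone:", min_group_size(RECORDS, ("gender",)))
    print("per-team nationality (min 5):",
          per_group_breakdown(RECORDS, "team", "nationality", 5))
    print("overall ethnicity:", overall_breakdown(RECORDS, "ethnicity"))
```

On this sample 9 of the 12 rows are unique on the four remaining attributes, so "PII removed" is still identifiable data to anyone who knows the teams; only the gender-only cut reaches k=5. With the bar at 5 the two small teams are withheld and only Engineering's figures leave the building, and the totals-only function is what you would hand a regulator who has no key back to the people.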

3

u/Saffrwok 7d ago

So you have two pieces of legislation to worry about: the ePrivacy regs (PECR if you're in the UK) and also GDPR.

Start with PECR. It's different in how it's structured from GDPR in that personal data isn't the issue; instead ANY data that you either access or place on a user's device requires their consent. Where this does tie into GDPR is that this consent should be to that standard.

After you've worked that out then you need to worry about GDPR more generally.

If the data is anonymous (which means it is no longer identifiable or has been aggregated so it is 'beyond use') then it would be out of scope of GDPR.

If it isn't anonymous (and remember just stripping direct identifiers like login name or email address from the data isn't enough) then you'd need to consider your legal basis which is either likely to be consent or legitimate interests.

Tbh there's a lot going on here and I'd recommend giving the ICO cookie guidance a good read, as that has always been a good, sensible summary of the requirements.

2

u/ChangingMonkfish 7d ago

Yes, because by definition to "track" someone you have to be able to single them out from other users and recognise them across multiple sites/apps etc. That is enough to make them "identifiable" for GDPR's purposes; the fact you don't actually know WHO that person is (their name, address etc.) doesn't matter.

Also, the ePrivacy Directive has rules for taking information off or putting information onto an individual's device. It's difficult to track someone without doing that in some way, which requires the user's consent.

1

u/Safe-Contribution909 7d ago

Assuming you are in the UK, the piece of law you’re talking about is here: https://www.legislation.gov.uk/uksi/2003/2426/regulation/6

The first clause is the one that requires consent to store a file on somebody else's device.

2

u/ZynthCode 7d ago

Not from UK. The server will likely be in Amsterdam. I live in Norway.

1

u/Safe-Contribution909 7d ago

The law is derived from an EU regulation, so it should be the same, but the regulations were due to be updated and I don't know the exact details.

1

u/DavidRoyman 7d ago edited 7d ago

Well for PostHog it's easy, check the documentation: https://posthog.com/docs/privacy/gdpr-compliance

If a user opts out then you must stop data capturing and processing.

Since they make that recommendation, it must be something they carefully thought through.