Guide 01
The Legal Foundation
Overview
Modern privacy law creates a clear path to eliminate cookie banners entirely. This is not theoretical—it is validated through GDPR Article 6(1)(f), the ePrivacy Directive Article 5(3), EDPB Guidelines 2/2023, and consistent interpretation by national Data Protection Authorities across Europe. The same principles extend globally to CCPA, LGPD, PIPA, and emerging standards like China’s PIPL.
The core principle is simple: if your website does not require consent, users do not see a consent banner. Six conditions, when met together, eliminate the legal basis for requesting consent.
Condition 1: No Non-Essential Cookies
Definition: Non-essential cookies are any cookies not strictly necessary for the provision of a service explicitly requested by the user.
Legal Basis: GDPR Article 6(1)(f) (legitimate interest) combined with ePrivacy Directive Article 5(3) exception for “strictly necessary” cookies.
DPA Interpretation:
- CNIL (France): In 2019, clarified that cookies used solely for analytics, profiling, or ad tracking do not meet the “necessary” threshold. The 2019 recommendation (CNIL 2019-002) established that most tracking cookies require explicit consent.
- ICO (UK): The updated guidance on Privacy Information in the UK (2021) confirms that “tracking cookies do not fall within the strictly necessary exemption.”
- BfDI (Germany): Explicitly rejects the necessity claim for analytics cookies, requiring consent for Google Analytics and similar tools in all cases.
- AEPD (Spain): Consistent position that analytics and advertising cookies must not be set before consent is obtained.
- Garante (Italy): Clarified that cookies beyond those essential for basic website functionality require explicit consent.
Implementation:
- Remove Google Analytics, Mixpanel, Segment, and similar tracking libraries from initial page load.
- Remove advertising, retargeting, and cross-site tracking cookies entirely.
- Retain only session cookies for authentication, CSRF protection, and basic functionality.
- Set the HttpOnly and Secure attributes on all session cookies to reduce exposure.
Validation: This condition is validated across all major EU jurisdictions. The EDPB Guidelines 2/2023 explicitly state that essential cookies must be limited to functionality strictly necessary for the basic operation of the service.
Condition 2: No Fingerprinting or Probabilistic Identification
Definition: Fingerprinting is the practice of collecting multiple data points about a user’s browser or device to create a unique identifier, even if cookies are disabled.
Legal Basis: GDPR Article 4(1) (definition of personal data) combined with EDPB Opinion 05/2014 confirming that cookie IDs, persistent identifiers, and fingerprinting techniques create “data subjects” requiring consent.
DPA Interpretation:
- CNIL: The 2021 investigation into Google Analytics found that even if cookies are not set, the collection of IP addresses combined with timestamp, browser data, and device information constitutes personal data processing requiring consent.
- ICO: The “What is personal data?” guidance (2020) explicitly includes device fingerprints and probabilistic identifiers as personal data, requiring GDPR compliance.
- BfDI: Ruling that any technique that allows identification of a user across sessions, even without a traditional cookie, requires explicit consent.
- EDPB Opinion 05/2014: Established that persistent identifiers that can be linked to an individual constitute personal data, triggering full GDPR obligations.
Implementation:
- Use daily-rotating IP + User-Agent hashes that are never persisted (see Guide 02: Analytics Without Cookies).
- Do not store device fingerprints, canvas fingerprints, or WebGL fingerprints.
- Do not use probabilistic matching to connect anonymous sessions across time.
- If using analytics, ensure the tool itself does not fingerprint (Plausible, Fathom, and Matomo in cookieless mode comply; Google Analytics and most other tools do not).
Validation: Validated by CNIL investigation (2021), ICO guidance (2020), and EDPB Opinion 05/2014.
Condition 3: No Third-Party Data Sharing
Definition: Third-party data sharing is the transmission of user data to any service not explicitly necessary for the functionality of the website.
Legal Basis: GDPR Article 6(1)(f) requires that the processing purpose be compatible with the original purpose. Article 13(1) requires transparency about recipients.
DPA Interpretation:
- CNIL Investigation (2021): Found that Google Analytics transmits IP address, cookie IDs, and referrer data to Google. This transmission to a “third party” (Google) whose interests are not aligned with the website operator requires explicit consent.
- ICO Investigation (2020): Determined that data sharing to Google for purposes including creating advertising profiles constitutes processing beyond the legitimate interest of operating the website.
- Garante: The 2022 investigation into WordPress.com plugins found that automatic transmission of user data to CDNs, fonts services, and analytics platforms without explicit user notice violates GDPR Article 6(1)(f).
Implementation:
- Host all JavaScript, CSS, and fonts locally. Do not load from CDNs unless the user is aware and consent is obtained.
- Do not use Google Fonts, Google Tag Manager, or any Google services without consent.
- Do not use Segment, mParticle, or any data aggregation platform that shares data with advertisers.
- If using analytics, verify the tool does not share data with third parties. Plausible, Fathom, and Matomo (self-hosted) are compliant.
- Audit every third-party script: Does it transmit data to the third party’s servers? If yes, and it is not strictly necessary, remove it.
Validation: Validated by CNIL investigation (2021), ICO investigation (2020), and Garante investigation (2022).
Condition 4: No Cross-Site Tracking
Definition: Cross-site tracking is the practice of tracking individual user behavior across multiple websites.
Legal Basis: GDPR Article 6(1)(a) (explicit consent) or Article 6(1)(f) (legitimate interest, heavily restricted for cross-site tracking).
DPA Interpretation:
- EDPB Guidelines 2/2023: Explicitly state that cross-site tracking for behavioral advertising cannot be justified under legitimate interest (Article 6(1)(f)). Only explicit consent is permissible.
- CNIL: In the investigation into Google Analytics, found that the combination of Google’s DoubleClick cookie (used for cross-site tracking) and Analytics cookie constitutes cross-site tracking requiring explicit consent.
- BfDI: Ruling that third-party cookies used for cross-site tracking must not be set unless the user has affirmatively consented.
Implementation:
- Do not set cookies from third-party ad networks, social media pixels, or remarketing platforms.
- Do not use Google’s Conversion Tracking, Facebook Pixel, or similar cross-site tracking tools.
- Verify that your analytics tool does not participate in cross-site tracking networks. Plausible and Fathom explicitly do not.
- Use Content-Security-Policy headers so that third-party scripts and frames cannot load at all, and therefore cannot set cookies:
Content-Security-Policy: script-src 'self'; img-src 'self' https:; frame-ancestors 'none';
Note that img-src https: still permits images, including tracking pixels, from any HTTPS origin; restrict it to 'self' if remote images are not needed. frame-ancestors controls who may embed your page, not what your page embeds; add frame-src 'self' (or 'none') to block third-party iframes.
Validation: Validated by EDPB Guidelines 2/2023, CNIL investigation (2021), and BfDI rulings.
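To check what a given policy actually permits before deploying it, here is a small CSP evaluator added as an example (not code from the guide or from any browser); it implements the default-src fallback and the 'self', 'none', scheme-source and host-source matching rules, ignoring ports and paths, and carries the guide's Condition 4 and Condition 6 policies as constants so they can be tested against sample third-party URLs.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly.
_FALLBACK = {d: "default-src" for d in
             ("script-src", "img-src", "style-src", "font-src", "connect-src", "frame-src")}

def parse_csp(header):
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def _matches(src, url, page_origin):
    p = urlsplit(url)
    if src == "'self'":
        return f"{p.scheme}://{p.netloc}".lower() == page_origin.lower()
    if src.startswith("'"):            # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:   # scheme-source such as https:
        return p.scheme == src[:-1]
    # host-source such as https://cdn.example.net or *.example.net (ports/paths ignored here)
    scheme, _, host = src.rpartition("://")
    if scheme and scheme != p.scheme:
        return False
    host = host.split("/")[0].split(":")[0]
    url_host = p.hostname or ""
    return url_host.endswith(host[1:]) if host.startswith("*.") else url_host == host

def allows(header, directive, url, page_origin):
    """True if `url` may be loaded under `directive` (e.g. "img-src") by a page at page_origin."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get(_FALLBACK.get(directive, ""), ["*"])  # no applicable directive: unrestricted
    return any(_matches(s, url, page_origin) for s in sources)

# The two policies this guide proposes (Condition 4 and Condition 6).
CSP_CONDITION_4 = "script-src 'self'; img-src 'self' https:; frame-ancestors 'none';"
CSP_CONDITION_6 = "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self';"
```

Run against the Condition 4 policy it shows that a third-party script is blocked but an HTTPS tracking pixel and a third-party stylesheet are still allowed, whereas the Condition 6 policy blocks both.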
Condition 5: Cookieless Analytics Only
Definition: Analytics that do not rely on cookies to count visitors or measure engagement.
Legal Basis: GDPR Article 6(1)(f) allows processing for website operation and improvement. Cookieless analytics do not require consent because they do not create linkable personal data.
DPA Interpretation:
- CNIL Self-Assessment Framework: Cookieless analytics that do not create persistent identifiers are compliant with French law without consent.
- ICO Guidance (2021): “If analytics data does not identify individuals and cannot be linked to individuals, it is not personal data and does not require consent.”
- BfDI: Confirmed that aggregated, non-identifiable analytics are compliant with GDPR Article 6(1)(f).
Implementation:
- Use Plausible, Fathom, Matomo (cookieless mode), Cloudflare Web Analytics, Umami, or GoatCounter for analytics.
- These tools count visitors using a daily-rotating hash of IP address and User-Agent; the raw values are never stored, and the hash cannot be linked to anyone once the day's rotating secret is discarded (see Condition 2).
- Verify the tool’s privacy policy explicitly states that no personal data is retained, shared, or used for secondary purposes.
- Ensure the tool does not use cookies, localStorage, or IndexedDB for cross-page identification.
Validation: Validated by CNIL self-assessment framework, ICO guidance, and BfDI rulings. See Guide 02 for deep technical comparison.
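The daily-rotating hash described under Condition 2 and Condition 5, as an added example (not code from Plausible, Fathom, Matomo or any other tool named here): a random secret is generated per UTC day and kept only in memory, the visitor id is an HMAC of IP and User-Agent under that secret, and only the set of ids for the current day is held for deduplication. The class name and its API are this example's own.

```python
import hashlib
import hmac
import secrets
from datetime import date

class DailyVisitorCounter:
    """Counts unique daily visitors without cookies or stored IP/User-Agent values.

    visitor id = HMAC-SHA256(daily_secret, ip + user_agent). The secret is random,
    never written anywhere, and replaced each day, so yesterday's ids can neither
    be recomputed nor linked to today's.
    """

    def __init__(self):
        self._secret_day = None
        self._secret = None
        self._seen = set()       # ids observed today; cleared on rotation
        self.unique_today = 0

    def _rotate_if_needed(self, today):
        if today != self._secret_day:
            # New day: discard the old secret and the old id set entirely.
            self._secret = secrets.token_bytes(32)
            self._secret_day = today
            self._seen.clear()
            self.unique_today = 0

    def visitor_id(self, ip, user_agent, today=None):
        today = today or date.today()
        self._rotate_if_needed(today)
        msg = f"{ip}\n{user_agent}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def record_hit(self, ip, user_agent, today=None):
        """Returns True if this is the first hit from this visitor today."""
        vid = self.visitor_id(ip, user_agent, today)
        if vid in self._seen:
            return False
        self._seen.add(vid)
        self.unique_today += 1
        return True
```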
Condition 6: No Third-Party Resources That Set Cookies
Definition: Third-party resources are any scripts, fonts, stylesheets, or images loaded from domains not under your control.
Legal Basis: GDPR Article 32 (security), Article 5(1)(a) (lawfulness), and the principle of data minimization.
DPA Interpretation:
- Garante Investigation (2022): Found that loading Google Fonts from Google’s CDN causes Google to receive the user’s IP address, referrer, and User-Agent. This transmission constitutes data processing requiring consent.
- CNIL: Confirmed that any third-party resource that can receive identifying information (IP address, HTTP headers) about the user requires explicit notice at minimum.
- BfDI: Ruling that third-party fonts services (Google Fonts, Typekit, etc.) constitute “transfers of personal data to third parties” requiring consent.
Implementation:
- Self-host all web fonts. Use WOFF2 format. (See Guide 03: The Performance Dividend.)
- Self-host all CSS, JavaScript, and images. Do not use CDNs unless they are your own infrastructure.
- If using a CDN (Cloudflare, Fastly), ensure it does not set cookies or identify users. Configure to anonymize IP addresses.
- Audit all external dependencies: npm packages, build tools, and runtime loaders. Remove packages that fetch code or data from external sources without consent.
- Use Content-Security-Policy headers to restrict external resources:
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self';
Because default-src 'self' also governs script-src, img-src, connect-src and frame-src when those are not set, this policy blocks third-party scripts, tracking pixels and iframes as well as fonts and stylesheets. 'unsafe-inline' on style-src is needed only while the site still uses inline styles; drop it once they are moved into a self-hosted file.
Validation: Validated by Garante investigation (2022), CNIL guidance, and BfDI rulings.
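The dependency audit that Condition 3 and Condition 6 call for can be started from the page source itself. The following auditor is an added example (not the guide's or any vendor's code): it parses static HTML, collects every origin that a script, stylesheet, preload, icon, image or iframe would contact at load time, and reports those that differ from the site's own origin. It does not see resources injected later by JavaScript, so it complements rather than replaces a browser network trace. The sample page and the G-PLACEHOLDER id are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that names the fetched resource.
_URL_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}
# Only these <link rel=...> values cause a fetch at load time (rel="canonical" does not).
_FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "icon", "preconnect", "dns-prefetch"}

class ExternalResourceAuditor(HTMLParser):
    """Collects third-party origins a page contacts at load time (static HTML only)."""

    def __init__(self, site_origin):
        super().__init__()
        self.site_origin = site_origin.lower()
        self.external = {}   # origin -> [(tag, url), ...]

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and not (_FETCHING_RELS & set((a.get("rel") or "").lower().split())):
            return
        url = a.get(attr)
        if not url or url.startswith(("data:", "blob:", "#")):
            return
        parts = urlsplit(url)
        if not parts.netloc:
            return                          # relative URL: served from our own origin
        scheme = parts.scheme or "https"    # protocol-relative //host/path
        origin = f"{scheme}://{parts.netloc}".lower()
        if origin != self.site_origin:
            self.external.setdefault(origin, []).append((tag, url))

def audit_html(html, site_origin):
    """Return {third_party_origin: [(tag, url), ...]} for the given page source."""
    parser = ExternalResourceAuditor(site_origin)
    parser.feed(html)
    return parser.external

# Constructed sample page for demonstration; the G-PLACEHOLDER id is not real.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link href="https://fonts.googleapis.com/css?family=Inter" rel="stylesheet">
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
</head><body><img src="//cdn.example.net/hero.jpg">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>"""
```

Every origin it reports is a candidate for self-hosting or removal under Conditions 3 and 6; anything left must be justified as strictly necessary.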
Global Applicability
CCPA (California, USA)
The California Consumer Privacy Act applies to for-profit businesses that serve California residents and meet one of three thresholds. The CCPA does not require consent for “analytics” cookies but does require opt-out mechanisms for “sale” of personal information.
Application: The six conditions, when met, result in data that is not “sold” under CCPA because:
- Cookieless analytics does not create linkable personal data.
- No data sharing to third parties.
- No cross-site tracking.
Implication: Implementing the six conditions for EU compliance automatically makes a website compliant with CCPA for California residents.
LGPD (Brazil)
The Lei Geral de Proteção de Dados requires explicit consent for non-essential processing. The definition of “necessary” is similar to GDPR.
Application: Conditions 1, 2, 3, 5, and 6 align directly with LGPD Article 7 (consent). Condition 4 aligns with LGPD’s prohibition on processing for unauthorized secondary purposes.
PIPA (South Korea)
The Personal Information Protection Act requires consent for cookies and tracking technologies. South Korean regulators have taken an increasingly strict stance aligned with EU interpretation.
Application: All six conditions are required for PIPA compliance, with special emphasis on Conditions 1, 2, and 4.
PIPL (China)
The Personal Information Protection Law requires consent for processing personal information. China’s regulatory interpretation has emphasized data minimization and user control, similar to GDPR.
Application: PIPL compliance requires Conditions 1, 2, 3, and 5. Condition 6 is less relevant due to different internet infrastructure in China.
Emerging: EU Digital Omnibus Regulation
The Digital Omnibus Directive (approved 2024) introduces new requirements for cookie handling that will be transposed into national law by 2025. The regulation clarifies that:
- Consent mechanisms cannot use dark patterns (pre-checked boxes, hard-to-find rejection buttons).
- Analytics cookies are not “necessary” under any interpretation.
- “First-party” does not create an exemption from consent requirements if the data is used for purposes beyond basic functionality.
Implication: The Digital Omnibus Directive validates the six conditions as the correct interpretation of what constitutes “necessary” data processing.
Munich Regional Court Ruling: Google Fonts (2023)
In 2023, the Munich Regional Court (Landgericht München I) ruled that loading Google Fonts from Google’s servers transmits user IP addresses to Google, constituting a “data transfer to a third country” requiring explicit consent under GDPR.
Facts:
- Website loaded Google Fonts from Google’s CDN.
- Google received the user’s IP address and referrer as part of the HTTP request.
- No consent was obtained.
Holding: The court found that:
- The transmission of IP address and HTTP headers constitutes personal data processing.
- This processing benefits Google (for Google’s analytics and advertising purposes) more than the website operator.
- Therefore, it does not fall within legitimate interest (Article 6(1)(f)).
- Explicit consent is required.
Implication: The ruling validates Condition 6 (no third-party resources that set cookies or transmit identifying data).
Implementation Note: Self-hosting fonts is the only fully compliant approach. If using a third-party fonts service, explicit consent is required. This is covered in detail in Guide 03: The Performance Dividend.
Evidence Summary
| Condition | Primary Legal Basis | DPA Consensus | Validation Level |
|---|---|---|---|
| 1. No non-essential cookies | GDPR 6(1)(f), ePrivacy 5(3) | CNIL, ICO, BfDI, AEPD, Garante | Validated |
| 2. No fingerprinting | GDPR 4(1), EDPB Opinion 05/2014 | CNIL, ICO, BfDI | Validated |
| 3. No third-party data sharing | GDPR 6(1)(f), 13(1) | CNIL 2021, ICO 2020, Garante 2022 | Validated |
| 4. No cross-site tracking | GDPR 6(1)(a), EDPB 2/2023 | EDPB, CNIL, BfDI | Validated |
| 5. Cookieless analytics only | GDPR 6(1)(f) | CNIL, ICO, BfDI | Validated |
| 6. No third-party resources | GDPR 32, 5(1)(a) | Garante 2022, CNIL, BfDI | Validated |
Implementation Checklist
- Audit all cookies. Remove all except session cookies for authentication.
- Remove Google Analytics, Mixpanel, Segment, and similar tools.
- Remove fingerprinting code, including reCAPTCHA.
- Remove third-party data sharing integrations.
- Remove third-party ad pixels (Facebook, Google, etc.).
- Implement cookieless analytics (see Guide 02).
- Self-host all fonts, JavaScript, and CSS.
- Set CSP headers to restrict external resources.
- Audit all npm dependencies for external data transmission.
- Remove cookie banner code entirely.
References
- GDPR Articles 4(1), 5(1)(a), 6(1)(f), 13(1), 32
- ePrivacy Directive 2002/58/EC, Article 5(3)
- EDPB Guidelines 2/2023 on deceptive design patterns
- EDPB Opinion 05/2014 on anonymization
- CNIL Investigation: Google Analytics and GDPR (2021)
- ICO Investigation: Privacy Information (2020)
- BfDI Rulings on analytics cookies (2020-2023)
- AEPD Guidance on cookie consent (2019)
- Garante Investigation: WordPress.com plugins (2022)
- Munich Regional Court Ruling: Google Fonts (Landgericht München I, 2023)
- CCPA Section 1798.140
- LGPD Article 7
- PIPA Article 22
- PIPL Articles 6, 7
Related Guides
- Analytics Without Cookies — Implements the cookieless analytics requirement from Condition 5
- The Performance Dividend — Quantifies the benefits of eliminating non-essential cookies and tracking scripts