Can You Run Analytics Without Consent in the UK? The ICO's Position
Steven | TrustYourWebsite · 5 May 2026 · Last updated: May 2026
One of the most common questions the ICO receives from UK businesses is whether they can measure their website traffic without getting consent. The answer depends on what kind of analytics you use, where the data is processed and whether a cookie or equivalent identifier is placed on the user's device. The label you apply to it is not relevant.
For a technical check of which scripts your site loads before consent, run a free scan at /uk/en/scan.
Why standard analytics tools require consent
The consent requirement under PECR Regulation 6 applies whenever you store or access information on a user's device. Most analytics tools, including Google Analytics, Adobe Analytics, Mixpanel, Heap and similar products, work by placing a cookie or equivalent identifier on the user's browser. That triggers PECR Regulation 6 regardless of what the tool does with the data afterwards.
Google Analytics specifically sets cookies in the _ga and _gid family that persist on the user's device for up to two years. It also collects IP addresses, device fingerprints and behavioural data and transmits them to Google's servers. Under PECR, placing those cookies requires prior consent. Under UK GDPR, processing the personal data they generate requires a lawful basis. In both cases, the ICO's position is that consent is the applicable mechanism for standard commercial analytics.
The ICO addressed this directly in its guidance on cookies and similar technologies, which states that analytics cookies that collect personal data require consent and cannot rely on the strictly necessary exemption. The strictly necessary carve-out in PECR Regulation 6(4) applies only to cookies that are genuinely required to deliver the specific service the user has requested. Measuring traffic is not strictly necessary for delivering a page.
The DUAA 2025 and the analytics exemption that never came
Between 2022 and 2024 there was significant speculation that UK law would change to allow analytics without consent. The Data Protection and Digital Information (No.2) Bill, which lapsed when Parliament dissolved for the 2024 general election, had proposed adding analytics to a category of "recognised legitimate interests" that would have removed the consent requirement. That proposal did not survive into the Data (Use and Access) Act 2025.
The DUAA 2025 added recognised legitimate interests for fraud prevention, public-health emergencies, democratic engagement and safeguarding. Analytics is not on that list. The ICO's guidance published after the Act confirmed that the cookie consent standard under PECR is unchanged.
This matters because some CMP providers and analytics consultants described the analytics exemption as a near-certainty in 2023 and 2024. Businesses that made compliance decisions on the assumption that the exemption would pass now find that the law did not change.
What may be exempt: the server-side and anonymisation routes
PECR Regulation 6 covers storing or accessing information on the user's device. That framing opens two routes that may sit outside PECR's scope.
Server-log analytics uses the access logs your web server generates when pages are requested. When a browser loads a page, the server records the request including IP address, user agent, timestamp and the URL requested. No cookie is placed on the user's device. The ICO's position is that server-log analysis is not subject to PECR Regulation 6 because the data is generated on the server, not stored on the user's terminal equipment.
Server-log analytics has significant limitations. Without a persistent identifier for each user, you cannot track sessions reliably. You can count requests and rough unique visits by IP, but IP addresses change and multiple users share addresses. You cannot track behaviour across pages in a session with confidence. For basic traffic volume measurement, server logs work adequately. For user-behaviour analytics, they don't.
The IP addresses in server logs are personal data under UK GDPR. You still need a lawful basis to process them, you still need to cover them in your privacy notice and you still need to apply appropriate retention limits. Server-log analytics removes the PECR consent trigger but does not remove UK GDPR obligations.
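The following added example (not from the ICO or any tool named on this page) shows what server-log analytics can and cannot measure. It assumes Combined Log Format; the log lines are constructed, and `summarise` is a hypothetical helper that returns daily aggregates only, so raw IPs are not part of the output.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Combined Log Format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2026:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [05/May/2026:09:00:09 +0000] "GET /pricing HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [05/May/2026:09:01:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.24 - - [05/May/2026:10:15:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.24 - - [05/May/2026:10:15:01 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.24 - - [06/May/2026:08:00:00 +0000] "GET /pricing HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux)"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".svg", ".ico", ".woff2")


def summarise(log_text):
    """Return (per-day aggregates, count of unparseable lines)."""
    views = defaultdict(Counter)  # day -> path -> successful page views
    ips = defaultdict(set)        # day -> distinct client IPs, held in memory only
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        path = m["path"].split("?", 1)[0]  # drop query strings before counting
        # Count only successful GETs for pages, not assets or error responses.
        if m["method"] != "GET" or not m["status"].startswith("2") or path.endswith(ASSET_SUFFIXES):
            continue
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        views[day][path] += 1
        ips[day].add(m["ip"])
    # Only counts leave this function; the IP sets are discarded on return.
    report = {d: {"page_views": dict(views[d]), "approx_unique_visitors": len(ips[d])}
              for d in views}
    return report, skipped
```

In the sample, 203.0.113.7 sends two different user agents but is counted as one visitor, which is the shared-address undercount described above.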
Truly anonymous aggregate analytics is a second route. If an analytics tool collects data that is genuinely anonymous from the point of collection, with no IP address retained, no persistent identifier placed on the device and no cross-site tracking, the data may fall outside UK GDPR's scope (because it is not personal data) and outside PECR's scope (because nothing is stored on the user's device). The ICO acknowledges that anonymised data falls outside the data protection framework.
The challenge is that "truly anonymous" is a high bar. The ICO applies the Breyer test from Patrick Breyer v Bundesrepublik Deutschland (C-582/14): data is personal if any person reasonably likely to obtain it could use it to identify an individual. A single page visit without a cookie may appear anonymous, but combined with IP address, user agent and timestamp, it can often be re-identified. Most analytics implementations that claim anonymity retain enough metadata to fail the Breyer test in practice.
Privacy-preserving analytics tools
Several analytics products have been designed specifically for the PECR-without-consent use case. They work on the premise that if no cookie is placed and no personal data is retained, neither PECR Regulation 6 nor UK GDPR applies.
Plausible Analytics uses no cookies and retains no persistent identifiers. Visitor counts are generated server-side from hashed combinations of IP address, user agent and date, with the hash not stored. The daily hash rotation means the same visitor on different days appears as a separate visitor. IP addresses are never stored. Plausible's architecture is specifically designed to avoid creating personal data.
Fathom Analytics uses a similar cookieless approach with server-side counting. It does not track users across sessions and does not store IP addresses. Fathom publishes a detailed data-processing explanation and has received legal opinions on PECR compliance.
Matomo (formerly Piwik) can be configured in a consent-free mode where cookies are disabled and IP addresses are anonymised before storage. In this configuration, Matomo stores only aggregate session data. The consent-free configuration provides less granular data than the full implementation but avoids PECR consent requirements.
None of these tools are officially endorsed by the ICO. The ICO has not published a list of exempt analytics products. The argument for each rests on the same analysis: no cookie placed on the user's device, no personal data retained. Whether a specific implementation meets that standard depends on the configuration and the ICO's enforcement position, which has not been tested through formal proceedings against these tools specifically.
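A sketch of the daily-rotating hash approach described for Plausible above, as an added example and not Plausible's or any vendor's code. `DailyVisitorCounter` and its methods are hypothetical, the inputs are constructed, and the sketch assumes requests arrive in date order.

```python
import hashlib
import hmac
import secrets


class DailyVisitorCounter:
    """Hypothetical counter: unique visitors per day, no IP or stable ID kept."""

    def __init__(self, site):
        self.site = site
        self._day = None
        self._salt = None   # random per-day key, never written to disk
        self._seen = set()  # today's hashes, held in memory only
        self.totals = {}    # day -> unique visitor count (the only data kept)

    def _rotate(self, day):
        # Close out the previous day: keep the count, discard salt and hashes.
        if self._day is not None:
            self.totals[self._day] = len(self._seen)
        self._day, self._salt, self._seen = day, secrets.token_bytes(32), set()

    def record(self, day, ip, user_agent):
        if day != self._day:
            self._rotate(day)
        # Keyed hash of site, IP and user agent; the raw IP is not retained.
        msg = "\x1f".join((self.site, ip, user_agent)).encode()
        vid = hmac.new(self._salt, msg, hashlib.sha256).hexdigest()
        self._seen.add(vid)
        return vid

    def close(self):
        self._rotate(None)
        return self.totals


def demo():
    c = DailyVisitorCounter("example.test")        # constructed inputs below
    ua = "Mozilla/5.0 (X11; Linux)"
    a1 = c.record("2026-05-05", "203.0.113.7", ua)
    a2 = c.record("2026-05-05", "203.0.113.7", ua)  # same visitor, same day
    c.record("2026-05-05", "198.51.100.24", ua)
    a3 = c.record("2026-05-06", "203.0.113.7", ua)  # same visitor, next day
    return a1 == a2, a1 == a3, c.close()
```

While a day's salt exists, anyone holding it can recompute the hash from a known IP address and user agent, so the anonymity argument depends on the salt staying in memory and being destroyed at rotation.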
Practical decision framework
For a UK website deciding its analytics approach, the options map to four positions.
Full consent for standard analytics is the only unambiguously compliant approach for Google Analytics, Adobe Analytics or similar tools. The banner must gate the analytics script, the user must be able to decline, and the consent record must be stored.
Server-log analytics as a supplement removes the PECR trigger but provides limited session data and still triggers UK GDPR obligations on IP-address processing.
Privacy-preserving cookieless analytics, properly configured, is the most likely route to analytics-without-consent compliance in practice. The risk is that the ICO has not formally validated this position through published guidance.
Consent-optional analytics under the "truly anonymous" argument is viable only if the implementation genuinely meets the anonymisation standard, which most common analytics tools do not.
For businesses that find their consent rates low and their analytics data distorted, the server-side and cookieless routes address both problems. Many UK businesses have moved to Plausible or Fathom specifically because they want accurate traffic data without the consent-rate noise that cookie-based analytics introduces.
What happens if the ICO investigates your analytics setup
ICO investigations into analytics compliance typically begin with a data subject complaint. The most common complaint pattern is a visitor who notices analytics scripts firing before they have clicked anything on the cookie banner. They file a complaint at ico.org.uk/concerns and the ICO sends the organisation an information notice requesting an explanation within 30 days.
The ICO's interest is in whether consent was validly obtained before the analytics script loaded. The evidence it requests typically includes the cookie banner configuration, a record of when consent was stored for specific users, and technical evidence of the script-loading sequence.
For first-time failings at SME level where the organisation co-operates and fixes the issue, a reprimand is the typical outcome. Fines for analytics-only cookie failings at SMB scale are rare in the ICO's published enforcement record. The operational cost of responding to an investigation is usually greater than the cost of switching to a consent-gated analytics implementation or a privacy-preserving alternative in the first place.
One practical note: if you switch from Google Analytics to a cookieless tool during an ICO investigation, document that change clearly in your response. Early remediation is the most reliable mitigant in the ICO's published penalty methodology. The switch itself demonstrates good faith.
For the broader PECR and cookie banner requirements, see PECR cookie rules in the UK and cookie banner rules: what the ICO requires.
This is technical analysis, not legal advice. Consult a solicitor for specific guidance on your analytics compliance position.